Digital identities and PKI

The Cornerstone of Zero Trust

Organisations' infrastructures are becoming more complex. A distributed workforce and the explosion of connected devices, including mobile devices and IoT, are only two of the developments that drive the demand for a strong digital identity approach.

"Public Key Infrastructure Supports Greater Security"

Organisations rely on digital identification as a cornerstone of Zero Trust security, enabling a passwordless architecture for users, devices, servers, and applications. Certificate-based authentication backed by a PKI (Public Key Infrastructure) is among the strongest forms of authentication available: the private key that proves an identity never leaves the device, so there is no shared secret to phish, reuse or replay. PKI has proven effective, flexible, reliable, and scalable in securing a wide range of authentication methods.


PKI in Network Security


PKI, Public Key Infrastructure, is the set of roles, policies, hardware and software that governs the issuance of digital certificates. It manages the public keys a network relies on: binding them to identities, distributing certificates, revoking them when a key is compromised or an entity leaves, and handling renewal and the rest of the certificate lifecycle.

"PKI Enables Strong Certificate-based Security"

Digital certificates provide strong protection for critical corporate data by giving users and devices unique, verifiable digital identities. A digital certificate is comparable to a passport or identity card: it is issued by a trusted authority, proves who the holder is, and grants certain entitlements. Like a passport, it is hard to forge, because it carries the issuing authority's signature.

The Principle of PKI


PKI relies on digital signatures, which use public-key cryptography: each participant generates a key pair consisting of a private key and a public key. The users and devices that hold keys are called entities. The principle of PKI is that each entity's private key is known only to that entity, while the public key can be made available to anyone.

Another crucial element of a PKI is the certificate authority (CA), the trusted party that issues digital certificates. Users and devices generate their own key pair and submit the public key; the CA then signs a certificate that securely binds the entity's name to that public key. The CA thus acts as the agent of trust in a PKI.

The Certificate Issued by the CA - Key Fields


Distinguished Name

The unique name, plus any further attributes (organisation, department, e-mail address), that uniquely identifies the entity the certificate is issued to.

Certificate Holder's Public Key

A copy of the holder's public key, used by others to encrypt data for the holder and to verify the holder's digital signatures.

Public Key Verification

Anyone holding the certificate can use the public key in it to verify signatures made with the corresponding private key; this is how an entity proves during authentication that it holds the private key, without ever revealing it.

Certificate Validity Period

The start and end dates (notBefore and notAfter) outside of which the certificate must be rejected, regardless of whether its signature is valid.

Purpose of the Public Key

The uses the key is certified for (the key usage and extended key usage extensions), e.g. digital signature for authentication, key encipherment for encryption, client or server authentication in TLS. A relying party should reject a certificate presented for a purpose it was not issued for.

Digital Signature

The issuing CA's digital signature over all of the fields above. It guarantees that the certificate was issued by that CA and that none of the fields have been altered since.

Certificate Integrity


The integrity of a certificate is established by verifying the CA's digital signature over it. Because any modification invalidates that signature, certificates can be distributed openly: a relying party only needs a trusted copy of the CA's certificate, not a protected channel, to detect tampering.

Having verified the signature, a user retrieving a public key from a certificate is assured that the public key is the one the CA certified, provided the certificate is still within its validity period and has not been revoked. Equally important, users can trust that the public key belongs to the entity named in the distinguished name and use it safely for the purposes for which the CA certified it.
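As an added worked example (not code from the original page and not part of NetAttest EPS), the following Go program uses only the standard library to do what the last two sections describe: create a private root CA, enrol a user whose private key the CA never sees, and then apply the relying party's checks to the resulting certificate. Besides the valid certificate it verifies four that must be rejected: one past its validity period, one signed by a CA the organisation never trusted, one altered after signing (so the CA's signature no longer matches), and one presented for a purpose it was not certified for. The names, organisations and the choice of ECDSA P-256 keys are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Entity is a key holder: only it knows the private key, while its certificate
// carries the distinguished name, public key, validity period, permitted
// purpose and the issuing CA's signature over all of those fields.
type Entity struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

var serial int64 // toy serial counter; a real CA keeps a persistent, unique serial store

// must is demo-only error handling: with well-formed templates these calls do not fail.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign mirrors enrolment: the subject generates its own key pair (the CA never
// sees the private key) and the issuer signs the template. An issuer without a
// key means self-signed, which is how the root CA itself is created.
func sign(tmpl *x509.Certificate, issuer Entity) Entity {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serial++
	tmpl.SerialNumber = big.NewInt(serial)
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	if issuer.Key == nil {
		issuer = Entity{key, tmpl}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, issuer.Cert, &key.PublicKey, issuer.Key))
	return Entity{key, must(x509.ParseCertificate(der))}
}

// NewCA creates the self-signed root that relying parties install as their trust anchor.
func NewCA(org string) Entity {
	return sign(&x509.Certificate{
		Subject:               pkix.Name{CommonName: org + " Root CA", Organization: []string{org}},
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, Entity{})
}

// Issue binds a user or device name to a fresh public key, valid until notAfter
// and certified for client authentication only (the "purpose" field).
func Issue(ca Entity, cn string, notAfter time.Time) Entity {
	return sign(&x509.Certificate{
		Subject:     pkix.Name{CommonName: cn, Organization: ca.Cert.Subject.Organization},
		NotAfter:    notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca)
}

// Verify is what a RADIUS, VPN or web server does with a presented certificate:
// build a chain to a trusted root (this checks the CA's signature), check the
// validity period at time `at`, and check the certified purpose matches `use`.
func Verify(c *x509.Certificate, roots *x509.CertPool, at time.Time, use x509.ExtKeyUsage) error {
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{use}})
	return err
}

// Scenarios issues one good certificate and four that must be rejected, and
// returns the good certificate together with which ones Verify accepted.
func Scenarios() (*x509.Certificate, map[string]bool) {
	corp := NewCA("Example Corp")
	rogue := NewCA("Rogue Ltd") // a CA the organisation never installed as trusted
	roots := x509.NewCertPool()
	roots.AddCert(corp.Cert)
	now := time.Now()
	year := now.Add(365 * 24 * time.Hour)

	alice := Issue(corp, "alice@example.corp", year)
	expired := Issue(corp, "old-laptop", now.Add(-24*time.Hour))
	mallory := Issue(rogue, "alice@example.corp", year) // same name, untrusted issuer

	tampered := *alice.Cert // an attacker edits the signed data after issuance
	tampered.RawTBSCertificate = append([]byte(nil), alice.Cert.RawTBSCertificate...)
	tampered.RawTBSCertificate[len(tampered.RawTBSCertificate)/2] ^= 0x01

	client := x509.ExtKeyUsageClientAuth
	accepted := map[string]bool{
		"valid client certificate":       Verify(alice.Cert, roots, now, client) == nil,
		"expired":                        Verify(expired.Cert, roots, now, client) == nil,
		"signed by untrusted CA":         Verify(mallory.Cert, roots, now, client) == nil,
		"tampered after signing":         Verify(&tampered, roots, now, client) == nil,
		"client cert used as TLS server": Verify(alice.Cert, roots, now, x509.ExtKeyUsageServerAuth) == nil,
	}
	return alice.Cert, accepted
}

func main() {
	cert, accepted := Scenarios()
	fmt.Printf("%s issued by %s, valid until %s, clientAuth=%v\n", cert.Subject, cert.Issuer,
		cert.NotAfter.Format(time.RFC3339), cert.ExtKeyUsage[0] == x509.ExtKeyUsageClientAuth)
	for name, ok := range accepted {
		fmt.Printf("%-32s accepted=%v\n", name, ok)
	}
}
```

Run it with `go run .`; only the valid client certificate is accepted. The rejections come back as x509 errors naming the reason (expired, unknown authority, incompatible key usage), which is exactly what a RADIUS or VPN server logs when it refuses a client. Two things the example deliberately leaves out: revocation, which requires the relying party to also consult a CRL or OCSP responder, and serial-number management, which here is a toy counter.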

  • Securing Wi-Fi and VPN access with certificate-based policies that do not require a password increases network security.
  • Deploying digital certificates on mobile devices prevents unauthorised devices from accessing the company network.
  • Using digital certificates on network devices (e.g., routers and switches) ensures network integrity.
  • Assigning certificates to connected IoT devices ensures only authorised devices can access the company network.
  • Providing a key pair and certificate to connecting devices gives control over which trusted users can access the company network.
  • Installing private, trusted TLS/SSL certificates on internal and external-facing web servers strengthens network integrity.

NetAttest EPS's Certificate Authority


Common use cases for using a private CA:

  • Virtual Private Network (VPN), wired or wireless authentication
  • Device identification 
  • Intranet sites
  • IoT (Internet of Things)

The advantages of using an internal CA:

  • NetAttest EPS ships with an internal CA as standard
  • Simplified management, with no dependency on an external entity for certificates
  • No per-certificate cost
  • Much lower cost of configuring and expanding the PKI
  • NetAttest EPS's auto-enrolment feature further simplifies the certificate issuing process
  • Allows the organisation to control and manage the certificates it distributes in line with its own security needs

Some generic disadvantages:

  • External parties will, in general, not trust a digital certificate signed by an internal CA; public-facing services still need a publicly trusted certificate
  • The security and accountability of the PKI lie fully with the organisation: if the CA's private key is compromised, every certificate it has issued must be treated as untrustworthy
  • The certificate management overhead of an internal CA is higher than that of an external CA

NetAttest EPS builds on these advantages and specifically targets the generic disadvantages. Designed as a dedicated appliance, it allows specific security controls to be implemented that limit and harden access to the CA as the vital component. Furthermore, features such as automation and special-purpose certificates reduce the need for specialist PKI skills among IT staff.

NetAttest EPS and PKI

Certificate-based authentication backed by a PKI is one of the strongest ways to control and secure access to company networks. PKI certificates safeguard critical data from unauthorised parties and reduce the exposure that puts businesses at risk. Without a PKI, access control falls back on passwords, which can be phished, reused and stolen.

Now is the time to rethink the certificate lifecycle management approach and adopt an automated solution, ensuring certificates are correctly configured and deployed with minimal human intervention.


NetAttest EPS offers interoperability, high up-time, stability, governance and improves administration and certificate lifecycle management through:

  • Automation: accelerates certificate deployment while reducing cost and configuration errors
  • Scalability: manages certificates from small to large deployments, based on need
  • Visibility: a centralised status overview of every issued certificate

Use Cases


Digitalisation across various industries boosts the need for digital authentication to secure and control the organisation's networks. PKI is a strategic part of network security; some of the use cases include:

Adoption of Zero Trust security

Zero Trust is a security model built on verified identities rather than on network location. Using digital identities makes it possible to assign roles and enforce policies based on Zero Trust principles: only trusted and verified users and devices can access the respective company's networks and resources.

Securing the remote workforce

PKI supports IT teams in remotely deploying and managing digital certificates, automatically tracking the certificate lifecycle and provisioning certificates to onboard new users. For certificate deployment, NetAttest EPS supports integration with Mobile Device Management (MDM) platforms.

Restricting access to Wi-Fi

EAP-TLS, the WPA2-Enterprise protocol for certificate-based authentication, relies on a PKI. Client and authentication server authenticate each other with certificates inside a TLS handshake carried over EAP; because the client proves possession of a private key that never leaves the device, there is no password to intercept or phish over the air. Two caveats apply: the client must validate the RADIUS server's certificate against the organisation's CA (and the expected server name), otherwise a rogue access point broadcasting the same SSID can lure it onto an attacker's network; and which CAs the server trusts determines who can join at all, so the PKI hierarchy is where the Zero Trust policy is actually enforced.
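As an added illustration (not part of the original page, and not a NetAttest EPS configuration), here is a wpa_supplicant network block for EAP-TLS on a Linux client, shown first in a weak form and then corrected. The SSID, identity, file paths and RADIUS server name are assumed. Without `ca_cert` the supplicant completes the TLS handshake with whatever server the access point forwards it to, so an attacker's access point with the same SSID and any certificate can get the client to join; pinning the private root CA and the expected server name closes that gap.

```conf
# WEAK: no server validation. The client proves its own identity with its
# certificate but never checks whom it is talking to, so a rogue AP using the
# same SSID and an arbitrary certificate can lure it onto an attacker's network.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@example.corp"
    client_cert="/etc/wpa_supplicant/alice.crt"
    private_key="/etc/wpa_supplicant/alice.key"
}

# CORRECTED: mutual authentication. The RADIUS server's certificate must chain
# to the organisation's private root CA and carry the expected name; otherwise
# the supplicant aborts the handshake.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@example.corp"
    ca_cert="/etc/wpa_supplicant/corp-root-ca.pem"
    domain_suffix_match="radius.example.corp"
    client_cert="/etc/wpa_supplicant/alice.crt"
    private_key="/etc/wpa_supplicant/alice.key"
}
```

The `identity` line is the outer EAP identity and is sent unencrypted before the TLS handshake starts, so it should not carry anything more sensitive than a username. The mirror image applies on the server side: the RADIUS server must be configured to trust only the organisation's CA for client certificates, which is the control that decides who can join the network.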

Accessing VPN

PKI makes it straightforward to integrate a VPN into the network. Users enrol for a certificate that authenticates them to the VPN gateway in the same way it does to Wi-Fi, and IT administrators can revoke VPN access by revoking the certificate when required.

User and device authentication

PKI is used, among other things, for authenticating users and devices. The CA's signature certifies that a particular public key belongs to a specific user or device; proving possession of the matching private key then serves as that user's or device's identity and can grant access to, e.g., certain company network resources.

Compliance

PKI is a natural fit for helping organisations meet various international regulations and industry standards. It provides the foundation for establishing and maintaining a trustworthy network environment while strengthening the company's security posture.

Need for passwordless authentication

Passwordless authentication covers technologies that reduce and potentially eliminate the use of passwords. Instead of a shared secret, it relies on other evidence of a user's identity, such as a certificate held on the device, a one-time password (OTP), or a device identifier.

Securing IoT

PKI can be used to deploy a unique digital certificate to each device, enabling mutual authentication between devices and with the network. It removes the need for passwords and protracted authorisation checks: devices identify each other with their certificates, prove possession of the matching private key, and then start exchanging data.

Contact us to find out more