Can the White House successfully spearhead zero-trust?

Jason Soroko, CTO of PKI, Sectigo, discusses the role of PKI in securing digital identity and implementing zero-trust architectures within the Governmental and public sector arena

As the world inches towards the end of a turbulent year, governments across the world are looking closely at new strategies to safeguard their nations’ cybersecurity for a stronger 2022. Just last week, President Joe Biden called a summit of 30 nations to discuss the dizzying number of ransomware attacks taking place across the globe.

On an infrastructure level, the Wall Street Journal recently reported the White House is looking at implementing zero-trust to prevent federal networks, systems, and devices from suffering another attack like customers of Solarwinds. The main concept behind zero-trust is that devices should not be trusted by default behind a firewall. There is a long road towards realizing the potential of zero-trust, and secure digital identities will need to sit at the heart of any successful strategy.

What the White House wants

Traditional pre-pandemic approaches to digital security are now ineffective, with massive ransomware attacks on the Colonial Pipeline showing the vulnerabilities within American critical national infrastructure.

The White House’s latest focus on zero-trust as the foundation of its new cyber strategy highlights that securing identities is the key area of differentiation for modern security. This encouraging approach emphasises strong identity policies, encryption, and automation.

Making this a success will require a multifaceted strategy, as zero-trust is a set of principles rather than a single technology. However, a key thread running through any successful zero-trust infrastructure is public key infrastructure (PKI).

PKI: The building block for a secure future

PKI involves a set of roles, policies, hardware, software, and procedures used to create and manage digital certificates, and manage public-key encryption. These certificates assess the identity of machine or human contacts by encrypting communication behind hugely complex cryptographic algorithms that only verified users can breakthrough. The use of PKI is already widespread, as it is deployed to facilitate the secure electronic transfer of information for a range of network activities such as e-commerce, internet banking and confidential email.

PKI is generally required for activities where simple passwords are an inadequate authentication method and more rigorous proof is required to confirm the identity of the parties involved in the communication and to validate the information being transferred. Digital identities provided by PKI provide one of the strongest, easiest-to-use authentication and encryption solutions that modern technology enables.

PKI plays a critical role in consolidating and automating the deployment, discovery, management, and renewal of digital certificates for every device, user, and application across an organization. While PKI is not the only identity solution, it is a mature and strong technology that has innovated to handle the scale necessary for a proliferation of digital identities and the move towards more secure authentication for all network nodes.

Digging into the new strategy

The White House’s new strategy is broken down into five pillars. The first pillar and required action of the new directive centre on identity-based security. The other four pillars of the plan also represent important changes being made to the way cybersecurity is addressed, all of which could be enhanced through PKI.

Devices: The US government is emphasising the fundamentals, such as taking inventory of devices, and provisioning IoT devices with strong identities, enabling security in the form of secure authentication and encryption of data from those devices in transit and at rest.

Networks: The US Government will be using security standards that have been adopted in the past, but it is important to note the importance of PKI email encryption and S/MIME standards.

Applications: The new framework calls for multi-factor authentication to be integrated into all applications. This makes PKI certificates an ideal solution because they are ideally suited to single sign-on to multiple applications and can span cloud and on-premises applications.

Data: Data in the modern digital organisation regularly crosses hostile network boundaries and needs to be protected. Encryption of data in transit and at rest will require digital identities, most commonly in the form of PKI certificates.

Cyber-securing the future

Ultimately, modern government bodies are facing unprecedented cybersecurity risks, from both private individuals and their hostile foreign powers. The White House’s increased rhetoric and action on cybersecurity are very promising. By focussing on secure identities, and keeping applications and devices secure with regularly updated PKI certificates, the US government will stand itself in good stead for the inevitable attack attempts of the future.