Digital identities are a critical component for securing the modern enterprise. Any entity that exists and communicates in the fabric of the enterprise needs to be authenticated and authorized to do so. Today, PKI certificates are used to establish those identities, and this approach has demonstrated proven success for more than two decades across a wide range of security and operational purposes.
In today’s increasingly connected landscape, the range of
entities that require digital identities has expanded considerably. For
example, a public web server may be uniquely identified with an SSL
certificate, or an employee may use a device certificate on a personal
smartphone to identify themselves to a VPN or corporate application. These are vastly different use cases, and exploring the nuances between how certificates are used to implement identities reveals the potential for both new applications and increased security.
entities that require digital identities has expanded considerably. For
example, a public web server may be uniquely identified with an SSL
certificate, or an employee may use a device certificate on a personal
smartphone to identify themselves to a VPN or corporate application. These are vastly different use cases, and exploring the nuances between how certificates are used to implement identities reveals the potential for both new applications and increased security.
Understanding Digital Identities
Digital identities have a wide range of uses, but it is most helpful to think of them in terms of four distinct categories: server identities, user identities, device identities, and software identities. While there is considerable nuance to identities and their use cases, organizations can leverage these categories to develop the potential for an even broader set of use cases supporting the evolving security demands of the enterprise.
Server identities provide the traditional and commonly understood verified web server authentication implemented using SSL/TLS certificates. No matter what entity is interacting with a server—whether within the enterprise or exposed beyond the firewall—the certificate provides a
mechanism to ensure that the server is, in fact, what it represents itself to
be. This extends beyond web servers and includes application servers, load
balancers, network infrastructure, and more.
mechanism to ensure that the server is, in fact, what it represents itself to
be. This extends beyond web servers and includes application servers, load
balancers, network infrastructure, and more.
User identities offer the promise of more streamlined resource interaction while still maintaining a high level of security. If the identity in question represents an employee, it is mostly to be installed on a smart device such as a smartphone or laptop.
Possession of that device is sufficient to establish the identity, because access to the certificate is usually established using biometric or other means. User identities can be used to sign and encrypt email using tools like S/MIME, or to sign a document for personal or business purposes. Broader entities such as partners and vendors can also be classified as user identities, as they tend to interact with the enterprise in an equivalent manner.
Device identities extend from Windows PCs to every other category of device that may interact with the enterprise. Amid the exponential
rise of the Internet of Things (IoT), this category has only grown more
important. As IoT continues to expand, new approaches to securing devices will be needed—particularly with the growth of smart infrastructure ripe for attackers to exploit.
rise of the Internet of Things (IoT), this category has only grown more
important. As IoT continues to expand, new approaches to securing devices will be needed—particularly with the growth of smart infrastructure ripe for attackers to exploit.
Finally, software identities provide assurance within the enterprise and beyond that the technology itself is genuine and validated. This category is continuously evolving, from basic code signing to local modular verification and validation of all external code being deployed within the enterprise.
As DevOps functions become increasingly common, the granularity of software identities will likely increase, providing authentication of libraries, containers, and applications, increasing the resilience of software infrastructure and reducing the potential for rogue software being executed in the enterprise.
The Growing Value of Automation
Managing this wide range of identities requires the ability to automate the processes of certificate issuance and deployment. Private and public certificates provide the underlying technology behind digital identities, and modern automation solutions can provide enterprises with the tools and techniques needed to manage and deploy those certificates throughout
the enterprise. The proliferation of digital identities underscores the need
for automation, as manual certificate management is untenable given today’s growing certificate volumes.
the enterprise. The proliferation of digital identities underscores the need
for automation, as manual certificate management is untenable given today’s growing certificate volumes.
Simply put, the more automated the approach to digital identity, the better. Consider the risk of an outage if a certificate expires, or if unauthorized certificates are mistakenly deployed within an enterprise’s environment.
The ability to quickly swap out all certificates in an environment in the event of a catastrophic event is essential. Without automation, that process would be cumbersome and time consuming. With standard certificate lifespans growing shorter and shorter and the major paradigm shift of quantum computing on the horizon, automation has never been more important.
Automated digital identity is also a key element for passwordless authentication. Today’s businesses are increasingly moving away from password-centric security policies, and digital identities provide a more streamlined approach to authentication that doesn’t require password memorization and comes without the inherent risk of compromise. This aligns well with the growing shift toward zero trust architecture models, where network entities are not trusted by default, and must instead prove their identity using certificates.
Understanding the value of automation is the first step, but it’s also important to understand—in real-world terms—the danger that poor certificate management can pose. An unanticipated expired certificate fulfilling a critical role in an ecommerce platform could cost millions of dollars in lost business—not to mention significant reputational harm or potential legal and regulatory repercussions. Expired certificates have caused service outages even within organizations like Microsoft and Spotify, which have a reputation for being technologically savvy. It can happen to anyone.
Digital Identity is Essential
At its core, digital identity provides authentication, verification, and encryption of data in transit and at rest, and public and private certificates support the efficient and effective use of cryptographic elements within the enterprise.
Decision makers in IT operations, security, and DevOps should consider the connected entities within their networks and how the application of digital identity concepts can help create consistency, operational integrity, and greater efficiency. By leveraging digital identities, today’s enterprises can enable and secure a growing number of transformative business applications.