tampatra - stock.adobe.com
How to use PKI to secure remote network access
Public key infrastructure is a more secure option than password-based or multifactor authentication. Learn how those benefits can extend to remote employees and access.
Most organizations have changed their work patterns and operations to cope with the COVID-19 pandemic. Invariably, this process involved scaling up support for remote work or even deploying new systems to support this model for the first time. Enabling workers to securely access networks remotely is a big challenge -- particularly as cybercriminals are capable of defeating traditional password-based and multifactor authentication tools.
A better, more secure alternative for supporting mobile and remote workforces and controlling network access is public key infrastructure (PKI). Let's take a look at what PKI is, how to implement it and how it ensures secure remote access.
Why PKI?
PKI is a standards-based technology that provides certificate-based authentication and protection to ensure the security and integrity of remote connections and communications.
A PKI digital certificate can't be guessed -- a major weakness of passwords -- and can cryptographically prove the identity of a user or device. These capabilities ensure an entity's information is both correct and belongs to them.
PKI certificates are easier to manage than passwords as they have an expiration date and can be revoked at any moment -- instantly removing a user's or device's ability to access company resources.
PKI is known for its ability to secure users' interactions with websites, but it can also be used to secure networks, mobile and IoT devices, email and documents. User-to-user, user-to-machine and machine-to-machine communications can all be secured with PKI.
PKI relies on asymmetric key pairs, which enable the technology to validate identities just as easily as encrypting data. These capabilities are used for many critical, day-to-day activities and services, such as providing secure connections between Lightweight Directory Access Protocol clients and servers, enabling VPNs to authenticate endpoint communication over insecure networks, encrypting and decrypting email messages, and securing remote access using SSH.
How to implement a PKI platform
Implementing and managing PKIs haven't always been easy tasks. Fortunately, today's products don't require specialist expertise and offer the ability to issue and manage encryption and authentication certificates across a variety of systems and devices. They also provide seamless user access controls, which replace conventional multifactor authentication (MFA) with no-touch authentication.
Organizations can create and issue their own PKIs and digital certificates. This may be appropriate if an organization only issues certificates for internal use. In-house-built PKIs, however, are difficult to scale and are usually resource-heavy. Plus, self-signed certificates are not trusted by browsers or OSes.
A better option is to deploy a managed and centralized PKI platform. Several flexible, scalable and reliable options are available, including cloud-based, on premises, hybrid and PKI as a service. They enable security teams or network administrators to issue, revoke and replace certificates quickly, easily and reliably from a central location. They also automate many issuance and lifecycle management tasks. This leaves security teams more time to monitor the identities of users and devices connected to the network, and it simplifies key management.
Before incorporating PKI, however, organizations must ensure it fulfills specific business, security and user needs and delivers security in compliance with local, industrial and national regulations.
Key management is essential
Key management can be a security headache. The risk of unauthorized access is increased by weak keys, developer keys, unauthorized keys, and untracked trust relationships between systems and accounts. PKI should be used alongside strong key management practices and comprehensive audit policies and procedures -- management by spreadsheet does not work.
A variety of vendors offer lifecycle key management software that inventories PKI keys and analyzes the relationships enabled by each key. Audits should be conducted regularly to identify expired or unused keys and rogue certificates. Maintaining an up-to-date key inventory means security teams can rotate keys on a consistent basis to avoid problems such as keys no longer meeting security policy requirements or ex-employees or contractors having access to keys. All keys should be stored in a centralized and secure location, such as a hardware security module, with access restricted to privileged users with strong passwords and role-based access controls.
How to implement PKI for remote workers
Before deploying PKI to facilitate remote working, employees should complete security awareness training to ensure they understand relevant policies and know how to follow cybersecurity best practices. Employers should mandate all devices connecting to the network have a Trusted Platform Module (TPM). TPMs, now standard on modern devices, provide hardware-based and security-related functions, including access control and authentication. The private key for each user's certificate is stored in their device's TPM, which enables users to securely authenticate and access applications and resources without requiring any further action on their part. Even with the increased efficiency, this form of MFA is far stronger than common passwords and phone-based MFA.
PKIs offer the strongest form of identity authentication but become a security liability when poorly managed. Remember to take the time and effort to deploy comprehensive management tools and training when rolling out or upgrading your PKI services.