How certificates enable trust even out of the office
September 2020 by Brian Trzupek, SVP Product Emerging Markets, DigiCert
Trust can be a tricky concept, especially when it comes to security. The age of network computing demands that we extend trust to lots of people - many of whom we don’t know. As remote working gains speed - we extend that trust not just to employees and users, but to their home devices, the wi-fi networks they use and the people they associate with.
That’s at least partly why humans are so often called the weakest link in security. Even when you can trust them personally, it’s hard to trust them entirely. Yet, it’s the trust relationship upon which security is based.
It’s also that trust relationship that attackers want to exploit, whether through phishing emails disguised as a government alert, whaling messages from someone claiming to be your employer, or stolen credentials that allow attackers to impersonate legitimate entities. The current situation, with staff separated from the office, makes that relationship particularly sensitive.
Recent global events have turned office staff into remote workers. That shift involves a leap of trust which many will be hesitant to make. Understandably so - it means trusting employees’ private digital habits and their potentially insecure devices, all without the benefit of enterprise security infrastructure.
Attackers understand that. It’s perhaps why Coronavirus-related phishing attempts have skyrocketed. Google reported that, during one week, it had to block 18 million Coronavirus-related phishing attempts every day.
Even when you can trust the person, you may not be able to trust the technology. While well-run enterprises are built on human trust, when it comes to security it is safer to lean on digital trust. Certificates are just one way to do that.
In this situation they can substitute for the trust you might have from working side by side with someone. A certificate is essentially a file that connects a cryptographic key to an individual or organisation’s identity. It’s that seemingly small development which helps secure credit card transactions and ensures secure browsing all over the world.
For untold millennia the signature (or seal) has been the means of authenticating a documented agreement or contract. Contracts pass back and forth across an office multiple times a day, but that’s not possible during the current public health crisis. It is digital document signing, however, that can recreate that kind of trust.
In this case a signature is a hash of the message encrypted with the signer’s private key, which anyone who has a copy of the signer’s public key can decrypt and compare against the message.
That digital signature is backed by a certificate: the signatory holds the private key (a unique identity that cryptographically identifies the signer), and the certificate is granted by a certificate authority which has already verified the identity of the signatory. The signature not only establishes the identity of the signatory, but also shows that the signed document has not been tampered with on its way to or from either party.
As long as phishing is the most popular attack vector for cyber criminals and whaling remains one of the potentially most damaging attacks, the inbox is the front line of enterprise security. Certificates can provide some measure of confidence here through S/MIME, which encrypts and digitally signs emails, so that recipients know a message really came from the trusted sender and that its contents have not been altered.
Digital trust is increasingly important at both the developer and the user level. For developers, code signing is becoming nearly mandatory: many software distributors will not put themselves and others at risk by executing applications that are not signed. For users, the presence of a code-signing certificate means that they can trust the software and apps that they’re using.
Enterprises have to rely on the security of their technology supply chain even while attackers exploit the links within it. Signed applications give them a link they can effectively rely on.
Additionally, with many organisations moving to the cloud, there is a new spotlight on secure code execution and authentication within the containers and container management systems that are running many modern applications. Here is another intersection of digital signing and authentication, and a great fit for the strong identity and authentication that is provided by Public Key Infrastructure (PKI) based digital certificates.
Code signing certificates are also helping to secure the IoT, a field which has long been dogged by embarrassingly obvious security flaws.
The IoT combines a number of security problems. Enterprise IoT often involves hard-to-police, hard-to-see deployments of hundreds if not thousands of small devices. Each of those devices, if compromised, could provide an effective breach point for an attacker. They often come with a panoply of those flaws, frequently baked in at the manufacturer level.
PKIs combined with certificates are helping here. By issuing digital identities to devices in the form of certificates, PKIs can encrypt connections, authenticate devices, ensure secure code updates and operation, and scale to establish trust across large networks of devices and users.
In the current moment - enterprises are bending over backwards to provide secure access to their employees. VPNs are doing much of the heavy lifting, providing secure connections from the homes of quarantined employees directly to office networks.
Few enterprises were built to accommodate this many remote workers, let alone VPN users, so they have to be used judiciously. Furthermore, VPNs are resource intensive - they use up bandwidth at a time when enterprises cannot afford to waste it.
VPNs commonly require a mere username and password to log in. If an intruder can guess that password, they can abuse that connection. Supplementing that login with PKI and certificates ensures that those connections can be policed and enables greater security functionality with multifactor authentication. Using a digital identity for employees with VPNs allows an enterprise to strongly authenticate, manage, control and revoke access to those already limited resources.
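The two mechanisms the article leans on, a document signature backed by a CA-issued certificate and a VPN login that demands a certificate rather than just a password, are shown below in one added example. This is not code from the article or from DigiCert; it uses only Go's standard library (crypto/x509, crypto/ecdsa, crypto/tls), the CA and people named in it are constructed, and the "localhost" SAN and the in-memory pipe stand in for a real gateway and network. The same CheckSignature step is what a code-signing or firmware-update check performs on a binary.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue generates a P-256 key pair and a certificate binding the public key to the name cn.
// parent == nil yields a self-signed CA; otherwise the CA signs the leaf, as a real CA does after vetting cn.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // self-signed root, allowed to sign other certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // leaf usable for document signing and as TLS client or server ("localhost" is a placeholder SAN)
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{"localhost"}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, err := x509.ParseCertificate(der) // a failed CreateCertificate surfaces here as a parse error
	return cert, key, err
}

// signDocument signs SHA-256(doc) with the signer's private key: the article's "encrypted hash", verifiable with the public key.
func signDocument(signerKey *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, signerKey, digest[:])
}

// verifyDocument accepts sig only if signer chains to trustedCA (the name in it was vetted) and the signature holds over exactly doc.
func verifyDocument(trustedCA, signer *x509.Certificate, doc, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	if _, err := signer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("signer certificate not trusted: %w", err)
	}
	if err := signer.CheckSignature(x509.ECDSAWithSHA256, doc, sig); err != nil {
		return fmt.Errorf("signature invalid or document altered: %w", err)
	}
	return nil
}

// mutualTLS runs one TLS handshake over an in-memory pipe. The gateway demands a client certificate issued by
// trustedCA; empty clientCerts models a user with only a password to offer. nil is returned only if both sides agree.
func mutualTLS(trustedCA *x509.Certificate, gateway tls.Certificate, clientCerts []tls.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA)
	gwCfg := &tls.Config{
		Certificates:           []tls.Certificate{gateway},
		ClientAuth:             tls.RequireAndVerifyClientCert,
		ClientCAs:              pool,
		SessionTicketsDisabled: true, // no post-handshake writes, so the synchronous pipe cannot stall
	}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "localhost", Certificates: clientCerts}
	gwConn, cliConn := net.Pipe()
	gwConn.SetDeadline(time.Now().Add(5 * time.Second)) // safety net: a stuck handshake fails rather than hangs
	cliConn.SetDeadline(time.Now().Add(5 * time.Second))
	gwErr := make(chan error, 1)
	go func() {
		defer gwConn.Close()
		gwErr <- tls.Server(gwConn, gwCfg).Handshake()
	}()
	cliErr := tls.Client(cliConn, cliCfg).Handshake()
	cliConn.Close() // also releases the gateway if it is still trying to send an alert
	if err := <-gwErr; err != nil {
		return fmt.Errorf("gateway rejected client: %w", err)
	}
	return cliErr
}

func main() {
	ca, caKey, _ := issue("Example Corp Issuing CA", nil, nil) // constructed names throughout
	alice, aliceKey, _ := issue("alice@example.com", ca, caKey)
	gw, gwKey, _ := issue("vpn.example.com", ca, caKey)
	doc := []byte("Purchase order 4711: 200 units at 12.50") // constructed sample document
	sig, _ := signDocument(aliceKey, doc)
	fmt.Println("genuine:", verifyDocument(ca, alice, doc, sig), "| altered:", verifyDocument(ca, alice, append(doc, '0'), sig))
	gwCert := tls.Certificate{Certificate: [][]byte{gw.Raw}, PrivateKey: gwKey}
	userCert := []tls.Certificate{{Certificate: [][]byte{alice.Raw}, PrivateKey: aliceKey}}
	fmt.Println("with cert:", mutualTLS(ca, gwCert, userCert), "| without:", mutualTLS(ca, gwCert, nil))
}
```

Two things worth noticing. verifyDocument checks the chain before the signature: a certificate that merely claims to be alice@example.com but was issued by a CA the verifier does not trust fails at the first step, which is the whole point of the CA having vetted the name. And the gateway side refuses the handshake outright when no client certificate is presented, so a guessed password alone never reaches the point of being tried; in production the gateway would also consult the CA's revocation data so that a lost laptop's certificate can be cut off.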
Mobile Device Management
As workforces have become remote, enterprises have had to rely on the security of their employees’ home devices. Needless to say, these rarely measure up to enterprise standards. PKIs can be used to enable secure login and strong authentication, and to isolate enterprise networks from the vulnerabilities of their remote workers’ devices.
The current decentralised nature of work has disrupted the way we did things even a few months ago. Much like gaps in the supply chain, the gaps between remote workers and their workplaces are what attackers are trying to exploit. But where many once relied on the human trust of the office, certificates can provide that trust for digital interactions.