Skip to main content
banner image
venafi logo

Why You Need Mutual TLS Authentication for Cloud Instances

Why You Need Mutual TLS Authentication for Cloud Instances

January 11, 2021 | Anastasios Arampatzis

By default, the TLS protocol only proves the identity of the server to the client using X.509 certificate. The client’s authentication to the server is left to the application layer. The purpose of this check is to ensure that no fraud is involved and the data transfer between the client and server is encrypted. But what happens when there is the need to authenticate the client to the server?

Luckily, the TLS protocol offers the option of client-to-server authentication using client-side X.509 authentication. This type of authentication is referred to as mutual authentication or mutual TLS (mTLS).

What is Mutual TLS Authentication?

Mutual authentication, also known as two-way authentication, is a security process in which entities authenticate each other before actual communication occurs. In a network environment, this requires that both the client and the server must provide digital certificates to prove their identities. In a mutual authentication process, a connection can occur only if the client and the server exchange, verify, and trust each other’s certificates. The certificate exchange occurs by means of the Transport Layer Security (TLS) protocol. The core of this process is to make sure that clients communicate with legitimate servers, and servers cooperate only with clients who attempt access for legitimate purposes.

The diagram below provides a description of the mutual TLS authentication.

Figure 1: Mutual TLS Authentication. Source: Cloudflare

The Challenge of Securing Cloud Instances

With more and more businesses migrating to the cloud and taking advantage of the benefits offered by multi-cloud platforms, the question that needs to be answered is how to secure communications with the various cloud instances. Actually, the authentication of cloud-based applications to the respective backend and middleware components seems like the Achilles' heel of application security. It is important to ensure that only approved applications or processes are granted access through APIs.

A mechanism used frequently is through single, static application logins. However, in a rapidly changing world, static logins present some security challenges.

First these logins are not updated frequently. Second, it reduces the organization’s ability to monitor and audit activities because they are grouped under the identity of the application. That problem can worsen when the application is manipulated by an attacker and the credentials are stolen or compromised. If this happens, it can prove difficult to sort out which logins are legitimate application components and which logins are unauthorized.

How Mutual Authentication Fosters Application Security

The problem above can be solved by leveraging mutual TLS authentication. Just like a client (i.e. a browser) authenticates the identity of a website by validating the server certificate, so too can the server validate the client. In the case of cloud-based applications, because HTTP is the transport for the API, we can enable mutual authentication between components. In fact, we can limit the range of certificates acceptable to what is expected by requiring a specific certificate fingerprint or serial number from a particular certificate authority. Mutual authentication can be used either alone or in conjunction with a password or an identity provider.

However, employing a TLS mutual authentication strategy in a cloud environment has a few dependencies. First, as we discussed beforehand, mutual TLS authentication is optional. Therefore, we must customize the API to enable TLS mutual authentication. Luckily all major PaaS vendors offer detailed step-by-step instructions on how to enable mutual authentication (see more for AWS, Azure and Google).

Advantages of Mutual Authentication

TLS mutual authentication has a few advantages from a security standpoint. Most obviously, it means relying less on insecure passwords or static secret values. Using a password or secret creates significant overhead and friction if you are to follow reasonable security practices—changing the password periodically, monitoring its usage, enforcing complexity, making sure it is appropriately protected. TLS mutual authentication removes this hassle. While setting up mutual authentication is not as straight forward as setting up a password, the amount of overhead required to manage certificates—especially if you automate the process—is far less than managing passwords.

Another advantage is that the certificate and corresponding private key are less portable than a password. While these credentials can be stolen or compromised just like any other digital credential, it requires more sophisticated skills for an attacker seeking to impersonate a remote API caller. From a monitoring and auditing point of view, using multiple certificates organizations can keep track of which component makes an API request with more granularity.

It Is All About Effective TLS Certificate Management

However, these certificates are machine identities that need to be administered and managed effectively, otherwise trust will be doomed. For example, TLS certificates do expire. If you generate a certificate now and load it into your application, you should be sure to remember to reissue a new certificate when the old one expires. If you forget, your organization will face potential catastrophic outages. It is important not only to keep track of certificate expiration dates and be proactive about replacing expired certificates, but also to automate and manage effectively the whole certificate lifecycle.

Related posts

Like this blog? We think you will love this.
Featured Blog

What Is an SSL Certificate and How Does it Enable Security

SSL Nomenclature

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Anastasios Arampatzis
Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more