After completing the massive transition to a public trust public key infrastructure (PKI), the web security teams at Department of Defense (DoD) agencies will be intimately familiar with the amount of time it actually takes to provision large numbers of certificates. Indeed, security strategies often suffer because the certificate provisioning process is too complicated and lengthy. Unlike changing a password, changing a certificate can take from hours to weeks. In this blog, I’ll discuss how Certificate as a Service (CaaS) can extend across both human and Non-Person Entities (NPEs). I’ll also call out what should be considered in the identity layer as well as how to assess the viability of CaaS for security, scalability and speed of delivery.
First let’s talk about how our notions of identity are different for people and machines. We need to move towards a broader definition of identity that includes both actors on the network – people and machines. Many automated machine-to-machine functions support critical mission functions, yet we are investing billions in human identity security and almost nothing securing the machine identities that provide critical authentication points for countless NPEs across the DoD enterprise.
With growing threats and the dynamic nature of today’s network perimeter, ongoing authentication at the identity layer is becoming more essential. But as devices and applications outpace people on the network—with cloud workloads, virtualization, Fast IT & containerization, mobility and IoT—identity-layer solutions must extend not only to human identities, but also to NPEs.
To achieve balance between speed and security, a CaaS platform should be used to automate the procurement and deployment of cryptographic keys and digital certificates as part of the build process—fully integrated with next-generation software development platforms, hardware security modules and existing certificate authorities. These certificates can then be used to authenticate machines. In addition, secure self-service, end-user, web-based mobile and user certificate portals can ensure policy-enforced certificate issuance.
Consumers and providers of NPEs reside throughout the agency enterprise. They require rapid and secure issuance of machine identities as well as the quick determination of the appropriate level of trust for all machine identities connected to their agency that reside inside and outside the boundaries of their network. With this dependence on machines, IDaaS strategies need to include authentication of both people and NPEs—securing all actors on the network—and CaaS can deliver this broad and strong authentication in a fast and scalable platform.
Contact us to discuss how offering certificates as a service can improve policy compliance at your agency.