Bank Negara, the Central bank of Malaysia (for the benefit of our non-Malaysian readers), will likely announce five organizations that will be issued the first Digital Banking licenses in Malaysia. Although the current BNM-issued Risk Management in Technology guidelines restrict the migration of crucial Banking systems to the cloud, the appeal of the cloud in future infrastructure and application deliveries is undeniable. That said, most banks, especially Digital Banks, may implement plans for migrating applications to the cloud. As a result, this exodus introduces new complexities in securing IT infrastructures using the traditional, “perimeter” focused way.
In light of this, most organizations have been leveraging zero-trust security, a term coined and structurally presented by Forrester in 2010, to edge away from the traditional perimeter focused-defense to an Identity-based security approach. According to the Forrester definition, zero-trust is “an information security model that denies access to applications and data by default. Threat prevention is achieved by only granting access to networks and workloads utilizing policy informed by continuous, contextual, risk-based verification across users and their associated devices”.
The primary principle of the zero-trust model is not to trust anybody or anything; thus, Authenticate and Authorize are essential aspects to enabling zero-trust security. PKI, once implemented correctly, is one of the most secure methods used to Authenticate users, devices, servers, and applications. It ensures non-repudiation and can extend to certain Authorization use cases as well. The benefits of PKI have seen many organizations prefer using Digital Certificates from a private or Public CA as the sole ID to authenticate all its users, which may be ubiquitously issued to all applications and appliances, whether cloud or on-prem.
However, similar to most technologies, PKI introduces various challenges. Some of the common misgivings and grouses or Security Operations in managing PKI are the lack of skilled workforces in the IT job market. While PKI is widely used and a crucial element in securing data, it remains one of the most challenging subjects to understand, not to mention its lack of “cool appeal.” Ask an IT grad which specialization they would rather focus in, PKI or BlockChain, and chances are 100 out of 100 would choose the latter. Worse, PKI systems and digital certificates from well-known Certificate Authorities are highly-priced. Also, the lack of proper tools or processes for tracking and managing digital certificates may lead to repeated system breaches and downtimes.
Fret not, though. If you are thinking of setting up a complete Zero Trust Architecture with PKI for your cloud/hybrid cloud environment, many resources can help. A list of the items that should be in your checklist include:
· Setting up an Internal trusted CA and proper Chain of Trust.
· Adding in systems such as a Certificate Lifecycle Automation software to enable complete Digital Certificate visibility and automation
· Setting up an incubation lab to nurture PKI talents
· Or you can consider outsourcing your PKI to PKI-as-a-Service vendors.
Securemetric has over 20 years of experience building, operating, and managing PKI and Certificate Authorities.
Feel free to talk to us regarding our PKI-as-a-Service offering and other PKI-related solutions.