The Role of Digital Certificates in Zero Trust Security Models
Security isn’t new—but the way we approach it must be. As digital assets replace physical ones, and cyber threats grow more sophisticated, organizations need a strategy that assumes nothing and verifies everything. That’s the essence of Zero Trust, and digital certificates are key to making it work.
What is a Zero Trust Strategy?
US Executive Order 14028, Improving the Nation's Cybersecurity, directs federal agencies to advance security measures that drastically reduce the risk of successful cyberattacks against the federal government's digital infrastructure. On January 26, 2022, the Office of Management and Budget (OMB) released the federal Zero Trust strategy in memorandum M-22-09, in support of Executive Order 14028.
The US Department of Defense (DoD) Zero Trust Reference Architecture is cited in the memo to define the spirit of Zero Trust:
"The foundational tenet of the Zero Trust Model is that no actor, system, network, or service operating outside or within the security perimeter is trusted. Instead, we must verify anything and everything attempting to establish access. It's a dramatic paradigm shift in philosophy of how we secure our infrastructure, networks, and data, from verify once at the perimeter to continual verification of each user, device, application, and transaction."
The memo further outlines goals for federal agencies using the Cybersecurity Information Systems Architecture (CISA) matrix-style maturity model, which can be visualized like this:
| | Identity | Devices | Networks | Applications and workloads | Data |
|---|---|---|---|---|---|
| Visibility | | | | | |
| Analytics | | | | | |
| Automation | | | | | |
| Orchestration | | | | | |
| Governance | | | | | |
Addressing the asset categories listed in the columns of this matrix with the capabilities listed in the rows provides the strategic outline for achieving Zero Trust. In practice that means verifying every attempt to establish a connection (a digital handshake) to any asset in those categories. Because the number of handshake attempts is vast, how an organization manages their verification must account for visibility, analytics, automation, orchestration, and governance. Robust security strategies start by identifying assets, so each handshake verification begins with establishing the identity of the asset and of the container it resides in.
How PKI Infrastructures Enable Zero Trust Environments
Identity verification of assets is not unlike taking an inventory of product in a warehouse. Ensuring each item has an identifying marker and designated container in the space is key to being able to do business and keep track of where the product is. When workers can verify the product is what they understand it to be, and can direct products to the container that holds them in the warehouse, the workers can efficiently plan how to move and organize products in the way the business needs. Such transparency also reduces loss.
Establishing identity for digital assets requires a robust and secure system. Public Key Infrastructure (PKI) is the means by which organizations manage the keys and certificates they bind to their digital assets so that those assets can authenticate and communicate securely over networks. For that to work, the certificates must be recognized as trustworthy. Rather than exchanging and vetting certificates one by one, an organization trusts a PKI hierarchy once, and every certificate that chains to it inherits that trust; this makes establishing trust faster and more efficient.
A PKI hierarchy includes a Root Certificate Authority (CA) and one or more Issuing Certificate Authorities (ICAs), each with its own identifying certificate. Once the root certificate is installed in the root store of the network where the assets reside, those assets can trust any certificate that chains back to that root through the CA and ICA certificates. Verification is not just a matter of presence in the store: a relying party checks each signature in the chain, the validity period, and that the certificate is being used for the purpose (server, client, device) it was issued for.
When a digital asset in an organization’s environment can be identified in a trusted way, this is a key building block which supports asset visibility, the ability to analyze assets in the environment, automate actions on and around assets, and identification of efficient orchestration and governance of organizational assets.
Digital certificates may be applied to portals and machines alike, to establish trusted gateways and trusted containers. TLS/SSL certificates establish trusted traffic among trusted devices, such as servers, laptops, mobile phones, central thermostat controllers, automobiles, and so on. Traffic to hubs that access Internet-of-Things (IoT) devices must be protected as a means of protecting the physical and digital assets in that hub environment. Establishing trust in assets, as well as in the traffic they send and receive, is how organizations use identity-based authentication to ensure each handshake attempt is verified.
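The two-tier hierarchy described above (root CA, issuing CA, device certificate) and the per-handshake verification it enables can be demonstrated end to end with Go's standard `crypto/x509` library. The following is an added example written for this article, not code from the page's author or from any product it describes; the organization name, device name, validity periods and serial numbers are constructed values. It builds a root CA, an issuing CA signed by the root, and a device certificate signed by the issuing CA, then verifies the device against a trust store that contains only the root. A device certificate issued by a different, untrusted hierarchy, or one presented under a name it was not issued for, is rejected, which is exactly the check a Zero Trust relying party performs on every connection.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain holds one constructed hierarchy: root CA -> issuing CA -> device leaf.
type Chain struct {
	Root, Issuing, Leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs template with the parent's private key; when template == parent
// the result is self-signed, which is how a root CA is created.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildChain creates a two-tier PKI for orgName and a leaf certificate for
// deviceName. The names and lifetimes are constructed for this example.
func BuildChain(orgName, deviceName string) Chain {
	now := time.Now()
	rootKey, icaKey, leafKey := newKey(), newKey(), newKey()

	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: orgName + " Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	// The issuing CA may sign leaves only (path length 0), not further CAs.
	icaTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: orgName + " Issuing CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(5 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            0,
		MaxPathLenZero:        true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ica := issue(icaTmpl, root, &icaKey.PublicKey, rootKey)

	// The device certificate is scoped to one name and to TLS client/server use.
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: deviceName},
		DNSNames:     []string{deviceName},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	leaf := issue(leafTmpl, ica, &leafKey.PublicKey, icaKey)
	return Chain{Root: root, Issuing: ica, Leaf: leaf}
}

// VerifyDevice is the relying party's check: the leaf must chain through the
// presented issuing CA to a root in the trust store, be valid now, carry the
// expected name, and be permitted for client authentication.
func VerifyDevice(leaf, issuing *x509.Certificate, trustedRoots []*x509.Certificate, expectedName string) error {
	roots := x509.NewCertPool()
	for _, r := range trustedRoots {
		roots.AddCert(r)
	}
	inters := x509.NewCertPool()
	inters.AddCert(issuing)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		DNSName:       expectedName,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	const device = "thermostat-01.example.internal" // constructed device name
	org := BuildChain("Example Corp", device)
	trust := []*x509.Certificate{org.Root}

	fmt.Println("own device:      ", VerifyDevice(org.Leaf, org.Issuing, trust, device))
	rogue := BuildChain("Rogue Corp", device) // same name, untrusted hierarchy
	fmt.Println("untrusted issuer:", VerifyDevice(rogue.Leaf, rogue.Issuing, trust, device))
	fmt.Println("wrong name:      ", VerifyDevice(org.Leaf, org.Issuing, trust, "other.example.internal"))
}
```

Only the root certificate is placed in the trust store; the issuing CA certificate travels with the device's handshake and is validated by signature, not by prior installation. That is what lets one trust decision at the root cover every asset the hierarchy issues for, while a certificate from an unrelated hierarchy, even one claiming the same device name, fails the check.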
In a Zero Trust world, identity is everything. Digital certificates—backed by a trusted PKI—enable organizations to verify every user, device, and transaction. Whether securing IoT traffic or authenticating access to sensitive data, certificates are the backbone of modern cybersecurity.
Ready to strengthen your Zero Trust strategy? Start with trusted digital certificates.