​​​​​​Between distributed workforces and scattered schedules, there’s no doubt the work environment has faced enormous disruption over the past few months, forcing enterprises to modernize their security measures. The solution? Jason Soroko, Chief Technology Officer (CTO) at Sectigo, believes it's a Zero-Trust Security Strategy.

Here we talk to Soroko about the importance of a zero-trust strategy, especially during the ongoing COVID-19 pandemic. 

Security magazine: What are your responsibilities as CTO, and your background?                       

Soroko: As the CTO of Public Key Infrastructure (PKI) for Sectigo, I’m responsible for researching, innovating, educating, and contributing to strategy; developing national-level guidance, intellectual property development, and consortium standards. Throughout my 20+ years in the digital identity industry, I have garnered results and guided innovations that have made the web and all connected experiences more secure around the globe. Prior to my two decades in the security business, I worked as an architect and developer for silicon and oil and gas industries.

Security magazine: How is zero-trust important during the ongoing pandemic? Why is a Zero-trust security strategy the solution to enterprises looking to modernize their security measures as a result of COVID-19?

Soroko: Between distributed workforces and scattered schedules, there’s no doubt the work environment has faced enormous disruption over the past several months, forcing enterprises to modernize their security measures. To combat the negative effects brought on by COVID-19, many businesses have turned to zero-trust security principles. Too much is trusted implicitly. Central to any zero-trust strategy is the concept of digital identities.  Now more than ever, enterprises need to utilize automated management of digital identities to successfully scale deployments.

Earlier this year, Sectigo and Wakefield Research conducted a survey to explore how IT pros are navigating the work-from-home environment. The study found that 56% of IT professionals surveyed implement user identity certificates to protect networks and applications from unauthorized access. This means that by using a zero-trust solution through digital certificates, enterprises can strengthen the verification of digital identities and secure the connections between entities.

As employees continue to work from home for the foreseeable future, the zero-trust approach better addresses today’s distributed environments and is critical for operational and secure success.

Security magazine: How can enterprise security teams ensure this strategy is implemented effectively?

Soroko: There’s a common misconception that implementing a zero-trust strategy requires deploying new tools into their preexisting environment. However, in most cases, many legacy tools can be used to support the strategy, with the ability to automate and provide centralized management across environments. Now more than ever, automation is key in order to address today’s dynamic enterprise. As new applications are created and more users are onboarded, controls must be automatically provisioned and policies applied based on the user, group, type of device, location, and other elements. Modern enterprises face the task of managing distributed systems, including hybrid and multi-cloud environments.  The trust model for these use cases call for a single pane of glass giving visibility to the proliferation of digital identities.  Avoiding outages and vendor lock-in requires thinking ahead and choosing the right digital identity solution.

Security magazine: Why should enterprises consider digital identity solutions that look beyond the tired and no- longer-effective authentication strategies?

Soroko: The majority of data breaches not caused by human error or phishing involve stolen credentials or brute force. This has created an overwhelming need for companies to rethink their strategies for determining access to data and network infrastructure.

Having a rock-solid digital identity is the best proven method to prevent a digital impersonator and is critical to support a zero-trust strategy. Using PKI certificates and cryptographic key pairs can strengthen the verification of digital identities and secure the connections between entities beyond the firewalled network architecture. In addition, the zero-trust model increases the need for a consolidated, automated, and modern approach to PKI.

Security magazine: How can user identity certificates support a zero-trust strategy?

Soroko: Now more than ever, the verification of digital identity is a vital piece of the puzzle to support a zero-trust approach. In recent years, there has been an increased need for a consolidated, automated, and modern approach to PKI.

With PKI, companies replace passwords with user identity certificates. PKI-based identity certificates are the strongest form of identity, and make life easier for employees, reducing the burden of remembering, updating, and managing passwords. These solutions provide a consolidated and automated approach across the deployment, discovery, management, and renewal lifecycle that are essential in today’s zero-trust environments.

This certificate-based authentication is superior to password-based authentication for many reasons, including:

• Users are not required to remember or manage passwords
• The private key never leaves the client
• Digital identities are stored in secure hardware separated zones
• The overall user experience is better
• Digital identities are not vulnerable to human social engineering

In the end, this simplified and more secure approach to authentication ensures your employees, their devices, and your business services are protected. Case in point: PKI is the best way to replace passwords via authentication and is the gold standard for authentication and encryption.