Protecting Remote Workers with PKI

May 20, 2020 Alan Grau & Tim Callan, Sectigo

The COVID-19 pandemic has led to an unprecedented surge in employees working from home.  Organizations with a large percentage of employees working from home have faced challenges in scaling to support the surge in remote workers.  Other firms have faced even greater challenges as they have transitioned from a 100% “in the office” policy to a full “work from home” setup. This requires new laptops for all team members, enabling remote access for them all, and revamping entire work flows and operations. 

Cybercriminals have wasted no time exploiting the situation, aggressively targeting remote workers and exploiting the newly deployed remote access solutions.  The first 100 days of COVID-19 has seen an increase in the volume of attacks by over 33%.  The World Health Organization (WHO) says it has seen a 500% increase in attacks.

Ensuring the security of remotely accessible IT solutions and remote workers is a critical priority for any company transitioning to a remote workforce. Workers moving to at-home employment may lack required skills and knowledge on cybersecurity best practices. The push to enable remote workforces has put connectivity requirements ahead of security.  Even as companies begin transitioning back to a “new normal,” they will still rely on increased numbers of remote workers, making security even more critical.

Unfortunately, traditional password-based and multi-factor authentication fails to deliver the required level of security for remote workforces.  Cybercriminals have become so proficient at defeating multi-factor authentication solutions that the FBI has issued warnings and recommended moving away from these approaches.

Utilizing PKI to implement certificate-based authentication provides much stronger protection and can help companies secure their remote workers. By following a three-step process, companies can implement certificate-based authentication to protect remote workforces.

Step 1 – Replaces passwords with user identity certificates

Offering secure remote access starts with ensuring the identity of the user. Passwords offer some measure of security, but attackers have become increasingly adept at tricking employees and stealing passwords. PKI-based identity certificates are the strongest form of identity and make life easier for employees, reducing the burden of remembering, updating, and managing passwords.

Passwords rely on sharing a secret that may be accidently, or purposefully misused. PKI certificate-based authentication is superior because: 

•          The private key never leaves the client

•          The private key cannot be stolen in transit

•          The private key cannot be stolen from the server repository

•          The private key would take decades to decrypt by brute force attack

•          There is no need to change passwords or enter usernames

•          There is no risk of security breaches due to password reuse or weak passwords

Step 2 – Replace multi-factor authentication with no-touch authentication

Phone- or token-based multi-factor authentication provides an extra layer of security beyond the use of simple passwords. This two-step approach reduces the chance employee identities are stolen. But the additional effort an employee must make to use an application, beyond remembering a password, makes life even more complex for both the employee and IT administrators.

For employees working from home, PKI-based certificates not only offer the strongest form of identity authentication, but they also simplify the process for employees to connect. The employee’s identity certificate key is stored directly in their computer, laptop, or mobile phone, meaning they are automatically authenticated without requiring any action on their part. The employee can simply access applications and start working.

Digital certificates can secure multiple use cases for remote authentication including:

•          VPN access

•          Desktop as a Service (DaaS)

•          Wi-Fi access

•          Digital signatures

•          Encryption

Step 3 – Automate issuance of all identity certificates

While it’s increasingly feasible to enable employees to work remotely without having to use passwords or enter additional authentication codes, managing and maintaining the many digital certificates you need across your entire enterprise must be very easy if it’s to be effective.

Using manual processes to manage the certificates for even a few employees can be labor-intensive, technically demanding, and error prone. Automating issuance and lifecycle management allows your IT security team to issue, revoke, and replace certificates quickly, reliably, and at scale while alleviating their management burden. You can manage certificates all in one place, while monitoring the identities of everything and everyone connecting to your network. And a no-touch approach makes deployment as simple for the user as a single click

About the Authors

Alan Grau has 30 years of experience in telecommunications and the embedded software marketplace. He is VP of IoT/Embedded Solutions at Sectigo, the world’s largest commercial Certificate Authority and provider of purpose-built, automated PKI solutions. Alan joined Sectigo in May 2019 as part of the company’s acquisition of Icon Labs, a leading provider of security software for IoT and embedded devices, where he was CTO and co-founder, as well as the architect of Icon Labs' award-winning Floodgate Firewall. He is a frequent industry speaker and blogger and holds multiple patents related to telecommunication and security. Prior to founding Icon Labs, Alan worked for AT&T Bell Labs and Motorola.  He has an MS in computer science from Northwestern University.

Tim Callan is Senior Fellow at Sectigo, the world’s largest commercial Certificate Authority and a leader in purpose-built, automated PKI solutions, and co-host of the popular PKI and security podcast “Root Causes.” Tim has more than 20 years of experience in leadership positions for prominent providers of PKI and digital certificate technology including VeriSign, Symantec, Digicert, and Comodo CA. A security blogger since 2006, he is a frequently published author of technology articles and has spoken at conferences including the RSA Security Expo, Search Engine Strategies, Shop.org, and the Internet Retailer Conference and Expo. A founding member of the CA/Browser Forum, Tim played a key role in the creation and roll out of Extended Validation SSL in the late 2000s.

Prior to his role as Senior Fellow at Sectigo (formerly Comodo CA), Tim served as VP of Product Marketing in the VeriSign/Symantec Trust Services division (Nasdaq: VRSN), and in CMO roles at Melbourne IT Digital Brand Services, RetailNext, and SLI Systems. Tim has served on the Boards of Directors for Digicert and the Online Trust Alliance.

About Sectigo

Sectigo is a leading cybersecurity provider of digital identity solutions, including TLS / SSL certificates, DevOps, IoT, and enterprise-grade PKI management, as well as multi-layered web security. As the world's largest commercial Certificate Authority with more than 700,000 customers and over 20 years of experience in online trust, Sectigo partners with organizations of all sizes to deliver automated public and private PKI solutions for securing webservers, user access, connected devices, and applications. Recognized for its award-winning innovation and best-in-class global customer support, Sectigo has the proven performance needed to secure the digital landscape of today and tomorrow. For more information, visit www.sectigo.com and follow @SectigoHQ.

Previous Article
Bring Your AI to the Edge on a Power Budget
Bring Your AI to the Edge on a Power Budget

You’ve heard it many times before: AI and machine learning (ML) are moving to the Edge of the IoT. The reas...

Next Article
Anti-Piracy During the Pandemic: Five Tips for Protecting Software
Anti-Piracy During the Pandemic: Five Tips for Protecting Software

COVID-19 underscores the need for software companies to take an aggressive, integrated, and comprehensive a...