Zero trust is a burgeoning security practice among cybersecurity-focused organizations. The main concept behind zero trust is limiting a user’s resources to only what they need access to.
For example, a manufacturer implementing zero trust would ensure that their floor manager wouldn’t have access to the same network resources as their CTO. When trying to implement a zero trust network, it’s important to have the right tools to make the change as easy as possible. AD CS is a certificate solution from Microsoft that makes zero trust easy to implement.
Passwords Cannot Be Zero Trust
A password-based network ties each user’s identity to a set of credentials in an IDP. When they log in, their user profile and network settings are applied and dictate what they have access to on the network. A commonly used management system for segmenting user groups and creating policies for each comes from AD CSs Group Policy Object (GPO).
GPO can tie policies to a user’s credentials and apply them when they log in with those credentials. It should be easy to implement zero trust by limiting resources based on a person’s profile. The primary issue arises when you factor that passwords are shared amongst users constantly. 43% of Americans admit to sharing passwords, a frightening number that poses a significant identity security risk.
If a network user hosts a guest and provides them with their secure network password, there will suddenly be an unidentified user with access to resources they likely should not have access to. If they were to lose that password, accidentally leak resources, or maliciously leak resources, it could lead to a full security breach.
Additionally, passwords are incredibly insecure. They can be stolen through a variety of easy to execute attacks, such as dictionary attacks, or social engineering ploys like phishing. In particular, outside actors will target executive, IT, and admin credentials because of the greater access to resources they likely have. A zero trust infrastructure setup is all but eliminated if a hacker gets their hands on credentials that offer unmitigated network access.
Certificate Authentication and Zero Trust
Utilizing certificates for authentication is a far more secure and trustworthy method for implementing zero trust than credentials. Similar to credentials, AD CS users are assigned GPO settings that dictate their resource access when they are authenticated.
But unlike credentials, certificates cannot be shared amongst users. When a user configures their device for an AD CS certificate, that certificate is tied to the identity of the user and device. Each device the user has will contain a different certificate, but they will all apply the same user settings.
Zero trust is built on identifying each network user and automatically limiting their resource access. While AD CS can provide this service, it is well known that they are limited in what they provide organizations. AD CS does not come with an efficient onboarding system, management software, and it is an on-premise solution, which limits your ability to integrate with present and future cloud technology.
A Cloud-Based Certificate Solution
SecureW2 is a cloud-based certificate provider that simplifies every step of the certificate management lifecycle. Beginning with onboarding, the JoinNow onboarding solution allows users to self-configure devices in minutes. Without an onboarding software, and even with a detailed configuration guide, the certificate configuration process can be difficult for users that lack an IT background.
Cloud RADIUS with dynamic authentication easily integrates with AD CS to authenticate certificates and enable cloud authentication. It can accommodate VPN authentication that cannot be completed by AD CS alone. And dynamic authentication allows the Cloud RADIUS to communicate directly with the IDP so you can complete real-time user policy updates without replacing certificates.
AD CS on its own is not a PKI and requires outside management software to keep track of certificates. Our turnkey PKI allows admins to view every certificate on the network and track each authentication event in the case of needing remote troubleshooting for connection errors. When an admin views who is on the network, they can rest easy knowing that it is an accurate portrayal and there are no hidden malicious actors posing as legitimate users.
Certificates Create Zero Trust
Securing the connections of network users has never been more important. So much valuable data exists on the average organization’s network and it’s vital to ensure you take every sensible measure to ensure it’s protected. Check out SecureW2’s pricing page to see if combining our certificate solutions and AD CS will work for you.
*** This is a Security Bloggers Network syndicated blog from SecureW2 authored by Jake Ludin. Read the original post at: https://www.securew2.com/blog/zero-trust-strategy-best-practices-ad-cs