Trust is the foundation of many of our interactions, be they with our close family and friends, with our co-workers, with our wider circle of acquaintances, with others that we meet day to day, or with the many businesses and organizations that we deal with on a regular basis. Trust is a key cornerstone in how we manage our lives and our relationships. In the physical world, we’ve learned to build trust based on our interactions with others, subtle physical cues or how they appear, or whether someone we already trust in turn trusts that person.
For many of us, trust is vital to our daily lives. From the moment we were born and the umbilical cord connecting us to our mother was cut, our identification has relied on others. Our mother trusted those who delivered her baby to ensure the right baby was given to her, and from that moment on our trust relationships have been based on verification from others. Our mother introduced us to the rest of our family and friends as her child, and as we grew older we got government identification, such as a driver’s license or passport. Employers, banks, landlords, airlines, police and many others trust that the government-issued ID represents the person presenting that ID.
In the digital world we have a similar approach to trust, in that we are dependent on third parties to verify the trust. However, the digital world has greatly impacted our trust interactions, as we no longer need to trust only people and organizations; we now also have to trust computers, their operating systems, the websites, systems and applications we interact with, and the cloud services we consume at both a personal and professional level.
This challenge has grown exponentially as a result of the COVID-19 pandemic, as many organizations engaged with cloud service providers, increased how core business systems could be accessed from outside the organization, and enabled staff to work remotely. As we come out of the pandemic, these shifts in how organizations do business will not be reversed. In particular, many organizations will need to continue to trust and support their remote workforce, be they hybrid or fully remote workers. The systems migrated to the cloud will remain there, which entails trusting those cloud providers and the vendors those cloud service providers use. Remote access platforms will need to be secured, and we have plenty of evidence that insecure remote access solutions have led to organizations becoming victims of ransomware attacks.
In addition to the above challenges, we are witnessing a revolution in the Internet of Things (IoT) and smart technologies. This revolution will have many implications for organizations as they employ smart devices to enhance their business, such as smart heating systems in buildings to better control the environment. Other organizations will deploy smart technologies and IoT to help make their production lines more effective, enhance their stock management systems or improve other areas of their business. This entails trusting an ever-increasing number of devices, vendors and systems.
As a result, we can no longer rely on our network perimeter to provide a controlled trusted environment, as networks no longer have a defined perimeter. Our perimeter now extends into the homes and locations that staff work from, into the cloud service providers, into the pockets of people who access our systems from their mobile devices, and it intertwines with the network perimeters of our clients and suppliers.
Many have commented that employing a zero trust model is the best way to approach this challenge. I have to admit I dislike the phrase “zero trust,” as it implies a lack of trust, whereas our goal should be to be in a position to trust. After all, in the physical world we do not normally start an interaction or relationship with someone by not trusting them; instead, we assume different levels of trust based on the interaction.
A key element in building, establishing and maintaining trust is the use of digital certificates. Today, one key (pardon the pun) challenge comes in managing those certificates. Traditionally, this was often done by a system administrator using a spreadsheet listing all the certificates with their properties and expiration dates; those who were really advanced set a calendar reminder for a month before the certificates were due to expire.
However, the above does not scale in today’s challenging environment. We are employing more and more digital certificates to manage the trust relationships that we have. We run our systems on platforms that are not fully under our control; we access services that are provided from the cloud but may be managed by a third party; and we have staff working remotely from locations such as their homes, coffee shops, hotels or work hubs.
The lack of comprehensive management and visibility capabilities over the certificates deployed across various devices, systems, platforms and environments can quickly result in issues such as rogue certificates, unexpected PKI outages, the introduction of vulnerabilities into secure environments and compliance issues. All of these issues can lead to the undermining of the trust we place in those certificates.
The DigiCert 2022 State of Digital Trust Report highlights the impact that losing trust in PKI solutions and certificates can have on a business. According to the report, 84% of customers would move to a competitor if they lost trust in a business. This means organizations need to employ solutions that give them better visibility, automation and tools to manage all of their digital certificate assets.
Trust is a very precious thing. It can take a long time to establish and maintain but can be lost in the blink of an eye. In a world where a competitor is only a click away, organizations need to cherish and protect the digital trust given to them by their clients, staff and stakeholders. They need to treat digital trust as a strategic imperative, and managing trust across the organization is key. Organizations should look for unified approaches to managing trust that provide centralized orchestration of PKI services, public trust issuance and certificate lifecycles.