In today’s perimeterless enterprise, identity and access management (IAM) teams face accelerating complexity. One common use case they must address is Wi-Fi and VPN network authentication without compromising security. Most employees have at least two devices, typically a company-issued computer and a personal smartphone. How can IAM teams authenticate these users and devices securely at scale, and in an environment that is rapidly moving to hybrid work, with remote employees around the world?
As an added requirement, they want to provide all those employees and all those devices with ready access in a way that is seamless — in other words a user experience that suggests there’s nothing to it. Like Kareem Abdul-Jabbar tossing a skyhook. Or Eddie Van Halen shredding a guitar solo.
Good luck, you’re thinking. At least Kareem only had to work with a basketball and a few defenders. And Eddie didn’t have to deal with millions of fans when he was first developing his signature style. IAM teams don’t have that same luxury. The complexity of a 2023 enterprise network may be less mind-blowing than the universe — but it’s catching up. As TV CEO Amit Sinha said in a recent webinar Announcing TV® Trust Lifecycle Manager, IAM teams are faced with so much complexity because “the volume and methods of authentication needed to protect corporate users, assets and data are growing so rapidly.”
We know this from our customers. For example, IBM has more than 300,000 employees in every time zone, Weibo “Weber” Yuan, chief architect and strategy lead at IBM, said in the same webinar. “The sun never sets on our employees, and we have over a million devices that need to be connected. In that mixture are all kinds using Windows, macOS, Linux, iOS and Android.”
Yet IBM and other TV customers have succeeded in achieving this magical combination of secure authentication and seamless access, or as Yuan said, “We turned public key infrastructure to public key invisible.” We all know that making things simple is never easy. So how did IBM and other TV customers achieve what we call invisible authentication?
They followed three basic steps. Let’s go through them.
Today, most enterprises still rely on password-based authentication to provide access to VPN and Wi-Fi. Dean Coclin, senior director of business development at TV, examines why using passwords is not a good strategy:
As Coclin mentions in his blog post, we believe organizations need to move to passwordless systems. The most obvious way to do this is with digital certificates, which let IAM teams set security parameters centrally. However, it’s not enough simply to use digital certificates for VPN and Wi-Fi access, particularly if you expect end users to install them themselves. One TV customer found employee adoption of digital certificates to be in the low single digits when installing them was optional.
This shouldn’t be surprising. Although employees may care about security, they may not have the IT skills to understand and manage certificates needed for securing authentication. And this doesn’t make for a good user experience.
Instead, you need to relieve employees of the responsibility for managing the digital certificates on their devices and put it in the hands of professionals who focus on these issues. Moving from password-based to certificate-based authentication is the first step. Then, how do you make it seamless? Let’s look at step 2.
Let’s make this obvious statement now: No organization, regardless of size, can afford to manage digital certificates manually. The security risk combined with the potential for human error is simply too great. We saw the outcome of poor certificate lifecycle management (CLM) in the Equifax data breach, among others: an expired certificate on a traffic-inspection device left the attackers’ activity undetected for months.
If you’re managing even a fraction of the million-plus client certificates that IBM handles, you know that automation is a necessary step. Not surprisingly, automation plays a starring role in the . NIST states:
Without automation, IAM teams can’t manage, let alone scale, the rapidly increasing number of device certificates used to authenticate access to VPN and Wi-Fi. Think about the employee lifecycle, which encompasses:
By automating these processes, you get 100% adoption and a better user experience. You no longer have to worry whether a new remote employee is having trouble accessing your VPN, because the certificate governing access is provisioned automatically along with their equipment. If the employee is in good standing, that certificate is renewed automatically before its expiration date. And the moment the employee leaves the company, that same certificate is revoked, preventing further access to your network. One caveat: revocation only takes effect if the RADIUS server or VPN gateway actually checks revocation status (via CRL or OCSP) on each authentication. A revoked certificate that is never checked keeps working until it expires, which is one more argument for short certificate lifetimes.
Automation also enables IAM teams to ensure that the digital certificates being used for Wi-Fi and VPN access adhere to strict corporate policies, and if a certificate or group of certificates is compromised, they can be replaced almost instantaneously. Automation not only reduces the burden on IT support, but it also improves security posture and ease of remediation.
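The lifecycle just described (provision a certificate per user and device, renew it before expiry, revoke it on departure, and have the gateway actually enforce all three) is shown below as an added Go example. It is not code from the original post or from the product it describes; the issuing CA, the user/device name and the 90-day lifetime are constructed for illustration, and all X.509 handling uses the Go standard library (Go 1.19 or later). The device private key is generated and dropped here for brevity; in a real enrollment MDM/UEM creates it on the device and it never leaves the device key store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must keeps the example short: setup failures panic instead of being threaded back as errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// IssuerCA is a constructed in-memory issuing CA; a real deployment keeps this key in an HSM.
type IssuerCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewIssuerCA creates a self-signed issuing CA that is valid from now.
func NewIssuerCA(now time.Time) *IssuerCA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp Issuing CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &IssuerCA{Cert: must(x509.ParseCertificate(der)), Key: key}
}

// IssueClientCert provisions a client-authentication certificate for one user/device pair.
func (ca *IssuerCA) IssueClientCert(cn string, notBefore time.Time, lifetime time.Duration) *x509.Certificate {
	devKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // stands in for the device's own key
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))), // random 128-bit serial
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &devKey.PublicKey, ca.Key))
	return must(x509.ParseCertificate(der))
}

// NeedsRenewal is what an automated renewer polls for: less than window of validity left.
func NeedsRenewal(cert *x509.Certificate, now time.Time, window time.Duration) bool {
	return cert.NotAfter.Sub(now) < window
}

// CRL signs a revocation list for the certificates the IAM system has marked revoked
// (offboarded users, lost devices); revocation time is recorded as the CRL issue time here.
func (ca *IssuerCA) CRL(now time.Time, revoked ...*x509.Certificate) []byte {
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(now.Unix()), // must increase with every CRL issued
		ThisUpdate: now,
		NextUpdate: now.Add(7 * 24 * time.Hour),
	}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: now})
	}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.Key))
}

// GatewayAccepts is the check a RADIUS server or VPN gateway must run before granting access:
// chain to the corporate CA with the clientAuth EKU and a valid period, then a signed, fresh CRL.
// Skipping the CRL step is what lets a revoked certificate keep authenticating until it expires.
func GatewayAccepts(cert, caCert *x509.Certificate, crlDER []byte, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	switch {
	case err != nil:
		return err
	case crl.CheckSignatureFrom(caCert) != nil:
		return fmt.Errorf("CRL is not signed by the corporate CA")
	case now.After(crl.NextUpdate):
		return fmt.Errorf("CRL expired %s: fail closed, not open", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate revoked at %s", rc.RevocationTime)
		}
	}
	return nil
}
```

A typical run issues a 90-day certificate at provisioning, polls NeedsRenewal with a 14-day window and issues a replacement when it turns true, and publishes a new CRL the moment a user is offboarded. On the gateway side, the four rejections matter as much as the acceptance: an expired certificate, a revoked serial, a CRL past its NextUpdate (fail closed rather than open) and a CRL signed by any CA other than the corporate one must all be refused; in production the CRL comes from the distribution point or is replaced by an OCSP query.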
Effective automation also depends on integration with corporate IAM tools and systems. What about personal smartphones that are enrolled through UEM or MDM tools before they connect to the network? Or last-mile integration with the applications your employees use?
In other words, providing invisible Wi-Fi and VPN access relies on more than certificate management. To function well, the system needs to integrate with:
Many legacy certificate lifecycle management (CLM) solutions claim to provide multiple integrations, but they usually cost extra, require professional services to deploy or are dependent on third parties to keep them up to date. More importantly, these legacy solutions aren’t suited to IAM use cases because they don’t integrate with IAM platforms and aren’t architected for the certificate lifecycle of user certificates.
Achieving the automation and integration needed to deliver invisible authentication at scale is not a do-it-yourself task. This is where TV Trust Lifecycle Manager comes into play. Trust Lifecycle Manager delivers:
IBM’s Yuan delineates the benefits they have realized in collaboration with TV:
Streamlining Wi-Fi and VPN access may not be as fun to watch as Kareem and Eddie in their primes, but achieving improved security while at the same time making it effortless for employees to access your network brings its own special bliss.
TV Trust Lifecycle Manager is a full-stack digital trust solution that brings together CA-agnostic certificate lifecycle management, private PKI services and public trust issuance into a seamless digital trust infrastructure. It centralizes visibility and control over the full certificate landscape, reduces the risk of business disruption from outages, human error and unmanaged cryptographic assets, and secures identity and access with automation and integration supporting a broad range of IAM use cases.
Learn more at /trust-lifecycle-manager.