MY TAKE: ‘Digital trust’ has a huge role to play mitigating cybersecurity threats, going forward

By Byron V. Acohido

Modern digital systems simply could not exist without trusted operations, processes and connections. They require integrity, authentication, trusted identity and encryption.


It used to be that trusting the connection between a workstation and a mainframe computer was the main concern. Then the Internet took off and trusting the connection between a user’s device and a web server became of paramount importance.

Today we’re in the throes of digital transformation. Software-defined-everything is the order of the day. Our smart buildings, smart transportation systems and smart online services are all network-connected at multiple levels. Digital services get delivered across a complex amalgam of public cloud, hybrid cloud and on-premises digital systems.

It is against this backdrop that digital trust has become paramount. We simply must attain — and sustain — a high bar of confidence in the computing devices, software applications and data that make up the interconnected world we occupy.

And yet at this moment, digital trust isn’t where it needs to be on the boardroom priority list or the IT security team’s strategy. It remains all too common for threat actors to subvert connected ecosystems. This challenge has not escaped the global cybersecurity community. Largely out of the public’s eye, technologists from the private and public sectors are fully engaged in shaping the elements of digital trust that will safeguard our connected future.

Protocols and policies setting new parameters for trusted connections are being hammered out and advanced encryption, authentication and data protection solutions are being ramped up.

Failure is not an option. These efforts must result in a level of digital trust significantly higher than we have today if we are to have full confidence in digital services, going forward.

This was the main topic of discussion recently at DigiCert Security Summit 2022. I had the chance to talk about DigiCert’s perspective with Jason Sabin, DigiCert’s Chief Technology Officer.

We discussed why elevating digital trust has become so vital. Here are a few key takeaways.

Trust under siege

Long gone are the days when a security team mainly had to be concerned about network connections getting made internally, on company-owned equipment, or externally, across a VPN connection or a public-facing webpage.

Today, software developers are king and agile software is their golden chalice. Developers stitch together modular microservices and software containers that tap into far-flung software-defined resources. This results in ephemeral connections firing off at a vast scale, humans-to-software and software-to-software, all across the Internet cloud.

Trust is under siege. The challenge faced by a security team is to verify the authenticity of each connection and preserve the encryption, as needed, across a massive, sprawling attack surface.

And this is where digital trust comes in, with core implementations such as public key infrastructure (PKI), Sabin noted. PKI is the framework by which digital certificates get issued to authenticate the identity of users and devices; and it is also the plumbing for encrypting data that moves across the public Internet.

Most folks come into contact with the most visible subset of PKI, the TLS/SSL/HTTPS authentication and encryption protocol, each time they connect to a secured website.

However, PKI has engrained itself much more pervasively than that across the digital landscape. Over the past decade or so, companies have turned to using PKI to certify and secure many types of digital connections inside their private networks, as well.

Consider that just five years ago, a large enterprise was typically responsible for managing tens of thousands of digital certificates. Today that number for many organizations is pushing a million or more digital certificates, as digital transformation accelerates.

“There’s a massive shift unfolding very, very quickly,” Sabin told me. “Trust has become the backbone of security and, as a result, companies are leveraging PKI technology to implement trust in all parts of their ecosystem, which basically comes down to issuing and managing a lot of digital certificates.”

Protocols, policies and PKI

The question then becomes: Is PKI robust enough to support the elevated level of digital trust that’s needed?

DigiCert and other security experts essentially argue that the answer is: PKI is ubiquitous, time tested and well-suited to leveraging automation. It can form a foundation of a larger digital trust strategy.

DigiCert, for instance, supplies advanced PKI management systems that can authenticate the identity of an individual, a business, a machine, a workload, a software container or a microservice. And automation already is being leveraged to assure that an object hasn’t been tampered with, as well as ensure the encryption of data in transit – at scale.

Advanced data security technologies, no matter how terrific, are just one piece of the puzzle. The security experts and thought leaders at DigiCert’s conference discussed the progress being made on a couple of other fronts: protocols and policies.

In order to achieve a level of digital trust needed to support great leaps forward, a fresh set of technical protocols, compliance benchmarks and supporting audits remain to be finalized and implemented.

The model for driving consensus of this sort has been laid out by the industry forums and consortiums that convened to give us the protocols and policies undergirding the public Internet. Many of these same groups, like the CA/Browser Forum, which focuses on benchmarks for digital certificates, remain active and are hashing out new rules of the road.


“We have to think about how to extend trust to mobile devices and to IoT devices, and how to more effectively protect supply chains and critical infrastructure,” Sabin says. “We also must find ways to encourage high levels of compliance with industry standards and government regulations. This is all part of building trusted digital ecosystems.”

Everyone should realize what’s at stake here: smarter buildings, autonomous transportation systems, climate change remediation, medical breakthroughs.

As people spend larger chunks of their waking hours online, the boundary between personal and work connectivity has become fluid. Companies need to come to view digital trust as a strategic imperative.

This challenge speaks to verifying the integrity of homespun and third-party software builds, firmware on connected devices and their trusted access, trustworthiness of documents and much more, Sabin says.

I agree. And I’m encouraged that the work of prioritizing digital trust is well underway. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

 
