JUST LIKE TRUE STRENGTH, TRUE ZERO-TRUST STARTS FROM WITHIN!
For once, let’s take a step back and think “inside the box” … I agree that zero trust for remote users is a fantastic approach, but what about the systems themselves? What about the die-hard habits?
Let’s say that your most mission-critical system is patched up, running the most stable “up to date” version of firmware, and … guess what? It is still managed using a self-signed certificate.
In the heat of the moment, the system admin isn’t going to check whether the certificate error is caused by the self-signed certificate itself or by a MitM CA … Moreover, some questions for thought: how many self-signed certs are scattered all over your environment? … How many do your DevOps guys create every day to keep the pace of production “fast”?
I believe that many of the problems in this industry have to do with a lack of internal organisation. They have to do with shabby shortcut practices that ought to end.
Hire PKI specialists to manage your PKI infrastructure, ask them to create an inventory of existing self-signed certs, ask other teams to help them in this process and make sure it is a C-level initiative, then … ask them to put together a roadmap for replacing these with certificates signed by an internal intermediate CA.
Ask them to Automate … Automate … Automate.
This means automating the generation of new certificates as soon as DevOps needs them, plus automating cert renewal and revocation … Finally, make sure these guys are fully dedicated to PKI infrastructure management, with full segregation of duties from anything else.
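As an added illustration of the inventory step (example code, not part of the original post): a stdlib-only Python triage that sorts each certificate into self-signed, issued by the internal intermediate CA, or issued by an unknown CA, by comparing the DER-encoded issuer and subject Names. The host names, the CA name "Corp Issuing CA 1" and the certificate encodings are constructed sample data (unsigned skeletons, not real certificates); a production tool would additionally verify each signature against the issuing CA's public key.

```python
# Classify certificates as self-signed, issued by the internal CA, or issued by an unknown CA.
# Stdlib only: compares DER issuer/subject Names, the same test a TLS client applies first.
def _tlv(buf, pos=0):                       # read one DER TLV at pos -> (tag, value, end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _children(der):
    """Raw encodings of a SEQUENCE/SET's immediate children, in order."""
    out, pos, body = [], 0, _tlv(der)[1]
    while pos < len(body):
        end = _tlv(body, pos)[2]
        out.append(body[pos:end])
        pos = end
    return out
def names(cert_der):
    """Return (issuer, subject) as raw DER Name encodings of one certificate."""
    fields = _children(_children(cert_der)[0])   # children of tbsCertificate
    if fields[0][0] == 0xA0:                     # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[2], fields[4]                  # serial, sigAlg, ISSUER, validity, SUBJECT, ...
def common_name(name_der):
    """Return the CN attribute (OID 2.5.4.3) of a DER Name, else its hex."""
    for rdn in _children(name_der):
        for ava in _children(rdn):
            oid, value = _children(ava)
            if oid == b"\x06\x03\x55\x04\x03":
                return _tlv(value)[1].decode()
    return name_der.hex()
def triage(certs_der, internal_ca_der):
    """Per cert: (subject CN, issuer CN, 'self-signed' | 'internal-ca' | 'unknown-issuer')."""
    ca_subject, report = names(internal_ca_der)[1], []
    for der in certs_der:
        issuer, subject = names(der)
        verdict = ("self-signed" if issuer == subject else
                   "internal-ca" if issuer == ca_subject else "unknown-issuer")
        report.append((common_name(subject), common_name(issuer), verdict))
    return report
# Constructed sample data: DER certificate skeletons with dummy signatures, not real certs.
def _enc(tag, value): return bytes([tag, len(value)]) + value   # short-form lengths suffice
def _name(cn):        # Name ::= SEQUENCE OF SET OF SEQUENCE { id-at-commonName, UTF8String }
    return _enc(0x30, _enc(0x31, _enc(0x30, b"\x06\x03\x55\x04\x03" + _enc(0x0C, cn.encode()))))
def _cert(issuer_cn, subject_cn):         # version, serial, sigAlg, issuer, validity, subject, spki
    tbs = (_enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _enc(0x30, b"") +
           _name(issuer_cn) + _enc(0x30, b"") + _name(subject_cn) + _enc(0x30, b""))
    return _enc(0x30, _enc(0x30, tbs) + _enc(0x30, b"") + _enc(0x03, b"\x00"))
INTERNAL_CA = _cert("Corp Root CA", "Corp Issuing CA 1")
INVENTORY = [_cert("bmc01.example.internal", "bmc01.example.internal"),  # self-signed BMC
             _cert("Corp Issuing CA 1", "api.example.internal"),         # our intermediate signed it
             _cert("Unexpected Proxy CA", "bmc01.example.internal")]     # same host, foreign issuer
```

`triage(INVENTORY, INTERNAL_CA)` returns one tuple per certificate; the two `bmc01` entries show the distinction the admin in the story cannot make by eye: identical subject, but one issuer equals the subject and the other is a CA nobody in the PKI team issued.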