In Activity 2.1.1 “Device Health Tool Gap Analysis”, an organization inventories its devices to understand the ‘what’ connecting to its network. In Activity 2.1.2 “NPE/PKI, Device under Management”, it creates a verifiable identity for these non-person entities (NPEs) using the enterprise’s Public Key Infrastructure (PKI) and manages them through the enterprise’s Identity Provider (IdP).  

This activity extends identity beyond human users. Organizations must use the Enterprise PKI solution/service to deploy X.509 certificates to all supported and managed devices. This means leveraging the established enterprise trust fabric (Activity 1.9.1 “Enterprise PKI/IDP Part 1”) to give devices an identity. Furthermore, it requires that “Other Non-Person Entities” – a broad category including web servers, network devices, routers, applications, and service accounts – that support X.509 certificates be assigned X.509 certificates in the PKI and/or IdP systems. 

The immediate outcome is that NPEs are managed via PKI and IdP. Every automated system, service, and device has a verifiable identity managed by the core identity infrastructure. 

Why is this important? In Zero Trust, implicit trust is removed. Devices and NPEs often have broad access and perform critical functions. Relying on static credentials or weak authentication for these entities creates significant attack vectors. PKI, with its cryptographically bound identities (X.509 certificates), provides a much stronger form of authentication and identity verification for NPEs. 

Solutions for Achieving NPE/PKI, Device under Management 

Implementing Activity 2.1.2 requires close coordination between PKI operations, identity management, and endpoint/NPE management teams. Solutions focus on leveraging enterprise infrastructure, automating certificate lifecycle management, and integrating NPE identities into the IdP. 

Leveraging Enterprise PKI and Certificate Authorities (CAs): 

The foundation is the established Enterprise PKI hierarchy (Activity 1.9.1 “Enterprise PKI/IDP Part 1”). This trusted infrastructure is the source for issuing X.509 certificates to devices and NPEs. 

Automated Certificate Management and Deployment Tools: 

Deploying and managing certificates at scale for a diverse range of devices and NPEs is a significant undertaking. Automated tools are essential for requesting, issuing, deploying, renewing, and revoking certificates throughout the entity’s lifecycle. 

For Devices: Integration with Endpoint Management (EM) or Unified Endpoint Management (UEM) tools is crucial for pushing certificates to managed devices. 

For NPEs: Managing certificates for servers, applications, and other NPEs may require dedicated certificate lifecycle management (CLM) platforms or scripting and automation leveraging protocols like ACME for web servers or APIs for other systems. 

Enterprise Identity Provider (IdP) / Identity and Access Management (IdAM) Solutions: 

The Enterprise IdP platform (centralized or federated, as per Activity 1.9.1 “Enterprise PKI/IDP Part 1”) plays a key role in managing the identity of NPEs. 

This involves incorporating representations of devices, applications, service accounts, and other NPEs into the IdP’s directory or identity store. 

The IdP links the X.509 certificates issued by the PKI to the corresponding NPE identities, enabling certificate-based authentication and authorization based on that identity. 

Endpoint Management (EM) / Unified Endpoint Management (UEM) Tools: 

Beyond inventory (Activity 2.1.1 “Device Health Tool Gap Analysis”), UEM/EM tools are critical for the technical deployment and management of certificates on managed devices. They work in conjunction with the automated certificate management tools and the PKI to ensure devices receive and maintain valid certificates. 

How These Technologies and Tools Work Together: 

Achieving Activity 2.1.2 requires these different types of tools to interoperate: 

  1. The Enterprise PKI issues the trusted X.509 certificates. 
  2. Automated Certificate Management and Deployment Tools handle the technical process of getting the certificates onto the devices and NPEs and managing their lifecycle; for managed endpoints they are integrated with the UEM/EM tools, which perform the actual deployment. 
  3. The Enterprise IdP/IdAM solution manages the digital identity of the NPE, links it to the issued certificate, and uses this validated identity for authentication and authorization decisions. 
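The following Go program is an added illustration of the three steps above, not code from the source document or from any particular product. Using only the standard library, a constructed self-signed CA stands in for the Enterprise PKI, IssueDeviceCert stands in for the automated enrollment tooling, and Authenticate performs the IdP-side check that links a presented certificate to a registered NPE identity, denying devices whose certificate is untrusted, expired, revoked, or not on record. The device names, the in-memory revocation list, and the IdP directory map are all assumed values for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue signs tmpl with parent (self-signed when parent is nil) and returns the cert plus its new key.
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	if parent == nil { parent, parentKey = tmpl, key } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA creates a self-signed issuing CA standing in for the Enterprise PKI (constructed, not a real CA).
func NewCA() (*x509.Certificate, ed25519.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Device Issuing CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

// IssueDeviceCert enrolls a device: the CA signs a client-auth leaf whose CN is the device name (a negative validFor mints an already-expired leaf).
func IssueDeviceCert(ca *x509.Certificate, caKey ed25519.PrivateKey, device string, serial int64, validFor time.Duration) (*x509.Certificate, error) {
	cert, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: device},
		NotBefore: time.Now().Add(-2 * time.Hour), NotAfter: time.Now().Add(validFor),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
	return cert, err
}

// Authenticate applies the IdP-side checks: chains to the enterprise root and is unexpired (PKI), is not revoked (lifecycle), and maps to a registered NPE (deny by default).
func Authenticate(cert *x509.Certificate, roots *x509.CertPool, revoked map[string]bool, idp map[string]string) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil { return "", err } // untrusted issuer, expired, or wrong EKU
	if revoked[cert.SerialNumber.String()] { return "", errors.New("certificate revoked") }
	if npeID, ok := idp[cert.Subject.CommonName]; ok { return npeID, nil }
	return "", errors.New("no NPE identity registered for " + cert.Subject.CommonName)
}
```

In production the revocation map would be replaced by CRL or OCSP data from the PKI and the idp map by a directory lookup, but the ordering of the checks is the point: a cryptographically valid certificate alone does not grant access until the IdP recognizes the identity it carries.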

Key Considerations: 

  • NPE Diversity and Certificate Support: The wide variety of NPE types means their ability to support X.509 certificates and automated management varies significantly. Identifying which NPEs are capable is a crucial first step. 
  • Certificate Lifecycle Automation at Scale: Manual certificate management is prone to errors and outages. Implementing robust automation for issuance, renewal, and revocation for potentially millions of certificates is a major undertaking. 
  • Integration Complexity: Tightly integrating the Enterprise PKI, automated certificate management tools, UEM/EM systems, and the Enterprise IdP requires careful planning and technical expertise. 
  • Establishing Ownership and Accountability: Defining clear ownership and responsibility for the identity and certificate lifecycle of different categories of NPEs is essential for successful management. 
  • Legacy Systems: Older systems may not support modern certificate standards or automated management protocols, potentially requiring exceptions or plans for modernization/decommissioning. 

The Technical Buyer’s Non-Human Identity Challenge: 

Activity 2.1.2 establishes strong, verifiable identities for the non-human entities in your environment by applying PKI and centralized identity management to your devices and automated systems. For technical buyers, success in this activity hinges on effectively leveraging your Enterprise PKI, implementing robust automated certificate management and deployment solutions for a diverse range of devices and NPEs, and utilizing your Enterprise IdP/IdAM solution to manage these NPE identities and enable certificate-based authentication. This activity is about bringing the same level of identity assurance you demand for humans to the critical non-human actors in your digital landscape, a crucial step in building a truly comprehensive Zero Trust architecture. 

Pillar: Device 

Capability: 2.1 Device Inventory 

Activity: 2.1.2 NPE/PKI, Device under Management 

Phase: Target Level 

Predecessor(s): 2.6.2 Enterprise Device Management Part 1 

Successor(s):  

  • 2.4.1 Deny Device by Default Policy 
  • 2.3.6 Enterprise PKI Part 1 
  • 2.2.1 Implement C2C/Compliance Based Network Authorization Part 1 

Technology Partners