Whitepaper

10 PKI Use Cases

for Stronger
Enterprise Security

www.appviewx.com
What’s Inside?

Keeping Up with the Changing Times in Cybersecurity 03

Zero Trust - Never Trust, Always Verify 05

The Critical Role of PKI And Digital Certificates in Enterprise Security 07

10 PKI Use Cases for Stronger Enterprise Cybersecurity 09

1. Securing public facing websites and applications (TLS/SSL) 09

2. Device authentication (Bring your own device, Mobile, IoT) 12

3. Cloud application access 18

4. DevOps (Code Signing) 21

5. Securing communication between microservices and containers 24

6. Passwordless shell access to machines (SSH) 27

7. Multi-factor Authentication (MFA) for VPN or private network access 31

8. Corporate WiFi protected access 33

9. Mutual authentication for secure web applications (mTLS) 35

10. Email security 38

Compliance Attestation 41

PKI – The Road Ahead 42

Meet AppViewX CERT+ PKIaaS 43

2
© 2022 AppViewX, Inc. All Rights Reserved.
Keeping Up with the Changing
Times in Cybersecurity
To describe data as the very lifeblood of organizations is no longer an exaggeration. It
is indeed the new fuel powering the digital economy. Harvesting the potential of data is
helping unlock new growth opportunities, and it has become a winning strategy for
organizations of all sizes across all industry sectors.

On the other hand, protecting data, the most valuable asset, has become a massive
challenge for organizations. Digital transformation, multi-cloud, DevOps, BYOD,
Internet of Things (IoT), and distributed workforces have dramatically expanded the
attack surface with countless new entry points into an organization’s network. With
perimeter-based security controls no longer reliable, managing network access for
hundreds to thousands of distributed devices and applications has grown beyond
complex for security teams. Unlike before, data is now available everywhere, moving
freely between multiple public and private clouds. Protecting data throughout the
lifecycle— at rest, in transit, and in use—is yet another challenge for overburdened
security teams. Unknown and unaddressed vulnerabilities stemming from this
management complexity are weakening the security fabric, resulting in increased data
breaches, identity theft, and financial losses.

According to a Ponemon Survey, 82 % of respondents

said they believe their organizations experienced at
least one data breach due to digital transformation.

3
© 2022 AppViewX, Inc. All Rights Reserved.
The need to protect valuable data and an interconnected, distributed network of
technology and systems is necessitating enterprises to think beyond the perimeter and
explore new security solutions that understand the security requirements of the
cloud-first world.

The search for a new approach has led many organizations to identity-first security.
Identity-first security revolves around the idea of using digital identities to protect
enterprise assets and secure network access. Unlike traditional perimeter-based
security, identity-based security is location-agnostic, allowing organizations to extend
security beyond the identified locations and protect assets regardless of where they are
being accessed from. In other words, users can securely access corporate apps and
resources from any device, any location, and at any time. The ability to provide secure
network access to remote workers makes identity-first security the most effective
security approach to protecting distributed, cloud-driven IT environments and lays an
excellent foundation for implementing Zero Trust security, the gold standard of
modern cybersecurity.

One of the key findings from the 2022 State of Zero

Trust Report by Okta indicates that 80% of the survey’s
respondents deem identity important to their Zero
Trust strategies.

4
© 2022 AppViewX, Inc. All Rights Reserved.
Zero Trust Security - “Never Trust,
Always Verify”
A widely recommended approach to securing access to distributed applications,
systems and services is Zero Trust security. The central idea of Zero Trust is to not trust
anything inside or outside the corporate network without strict and continuous identity
verification. With the traditional security perimeter dissolving, identity has become the
new perimeter, and the Zero Trust model mandates authenticating both human and
non-human entities before allowing them network access.

Another principle of Zero Trust is “least privilege access,’ which mandates allowing
network users to access only those services and applications required to do their job.
Access is limited by micro-segmentation or smaller security perimeters at the host,
application, and data layers. Providing conditional, role-based access to every user and
device in the network helps provide the right access to the right services at the right
time, enabling tighter network and data security.

In January 2022, President Biden's administration released a new

memorandum that called for federal agencies to make bigger
strides toward adopting Zero Trust Architectures. It set forth
specific strategic goals to be achieved by the end of Fiscal Year
2024, aligning with CISA’s five pillars - Identity, Devices, Networks,
Applications and Workloads, and Data.

- Presidential Memorandum

5
© 2022 AppViewX, Inc. All Rights Reserved.
Here are the key focus areas through which Zero Trust helps organizations strengthen
their security posture and limit their attack surface:

Strong user identification and access policies

Segmentation of data and resources

Strong data security in storage and transfer

Security orchestration

Understandably, identity verification and data protection form the building blocks of
the Zero Trust strategy. By getting these right, organizations can create a strong
foundation for implementing Zero Trust security.

The percentage of companies with a defined Zero Trust

initiative in place more than doubled in the last one year.

- 2022 State of Zero Trust Report by Okta

As digital transformation progresses, data breaches will continue to rise. Zero Trust
promises to build cyber resilience by shifting the focus of security from location to data.
As Zero Trust gains adoption this year and starts to become a standard security
approach, identity-first security solutions will play an instrumental role in its effective
implementation.

6
© 2022 AppViewX, Inc. All Rights Reserved.
Public Key Infrastructure (PKI)
The Foundation of Identity-First and
Zero Trust Security

As identity-based security and Zero Trust take center stage in cybersecurity, IT security
leaders are refocusing on public key infrastructure. PKI is not a new concept.
Enterprises have been using PKI for decades as part of identity and access
management. However, with digital transformation expanding the IT footprint, PKI has
become even more vital for cybersecurity.

PKI is a widely used security tool for authentication and encryption of data and
communications. Primarily, PKI helps authenticate network assets via unique digital
identities and encrypt communication for secure data transfer. Authentication is
carried out with the help of digital certificates, and encryption/decryption is carried out
with a pair of cryptographic (private and public) keys. With identity at its heart and a
powerful combination of authentication and encryption capabilities, PKI helps
organizations ensure privacy, integrity, and security of data regardless of where it is
stored, processed, or transferred.

Elements of PKI

PKI-based digital certificates are identity proofs that help verify the authenticity of
every user, device, and application on the network to ensure secure network access.
By binding unique identities to every asset, digital certificates make security more
mobile, allowing enterprises to take it closer to the location of the assets. In other
words, enterprises can create a cybersecurity mesh that focuses on protecting every
access point by building individual security perimeters for assets. Doing so helps
secure access to data and systems regardless of where they are – the cloud, edge, or
on-premises.

7
© 2022 AppViewX, Inc. All Rights Reserved.
 End-to-end encryption is another core strength of PKI. With the majority of
applications moving to the cloud and a distributed workforce accessing data
remotely, most network communication now happens outside the traditional network
perimeter. Securing this communication from malicious actors hinges largely on how
strong the encryption is. PKI is built on the foundation of cryptography and encrypts
data at all times—at rest, in transit, and in use. This helps secure machine-to-machine
communications and, in turn, maintains the confidentiality and integrity of data
exchanged.

In its “Zero Trust Architecture” report, the National

Institute of Standards and Technology (NIST) describes
PKI as an essential foundational component of Zero
Trust architecture.

As digital ecosystems grow in scale and complexity, the need for PKI-based
authentication and encryption only grows stronger. As more enterprise use cases
emerge, PKI is rising to the challenge by continuously evolving and adapting to the
needs. Today, PKI can secure a broader range of new use cases than it was initially built
for, accelerating secure digital transformation. This whitepaper explores ten different
enterprise use cases that can be best protected with PKI.

8
© 2022 AppViewX, Inc. All Rights Reserved.
01

Securing Public Facing Websites

and Applications

Rapid digital transformation in recent times has led to an unprecedented surge in

internet communications. Securing data transmission on the internet has become
more critical than ever, considering the aggressive threat landscape.

SSL/TLS is a popular cryptographic protocol used to establish a secure web connection

between an application client and a server and ensure the data being transferred stays
protected from malicious actors.

One of the most common areas where SSL/TLS is used is browser-server

communication, which protects internet-facing websites and services. Every service in
the world today mandates that connections are secured by TLS.

Note: TLS is the successor to SSL, and TLS 1.3 is the latest and most secure version of
the protocol. However, SSL continues to be used as a metonym for both protocols in
general, as several organizations continued to use SSL even after TLS was released.
Hence, the protocol is often referred to as SSL/TLS.

9
© 2022 AppViewX, Inc. All Rights Reserved.
 There are three critical functions and benefits of the TLS protocol:

Authentication: Verify that the communicating parties are genuinely who

they claim to be.

Confidentiality: Protect the data in transit by converting the plain text

message into a ciphertext message so it can only be accessed and read by
mutually trusted parties.

Data integrity: Guarantee that the message received is in its original form
and is not altered or tampered with during transit.

It is completely possible to establish web connections without TLS. However, non-TLS

communications are not encrypted, therefore, completely exposed to external access.
Any malicious actor could easily eavesdrop on these communications and steal data or
tamper with it. For example, if a user logs into a banking website that is not secured by
SSL/TLS, an attacker could effortlessly steal user credentials and misuse them to carry
out fraud.

How does SSL/TLS work?

TLS certificates are vetted and issued by a certificate authority (CA). When a TLS
certificate is installed on a web server, it includes important information about the
owner of the domain along with a public key and a private key. This certificate is used
to validate the identity of the web server.

10
© 2022 AppViewX, Inc. All Rights Reserved.
When a user visits a website, the browser initiates a connection with the server. In
response, the server sends a copy of its public key, embedded in its digital certificate, to
the browser. The browser checks the certificate to verify that the server is legitimate
and, if it is, proceeds with the session.

The client uses the server’s public key and its private key to encrypt a ‘session key,’
which is a key that will be used by both parties to encrypt and decrypt information in
this particular session. The session key becomes invalid as soon as the connection is
terminated. Both parties test the connection by sending each other encrypted
messages. If the other can decrypt them using the session key, the connection has
been successfully secured.

Connections secured by an SSL/TLS certificate display HTTPS (Hypertext

Transfer Protocol Secure) status in the address bar along with a lock
icon. This indicates that the domain is legitimate and the
communication with the website or service will remain protected.

PKI management problems?

What if you could automate all of your PKI processes?

Register for the AppViewX CERT+ PKIaaS demo to learn more.

11
© 2022 AppViewX, Inc. All Rights Reserved.
02
Device Authentication

As organizations transition to digital business models and hybrid work constructs,

there is an explosion of mobile and IoT devices. Securing this ocean of distributed
devices is a significant challenge for security teams amidst the risks of misconfigured
firewalls, public WiFi connections, and unaware employees. Organizations are caught in
a dichotomy, trying to balance employee freedom and data security. Without a
well-thought-out device security strategy and the right security tools, the chances of
device compromises causing security breaches becomes significantly higher.

Challenges with bring your own device (BYOD) policy

With work-from-anywhere becoming the order of the day, organizations of all sizes are
increasingly adopting BYOD or Bring Your Own Device policies to boost employee
productivity while reducing costs. Implementing BYOD has also driven a sharp rise in
the use of personal devices, such as smartphones and tablets for work. Recent data
indicates that two-thirds (66%) of smartphones and over half (55%) of tablets used in
the enterprise last year were employee-owned.

12
© 2022 AppViewX, Inc. All Rights Reserved.
Since every endpoint that connects to the corporate network from outside the
perimeter is a potential attack point, it is critical that these are efficiently regulated,
managed, and well protected. This is especially critical when it comes to BYOD because
employees use the same devices for both personal and business use. Enforcing
organizational security policies on employee-owned devices is also a challenge as it can
interfere with their personal usage. Ensuring that the organizational data is accessed,
stored, and exchanged securely on these personal devices has become an uphill battle
for security teams.

Challenges with BYOD and mobile devices

Due to remote and hybrid work models, there is a huge uptick in the number of mobile
devices, such as laptops, used for business. As more mobile devices now have access to
corporate networks and sensitive data, the attack surface has expanded by leaps and
bounds. Unlike the traditional desktop PCs that are bound to the office premises and
protected by firewalls, laptops are portable with no definite location, therefore not
protected by the network perimeter. Remote users connect to the corporate network
via unsecured home and public WiFi networks and access sensitive business data
directly from the cloud.

While Mobile Device Managers (MDMs) help simplify and streamline the management
of mobile devices, they do not entirely address the security problem. There might be
scenarios where vendors and partners need to access enterprise applications. Their
devices may not be part of the enterprise MDM and can pose a threat to security.

Although organizations can enforce security policies in some capacity on these devices,
without strong access controls, they are still vulnerable to attacks. According to a 2022
report by Check Point, 97% of companies have faced cyberattacks involving mobile
threats, such as phishing, banking trojans, man-in-the-middle attacks, and more.

13
© 2022 AppViewX, Inc. All Rights Reserved.
Addressing BYOD and mobile device security issues with PKI

PKI helps effectively mitigate mobile and BYOD security risks by basing security not on
location but on the identity of the device and user. To trust mobile devices and their
owners with network and application access, PKI-based digital certificates help
authenticate both the user and device, regardless of their location. Strong user and
device authentication help ensure only authorized devices are allowed network access
and authorized users are allowed specific application access.

With mobile communications, the importance of encryption cannot be overstated. PKI

helps secure all mobile communications with robust end-to-end encryption. Encrypting
data and creating a secure communication channel helps protect data at all times—
storage, transfer, and processing. Encryption also ensures data remains protected even
when the device gets stolen or hacked.

Another advantage of using PKI is the multi-functional nature of digital certificates,

meaning – a single certificate can be used to secure a variety of mobile security use
cases.

Email Access: Allow only authorized devices to access corporate email servers and
authenticate users to their email.

Email Communication: Allow users to digitally sign the email and encrypt the message
sent, ensuring the authenticity, integrity, and confidentiality of the email.

WiFi Access: Allow only those mobile devices with valid digital certificates to access
your corporate WiFi network.

VPN Access: Configure VPN connections to only allow devices with pre-installed
certificates to access corporate connections.

14
© 2022 AppViewX, Inc. All Rights Reserved.
As hybrid work models are now the new normal, the BYOD trend will continue to
gather more momentum, and the use of mobile devices will increase. At the same time,
mobile-based threats will also increase. It is imperative that organizations focus on
implementing a proper BYOD and mobile device security policy supported by necessary
security measures to prevent device security compromises.

Challenges with the Internet of Things (IoT)

One of the game-changing outcomes of digital transformation is the rise of the

Internet of Things (IoT). The power of real-time data and analytics has caused a
paradigm shift in the way organizations perceive IoT today. Besides manufacturing
and automotive sectors that are at the forefront of IoT adoption, consumer-facing
industries such as healthcare, retail, and wearables are also exploring everyday use
cases to capitalize on IoT.

IoT making in-roads rapidly in both consumer and industrial sectors has activated the
threat landscape like never before. IoT devices are being attacked within five minutes
of being plugged into the internet (NetScout Report). From the Mirai-powered botnet
attack on the popular DNS provider, Dyn, that brought down the internet to the
Verkada Surveillance breach that exposed live feeds of thousands of surveillance
cameras—IoT attacks continue to create more dangers. The frequency and complexity
of these attacks are also steadily increasing, year after year, giving rise to serious data
privacy, security, compliance, and human safety concerns around IoT.

Why are IoT devices soft targets?

IoT devices are not like conventional mobile devices, such as laptops and smartphones,
that have built-in security functions. IoT devices come in several form factors and may
use different, non-standard software and vendor-specific technologies that make
implementing security measures in them extremely difficult.

15
© 2022 AppViewX, Inc. All Rights Reserved.
In addition, factors such as the interoperability of devices, the vulnerable edge location,
insecure communication channels, firmware or software corruption, improper device
updates, and the lack of robust security protocols also make IoT highly susceptible to
attacks.

Weaving Security into the IoT Fabric with PKI

To protect IoT devices from cyberattacks, enterprises today need to focus on meeting
three critical security requirements: secure deployment, scalability, and complete
control. These requirements can be effectively met by taking the PKI route to IoT
security.

PKI helps enterprises double down on IoT security by switching from device-focused
security to identity-based security. This helps protect IoT devices regardless of their
location.

Using PKI, enterprises can build IoT security at multiple levels through:

1. Identity-based authentication: Provisioning unique digital identities to IoT devices

right at the manufacturing stage via X.509 digital certificates that allow fool-proof
authentication of devices. Using digital certificates procured from trusted CAs for
verification removes the need for passwords and delayed authorization checks.

2. Data encryption: Encrypting the data stream between IoT devices and the network
with strong TLS protocol and ciphers for private and secure communication.

3. Code signing or Firmware signing: A verification mechanism to ensure that the

correct version of software/firmware is installed. This enables tamper detection and
secure boot.

16
© 2022 AppViewX, Inc. All Rights Reserved.
4. Strong policy enforcement and control: Establishing controls and policies to ensure
secure access to all devices, i.e., to provide the right access to the right devices to the
right people. It also helps comply with industry standards by ensuring that the devices
are running the latest, most secure software versions.

As the world pivots towards the development of smart cities and AI finds
more applications, the IoT market will continue to flourish. It is predicted
that by 2025, there will be approximately 27 billion connected IoT
devices— including cameras, thermostats, door locks, smart TVs, health
monitors, lighting fixtures, automobiles, industrial controls and more.
Considering this growth forecast and the evolving attack vectors, it is
critical for IoT vendors and organizations to focus on safeguarding IoT
devices right through the manufacturing process and operating securely
in edge locations where they are installed. Thanks to the IoT Cybersecurity
Improvement Act and Biden's executive order, there is now greater
awareness about securing IoT by design.

Setting up a secure, scalable, and

compliant PKI has never been easier.

Register for the AppViewX CERT+ PKIaaS demo to learn how.

17
© 2022 AppViewX, Inc. All Rights Reserved.
03

Cloud Application Secure Access

Moving software applications, storage, and even security solutions to the cloud
definitely has sizable advantages for enterprises today, such as high efficiency, agility,
scalability, and cost and resource savings. Despite the many advantages, the
unprecedented level of expansiveness that the cloud brings also introduces a number
of unique security challenges.

While the cloud service provider might be responsible for a few security-related SLAs,
the lion’s share of security responsibilities still falls squarely on the shoulders of the
enterprise’s IT function, especially with private cloud solutions that are hosted
in-house.

18
© 2022 AppViewX, Inc. All Rights Reserved.
The biggest challenge that comes with cloud migration is securing and controlling
access to the vast number of applications and services in the growing cloud ecosystem.
Legacy security controls stacked in data centers are failing to extend security to assets
in third-party cloud environments that are beyond the purview of the traditional
perimeter. As a result, some resources are granted default access that is more
excessive than needed, which has significantly increased the risk of lateral movement
and data breaches.

High-profile breaches such as the SolarWinds attack clearly illustrate how malicious
actors can exploit weak privileged access controls to gain access to cloud applications
and then break into larger corporate networks.

There is also the problem of fragmented visibility that makes it particularly challenging
to monitor assets and assess risks in multi-cloud environments. Different cloud
services come with different management platforms, making it difficult to centralize
and track resources, entitlements, and access permissions.

Securing a distributed cloud infrastructure requires a distributed security model that

can protect assets in whichever cloud they are. In other words, it requires a
location-independent security model that is not dictated by the traditional network
perimeter. This is where PKI comes to help.

PKI helps establish unique identities for all cloud users, applications, and assets via
digital certificates and uses them to establish trust and enable secure access. Digital
certificates help authenticate and authorize every cloud user and application (even on
the microservices level) in a systematic way to provide trusted network access. Using
digital identity as the access control helps prevent a host of cloud security issues such
as unauthorized application access, unwarranted lateral movement, data breaches, and
non-compliance.

19
© 2022 AppViewX, Inc. All Rights Reserved.
Visibility is key for protecting multi-cloud environments from vulnerabilities and
cyberattacks. PKI helps gain complete visibility of the cloud environment by issuing
digital certificates for every asset in the cloud. Through these certificates, organizations
can efficiently monitor the entire environment for security weaknesses, eliminate blind
spots, and improve incident response.

PKI also provides end-to-end data encryption. Encrypting data at rest, in transit, and in
use is particularly critical in the cloud, considering cloud applications are accessed from
literally anywhere. PKI certificates help build a secure communication channel between
users and cloud applications, protecting the data transfer from interception or theft.
While strong data encryption helps build an additional layer of security for the cloud, it
also helps ensure data protection regulations, such as GDPR and others, are met
satisfactorily.

According to the State of Cloud Security 2021 by IDC, “70% of

organizations are spending more than $10M yearly on cloud
infrastructure. On the other hand, 98% report having at least one cloud
data breach in the past 18 months, and 67% report three or more
incidents.” It is irrefutable that the cloud is the new field of play for
attackers. Even so, organizations can beat these odds and reap the fruits
of such massive cloud investments by implementing robust security
controls in the cloud. PKI-based Identity security promises better control
over cloud security without undermining its agility and efficiency.

20
© 2022 AppViewX, Inc. All Rights Reserved.
04

DevOps

The focus on speed and agility is driving rapid adoption of continuous

integration/continuous delivery (CI/CD) and DevOps practices. Rapid release cycles are
transforming the way applications get packaged and delivered, and, in turn, drive more
revenue streams and profitability.

While DevOps is an effective practice, the success of DevOps greatly relies on the
organization’s ability to secure the software being released. As frequent software
updates are part and parcel of DevOps, threat actors are finding new ways of
corrupting software releases and executing large-scale supply chain attacks. The
infamous SolarWinds supply chain attack was the biggest wake-up call for software
publishers across the world to start focusing on securing software applications as much
as developing them.

21
© 2022 AppViewX, Inc. All Rights Reserved.
Securing DevOps and the software supply chain with
code signing

To secure software releases, PKI-based code signing is one of the most critical security
layers developers can add to their software development lifecycle. Code signing is a
security practice that allows developers to digitally sign applications and software
programs in order to prove to customers that the software is from a trusted source
and that it has not been tampered with since signing. This assures consumers that the
code is valid and from a legitimate source.

Whenever a user tries to download software onto a computer, the Operating System
authenticates the software by checking its code signing certificate. If no digital
certificate is found, then the user can be alerted to this fact and prompted to either
stop or continue the installation.

Without code signing, software distribution can serve as an easy attack vector for
launching software supply chain attacks and infiltrating corporate networks that are
otherwise well protected. Code signing is especially critical in DevOps, where software
releases are more frequent.

Benefits of code-signing

Source verification - Helps authenticate the identity of the developer, promoting trust
on both sides of the transaction.

Code integrity - Provides proof that the software has not been tampered with and is
being consumed in the way it was intended to be.

Software distribution - Allows developers to distribute software on a broad range of

platforms—given that major platforms mandate code signing before publishing.

22
© 2022 AppViewX, Inc. All Rights Reserved.
Code signing is a component of almost all commercially packaged and distributed
software these days. Apart from Windows, Java, Linux, OSX, and other applications,
code such as VBA macros is also code-signed before being released. Apps that are
distributed on major mobile platforms—Google’s Play Store and iOS’ AppStore—have
to be signed before they are distributed on their respective platforms.

As application teams aggressively shift to DevOps and CI/CD practices,

code signing has become greatly important in the cybersecurity
landscape. When implemented correctly with security best practices, code
signing can be one of the most powerful defenses organizations can use
to fight cyber threats and secure the software supply chain.

Turnkey enterprise PKI integrated with certificate lifecycle

automation. That’s the power of AppViewX CERT+.

Register for a demo to learn more.

23
© 2022 AppViewX, Inc. All Rights Reserved.
05

Securing Communication
between Microservices and Containers

One of the biggest drivers of agile application delivery is the adoption of microservice
architectures and containers. The modular structure of microservices and
containerization make application development simple, flexible, and scalable.
Developers can quickly apply changes, roll out updates easily to selective modules, and
compile applications to run in different environments.

While working with microservices and containers has immense benefits, it also comes
with a unique set of security challenges.

As microservices create several fragments of a single application, they also create as

many vulnerable entry points for attackers. Microservices are often developed by
independent teams and deployed in different environments, which significantly
increases the risk of unauthorized access and threat propagation.

24
© 2022 AppViewX, Inc. All Rights Reserved.
Containerized environments are inherently more complex than traditional deployment
environments. Most organizations run multiple container images, with multiple
instances of each image—inadvertently creating a single point of failure. When one
container environment is compromised, all applications within each instance are at
risk. Further, as containers need to constantly communicate with each other, a single
breach could quickly propagate from one container to another, leading to a massive
data breach.

Further, developers incessantly churn containers at a large scale to accelerate release

cycles. The sheer sprawl, the shorter lifespans, and the dynamic nature of containers
make it extremely challenging to monitor them at any given time for code integrity and
misconfigurations.

Securing microservices and containers boils down to applying identity-based security at

every layer of microservices and implementing micro-segmentation. Such layered
application security can be effectively implemented with PKI.

Using PKI-based Mutual TLS or mTLS certificates, developers can enable individual units
in the microservices ecosystem to mutually authenticate their identities and encrypt
communication between multiple services. In doing so, PKI helps strongly secure
north-south and east-west traffic to eliminate the risk of unauthorized lateral
movement and communication in the network.

In a typical microservices architecture, enterprises use service mesh, a dedicated layer

that helps control how parts of an application interact and share information. Service
mesh helps route requests for data between services to improve communication and
optimize application performance.

25
© 2022 AppViewX, Inc. All Rights Reserved.
Certificate lifecycle management (CLM) solutions today provide deep integrations with
service mesh platforms such as Istio to help efficiently manage the certificates enabling
authentication, authorization, and encryption of service communication. This
integration further allows enterprises to effectively implement micro-segmentation to
secure service-to-service communication at the application layer.

To manage and orchestrate containers, DevOps teams typically use Kubernetes – an

open-source engine that offers services for scheduling and deploying containers and
scaling them based on utilization. PKI can also be used for Kubernetes authentication.
It can help run the cluster for communication between container functions and encrypt
the traffic passing within the application that runs inside the container. While
Kubernetes can automatically generate certificates for containers, security-conscious
organizations can also generate their own certificates and configure them for reliability.

CLM vendors today provide extensive automation capabilities that can

greatly improve certificate management for containers. An integrated
CLM solution supports container-based platforms and integrates with
dedicated container management tools that provide an efficient and
reliable mechanism for deploying certificates and keys for applications
hosted in a container infrastructure.

26
© 2022 AppViewX, Inc. All Rights Reserved.
06

Passwordless Shell Access to

Machines (SSH)

The new reality of remote work has resulted in a large number of employees accessing
corporate resources via home WiFi networks and public internet. In a distributed and
dynamic environment such as this, it is essential for organizations to have a strong user
authentication system to ensure that only authorized people are allowed access to
sensitive business information and mission-critical systems.

SSH (Secure Shell protocol) is a popular cryptographic protocol that enables secure
remote access to servers and devices over the public internet. Traditionally, enterprises
use password-based authentication for SSH. SSH users usually pass on their credentials
to remote servers for client authentication. The server checks for these credentials in
the database and, if found, authenticates the client and allows it to communicate.

27
© 2022 AppViewX, Inc. All Rights Reserved.
A major drawback of this process is that passwords are shared over the wire. If an SSH
password gets compromised, attackers can get root access to critical systems, leading
to dire consequences. A recent study released by NordPass revealed that weak, reused,
or compromised passwords are frequently responsible for the majority of data
breaches across industries, such as healthcare, technology, finance, energy, hospitality,
manufacturing, and more. Also, even large organizations are struggling to enforce safe
password practices, exposing themselves to the risk of phishing, credential stuffing,
and brute force attacks.

Password vulnerabilities coupled with the rapid rise in credential-based attacks are
necessitating a new approach to SSH authentication, one that does not involve
passwords. That’s where passwordless authentication comes in.

Passwordless authentication for SSH

As the name suggests, passwordless authentication completely removes passwords

from the equation. Instead, it authenticates users and machines using other secure
options, such as one-time passwords (OTPs), magic links, biometrics, and PKI that are
more real-time and short-lived. These methods do not require users to create or use
passwords, making them highly convenient to use and significantly more secure than
password-based authentication

According to the 2022 State of Zero Trust report by Okta, 24% of the
survey’s participants working in financial services said they are planning
to move forward with passwordless authentication soon or have already
done so. Also, nearly one-fifth of health care (17%) and software
companies (18%) in the survey said they expect to do likewise.

28
© 2022 AppViewX, Inc. All Rights Reserved.
The PKI approach to passwordless authentication

One of the reliable approaches to implementing passwordless SSH authentication is

PKI. While traditional password-based authentication is based on ‘what you know’ (a
password), PKI authentication is based on ‘what you have’ (a private key related to a
certificate).

In the case of SSH, the client authentication is carried out with the help of the key pair
that the client owns and its ability to decrypt an encrypted message (with its private
key). Unlike the case of passwords, SSH users are not required to share the private key
with the remote server at any stage of the communication. As the private key never
leaves the user’s system, there is no question of it getting compromised, which
minimizes the risk of exposure and security breach.

As private keys are the heart of PKI-based authentication, they are stored in highly
secure locations such as HSMs (Hardware Security Module) and key vaults. Secure
storage of private keys reduces the risk of hackers getting access to them. Private keys
are also extremely difficult to crack through brute force as they are mathematically
derived and complex, unlike passwords that are usually alpha-numeric.

Replacing passwords with PKI also saves IT resources a significant amount of time and
effort as they no longer have to engage in recurring password reset requests. It also
removes the need for point solutions, such as password managers and help desk
ticketing systems.

28
© 2022 AppViewX, Inc. All Rights Reserved.
To help cut down on deployment complexity and make the onboarding journey fast
and smooth, modern PKI solutions are now available as a service. They are easy to
provision and scale, as the infrastructure is entirely taken care of by the PKI service
provider.

Modern PKI solutions also provide extensive integration support for multi-cloud,
DevOps, and containerized environments. They integrate seamlessly with existing
enterprise solutions such as ITSM, SIEM, and MDMs, making them easy to manage and
convenient to use cross-functionally.

Passwords are an organization’s first line of defense. But they are no

longer fool-proof enough to defend against modern threats. Given the
surge in credential-based crimes and the need for strong and secure
authentication mechanisms, passwordless is definitely a safer alternative.
PKI has been around for decades and has evolved to meet the complex
security requirements of the modern IT landscape.

With PKIaaS, setting up an enterprise PKI is now

easier and faster than ever!

Talk to one of our experts to learn how.

30
© 2022 AppViewX, Inc. All Rights Reserved.
07 VPN

VPN

VPN
VPN

Multi-Factor Authentication (MFA)

for VPN Or Private Network Access

With the majority of workforce working remotely, VPN has become the lifeline of
everyday business operations. VPNs are enabling remote employees, partners, and
third-party vendors to securely access corporate networks and resources over the
internet, regardless of where they are.

However, with remote work driving an exponential increase in the number of VPN
connections, VPN-based threats have also increased proportionally. VPNs are being
targeted with various attack tactics, such as VPN hijacking, man-in-the-middle, malware
injection, DNS leak, DDoS, and more. Amidst these threats, securing VPNs has become
critical to protecting business communications and transactions.

Securing VPN connections starts with implementing strong authentication.

Authenticating users and endpoints is key to mitigating the risk of unauthorized access.

31
© 2022 AppViewX, Inc. All Rights Reserved.
For a long time, VPN connections relied solely on usernames and passwords for
authentication. While passwords do provide security to some extent, they are no longer
enough. Factors like poor password hygiene and shareability are being frequently
exploited by threat actors, necessitating multi-factor authentication (MFA) for VPNs.

PKI-based digital certificates serve as a reliable and secure MFA option for VPN access.
They are based on cryptography and provide a fool-proof way of authenticating users
and their endpoints. Unlike other MFA mechanisms such as hardware tokens and
one-time passwords, digital certificates cannot be shared, guessed, or stolen. The
private key never leaves the client machine and cannot be stolen in transit, making it
more secure to use. As PKI certificates serve as identity proofs for every authorized
endpoint, organizations can rest assured that the connecting device can be trusted.

Further, PKI certificates carry out authentication checks seamlessly in the background,
requiring no user intervention. The user’s identity certificate key is stored on their
computer, laptop, or mobile phone and is authenticated without requiring any action.
This, in turn, simplifies the connection process and improves the user experience.

When coupled with password-based authentication, PKI-based certificates provide an

effective, additional layer of security for VPN access. This two-factor authentication
approach significantly reduces the chances of unauthorized access and security
breaches.

With the hybrid work model seeing widespread adoption, VPNs will
continue to be used on a large scale. Given the broad range of access that
VPNs provide, attackers will find new ways of exploiting them, especially
when simple, password-based authentication is used. To provide highly
secure VPN access, organizations must implement strong multi-factor
authentication safeguards, such as PKI.

32
© 2022 AppViewX, Inc. All Rights Reserved.
08

Mutual Authentication for Secure

Web Applications (mTLS)

In a remote work model, employees can essentially work anywhere there is an Internet
connection, which means accessing business-to-business (B2B) applications directly on
public WiFi or home WiFi networks. When accessed on these unsecured networks, the
risk of application exposure to brute force, credential stuffing, spoofing, phishing, and
man-in-the-middle attacks becomes significantly higher. To fortify application security,
it is imperative to ensure that traffic is secure and trusted in both directions between a
client and server.

In a typical TLS-secured communication such as the browser-server (discussed earlier),

authentication is carried out one-way, meaning only the server is authenticated to
establish its legitimacy. Client authentication, on the other hand, is handled by the
application layer. While this is okay for public-facing websites and applications, not
authenticating the client at the transport layer for internal applications and services
leaves them highly vulnerable to attacks. This is why mutual TLS (mTLS) authentication
is required.

33
© 2022 AppViewX, Inc. All Rights Reserved.
Mutual TLS is a two-way authentication process where the identities of both the
communicating parties are validated before establishing a network connection. Both
the client and the server hosting the application are authenticated by verifying their
respective TLS certificates. Mutual authentication is an excellent way of providing
additional protection for corporate applications, services, devices, and APIs that store
and process highly confidential information.

Benefits of using Mutual TLS (mTLS):

When mTLS is enabled, attackers cannot authenticate to either the client or the
server, making man-in-the-middle attacks almost impossible to execute.

Even if stolen credentials are used for logging in as a legitimate user, mTLS ensures
that the attacker is not permitted application access without a valid TLS certificate.
Client authentication via digital certificate considerably reduces the risk of phishing,
credential stuffing, and brute force attacks.

mTLS helps secure API integrations by ensuring that API requests come from
genuine, authenticated users only. This helps defend against malicious API requests
sent to exploit vulnerabilities or cause API malfunction. Securing API integrations is
highly critical in the banking sector, which relies on third-party APIs to facilitate
mobile banking.

mTLS is especially effective in authenticating IoT devices that are installed at the
edge and do not follow a defined login process.

Since mTLS involves authenticating all the communicating parties every time they
request application access, the risk of unauthorized access is substantially reduced,
making it a key enabler of Zero Trust security.

34
© 2022 AppViewX, Inc. All Rights Reserved.
09

Corporate WiFi Protected Access

The transition to remote work compelled many organizations to replace hefty desktop
computers with mobile-friendly laptops and adopt user-friendly BYOD policies. While
these changes certainly bring more work flexibility, they amplify WiFi security risks as
employees begin to return to the office.

As the number of devices accessing corporate WiFi networks increases, so does the risk
of cyberattacks. Device vulnerabilities and unsecured WiFi networks are ripe targets for
over-the-air credential-based attacks such as man-in-the-middle and evil twin proxies.
Considering how critical WiFi availability is to keep the business up and running,
organizations must implement strong security measures to protect WiFi.

35
© 2022 AppViewX, Inc. All Rights Reserved.
Many organizations rely on usernames/passwords to authenticate employees. But this
is no longer enough to secure WiFi networks. Due to evolving password-change policies
and poor password hygiene, threat actors increasingly target passwords. Passwords
are also high-maintenance for IT helpdesk teams due to recurring password reset
requests. Further, the increase in personal device usage has introduced a new threat
vector – device security compromises. Less secure mobile devices serve as launchpads
for threat actors looking to infiltrate corporate WiFi networks. This has led many
organizations to rethink WiFi authentication methods for the modern workforce.

WPA2-Enterprise, otherwise referred to as 802.1X, is a standard for secure network

authentication. It allows network devices to communicate securely with WiFi access
points. However, the effectiveness of the 802.1X standard relies on the authentication
mechanism being used—whether it is password-based or certificate-based.

Certificate-based EAP-TLS is considered the most secure form of authentication for

802.1X networks today. EAP-TLS is an authentication protocol within the 802.1X
standard that enables the use of digital certificates for validating devices for network
access. It also helps encrypt the communication between devices and the network for
secure data transfer.

Using EAP-TLS, organizations can issue digital certificates to all network devices and
authorize them every time they try connecting to the network. Digital certificates can be
issued to both BYOD and organization-managed devices to ensure that only approved
devices are allowed on the network. This is not often the case with shared credentials
that enable network access even when users log in from unauthorized personal
devices. Using certificates to identify and validate devices helps gain complete network
visibility and better control over devices accessing the network.

36
© 2022 AppViewX, Inc. All Rights Reserved.
One of the advantages of using certificate-based EAP-TLS is the ability to perform
server certificate validation. This enables users to verify the authenticity of the RADIUS
server (with its server certificate) while initiating a connection, eliminating the chances
of users connecting to a rogue access point and unknowingly revealing their
credentials. The connection request will be automatically disregarded if the certificate
is rendered invalid, protecting users.

Using PKI-based digital certificates also improves the end-user experience. As

authentication is carried out seamlessly in the background, users are automatically
connected to the WiFi network without any manual intervention. It also removes the
need for users to remember passwords or reset them frequently, inherently mitigating
the risk of password-based attacks.

Given the nature of WiFi communication and the widespread use of

ill-secured mobile devices, threats to wireless networks are steadily
increasing. The best way to harden WiFi security is to shift the focus of
authentication from users to devices. PKI is a safe, reliable, and efficient
way of authenticating devices and safeguarding WiFi network access.

Zero set up, maintenance, and operational costs.

That’s PKIaaS for you.

Register for the AppViewX CERT+ PKIaaS demo to learn more.

37
© 2022 AppViewX, Inc. All Rights Reserved.
10

Email Security

Email is the most popular means of business communication and forms a significant
part of overall online communication. This is also why email is one of the most
sought-after targets by cybercriminals. According to the latest HP Wolf Security Threat
Insights Report, email remains the top attack vector, with 75% of threats being
delivered by email.

Phishing ranks as the second most expensive cause of

data breaches—a breach caused by phishing costs
businesses an average of $4.65 million.
- IBM Research

38
© 2022 AppViewX, Inc. All Rights Reserved.
Over the years, the corporate email network has fallen victim to several types of
cyberattacks such as spear phishing, malware, ransomware, spamming, and BEC
(Business Email Compromise) that have led to devastating data breaches, transaction
frauds, and financial losses. Compounding the problem is the lack of user awareness
that makes email the weakest link in the security chain. According to The State of Email
Security Report 2022, spoofing company websites and email domains is on the rise as
organizations experienced an average of 10 such attacks this past year.

As emails often carry highly sensitive business information, protecting and validating
this communication is critical for cybersecurity. Many organizations rely solely on the
default security controls offered by Microsoft Exchange and Google Workspace for
email security. But attackers have found ways to dodge these controls and spoof
standard business processes, making it hard for users to differentiate between
legitimate and fake emails. Securing emails requires more layered protection, and this
is where PKI comes into play.

PKI helps reinforce email security in two different ways:

S/MIME (secure/multipurpose internet mail extension) certificates

SSL/TLS certificates

S/MIME (Secure/Multipurpose Internet Mail Extensions) is an encryption protocol

defined to secure emails. Based on public key cryptography, S/MIME can be used to
help establish the authenticity of the sender and guarantee the recipient that the
message sent is in its original form and the contents of the message have not been
altered during transit. The digital signature also serves as proof of non-repudiation,
which means that the sender of the email who signed it cannot deny sending the email.

While the digital signature helps verify the identity of the sender, end-to-end encryption
protects the contents of the email message, so they cannot be intercepted or altered
during transit. In other words, S/MIME certificates provide authentication,
confidentiality, and data integrity for emails.

39
© 2022 AppViewX, Inc. All Rights Reserved.
S/MIME certificates are usually provisioned to individual email accounts. So, these are
great for sender authentication and email message encryption. But there is still the
possibility of attackers spoofing the email server and extracting your communications.
To address this challenge, PKI helps build a secure communication channel over the
internet for email transmission. With a PKI-based SSL/TLS certificate, organizations can
secure the email server itself through which the emails travel, so no attackers on the
network are able to eavesdrop on communications and meddle with their contents in
transit.

While SSL/TLS certificates ensure emails are transmitted over a secure channel, S/MIME
certificates ensure emails are encrypted and protected while resting on the web server.

Email is the most integral and ubiquitous part of everyday business

communication. This is also why email-targeted cyberattacks are seeing a
stark rise. While educating users about email security best practices is
undoubtedly a must, human misjudgment will always be a risk. So, it is
best to employ comprehensive and layered security solutions such as PKI
to defend email communications against evasive threats.

Want to set up a secure, scalable, and efficient PKI?

Talk to one of our experts to learn about AppViewX PKIaaS.

40
© 2022 AppViewX, Inc. All Rights Reserved.
Compliance Attestation
The unprecedented surge in cybercrime—especially in sectors such as healthcare and
finance that deal with sensitive customer data—has led to rapid changes in the
compliance landscape. In response to emerging threats, data privacy regulatory bodies
across the world are introducing new compliance requirements with the intent of
compelling organizations to implement and follow security best practices.

Regulations such as GDPR, HIPAA, PCI-DSS, CCPA, and others closely monitor industries
to ensure organizations follow secure and reliable security practices to maintain data
confidentiality and integrity. Any deviation from the required standards is set to invoke
massive regulatory penalties that can severely impact an organization.

Compliance is also no longer just about steering clear of hefty fines. It is about
becoming cyber resilient and building trusted relationships with customers, vendors,
and partners. Today, compliance is more a strategic business necessity than just
another routine box to tick on the security checklist.

Proactive compliance management creates value and earns new

business: 22% of respondents said they lost a new business deal
due to a missing compliance certification.

- 2022 Compliance Benchmark Report

That said, compliance remains a persistent challenge for security teams. Apart from
shouldering the responsibility of defending complex networks from multipronged
cyberattacks, security teams are also stressing under the pressure of meeting
ever-evolving compliance mandates. Expanding digital footprint, lack of visibility, poor
management, and outdated or weak encryption standards are some of the many
challenges faced by security teams that get in the way of compliance.

41
© 2022 AppViewX, Inc. All Rights Reserved.
Some of the first steps towards simplifying audits and compliance would be to
implement strong access controls, enforce robust data protection, and build holistic
visibility. Public key infrastructure, with its combination of authentication and
encryption, can serve as an effective tool to improve compliance, as it helps better
govern network access and protect communications.

As new threats emerge, the regulatory environment will continue to see big changes.
Organizations will have to keep pace with new regulations and make necessary amends
to their security frameworks to stay compliant. To that end, PKI can be a key enabler of
compliance.

PKI – The Road Ahead

As enterprises increasingly digitize their operations, security is bound to grow more
complicated. The cloud, DevOps, containers, mobile, and IoT make for a diverse
environment with a unique set of security requirements. Meeting these dynamic
requirements and building digital trust is not easy, but with the right solution, it is
possible.

PKI is a smart security solution for hyper-connected, cloud-driven IT environments. As

the number of connected machines grows, the need for digital identities, stronger
authentication, and data encryption only grows stronger. As digital identities form the
fulcrum of PKI, it helps build a flexible, adaptable, and scalable security framework that
can be used to secure a wide variety of enterprise use cases.

42
© 2022 AppViewX, Inc. All Rights Reserved.
PKI has come a long way, and mature certificate lifecycle management solutions today
are driven by automation, which greatly simplifies enterprise PKI management. They
are built to provide complete visibility of the digital certificate environment, centralized
management, role-based access control for reliable and restricted access, strong
governance for improved compliance, and, more importantly, an end-to-end
automated system for certificate lifecycle management.

Meet AppViewX CERT+

AppViewX CERT+ is a next-gen PKI management platform that manages and automates
certificate and key lifecycles across multi-cloud, hybrid cloud, and containerized
environments. When coupling AppViewX CERT+ PKIaaS, a turnkey managed enterprise
PKI offering, with CERT+ CLMaaS for key management, certificate issuance and
automated CLM, enterprises have a powerful and comprehensive solution for digital
identity management. The complete AppViewX CERT+ solution is CA-agnostic - issuing
and managing certificates from an array of cloud and on-premises CAs.

Need more information?

Scan QR code to schedule a free session
with one of our experts.

AppViewX Inc.,

City Hall, 222 Broadway info@appviewx.com +1 (206) 207-7541

New York, NY 10038 www.appviewx.com +44 (0) 203-514-2226

43
© 2022 AppViewX, Inc. All Rights Reserved.