When the pandemic hit, many organizations responded to mandatory office closures and employee relocation by outfitting those who used desktop computers “on the network” with laptops and Chromebooks. The latter’s shipments have more than doubled year-over-year, and now many of these Chromebooks are returning to the office. The challenge is how to make them fit in with a Zero Trust model that assumes all users and devices are untrustworthy and must be authenticated.
Implementing zero trust security with Chromebooks will be especially difficult for enterprises that do not have an internal Microsoft ADCS (Active Directory Certificate Services) infrastructure and rely on digital certificates to bootstrap passwordless authentication to corporate wireless (or wired) networks. Additionally, many of an enterprise’s physical sites use a different network authentication method than what has been set up for remote users, so employees returning to one of these sites may not have a device provisioned for the physical corporate network. Help and service desk managers will need to bring parity to these Chromebooks that have only been remote, by provisioning them with PKI certificates that are acceptable to the physical location’s wired or wireless network authentication service.
This provisioning task would be daunting if it had to be performed manually in today’s complex device and user ecosystem. It would be risky, too, since the latest security best practices call for shorter certificate validity. This increases the scale and complexity of manual renewal. As a result, most enterprises have automated the process or are exploring how to do it.
Five Components
Enterprises already have three of the five components required for certificate automation: Google MDM; the Chromebooks that it manages; and an identity provider to enable SSO (single sign-on) and RSO (reduced sign-on) authentication to employees for internal or external applications. The fourth component is a PKIaaS (PKI-as-a-service) for digital certificate issuance and management. These service providers work with organizations to create a PKI infrastructure that works with Google MDM without requiring that the organization manage Microsoft ADCS services in-house. To implement the zero trust security model, the fifth component is a PKI-aware Request Proxy. It sits within a hosted environment to ensure that every certificate request comes from a Chromebook that the organization manages and from a user who has been authenticated by a trusted service.
The certificate issuance policies and templates can be defined with these PKI-as-a-service providers, which push them through Google MDM to each managed Chromebook. The certificate issuance workflow begins when a Chromebook attempts to authenticate to the enterprise network. The Chromebook connects to the PKI-aware Request Proxy and is prompted to authenticate via redirect to an enterprise federated identity system. The certificate request is processed, a certificate is returned to the Chromebook, the Chromebook presents it to the network, and the user is allowed network access.
This workflow provides strong authentication based on possession of an enterprise-managed Chromebook and a login with a corporate identity. It also ensures that the user must authenticate to the corporate SSO (federated identity) environment. After the previous steps succeed, the PKI service caches an authentication token, which enables true automation by allowing the Google MDM and PKI service to monitor for the presence of the required certificates. Organizations should configure their solutions to check for impending expiration no later than when 80% of a certificate's lifetime has elapsed, renew certificates automatically without user intervention, and replace them if they have been removed from the Chromebook.
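The monitoring and renewal policy described above can be expressed as a small decision routine. The following is an added example written for this article, not code from the page or from any MDM or PKI vendor; the inventory data model (device id, notBefore, notAfter), the 80% renewal threshold constant and the action names are assumptions chosen for illustration, and the sample inventory is constructed. It classifies each managed device as fine, due for renewal, expired, or missing its certificate, which is the input an automated renewal job would act on.

```python
"""Renewal-policy check for device certificates pushed via MDM.

Added example (not vendor code). Policy modelled: renew a certificate once
80% of its validity period has elapsed, and re-issue ("replace") when a
managed device has no certificate at all.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

# Assumed threshold taken from the text: act no later than 80% of lifetime.
RENEW_AT_FRACTION = 0.80


class Action(Enum):
    OK = "ok"            # inside the healthy window, nothing to do
    RENEW = "renew"      # 80% or more of the lifetime has elapsed
    EXPIRED = "expired"  # past notAfter; device will fail network auth
    REPLACE = "replace"  # no certificate present on the managed device


@dataclass(frozen=True)
class ManagedCert:
    device_id: str
    not_before: datetime  # timezone-aware UTC
    not_after: datetime   # timezone-aware UTC


def lifetime_fraction_elapsed(cert: ManagedCert, now: datetime) -> float:
    """Fraction of the validity period consumed at time `now` (may exceed 1)."""
    total = (cert.not_after - cert.not_before).total_seconds()
    if total <= 0:
        raise ValueError(f"{cert.device_id}: notAfter must be after notBefore")
    return (now - cert.not_before).total_seconds() / total


def renewal_deadline(cert: ManagedCert) -> datetime:
    """Instant at which the policy says renewal must have started."""
    return cert.not_before + (cert.not_after - cert.not_before) * RENEW_AT_FRACTION


def decide(cert: Optional[ManagedCert], now: datetime) -> Action:
    """Map one device's certificate state to the action the automation takes."""
    if cert is None:
        return Action.REPLACE
    if now >= cert.not_after:
        return Action.EXPIRED
    if lifetime_fraction_elapsed(cert, now) >= RENEW_AT_FRACTION:
        return Action.RENEW
    return Action.OK


def audit(inventory: dict[str, Optional[ManagedCert]], now: datetime) -> dict[str, Action]:
    """Run the policy over the whole MDM inventory (device id -> cert or None)."""
    return {device_id: decide(cert, now) for device_id, cert in inventory.items()}


# Constructed sample inventory: 90-day certificates at different ages.
_ISSUED = datetime(2024, 1, 1, tzinfo=timezone.utc)
_LIFETIME = timedelta(days=90)
SAMPLE_INVENTORY: dict[str, Optional[ManagedCert]] = {
    "chromebook-01": ManagedCert("chromebook-01", _ISSUED, _ISSUED + _LIFETIME),
    "chromebook-02": ManagedCert("chromebook-02", _ISSUED - timedelta(days=75),
                                 _ISSUED - timedelta(days=75) + _LIFETIME),
    "chromebook-03": ManagedCert("chromebook-03", _ISSUED - timedelta(days=120),
                                 _ISSUED - timedelta(days=120) + _LIFETIME),
    "chromebook-04": None,  # certificate was removed from the device
}
SAMPLE_NOW = _ISSUED + timedelta(days=10)


if __name__ == "__main__":
    for device, action in audit(SAMPLE_INVENTORY, SAMPLE_NOW).items():
        print(f"{device}: {action.value}")
```

Running the block prints one line per device; an automation job would feed the `renew` and `replace` entries back to the PKI service through the cached authentication token rather than prompting the user, and should treat `expired` as a high-priority alert because that device can no longer authenticate to the network.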
The traditional walled-fortress IT security posture is not feasible as the world transitions to hybrid remote and in-person work environments using a growing variety of computing devices and operating systems. Organizations need to plan for an easy, cloud-based approach to automating digital certificate management that enables these devices to authenticate to enterprise networks in a passwordless, zero trust network access environment.