PKI and cryptography are critical components of a Zero Trust strategy, driving the use of encryption to keep identities, devices, data, connections, and communications secure. Like many things, increased use of encryption starts with good intentions, but may have unintended consequences. In this case, the proliferation of certificates across the organization may create a management and ownership challenge, adding cyber risk. This is the Zero Trust encryption paradox, which is why two of the critical early steps on an organization’s Zero Trust journey are to identify and inventory all cryptographic assets, followed by establishing clear ownership.

As a clear example, the 2024 State of Zero Trust & Encryption Study sponsored by Entrust highlights how a lack of skilled personnel and no clear ownership make the management of credentials painful, cited by 50% and 47% of respondents, respectively. At the same time, 59% of respondents say managing keys has a severe impact on their organizations.

Establishing visibility and clear ownership of cryptographic assets may seem very logical and manageable on the surface, but today’s reality is far more complex. Long gone are the days of a massive Active Directory implementation servicing an entirely on-prem certificate authority (CA). Today’s digital ecosystem spans servers, applications, networks, identities, infrastructure, hardware, and endpoints, with some data residing in the cloud and other data on-prem. New use cases continue to add to PKI deployment complexity as more teams use certificates, causing PKI sprawl. Moreover, in their zeal to implement a Zero Trust strategy, siloed teams from IT to security to infrastructure and beyond often acquire their own certificate authorities, deploying PKI and certificates without proper governance. In fact, the Entrust study revealed that 37% of organizations polled cited unmanaged certificates as a main area of concern that might result in the exposure of sensitive or confidential data.

Why an enterprise-wide Zero Trust strategy is critical

Without an enterprise-wide Zero Trust strategy, this increased use of PKI can actually increase an organization’s vulnerability, both today and in the future when planning for post-quantum cryptography (PQC) migration. Plus, expired certificates can cause significant organizational disruption, costing time and money to locate the expired certificate and identify everywhere it was installed.

Today, PKI and cryptographic assets are critical infrastructure, expanding in number, and essential to a Zero Trust strategy. However, it is a false assumption to think that systems will be secured forever with conventional PKI cryptography, and the magnitude of this risk is often unknown because organizations lack enterprise-wide crypto asset visibility. Simply put, you can’t manage what you can’t see. CISA’s Zero Trust Maturity Model (ZTMM) features five pillars underpinned by three core tenets: Visibility and Analytics, Automation and Orchestration, and Governance. Visibility in the CISA ZTMM refers to observable artifacts that result from the characteristics of and events within enterprise-wide environments. This focus on cyber-related data analysis helps inform policy decisions, facilitate response activities, and build a proactive security risk profile.

Essential early steps

So how do you resolve the Zero Trust encryption paradox? The first step is to establish clear ownership with a team accountable for enterprise-wide Zero Trust and encryption strategy and migration. And it appears more organizations are taking this to heart, with dedicated PKI specialists operating under CxO oversight rather than leaving PKI to IT generalists. Next is to inventory data and flows to identify the location of high-value data at rest, in transit, and in use. With ownership and data flows identified, the next step is to inventory the organization’s cryptographic assets, which is usually a combined automated and manual effort to identify all keys, certificates, secrets, and libraries. Armed with this information, the dedicated team is now able to draft a crypto-agility strategy. This is a critical milestone in the Zero Trust journey, mitigating the organization’s crypto-related risk – including people, processes, and technology – with built-in capabilities.
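The certificate part of that inventory step, shown as an added example that is not from Entrust or the study: each certificate is parsed, tied to the owner assigned during the ownership step (empty when nobody has claimed it), and recorded with its expiry and the classical key algorithm that a PQC migration will have to replace. The three certificates, their names, and the team names are constructed for the example; a real inventory would feed in certificates discovered on servers, endpoints, and CAs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// Entry is one inventory row: Owner comes from the ownership step (empty = unclaimed), the rest from the certificate.
type Entry struct {
	Names             []string // SAN DNS names the certificate is installed for
	Owner, KeyAlgo    string
	KeyBits, DaysLeft int // DaysLeft < 0 means the certificate has already expired
	PQVulnerable      bool
}
// Classify extracts what a PKI owner must know about one parsed certificate.
func Classify(c *x509.Certificate, owner string, now time.Time) Entry {
	e := Entry{Names: c.DNSNames, Owner: owner, KeyAlgo: c.PublicKeyAlgorithm.String(),
		DaysLeft: int(c.NotAfter.Sub(now).Hours() / 24)}
	switch k := c.PublicKey.(type) { // RSA and ECC are exactly what a PQC migration has to replace
	case *rsa.PublicKey:
		e.KeyBits, e.PQVulnerable = k.N.BitLen(), true
	case *ecdsa.PublicKey:
		e.KeyBits, e.PQVulnerable = k.Curve.Params().BitSize, true
	}
	return e
}
// selfSigned mints a constructed sample certificate so the example runs offline; it is not a real asset.
func selfSigned(name string, key *rsa.PrivateKey, notAfter time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name}, NotBefore: notAfter.AddDate(-1, 0, 0), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // errors ignored: sample setup only
	c, _ := x509.ParseCertificate(der)
	return c
}
// SampleInventory classifies three constructed certificates: expired and unowned, expiring in 10 days, healthy.
func SampleInventory(now time.Time) []Entry {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // one constructed key reused for all three samples
	return []Entry{
		Classify(selfSigned("legacy-app.example.internal", key, now.AddDate(0, 0, -1)), "", now),
		Classify(selfSigned("api.example.internal", key, now.AddDate(0, 0, 10)), "platform-team", now),
		Classify(selfSigned("vpn.example.internal", key, now.AddDate(0, 0, 200)), "network-team", now),
	}
}

func main() { fmt.Printf("%+v\n", SampleInventory(time.Now())) }
```

Rows with an empty Owner or a small DaysLeft are the ones the accountable team has to chase first; the PQVulnerable flag sizes the later migration.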

And there you have it: An enterprise-wide Zero Trust strategy with clear ownership and crypto asset visibility and agility not only resolves the Zero Trust encryption paradox, but also provides a strong foundation for the next step of your Zero Trust journey.