Chromebooks have been the home-working workhorses of the global pandemic, enabling millions of people to continue operating through mandatory office closures and employee relocations. The next challenge is how to bring these devices back into the office by the tens, hundreds, or even thousands as workers return, while following the Zero Trust security model. The best way to implement a Zero Trust security model is to use PKI-based digital credentials for user and device authentication. This will be difficult without automating the process of provisioning each Chromebook with a digital certificate that the enterprise network authentication service will accept.
As remote workers return to offices in large numbers, provisioning certificates manually would add a further burden on IT and security teams. Today's device and user ecosystem is far more complex than in the days when certificates secured a limited number of stationary devices, users, and web pages connected through comparatively simple infrastructure. Automation makes certificate management manageable while also eliminating the risk of missing a certificate expiration date and creating a security liability. This risk is particularly acute now, given the sheer volume of Chromebooks that are about to descend upon many organizations' help and service desks.
Complexity of managing Chromebooks
According to the market research firm Canalys, Chromebooks set record shipment volumes in Q4 2020, increasing 287% over Q4 2019 to reach 11.2 million units and a full-year 2020 total of 30.6 million units.
Many of these Chromebooks have only been used remotely because of the pandemic. They now must join all the other devices that have been provisioned for the physical corporate network. The challenge is how to make them fit the enterprise's Zero Trust model, which treats every user and device as untrusted until it has been authenticated. This will be harder for some organizations than for others.
Google Mobile Device Management (MDM) allows an enterprise to use its existing Microsoft Active Directory Certificate Services (ADCS) for certificate provisioning. However, many enterprises do not have an internal Microsoft ADCS infrastructure. For others, connecting Chromebooks to their Google MDM ecosystem for certificate provisioning is not an option. Still others rely on digital certificates to achieve password-less authentication to corporate wireless networks as well as wired ones. In many cases, the network authentication method differs depending on whether a user is on-site or remote.
Another complication is that certificate validity periods are getting shorter to improve security. This increases the scale and complexity of the renewal process and is one of the prime factors pushing enterprises to automate management of the entire certificate lifecycle.
Building on an existing foundation
Enterprises already have many of the components they need to automate certificate management for Google Chromebooks. The first two are Google MDM and the Chromebooks it manages, regardless of make or model. The third is an identity provider that gives employees Single Sign-On (SSO) and Reduced Sign-On (RSO) authentication to internal or external applications.
To automate certificate provisioning and management for Google Chromebooks, organizations can work with a PKI-as-a-Service (PKIaaS) provider whose PKI infrastructure works in conjunction with Google MDM, without having to manage Microsoft ADCS services in-house. For the Zero Trust security model, a PKI-aware Request Proxy can be used. It sits within a hosted environment and ensures that every certificate request comes from a Chromebook that the organization manages and from a user who has been authenticated by a trusted service.
With these pieces in place, the PKIaaS provider can automate not only certificate issuance but also certificate renewals and revocations. Today's PKIaaS offerings manage many different certificate types, all signed by the organization's hosted issuing Certificate Authority (CA). They push certificate MDM policy to each managed Chromebook and begin the certificate issuance flow when a Chromebook attempts to authenticate to the enterprise network. First, the Chromebook connects to the PKI-aware Request Proxy and is prompted to authenticate via a redirect to the enterprise's federated identity system. Once the certificate request has been processed and a certificate has been returned to the Chromebook and presented to the network, the user is allowed access. To mitigate the risk of certificate expiration, organizations can also have their PKIaaS solution alert them within no more than 80 percent of the certificate's lifetime and renew it automatically.
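The two decisions in the flow above, the Request Proxy's Zero Trust gate (managed device plus trusted identity assertion) and the 80-percent renewal trigger, modelled as an added example in Python. This is illustrative code, not HID Global's, Google's or any PKIaaS product's; the device inventory, the assertion fields and the example clock are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RENEWAL_THRESHOLD = 0.80  # renew once 80% of the validity period has elapsed


@dataclass(frozen=True)
class IdentityAssertion:
    """Minimal stand-in for a SAML/OIDC assertion from the federated IdP (assumed shape)."""
    subject: str        # authenticated user
    issuer: str         # identity provider that vouched for the user
    expires: datetime   # assertion validity end


def authorize_request(device_id, assertion, managed_devices, trusted_idps, now):
    """Request Proxy gate: device must be MDM-managed AND user must carry a fresh
    assertion from a trusted IdP. Returns (allowed, reason); checks are conjunctive."""
    if device_id not in managed_devices:
        return False, "device not in MDM inventory"
    if assertion is None or assertion.issuer not in trusted_idps:
        return False, "user not authenticated by a trusted identity provider"
    if assertion.expires <= now:
        return False, "identity assertion expired"
    return True, "ok"


def renewal_due(not_before, not_after, now, threshold=RENEWAL_THRESHOLD):
    """True once `threshold` of the certificate's notBefore..notAfter lifetime is consumed."""
    return (now - not_before) >= (not_after - not_before) * threshold


def fleet_renewals(certs, now):
    """Device IDs whose certificates (notBefore, notAfter) should be renewed now."""
    return sorted(d for d, (nb, na) in certs.items() if renewal_due(nb, na, now))


def demo():
    now = datetime(2021, 6, 1, tzinfo=timezone.utc)          # constructed clock
    managed = {"CB-0001", "CB-0002"}                           # constructed MDM inventory
    idps = {"https://idp.example.com"}                         # constructed trusted IdP
    user = IdentityAssertion("alice@example.com", "https://idp.example.com",
                             now + timedelta(hours=1))
    certs = {  # constructed fleet: one-year certs, 82% and 8% of lifetime elapsed
        "CB-0001": (now - timedelta(days=300), now + timedelta(days=65)),
        "CB-0002": (now - timedelta(days=30), now + timedelta(days=335)),
    }
    return (authorize_request("CB-0001", user, managed, idps, now),   # (True, "ok")
            authorize_request("CB-9999", user, managed, idps, now),   # unmanaged device
            fleet_renewals(certs, now))                               # ["CB-0001"]


if __name__ == "__main__":
    print(demo())
```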
Zero Trust security requires a PKI infrastructure that lets organizations establish trusted machine identities. But managing the associated digital certificates has become increasingly difficult to do manually. It will be especially challenging for help desks preparing to onboard a flood of Chromebooks as they are brought into the physical workplace over the coming months. Automation will streamline the process of ensuring that all devices can authenticate to enterprise networks in a password-less, Zero Trust network access environment, while enabling organizations to keep up with hundreds or thousands of certificate renewals each year.
Mrugesh Chandarana is Director of Product Management, Identity and Access Management (IAM) Solutions for HID Global.