PKI and zero trust identity verification: are your controls ready?


(@nhi-mgmt-group)
Member Moderator
TL;DR: Zero Trust depends on continuously verified digital identity, and DigiCert argues PKI supplies the authentication, encryption, and integrity layer needed to make that model workable across users, devices, systems, and apps. The practical issue is not whether Zero Trust is desirable, but whether enterprises can inventory, automate, and lifecycle-manage certificates fast enough to support it.

NHIMG editorial — based on content published by DigiCert: PKI as the foundation for Zero Trust

By the numbers:

Questions worth separating out

Q: How should security teams use PKI to support Zero Trust in mixed human and machine environments?

A: Use PKI to provide verifiable identity for devices, workloads, and services, then connect that trust layer to access policy and lifecycle controls.

Q: Why do certificate lifecycle failures create more risk than certificate issuance alone?

A: Issuing a certificate is only the beginning of trust.

Q: What breaks when organisations try to run Zero Trust without full certificate visibility?

A: Verification breaks because the programme cannot confidently distinguish active, expired, shadow, or orphaned certificates.

Practitioner guidance

  • Inventory all certificate-bearing identities: build a complete catalogue of certificates across endpoints, applications, services, and cloud workloads, then assign ownership for each trust object.
  • Automate certificate issuance and revocation: remove manual renewal and ad hoc revocation from the critical path by using policy-driven automation for creation, rotation, and invalidation.
  • Tie PKI operations to lifecycle governance: integrate certificates into joiner, mover, leaver and offboarding workflows so identities cannot outlive their approved business use.
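As an added illustration of the inventory and ownership points above (example code written for this post, not DigiCert's or NHIMG's), the following triage sorts a constructed certificate inventory into the states the Q&A mentions: active, expiring, expired, orphaned (no accountable owner or no live consumer) and shadow (issued outside the approved CAs). The record layout, the approved-CA list and the 30-day renewal window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed inventory records: the fields a scanner or certificate
# lifecycle tool would export (subject, issuing CA, expiry, owner, usage).
@dataclass
class CertRecord:
    subject: str
    issuer: str
    not_after: datetime
    owner: Optional[str]   # team accountable for this trust object, if any
    in_use: bool           # still referenced by a live listener or workload

# Assumed policy: only these CAs are sanctioned; anything else is "shadow".
APPROVED_ISSUERS = {"Corp Issuing CA 01", "Corp Workload CA"}
RENEWAL_WINDOW = timedelta(days=30)

def classify(rec: CertRecord, now: datetime) -> str:
    """Return one lifecycle state. Precedence is deliberate: an expired
    certificate is a risk regardless of who owns it or who issued it."""
    if rec.not_after <= now:
        return "expired"
    if rec.issuer not in APPROVED_ISSUERS:
        return "shadow"
    if rec.owner is None or not rec.in_use:
        return "orphaned"
    if rec.not_after - now <= RENEWAL_WINDOW:
        return "expiring"
    return "active"

def triage(inventory, now=None):
    """Group subjects by state; counts feed a dashboard, the per-state
    lists feed automation (renew, revoke, or assign an owner)."""
    now = now or datetime.now(timezone.utc)
    buckets = {s: [] for s in ("expired", "shadow", "orphaned", "expiring", "active")}
    for rec in inventory:
        buckets[classify(rec, now)].append(rec.subject)
    return buckets

# Constructed sample inventory evaluated at a fixed point in time.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE = [
    CertRecord("api.internal", "Corp Issuing CA 01", NOW + timedelta(days=200), "platform", True),
    CertRecord("legacy.internal", "Corp Issuing CA 01", NOW - timedelta(days=3), "platform", True),
    CertRecord("batch-job", "Corp Workload CA", NOW + timedelta(days=90), None, True),
    CertRecord("dev-box", "Dev Self-Signed", NOW + timedelta(days=400), "dev", True),
    CertRecord("payments", "Corp Issuing CA 01", NOW + timedelta(days=10), "fin", True),
]

if __name__ == "__main__":
    for state, subjects in triage(SAMPLE, NOW).items():
        print(f"{state:9s} {subjects}")
```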

What's in the full article

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

  • Certificate lifecycle management workflows for rotating and revoking identities at scale
  • Implementation detail on using PKI to support hybrid and cloud-connected Zero Trust environments
  • Visibility and automation considerations for large certificate inventories across enterprise systems

👉 Read DigiCert's analysis of PKI as the foundation for Zero Trust →
