Google finally gets strict about web server certificates
Briefly

Applications that never communicate outside the company network are better protected by an internal PKI, where the organization can configure certificates as it sees fit. Restricting each certificate to its intended purpose applies the principle of least privilege and fits a zero trust model in which certificates for different purposes are kept separate. Because users tend to favor convenience, security mandates are often what drive better practice: users want to get tasks done quickly and easily, shaped by culture, cost, and ease of process.
Hollebeek argued that this is the right move, given that "many of these applications need no communication outside of the company network and will therefore be more securely protected on an internal PKI, where the organization can configure certificates as they see fit."
Erik Avakian, a technical counselor at consulting firm Info-Tech, agreed. "Google is actually doing the right thing," he said. "This is good because it goes back to the concept of least privilege" where certs are used "only for the intended purpose. It's about zero trust" when "certificates are separated like this."
Avakian said most users will do whatever is convenient, unless they're required to do otherwise. "It helps to be forced to do better security," he said. "Users want to get things done quickly and easily. It comes down to culture, to costs, to ease."
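The "internal PKI, where the organization can configure certificates as they see fit" point above can be made concrete. The following script is an added example, not code from the article or from Google, Hollebeek or Avakian: it builds a small private CA with OpenSSL whose name constraints limit it to an assumed internal DNS namespace (`corp.example`), issues leaf certificates whose only extended key usage is TLS server authentication, and then checks both properties. All file names, hostnames and the domain are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the article): a minimal, purpose-restricted internal PKI
# built with the openssl CLI. The CA may only sign names under INTERNAL_DOMAIN and
# issues server-auth-only leaf certificates. Names and paths are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
INTERNAL_DOMAIN="corp.example"   # assumed internal-only DNS namespace

# build_internal_ca DIR: create a self-signed CA that is name-constrained to
# INTERNAL_DOMAIN. Even if this CA key is misused, relying parties that honor
# name constraints reject certificates for hosts outside that namespace.
build_internal_ca() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Internal Root CA (example)
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
nameConstraints = critical, permitted;DNS:$INTERNAL_DOMAIN
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" -config "$dir/ca.cnf" >/dev/null 2>&1
}

# issue_server_cert DIR HOST: issue a leaf for HOST with serverAuth as its only
# EKU, so the certificate is fit for one purpose (least privilege) and nothing else.
issue_server_cert() {
  dir="$1"; host="$2"
  cat > "$dir/$host.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 90 -extfile "$dir/$host.ext" -out "$dir/$host.crt" >/dev/null 2>&1
}

# cert_chains_to_internal_ca DIR HOST: exit 0 if the leaf verifies against the
# internal CA, non-zero otherwise (for example a host outside the permitted namespace,
# which fails path validation even though the CA key signed it).
cert_chains_to_internal_ca() {
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# cert_has_only_server_auth DIR HOST: exit 0 if the leaf's EKU list is exactly
# "TLS Web Server Authentication" (openssl x509 -ext needs OpenSSL 1.1.1 or newer).
cert_has_only_server_auth() {
  ekus=$(openssl x509 -in "$1/$2.crt" -noout -ext extendedKeyUsage 2>/dev/null \
         | tail -n +2 | tr -d ' ')
  [ "$ekus" = "TLSWebServerAuthentication" ]
}

# Usage: sh internal_pki.sh demo
# The internal host verifies; a public host outside the permitted namespace does not.
if [ "${1:-}" = "demo" ]; then
  build_internal_ca "$WORK"
  issue_server_cert "$WORK" "intranet.$INTERNAL_DOMAIN"
  cert_chains_to_internal_ca "$WORK" "intranet.$INTERNAL_DOMAIN" && echo "internal host: OK"
  cert_has_only_server_auth "$WORK" "intranet.$INTERNAL_DOMAIN" && echo "EKU: serverAuth only"
  issue_server_cert "$WORK" www.public.example
  cert_chains_to_internal_ca "$WORK" www.public.example || echo "public host: rejected by name constraint"
fi
```

The name constraint is what makes the CA safe to keep internal: the signing step itself never refuses a hostname, so the control lives in path validation on the client side, which is why the check is done with `openssl verify` rather than by inspecting what the CA agreed to sign.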
Read at Computerworld