When the pandemic hit, enterprises accelerated the move of applications and workloads to the cloud and adopted cloud native Chrome OS for flexibility, agility, collaboration, and cost. Chromebooks have enabled millions of people to continue working remotely through mandatory office closures and employee relocations. Employees were onboarded on Chromebooks for remote work which are now slowly being brought into the physical office and must fit in with a Zero Trust security model in which devices need to be authenticated and authorized before providing access to enterprise resources.
One of the ways to implement this Zero Trust security model is through Public Key Infrastructure (PKI)-based digital credentials for user and device authentication. However, manually provisioning these credentials to large volumes of devices and users will be exceedingly difficult given the complexity of today’s ecosystem. More and more organizations are instead automating the process of provisioning digital certificates for devices and users that is acceptable to the enterprise network authentication service and can easily be updated.
Record Shipments
According to the market research firm Canalys, Chromebooks set record shipment volumes in Q4 2020, increasing 287% over Q4 2019 to reach 11.2 million units and a full-year 2020 total of 30.6 million units. Many of these Chromebooks have only been used remotely due to the pandemic. They now must join all the other devices that have been provisioned for the physical corporate network using the enterprise’s Zero Trust model that assumes all users and devices are untrustworthy and must be authenticated. This will be harder for some organizations than others.
Google provides the Certificate Enrollment for Chrome Operating System (OS) extension for requesting device certificates in enterprises. This is accomplished through the deployment of a Microsoft Public Key Infrastructure based on Microsoft Active Directory Certificate Services (ADCS). However, enterprises are moving toward a cloud-first approach for all their applications and operating systems, and more and more enterprises want to move away from managing ADCS. For others, connecting ADCS to their Google MDM ecosystem for certificate provisioning is not an option. Still others rely on digital certificates to achieve passwordless authentication to corporate wireless networks, as well as wired ones. In many cases, there are different network authentication methods depending on whether a user is on-site or remote.
Another complication is that certificate validity is shortening to improve security. This increases the scale and complexity of the renewal process and is one of the prime factors pushing enterprises to automate management of the entire certificate lifecycle.
In general, Chromebook certificate enrollment will place an additional burden on IT and security teams unless it is automated. This makes certificate management manageable, while also eliminating the risk of missing a certificate expiration date and creating a security liability -- a particular risk now, based on the volume of Chromebooks that are about to descend upon many organizations’ help and service desks.
How to Automate
To automate certificate provisioning for Google Chromebooks, the first step is to add the devices to Google MDM management so security controls can be pushed to them. The second step is to use an identity provider that enables Single Sign-On (SSO) and reduced Sign-On (RSO) authentication to employees for internal or external applications. The third step is to work with PKI-as-a-Service (PKIaaS) provider to establish a PKI infrastructure that works in conjunction with Google MDM without having to manage Microsoft ADCS services in-house. This can be achieved with a PKI-aware Request Proxy mechanism. The proxy sits within a PKIaaS provider’s hosted environment to ensure that all requested certificates are from a Chromebook that the organization manages, and a user that has been authenticated by a trusted identity provider service.
The PKIaaS provider enables the organization to not only automate certificate issuance but also manage certificate renewals and revocations. The certificate issuance policies and templates can be defined with these PKIaaS providers. They then push certificate MDM policy to each managed Chromebook and begin the certificate issuance flow when a Chromebook attempts to authenticate to the enterprise network.
The certificate issuance workflow beings when a Chromebook attempts to authenticate to the enterprise network. First, the Chromebook connects to the PKI-aware Request Proxy and is prompted to authenticate via redirect to an enterprise federated identity system. After the certificate request is processed and a certificate is returned to the Chromebook and presented, the user is allowed to access the network.
This workflow provides a strong authentication based on possession of an enterprise-managed Chromebook and logging in with a corporate identity, while ensuring that the user must authenticate to the corporate SSO (federated identity) environment. PKI services also cache an authentication token after successfully passing the previous steps, which enables true automation by allowing the Google MDM and PKI service to monitor for the presence of required certificates. To mitigate the risk of a certificate expiration, organizations can also have their PKIaaS solution alert them before certificate expires and automatically renew it without user intervention and replace it if it is removed from the Chromebook.
The traditional walled-fortress IT security posture is not feasible as the world transitions to hybrid remote and in-person work environments using a growing variety of computing devices and operating systems. While most agree that ensuring Zero Trust security requires a PKI infrastructure that enables organizations to establish trusted machine identities, managing the associated digital certificates has become increasingly difficult to do manually. It will be especially challenging for help desks that are preparing to onboard a flood of Chromebooks as they are brought into the physical workplace during the coming months. Organizations need an easy, cloud-based certificate automation approach that enables these devices to authenticate to enterprise networks in a passwordless, Zero Trust network access environment, while also enabling organizations to keep up with hundreds or thousands of certificate renewals each year.
About the Author:
Mrugesh Chandarana is Director of Product Management, Identity and Access Management (IAM) Solutions, for HID Global, a worldwide leader in trusted identity solutions. Prior to HID Global, Chandarana served in executive positions with RiskSense, Inc., and WhiteHat Security. He holds a Master of Science degree in electrical engineering from San Jose State University.