Using Certificates for Device Trust in a Zero Trust Environment

Written by Zach DeMeyer on December 28, 2020


In order to secure their fully remote workforce, many organizations are shifting from the traditional, perimeter-based security approach to a Zero Trust model. A major aspect of this shift is building trust on end user devices and ensuring that only properly managed and configured devices access organizational resources. Using a cloud directory platform, IT administrators can establish certificate-based trust to remotely secure end user devices.

What is Zero Trust?

Zero Trust security is an IT strategy that moves away from a perimeter-based security model toward one that supports employees working remotely, without requiring them to connect to the network behind the firewall. In a Zero Trust security model, users, devices, networks, and other resources are all untrusted by default and remain so until they are explicitly verified. A directory platform like JumpCloud offers an out-of-the-box solution for organizations looking to move to a Zero Trust security model without designing, deploying, and managing a complex solution themselves.

A Zero Trust security model puts the “Trust Nothing, Verify Everything” principle into practice. Under this model, employees must be on trusted devices and trusted networks before they can authenticate and be authorized to access resources. By installing a certificate at the beginning of the device deployment process, IT organizations can establish trust for that device. JumpCloud’s conditional access relies on that certificate, installed on the machine, to begin the chain of trust.

The first step toward Zero Trust

With JumpCloud, you can provision, manage, and control user accounts by providing user access across your device endpoints — all from your web-based console. JumpCloud is compatible with Mac®, Windows®, and Linux®, so you can begin implementing Zero Trust Security regardless of your organization or users’ choice of device.

It all starts by downloading JumpCloud’s system agent/daemon onto user devices. Doing so installs a certificate on each device, designating it as a trusted device. From there, you can then enforce permission settings and secure password policies across your entire fleet.

The device is verified first, and then the user is authenticated. Then, JumpCloud’s agent can manage configuration settings across your entire lineup of devices. Some example Policies you can enforce are:

Even though an IT administrator has full control over a workstation for security and compliance, the end user still has a quality experience. JumpCloud uses a lightweight agent to maintain communication with JumpCloud’s directory services to verify user identity, and it doesn’t require a VPN to maintain a secure integration. It also receives instructions, commands, and user account changes. By avoiding the VPN connection, end users get their local internet connection’s full speed without worrying about overhead.

Combining Devices and Identities

The intersection between device management and identity management is something that all IT managers should consider as well. Throughout a Zero Trust Security lifecycle, verifying someone’s identity across a wide range of products and services will be required. JumpCloud’s Zero Trust implementation simplifies this process for organizations looking to secure their operations beyond the firewall. The process is simpler because identity authentication and device authentication are built into the same platform.

When you connect your Zero Trust Security strategy with a hosted directory service, your users will have an easy way to change their passwords and access resources in Google Workspace, Azure® Active Directory® (Microsoft 365™), on-premises AD, and SaaS products through a unified identity and access management system.

Then, using a solution like JumpCloud, admins can enforce Conditional Access policies, restricting access to applications and infrastructure to only devices that hold the trust certificate. Going further, admins can also create lists of allowed IPs, ensuring that users must be on a trusted network as well as a trusted device before accessing data.

Admins can follow up by enforcing or relaxing multi-factor authentication based on whether users are on a trusted device/network or not. This both promotes security by blocking unauthorized access while also streamlining end users’ ability to work securely.
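The decision flow described above (device verified first, then the user, then the network, with MFA relaxed only when both device and network are trusted) as an added, stand-alone example; this is not JumpCloud’s code. It assumes a hypothetical enrollment registry keyed by certificate fingerprint and a constructed allowed-IP list; the certificate bytes in the demo are constructed sample data, not real DER.

```python
"""Conditional-access evaluator modelled on the policy described in the post.

Added illustration, not JumpCloud's implementation. Device trust is reduced to
"presents a certificate whose fingerprint is enrolled and unexpired"; network
trust is "source IP falls inside an allowed range"; MFA is relaxed only when
both hold. The registry and ranges are hypothetical, constructed values.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
import ipaddress

# Hypothetical enrollment registry: SHA-256 fingerprint of the device cert -> expiry.
ENROLLED: dict[str, datetime] = {}
# Constructed allowed-IP list (documentation ranges, not real infrastructure).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("10.0.0.0/8")]


def utc(year: int, month: int, day: int) -> datetime:
    """Timezone-aware UTC timestamp helper so checks never depend on wall-clock."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def fingerprint(cert_der: bytes) -> str:
    """Certificate identity is its SHA-256 fingerprint, as enrollment systems use."""
    return hashlib.sha256(cert_der).hexdigest()


def enroll(cert_der: bytes, not_after: datetime) -> None:
    """Record a device certificate as trusted until not_after (agent install step)."""
    ENROLLED[fingerprint(cert_der)] = not_after


@dataclass
class Decision:
    allowed: bool
    mfa_required: bool
    reason: str


def evaluate(cert_der, source_ip: str, user_authenticated: bool, now: datetime) -> Decision:
    # Step 1: the device is verified before the user is even considered.
    expiry = ENROLLED.get(fingerprint(cert_der)) if cert_der else None
    if expiry is None or now >= expiry:
        return Decision(False, False, "device not trusted: no enrolled, unexpired certificate")
    # Step 2: user authentication against the directory.
    if not user_authenticated:
        return Decision(False, False, "user not authenticated")
    # Step 3: network trust from the allowed-IP list.
    network_trusted = any(ipaddress.ip_address(source_ip) in net for net in TRUSTED_NETWORKS)
    # Step 4: MFA is relaxed only on a trusted device AND a trusted network.
    if network_trusted:
        return Decision(True, False, "trusted device on trusted network: MFA relaxed")
    return Decision(True, True, "trusted device on untrusted network: MFA required")
```

An expired or unknown certificate fails at step 1 regardless of IP or credentials, which is the ordering the post describes.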

Learn More

Is your organization ready to begin your journey to a Zero Trust model of IT security? Get your copy of this new Forrester Research guide, which provides actionable takeaways for implementing a Zero Trust model at your organization.

Get your free copy of the report to learn about:

  • How to start building a Zero Trust roadmap
  • Assessing your organization’s Zero Trust architecture and maturity today
  • Identifying and partnering with key stakeholders for a security strategy shift
  • The vital components for Zero Trust with current security controls (and what you may need to replace)

You can also get started using the JumpCloud Directory Platform as a turnkey identity, access, and device management solution for implementing Zero Trust. Your first 10 users and devices in the platform are free to use to get your bearings, so sign up today — no credit card required.
