While technology changes rapidly, one constant is the use of Google and its spread across all facets of business technology. But how people connect to Google services and how they secure it has certainly undergone change.
Organizations are finding that simple credential-based cybersecurity does not come close to providing the security they need. This includes organizations that provide Google Wi-Fi that relies on Active Directory (AD) and NPS to secure network users. While some have taken steps to upgrade AD, there are other solutions that provide a better cybersecurity experience for admins and users.
Why Move Away From Credentials?
Famously, passwords are the lowest form of authentication security as there are innumerable methods to bypass them. They can be stolen in the air with a Man-in-the-Middle attack, bulldozed by a Brute Force attack, coerced from a user with Phishing, and so many more. Simply put, security that relies on passwords is bad security.
In addition to being easily hacked, passwords provide a poor user experience. Besides having to remember countless different passwords and physically entering them to log in, upholding credential best practices is a nuisance.
In order to maintain best practices, users should have a unique and complex password for every single account they use across all social media, email, work accounts, etc. Those passwords should never be written down for fear of losing them, and they should be regularly changed. Many businesses and universities will require password expiration policies, and for good reason – passwords are constantly vulnerable to theft.
Overall, the issue with credentials can be summed up by the concept that they rely far too heavily on the human component. In cybersecurity, the user is almost always the weakest link in the security chain and the goal should be to reduce their role in maintaining a secure network.
Google Wi-Fi and Active Directory
A common network setup for many organizations is to support Google Wi-Fi to enable Google Workspace tools by using AD, Active Directory Certificate Services (AD CS), and NPS to authenticate users. While enabling AD CS is certainly a step up from solely using credentials, it isn’t the best solution available for authentication security.
Over Reliance on On-Premise Infrastructure
AD CS is an on-premise PKI and NPS is an on-premise RADIUS server. The underlying trend of cybersecurity is an increased reliance and transition to cloud-based technologies.
On-premise infrastructure is quickly becoming outdated and does not have the longevity to be viable years down the road. It requires frequent maintenance, physical security to ensure it is not damaged or tampered with, and is difficult to scale over time as your organization grows.
Already, many new cloud technologies are built without direct compatibility with on-premise technology – what will the situation be just 5 years down the road? As networking drives towards a cloud-based future, maintaining extensive on-premise infrastructure will become more difficult to adapt.
Certificate Services without Support
While upgrading from credentials to certificates for authentication is a step in the right direction, AD CS simply doesn’t provide the tools most organizations need to be effective with certificates.
AD CS does not come with a certificate management software package or reporting software. Without these tools, admins can easily lose track of who has certificates and what they are used for. Certificates require management over their lifecycle to be an effective security tool, and without software to back them up, it can take a team of PKI professionals to maintain.
Another issue many organizations run into is difficulty provisioning devices with certificates. While this isn’t an issue for IT professionals, the average network user will be at a loss when equipping their device with a certificate. Even with a detailed setup guide, the steps involved will confuse many and lead to support ticket requests.
Any organization that isn’t exclusively Microsoft products is bound to experience configuration issues. Many organizations, especially those that enable BYOD, do not have ubiquitous device OS. Those users will likely need extensive support to configure their devices.
Perhaps the most visible issue when combining Google-based Wi-Fi and AD CS is the requirement to use AD. Organization’s cannot use another directory service to enable AD CS. If a university wants to stick with their Google directory because it enables users to enjoy an SSO policy, they would be required to transition to AD.
Using Google Wi-Fi and AD can be done and be effective, but there are a number of caveats that come with it. Simpler solutions exist to help organizations make the switch away from credential-based authentication.
Google Wi-Fi and SecureW2
SecureW2’s primary function is to enable organizations to move from credentials to certificates as seamlessly as possible. It is designed to work with any Wi-Fi infrastructure, which certainly includes Google. For admins, configuration is easy and you can have your network fully customized and ready to authenticate certificates within a day.
As a complete certificate solution, our main focus is to make everything to do with authenticate run smoothly. Our certificates can be used to enable an SSO policy based around your Google identity so a single device certificate can authenticate to all Google Workspace applications. Of course, those devices must be equipped with a certificate, and the JoinNow onboarding solution can provision users with a certificate in minutes.
Our turnkey PKI integrates with Google directory to populate user’s certificates with their Google identity. It is an HSM-backed cloud PKI, ensuring that it is both highly secure and easy to configure and scale with your organization. The wide range of certificate capabilities provided by SecureW2 begins here.
And to authenticate those users, the Cloud RADIUS stands ready. As with all other SecureW2 tech, it integrates easily with any network infrastructure, is cloud-based, and allows for scalability over time.
It is excellent for VPN authentication, web app authentication, multi-factor authentication, and more. With the increase in remote work, cybersecurity has never been more important for remote workers, and certificate-based VPN has you covered. Authentication with certificates simply cannot be matched by any credential-based methods.
Cloud RADIUS also provides the capability for dynamic authentication. If a user required updated network permissions, say for a promotion, they would need to be issued all new certificates. With dynamic authentication, their Google identity could be updated to reflect the new policy settings. Cloud RADIUS would communicate with the IDP during authentication and provide them with an updated network experience without ever needing to reissue a certificate.
Cybersecurity for the Cloud
A key tenant for cybersecurity is to protect against any possible threats without hindering the network experience for users. While combining AD and Google Wi-Fi does provide sufficient security, it can be a hindrance for both admins and users.
SecureW2’s certificate solutions aim to provide the best experience for all while protecting against the numerous threats facing organizations today. Check out our pricing page to see if our certificate solutions can fit your organization’s needs.
