6 quick questions about PKI and Zero Trust to a security expert
As cyber threats grow and regulations tighten, identity management has become central to every modern security strategy. Zero Trust has emerged as a key concept, but what does it mean in practice? And how does it relate to technologies like PKI and certificate-based authentication?
We asked six quick questions to Per-Olov Sjöholm, security expert at B3 Init AB, to clarify how organizations can build a scalable and future-proof solution for identity and access.
What does Zero Trust mean in an era of cloud services, remote work, and IoT?
Today, there is no longer a clear boundary between "inside" and "outside" the network. Security must therefore be embedded in every access and every session, and this is where Zero Trust comes in. Zero Trust means that no user or device is automatically trusted. Every access must be verified, every session monitored, and permissions limited to the absolute minimum. It is based on the principle of "never trust, always verify" and shifts security closer to the actual use of information, rather than relying on outdated thinking where everything inside the firewall is considered safe.
Is PKI connected to Zero Trust?
Yes, absolutely. PKI (Public Key Infrastructure) is one of the most important building blocks in a Zero Trust architecture. By using certificates, strong and verifiable identities can be created for users, servers, applications, and machines. This means that every entity or person trying to access a resource must first securely prove their identity. For example, banks can use PKI to reduce or completely eliminate reliance on passwords in critical systems. In industry, PKI enables secure communication between machines on the production line, reducing the risk of manipulation and operational disruptions. PKI is not just a technical solution; it’s a strategic investment in trust and security, provided that key management, policies, and lifecycle handling are done correctly.
What market trends are linked to Zero Trust?
A clear trend is that identity has become the new security perimeter. In a Zero Trust model, it is no longer the network that determines access, but who or what is trying to gain access. This applies not only to people, but also to systems, containers, applications, and IoT devices. Organizations therefore need to build scalable identity management that covers the entire IT environment. This means that every new resource, like a sensor in a factory or a microservice in the cloud, should automatically be assigned a unique, traceable identity. That way, every access attempt can be verified and controlled, which is the core of the “never trust, always verify” principle.
How do hybrid and multicloud environments affect Zero Trust?
Hybrid and multicloud environments are now standard for many organizations, but they also create security challenges. When resources exist both locally on-premises and in various cloud services, inconsistencies in security policies and access controls can arise. Zero Trust offers a solution by introducing unified security principles regardless of where resources are located. By making identity the common denominator, organizations can manage access consistently and reduce the risk of misconfigurations. This ensures that hybrid environments do not become a patchwork of security gaps, but rather an integrated whole.
Why is automation important in Zero Trust?
Zero Trust is built on continuous verification, which means identities, certificates, and access controls must be updated in real time. Manual processes are not sufficient when an organization manages thousands of users, servers, and devices. Automation makes it possible to handle the certificate lifecycle, from issuance to revocation, with minimal manual administration. Through DevSecOps, new resources automatically receive secure identities upon creation. This reduces the risk of temporary systems becoming security vulnerabilities. Automation is therefore key to maintaining Zero Trust at scale without overburdening the organization.
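To make the certificate lifecycle described above concrete, here is an added Go example (written for this page, not code from the interview or from B3 Init): an in-memory issuing CA signs a short-lived client certificate for a machine identity, and a verifier checks the trusted chain, the validity window, client-authentication usage and the exact identity before access is granted. The SPIFFE-style workload URI and the CA name are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net/url"
	"time"
)
// WorkloadID is a constructed placeholder identity for one machine, not a real deployment.
var WorkloadID, _ = url.Parse("spiffe://example.invalid/factory/sensor-42")
// issue signs tmpl with signer, naming parent as the issuer, and parses the result.
func issue(tmpl, parent *x509.Certificate, pub, signer any) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// IssueWorkloadCert is the automated issuance step: an in-memory issuing CA (example only; a real CA key lives in an HSM) signs a short-lived client certificate carrying the workload URI.
func IssueWorkloadCert(id *url.URL, ttl time.Duration) (leaf, ca *x509.Certificate, err error) {
	caPub, caKey, err1 := ed25519.GenerateKey(rand.Reader)
	leafPub, _, err2 := ed25519.GenerateKey(rand.Reader) // the workload keeps its private key
	if err = errors.Join(err1, err2); err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour)}
	if ca, err = issue(caTmpl, caTmpl, caPub, caKey); err != nil {
		return nil, nil, err
	}
	leaf, err = issue(&x509.Certificate{SerialNumber: big.NewInt(2), URIs: []*url.URL{id}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl)}, ca, leafPub, caKey)
	return leaf, ca, err
}
// VerifyWorkload is the "always verify" step: trusted chain, validity at now, client-auth usage, and the exact identity policy expects.
func VerifyWorkload(cert, ca *x509.Certificate, want *url.URL, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err
	}
	if len(cert.URIs) != 1 || cert.URIs[0].String() != want.String() {
		return errors.New("certificate does not assert the expected workload identity")
	}
	return nil
}
```

Because the certificate is short-lived, an expired identity, a certificate asserting a different workload, or one signed by an untrusted issuer is rejected by VerifyWorkload without any revocation lookup; renewal before expiry is what the automation has to guarantee.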
What is the first step for organizations wanting to adopt Zero Trust and PKI?
The most important step is to start with a thorough assessment of the current state. Map out how identities are managed today, for users, systems, and devices. Identify where weak methods like passwords are used, and where certificate-based authentication could improve security. Review access levels, permissions, and logging. Are there over-assigned privileges or poor traceability? Also, inventory the infrastructure, especially in hybrid and multicloud environments, and assess whether security policies are consistent. Finally, examine processes and regulations. Zero Trust can help meet regulatory requirements through improved traceability, strict access control, and reduced risk exposure. By measuring progress and risk reduction, you can justify investments and strategically guide your security efforts.
Contact us to learn more about how you can build a Zero Trust architecture with PKI.
Published 12/11 2025