Hollebeek argued that this is the right move, given that “many of these applications need no communication outside of the company network and will therefore be more securely protected on an internal PKI, where the organization can configure certificates as they see fit.”
Erik Avakian, a technical counselor at consulting firm Info-Tech, agreed. “Google is actually doing the right thing,” he said. “This is good because it goes back to the concept of least privilege” where certs are used “only for the intended purpose. It’s about zero trust” when “certificates are separated like this.”
Avakian said most users will do whatever is convenient, unless they’re required to do otherwise. “It helps to be forced to do better security,” he said. “Users want to get things done quickly and easily. It comes down to culture, to costs, to ease.”