Just a few years ago, the number of keys and certificates most organizations needed to serve as machine identities was relatively manageable. As a matter of fact, the number of machine identities you were managing a few years ago is just a fraction of what you need today. Plus, earlier machine identities didn’t need to be updated or changed as often as they do now. And, to make matters worse, unmanaged machine identities weren’t targeted by cybercriminals nearly as often in the past as they are now.
But everything has changed. These new risks have made the need to manage and protect machine identities far more urgent, but most organizations are still trying to protect them using the technology they used a decade ago.
Here are three reasons why traditional approaches to certificate management can’t keep pace with the rapid evolution of your machine identities.
1. Manual tracking doesn’t scale
Despite the accelerated use of keys and certificates, more than half of organizations still use some form of manual tracking to manage their machine identities. Like these organizations, you may have tried to build an inventory of keys and certificates on spreadsheets or by using shared Intranet databases. You probably learned the hard way that this manual approach isn’t just error-prone; it’s a recurring headache. The enrollment, distribution, validation, and revocation stages of the certificate lifecycle are difficult enough to keep up with in a small company, let alone for the number of certificates that exist in a massive enterprise.
Most companies don’t even know how many certificates they have, and managing them to the meticulous degree necessary to avoid outages, misuse, or compromise is simply impossible to do manually. You’re probably tracking only a tiny fraction of the machine identities used for a subset of critical services, leaving the machine identities that support important business functions unmanaged and unprotected.
2. Home-grown scripts are too rigid
When organizations try to automate manual machine identity processes, they often start by using custom software scripts. These programs rarely collect all the information necessary to manage and protect machine identities. After all, some of the vital information you need can’t even be learned from the keys and certificates themselves. Where a certificate is located, who owns it, and which protocol it’s using are just some of the key things you need to know about your certificates.
Home-grown scripts are also cumbersome and difficult to maintain. But you may face an even more challenging problem with home-grown scripts. When the script developer changes positions or leaves the company, you’re left with a custom-built tool that’s difficult or impossible to adjust or use.
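To make concrete what a certificate can and cannot tell you about itself, here is an added example in Go; it is not Venafi’s code and not part of the original post. It reads the fields any scanner can pull from the certificate (subject, expiry, a SHA-256 fingerprint) and joins them against a separate ownership registry for the facts the certificate never carries (owner, installed location), reporting every expiry or gap. The three certificates and the registry are constructed in-memory test data, and keying the registry by fingerprint is an assumption of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Ownership holds what a certificate cannot tell you about itself. Here it
// comes from a constructed in-memory registry; in practice it would be a CMDB
// or deployment record (assumption of this example).
type Ownership struct {
	Owner    string // team accountable for renewal
	Location string // host and path where the certificate is installed
}

// Finding is one inventory problem that needs an action.
type Finding struct {
	Fingerprint string
	Subject     string
	Issue       string
}

// Issue labels produced by Inventory.
const (
	IssueExpired    = "expired"
	IssueExpiring   = "expires within warning window"
	IssueNoOwner    = "no owner recorded"
	IssueNoLocation = "no installed location recorded"
)

// Fingerprint returns the hex SHA-256 of the DER encoding, a stable key that
// does not collide when two certificates share a subject name.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return fmt.Sprintf("%x", sum[:])
}

// Inventory combines fields readable from the certificate (subject, expiry)
// with registry data the certificate cannot carry (owner, location).
func Inventory(certs []*x509.Certificate, registry map[string]Ownership,
	now time.Time, warnWithin time.Duration) []Finding {
	var findings []Finding
	add := func(c *x509.Certificate, issue string) {
		findings = append(findings, Finding{Fingerprint(c), c.Subject.CommonName, issue})
	}
	for _, c := range certs {
		switch {
		case now.After(c.NotAfter):
			add(c, IssueExpired)
		case c.NotAfter.Sub(now) < warnWithin:
			add(c, IssueExpiring)
		}
		own, known := registry[Fingerprint(c)]
		if !known || own.Owner == "" {
			add(c, IssueNoOwner)
		}
		if !known || own.Location == "" {
			add(c, IssueNoLocation)
		}
	}
	return findings
}

// makeTestCert builds a self-signed certificate as constructed input; it is
// not issued by any real CA.
func makeTestCert(serial int64, cn string, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildDemo constructs three certificates and a partial registry: one fully
// tracked and healthy, one expiring soon with no recorded location, and one
// already expired that nobody registered at all.
func BuildDemo(now time.Time) ([]*x509.Certificate, map[string]Ownership, error) {
	day := 24 * time.Hour
	specs := []struct {
		cn  string
		exp time.Duration
	}{{"api.example.test", 400 * day}, {"legacy.example.test", 10 * day}, {"orphan.example.test", -5 * day}}
	var certs []*x509.Certificate
	for i, s := range specs {
		c, err := makeTestCert(int64(i+1), s.cn, now.Add(s.exp))
		if err != nil {
			return nil, nil, err
		}
		certs = append(certs, c)
	}
	registry := map[string]Ownership{
		Fingerprint(certs[0]): {Owner: "platform-team", Location: "web01:/etc/ssl/api.pem"},
		Fingerprint(certs[1]): {Owner: "legacy-app-team"}, // location never recorded
	}
	return certs, registry, nil
}

func main() {
	now := time.Now()
	certs, registry, err := BuildDemo(now)
	if err != nil {
		panic(err)
	}
	for _, f := range Inventory(certs, registry, now, 30*24*time.Hour) {
		fmt.Printf("%s %-22s %s\n", f.Fingerprint[:12], f.Subject, f.Issue)
	}
}
```

The split between the two data sources is the point: the scanner half is easy to write, but the registry half is the part a home-grown script rarely maintains, and every certificate with a "no owner" or "no location" finding is one that nobody will renew or rotate in time.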
3. Siloed management tools are too limiting
It’s easy to turn to siloed management tools, such as those provided by your CAs, to manage your certificates. Unfortunately, the information these siloed management tools deliver isn’t sufficient to manage your machine identities.
Each tool can only manage a limited set of certificates issued by that CA, making it difficult to prioritize security risks across all certificates and efficiently deploy limited resources to address them. Even more challenging, these siloed tools don’t contain information about where certificates are installed. Without this basic information, it’s nearly impossible to track down a certificate’s location quickly.
Traditional certificate management tools are not dynamic enough to keep pace with the rapidly evolving world of machine identities. While they may have worked for a limited number of physical machines, they can’t stretch to support the surging number of physical and virtual machines on enterprise networks. Relying exclusively on these tools also makes it difficult to identify weaknesses or detect vulnerabilities either in the certificates or on the servers where they’re installed.
We completely understand that moving processes into automation can seem daunting, but Venafi will be there for you every step of the way. Our extensive onboard discovery process will help you inventory your network and roll out new workflows.
NOTE: This blog has been updated. It was originally posted by Scott Carter on July 30, 2019.