Defining Cloud Agnostic Certificate Security for DevOps: Protecting Machine Identities in Hybrid Clouds [Part 4]

January 6, 2020 | Anastasios Arampatzis

In my first posts in this series, I discussed the growth of hybrid cloud in enterprises, the challenges of protecting machine identities there, and the risks you’ll need to overcome to protect them. Now let’s look at some of the strategies you can use to keep your machine identities safe in hybrid cloud environments.

First let’s talk about the components you’ll need to protect machine identities in the hybrid cloud. If we are to manage machine identities effectively and securely both on-premises and in hybrid cloud environments, we need to develop and operate a security infrastructure that satisfies the following requirements:

  • Use of trusted and protected certificates
  • Certificate Authority (CA) agility
  • Delivery of non-repudiable audit logs and response to audit requests
  • Protection of private keys
  • Integration with vulnerability management and threat intelligence systems
  • Regulatory compliance
  • Resilience to cryptographic compromise
  • Visibility
  • Attestation of corporate compliance

In other words, it is important to develop a consistent security policy that satisfies all of the above security and certificate management requirements. It is also important to understand that this security policy must provide the same level of machine identity protection as in traditional environments. The same visibility, intelligence and automation that is required for traditional, on-premises infrastructure is also required for each of the cloud environments.
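The requirements above are policy, but the point of a consistent policy is that the same checks run against every certificate, wherever it lives. As an added example (not code from the original post or from Venafi), the following Go program encodes four of those requirements, approved issuing CAs, minimum key strength, a cap on validity period and early warning of expiry, and evaluates two constructed certificates against them. The policy values, the issuer names and the hostname are assumptions chosen for the illustration; the certificates are minted in-process so nothing here touches a real CA or cloud account.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy is the set of checks one consistent certificate policy would apply
// to every machine identity, on-premises and in each cloud. The values used
// below are illustrative assumptions, not Venafi or provider defaults.
type Policy struct {
	TrustedIssuers map[string]bool // common names of approved issuing CAs
	MinRSABits     int             // resilience to cryptographic compromise
	MaxValidity    time.Duration   // cap on NotAfter minus NotBefore
	RenewBefore    time.Duration   // flag certificates this close to expiry
}

// Evaluate returns the policy findings for one certificate at time now.
// An empty slice means the certificate is compliant.
func Evaluate(p Policy, c *x509.Certificate, now time.Time) []string {
	var findings []string
	if !p.TrustedIssuers[c.Issuer.CommonName] {
		findings = append(findings, "issuer not in approved CA list: "+c.Issuer.CommonName)
	}
	switch k := c.PublicKey.(type) {
	case *rsa.PublicKey:
		if k.N.BitLen() < p.MinRSABits {
			findings = append(findings, fmt.Sprintf("RSA key below %d bits: %d", p.MinRSABits, k.N.BitLen()))
		}
	case *ecdsa.PublicKey:
		// ECDSA on a named curve is accepted by this policy.
	default:
		findings = append(findings, "unsupported public key type")
	}
	if c.NotAfter.Sub(c.NotBefore) > p.MaxValidity {
		findings = append(findings, "validity period exceeds policy maximum")
	}
	if now.After(c.NotAfter) {
		findings = append(findings, "certificate has expired")
	} else if c.NotAfter.Sub(now) < p.RenewBefore {
		findings = append(findings, "certificate is due for renewal")
	}
	return findings
}

// newTestCert mints a constructed certificate for the example. It carries pub
// as its subject key, is signed by signer, and names issuerCN as the issuer by
// signing against a bare parent template whose subject is that name.
func newTestCert(issuerCN string, signer crypto.Signer, pub crypto.PublicKey, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "app.example.internal"}, // assumed hostname
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuerCN}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// EvaluateSamples runs the policy over two constructed certificates: one that
// follows every rule and one that breaks every rule. Both finding lists are
// returned so the behaviour can be checked without reading printed output.
func EvaluateSamples(now time.Time) (compliant, nonCompliant []string, err error) {
	policy := Policy{
		TrustedIssuers: map[string]bool{"Corp Issuing CA": true}, // assumed CA name
		MinRSABits:     2048,
		MaxValidity:    398 * 24 * time.Hour,
		RenewBefore:    30 * 24 * time.Hour,
	}
	day := 24 * time.Hour

	// Compliant: approved issuer, P-256 key, 90-day validity.
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	good, err := newTestCert("Corp Issuing CA", ecKey, &ecKey.PublicKey, now, now.Add(90*day))
	if err != nil {
		return nil, nil, err
	}

	// Non-compliant: unapproved issuer, 1024-bit RSA key, three-year validity, expires in ten days.
	rsaKey, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		return nil, nil, err
	}
	bad, err := newTestCert("Self-Service Dev CA", rsaKey, &rsaKey.PublicKey, now.Add(-3*365*day), now.Add(10*day))
	if err != nil {
		return nil, nil, err
	}
	return Evaluate(policy, good, now), Evaluate(policy, bad, now), nil
}

func main() {
	compliant, nonCompliant, err := EvaluateSamples(time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println("compliant certificate findings:", compliant)
	for _, f := range nonCompliant {
		fmt.Println("non-compliant certificate:", f)
	}
}
```

In a real deployment the two constructed certificates would be replaced by an inventory gathered from every environment (the "visibility" requirement), and the findings would feed the audit log and the renewal workflow; the value of the approach is that the policy struct is the same object regardless of which cloud or data centre the certificate came from.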



Who’s Responsible for Machine Identity Protection in the Cloud?

Before discussing the elements of the certificate management policy, it is important to understand the shared responsibility model for both Amazon AWS and Microsoft Azure, where a great deal of misunderstanding and fog exists.

AWS’s shared responsibility model is described on its website, where it is noted that “Security and Compliance is a shared responsibility between AWS and the customer.” Specifically, AWS is responsible for the “security of the cloud”. “AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.”

On the other hand, the customer is responsible for the “security in the cloud”. Per AWS “The customer assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software as well as the configuration of the AWS provided security group firewall. Customers should carefully consider the services they choose as their responsibilities vary depending on the services used, the integration of those services into their IT environment, and applicable laws and regulations.”

What AWS actually says is that within the cloud it is the customer who is responsible for machine identity protection. The customer is responsible for network traffic encryption, client-side encryption, server-side encryption and identity and access management.

Microsoft Azure has a bit of a different approach to shared responsibility, but essentially responsibility for identity and directory infrastructure, as well as network controls and applications for PaaS and IaaS are retained by the customer. The only aspect of security that transfers wholly to Azure is physical security. Per Microsoft’s words “Ensuring that the data and its classification is done correctly and that the solution will be compliant with regulatory obligations is the responsibility of the customer. Physical security is the one responsibility that is wholly owned by cloud service providers when using cloud computing.”

These clarifications should clear away the fog on who is responsible for what. Clearly, customers are responsible for machine identity protection. It should be equally clear that a consistent certificate management policy has to be developed and enforced in order to provide a smooth migration to hybrid cloud environments. Venafi has a comprehensive platform for machine identity protection that enforces consistent policies across all environments, which makes it well suited to a hybrid cloud strategy.

Are you providing as much protection for your machine identities in the cloud as you are for those on-premises?

About the author

Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.
