In May 2021, the White House published its Executive Order (E.O.) on improving the nation’s cybersecurity. We noted at that time how Section 3 of the mandate, entitled “Modernizing Federal Government Cybersecurity,” emphasized the need for Federal Civilian Executive Branch (FCEB) agencies to transition to a Zero Trust Architecture (ZTA). The E.O. specifically referenced the standards and guidance outlined by the National Institute of Standards and Technology (NIST) as a means by which FCEB agencies could migrate to a ZTA.
No doubt the Executive Order was referring to Special Publication (SP) 800-207. Released by NIST in August 2020, the document lists several core components that organizations can use to adopt a zero trust architecture. Among them is enterprise PKI. As quoted from the publication:
"This system is responsible for generating and logging certificates issued by the enterprise to resources, subjects, services and applications. This also includes the global certificate authority ecosystem and the Federal PKI, which may or may not be integrated with the enterprise PKI. This could also be a PKI that is not built upon X.509 certificates."
As part of their use of enterprise PKI, Federal Civilian Executive Branch agencies, critical infrastructure organizations, and other entities need to make sure they are managing their certificates across their entire lifecycle. If they don’t, they could increase their exposure to attack.
This is especially pertinent for organizations’ machine identities. These resources are growing twice as fast as human identities, according to Forbes. This makes the task of machine identity management more difficult for IT and security teams. More Internet of Things (IoT) devices, containers, and other machine-based resources contribute to more administrative workload for these teams. In managing those devices, IT and security personnel might make mistakes that leave their organizations vulnerable to attack—especially if they rely on manual processes.
Teams don’t always have visibility over all their machines either. In the age of hybrid and remote work, employees can introduce new machines and IT assets into their employer’s environment without the knowledge of IT and security. Individual users may also deploy their own keys and certificates for shadow IT outside the guidance of security personnel, thereby increasing the organization’s risk of an outage or compromise.
If security and IT don’t have the requisite levels of visibility, their machine identities could end up in the wrong hands. Malicious actors could then leverage those assets to insert themselves into encrypted communication, evade security controls, impersonate trusted services, or conceal their attack attempts, all for the purpose of moving to critical assets and exfiltrating victims’ sensitive information.
It’s a bit complicated. The problem is that machine identities have become so numerous that they are exceeding many organizations’ management capabilities. Machine identities are not just growing comparatively more quickly than human identities. They’re also increasing in number as the definition of ‘machines’ expands beyond just servers and PCs to include applications, containers, cloud instances, APIs and others. Each one of those machines requires its own identity so that IT and security teams can establish its identity and authenticity. Consequently, organizations typically have anywhere from thousands to millions of certificates and keys across their environments.
Let’s put this growth into perspective with just one element of machine identity growth. According to Forbes, there were 2.25 million robots used by the global workforce in 2019. That’s twice as many machines as there were in 2010. Looking ahead to 2022, approximately a third (32%) of global infrastructure decision-makers said that they expect to leverage robotic process automation (RPA).
As they acknowledge the challenges they face when managing their machine identities, it is essential that organizations consider employing an automated certificate management platform. Such a solution will help organizations to manage their machine identities across their entire lifecycles without human error. These types of tools can help to reduce staff time and operational costs as well as enhance availability, capability and scalability. In the process, they can prevent a certificate outage, thereby reducing the risk of digital attack and protecting an organization’s brand reputation.
Learn more about Venafi’s machine identity management platform here: https://www.venafi.com/platform/trust-protection-platform.