Establishing Zero Trust with Certificate Lifecycle Automation

March 28, 2022 | David Bisson

In May 2021, the White House published its Executive Order (E.O.) on improving the nation’s cybersecurity. We noted at that time how Section 3 of the mandate, entitled “Modernizing Federal Government Cybersecurity,” emphasized the need for Federal Civilian Executive Branch (FCEB) agencies to transition to a Zero Trust Architecture (ZTA). The E.O. specifically referenced the standards and guidance outlined by the National Institute of Standards and Technology (NIST) as a means by which FCEB agencies could migrate to a ZTA.

Examining one of NIST’s migration steps

No doubt the Executive Order was referring to Special Publication (SP) 800-207. Released by NIST in August 2020, the document lists several core components that organizations can use to adopt a zero trust architecture. Among them is enterprise PKI. As quoted from the publication:

"This system is responsible for generating and logging certificates issued by the enterprise to resources, subjects, services and applications. This also includes the global certificate authority ecosystem and the Federal PKI, which may or may not be integrated with the enterprise PKI. This could also be a PKI that is not built upon X.509 certificates."

As part of their use of enterprise PKI, Federal Civilian Executive Branch agencies, critical infrastructure organizations, and other entities need to make sure they are managing their certificates across their entire lifecycle. If they don’t, they increase their exposure to attack.

This is especially pertinent for organizations’ machine identities. These resources are growing twice as fast as human identities, according to Forbes. This makes the task of machine identity management more difficult for IT and security teams. More Internet of Things (IoT) devices, containers, and other machine-based resources contribute to more administrative workload for these teams. In managing those devices, IT and security personnel might make mistakes that leave their organizations vulnerable to attack—especially if they rely on manual processes.

Teams don’t always have visibility over all their machines either. In the age of hybrid and remote work, employees can introduce new machines and IT assets into their employer’s environment without the knowledge of IT and security. Individual users may also deploy their own keys and certificates for shadow IT outside the guidance of security personnel, thereby increasing the organization’s risk of an outage or compromise.

If security and IT don’t have the requisite levels of visibility, their machine identities could end up in the wrong hands. Malicious actors could then leverage those assets to insert themselves into encrypted communication, evade security controls, impersonate trusted services, or conceal their attack attempts, all for the purpose of moving to critical assets and exfiltrating victims’ sensitive information.

So, where does this leave machine identity management?

It’s a bit complicated. The problem is that machine identities have become so numerous that they exceed many organizations’ management capabilities. Machine identities are not just growing more quickly than human identities. They are also increasing in number as the definition of ‘machines’ expands beyond servers and PCs to include applications, containers, cloud instances, APIs and others. Each of those machines requires its own identity so that IT and security teams can verify its identity and authenticity. Consequently, organizations typically use anywhere from thousands to millions of certificates and keys across their environments.

Let’s put this growth into perspective with just one element of machine identity growth. According to Forbes, there were 2.25 million robots used by the global workforce in 2019. That’s twice as many machines as there were in 2010. Looking ahead to 2022, approximately a third (32%) of global infrastructure decision-makers said that they expect to leverage robotic process automation (RPA).

Machine identity management solutions

Organizations that acknowledge the challenges of managing their machine identities should consider an automated certificate management platform. Such a solution helps them manage machine identities across their entire lifecycle without the human error that manual processes introduce. These tools can reduce staff time and operational costs as well as enhance availability, capability and scalability. They can also prevent certificate outages, thereby reducing the risk of digital attack and protecting the organization’s brand reputation.
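As an added illustration (not code from the original post or from Venafi), the following Go program shows the kind of lifecycle check an automated platform runs continuously: it classifies each certificate in an inventory as expired, expiring inside a renewal window, or healthy, so renewals are scheduled before an outage occurs. The certificate is a self-signed test certificate constructed inline, and the hostname is a placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Status summarises where a certificate sits in its lifecycle.
type Status string

// Lifecycle buckets an inventory report sorts certificates into.
const StatusExpired, StatusExpiring, StatusOK Status = "EXPIRED", "EXPIRING", "OK"

// Classify returns the lifecycle status of cert at time now plus the whole
// days left; anything inside warnDays of expiry is flagged for renewal.
func Classify(cert *x509.Certificate, now time.Time, warnDays int) (Status, int) {
	days := int(cert.NotAfter.Sub(now).Hours() / 24)
	switch {
	case now.After(cert.NotAfter):
		return StatusExpired, days
	case days < warnDays:
		return StatusExpiring, days
	}
	return StatusOK, days
}

// SelfSigned builds a constructed, self-signed test certificate (not a real
// machine identity) so the inventory check runs offline.
func SelfSigned(cn string, notBefore, notAfter time.Time) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	now, day := time.Now(), 24*time.Hour
	c := SelfSigned("legacy.example.internal", now.Add(-day), now.Add(10*day)) // constructed
	s, d := Classify(c, now, 30)
	fmt.Printf("%s: %s, %d days left\n", c.Subject.CommonName, s, d)
}
```

In a real deployment the inventory would come from discovery of every endpoint, not a hand-built list, which is exactly the visibility gap the post describes.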

About the author

David Bisson

David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.