Your organization’s security is only as successful as your people. Granted, administrators are responsible for the infrastructure and possibly even the policies that govern machine identities, but they rarely create that policy, request the infrastructure, or install the software.
Lately, my team has been doing a lot of talking about service ownership and how it relates to Public Key Infrastructure (PKI) and machine identities. This is a topic that very strongly resonates with me. Having been a Service Owner twice and having worked closely with other Service Owners, I tend to look at things a bit differently than do my peers who are more experienced on the vendor side. What I’ve experienced firsthand is often 90 degrees different than some of the product-focused thinking that actively happens within many security vendors.
Let me put it this way. When Venafi CEO Jeff Hudson says that the perimeter is done, he may be thinking about it from more facets than many folks realize. It’s easy to think “perimeter” and associate “firewall” with it. But in today’s mega corporations, you have these “companies inside the company” that are in essence unique technology shops with their own internal customers. The roles and responsibilities of a Service Owner, depending on how they are described in terms of people and interactions, are almost analogous to a CEO type of role for a startup. The customers are the internal Business Units, and their requirements vary widely.
In a large financial organization, for example, the asset management group, the consumer banking group, and the capital markets group may all be different ‘customers’ to an internally provided technology service. Some of these different major groups are enthusiastic about machine identity protection, and others may say, “I need these 20 things before we can even think about machine identity protection.”
Service owners are thinking about things like: How is the service definition evolving—what’s a SKU and what’s a feature underneath a SKU? What’s the roadmap? How much does it cost to produce the service and what are the economics that go with it? How is communication happening to the users and what’s the feedback loop? Yes, Net Promoter Score (NPS) may matter there too.
When we assure these Business Units that using a platform for machine identity protection lets them get more done, they get on board more quickly. Some Business Units need more convincing. But ultimately, having Visibility into the inventory of machine identities, Intelligence to know which ones comply with security policy, and Automation is a win-win-win. Human error is reduced, security is increased, and the efficiency gains translate to money that can be re-invested in your core business.
How complete is your Machine Identity Protection?