Skip to main content
banner image
venafi logo

Machine Identity Protection: Evolving from Homegrown to Off-the-shelf

Machine Identity Protection: Evolving from Homegrown to Off-the-shelf

September 21, 2017 | Steve Jordan, Senior Vice President/Technology Area Manager, Wells Fargo

Any time you switch from a homegrown internally developed application to one that is purchased off the shelf from a vendor, you’re going to face a challenging task. Based on my own experience, this is especially true when the application you’re replacing is used to manage digital certificates. Most large companies initially created their own certificate management application because in the early days there was a lack of mature tools in the commercial space. This is no longer the case and more and more companies are moving towards an off-the-shelf solution. I’d like to offer you some practical advice on how to make that transition as smooth and productive as possible as you migrate to mature machine identity protection.

First of all, the transition itself needs to be well thought out and communicated prior to execution. If you don’t do this, the migration will end up as a disaster. Administrators will be hesitant to move to a new tool because they are already familiar with the current tool and the processes that surround it. To minimize this resistance, you will need to have a comprehensive training strategy for getting them familiar with the new tool prior to them actually migrating to it. You need to show them that the new tool will provide better automation, more efficiency, and basically that it will make their jobs easier. Conducting multiple short duration (2-4 hours) sessions seems to work well. This gives the people time to digest the information previously provided and to bring questions in the next session. You don’t want a long period of time between sessions though, as many people may forget what you taught them previously. Also, if you give administrators the opportunity to actually log in and use the tool in a nonproduction system, you’ll see a huge benefit. There is nothing better than actual hands-on training.

Now it’s time to move up the ladder. Getting leadership onboard is another key factor to success. You need to communicate about the new solution in terms of reducing risks associated with certificate management. If you have metrics showing system outages due to expired certificates, or certificates that weren’t properly replaced, it helps make the case for why the switch needs to occur. By implementing a tool that can provide better automation and efficiency, your number of outages will decrease. That is, of course, as long as you have the automation set up correctly. Never let outages go to waste, use them to your advantage for implementing change.

Prepare to pull the trigger, but aim carefully before you fire. There are a lot of factors you need to consider when planning the transition to automated machine identity protection. If you can time the transition to leverage a large-scale certificate replacement event, that helps. Otherwise think about transitioning in logical groups as certificates expire. It helps make the transition easier since you will already be touching the systems holding the certificates anyway. Also make sure you fully think through the certificate policies and how they are configured in the new tool versus how you had them configured in your homegrown system. There is a high likelihood that they won’t be exactly the same. So, you want to make sure that all of the configuration items in the new tools are set up and ready to go before you start migrating and managing certificates from them.

When it comes to deploying agents onto servers, I would recommend performing a mass deployment and then going back and getting each of the agents configured specifically for that server. This approach enables you to leverage some basic functionality across a large footprint, such as certificate discovery, while the unique configuration work is taking place over a longer period of time.

When you are adding automation to your certificate management, I recommend using a crawl, walk, run approach. Depending on the level of automation you have with your existing tool, start out with something similar or slightly more advanced. In the case of the Venafi platform, I’d start with monitoring and enrollment and then work your way up to full provisioning. This also gives your administrators time to become more comfortable with the tool before you implement more far-reaching changes. Don’t be in a rush to get everyone to full automation right away, that could induce problems and create a negative view of the tool.

I hope that following some of my recommendations will make your transition easier for all of the teams that will be impacted. Of course, people will be quick to say the old way was better whenever any obstacles arise. Plus, there are bound to be some bumps along the way—no migration is ever flawless. So, make sure that you set expectations appropriately. With proper planning and patience through the actual migration, you can minimize the bumps along the way and get to a lower risk certificate management posture.

Here’s to a highly pain-free transition!

Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

About the author

Steve Jordan, Senior Vice President/Technology Area Manager, Wells Fargo
Steve Jordan, Senior Vice President/Technology Area Manager, Wells Fargo

Stephen Jordan is Senior Vice President/Technology Area Manager at Wells Fargo & Co. He currently manages the Cryptographic Services team, providing services and solutions within the banking sector.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat