
Management Mayhem, Part 1: How Many Machine Identities Do You Need to Protect?

October 30, 2018 | Terrie Anderson

One of the questions I am commonly asked by CIOs is why they need to spend money on a platform that will help them manage their machine identities. More often than not, they believe that their PKI team, whose primary task is to manage the lifecycle of certificates, is already doing everything necessary to safeguard keys and certificates for their organizations. Indeed, PKI teams are often the unsung heroes of security. But they are only humans, faced with a super-human challenge.

To help CIOs realize the scope of their challenge in managing machine identities, I like to ask them three questions:

  1. How many machine identities do you have in your organisation?
  2. Are you 100% sure they are all compliant with policy, have the right business owners and are not copied to unknown locations?
  3. Do you know where they are all located and who’s using them?

The answers to these questions are quite telling. Most CIOs do not realize the extent of their exposure and what a Herculean task they are faced with in managing the mayhem of the challenge once they understand the full scope.

Usually, CIOs are only aware of a subset of their full certificate inventory. They defer to statistics on how many certificates they have paid for. And more savvy CIOs will also include the number of certificates that have been issued by their internal Microsoft Certificate Authority (CA). But they are almost always unaware of certificates that may have been issued by unauthorized CAs in siloed business units. Many have a low to medium confidence about whether their certificates comply with policies and best practices. And most have no confidence in where all their certificates reside.

If CIOs are confident they have accurate information about their machine identities, I ask them if they have had any outages, near misses or certificate expirations in the past 12 months. That’s when the cloud usually forms over their faces. In fact, to date, only once has anyone ever answered no.

At this point, I like to take CIOs on a journey through their environment and help them start to think about how many machine identities they really have. They already know about the usual suspects like VPN, SFTP, BYOD, servers and network devices, even if they are not confident about exactly how many they have. But most do not realize that these machine identities are just the tip of the iceberg.

When I introduce the concept of identifiers for Cloud, DevOps environments (including identities for containers and microservices), algorithms and code signing, CIOs’ eyes often widen a bit. Then I ask them about industry-specific devices such as point of sale (POS) terminals, and other direct income streams such as auto billing systems. That’s when they really start paying attention.

I explain that every single one of these identities has (or should have) a certificate attached as an identifier, or what we call a machine identity.

CIOs rarely consider all the “hidden” yet very dangerous identities that may have privileged or even unlimited access to other intelligent machine identities that are encrypted in the dark. I remind them that their intelligent domestic devices such as refrigerators and vending machines are active, along with printers and seemingly innocuous devices that employees bring in like Alexa or sound systems. All of these machines are busy working away in the background, performing tasks even whilst the humans are not working. Using quiet periods in the environment, these machines perform routine and scheduled tasks.

This is the point where CIOs begin to realize that they will need help in managing this very large number of non-human identities that have intelligence and access. As qualified and dedicated as they are, their PKI teams simply cannot (and do not) have the ability or capacity to manually control this environment, or even manage a number of subordinate systems creating air gaps.

A global platform for machine identity protection will give CIOs the intelligence they need to tame their machine identities and safeguard machine-to-machine communications.

How much intelligence do you have about your machine identities?

About the author

Terrie Anderson

Terrie is Country Manager (ANZ) for Forescout Technologies Inc., and a speaker and futurist in Digital Enterprise Leadership, Cyber Security Strategy and Workplace of the Future.
