Last week the world’s leading experts in machine identity protection assembled (online) to hear the latest rumblings on NIST, data breaches and post-COVID-19 cyberwarfare. Venafi’s second annual Customer Global Summit was underway with seminars on everything from a new machine identity threat model to code-signing-as-a-service to the sleeping dragon of SSH and what Venafi does for multi-cloud environments.
To create even more excitement during the event, Venafi CEO Jeff Hudson announced in his keynote address that Venafi had acquired DevOps startup Jetstack, the UK-based tech company behind cert-manager, the Kubernetes certificate management controller. Punching above its weight, Jetstack adds a much-appreciated developer’s viewpoint into what experts are starting to label an “essential service” and what we have always called machine identity protection.
It’s also important to note that during the event, we made an effort to support underserved communities as well as protect machine identities. Thank you to our customers whose participation helped us donate thousands of meals through Feeding America. Together, we were able to feed those in need and expand the global knowledge base of Fortune 5000 machine identity experts.
In a crisis, would you keep your machine identity protection service running? Given the sharp increase in cyberattacks over the last few months of quarantine, you should. Here’s what we heard about that topic:
“We must begin to position machine identity protection in terms of an essential service.”
“Your keys and certificates—what systems are critical? If you can’t answer that, talk to Venafi...”
“Machine identity management ... is an essential service... It spans all of IAM; you can't digitally transform without it.”
“We have to look at [SSH] as a particularly powerful but potentially dangerous protocol we use everyday on an ongoing basis.”
As we rely more on machines to replace functions that were previously conducted within the physical domain, the importance of protecting machine identities becomes paramount. Here’s what we heard about that topic:
“If automation was a side topic for you, it’s going to be a prime topic for you now... These machine identities will not be manageable by a human...and this will position you for the digital transformation.”
“It’s about products, not projects anymore.”
“Onboard discovery collects data that you’ll ultimately need when you choose to implement automation later.”
In the words of Matt Barker, CEO and co-founder of Jetstack, “Nowadays, business success depends on how quickly you can respond to the market. This reality led us to re-think how software is built and Kubernetes has given us the ideal platform to work from. However, putting speed before security is risky.” Here’s what we heard about that topic:
“Building PKIs and CAs is hard. It requires an expertise that is not common with DevOps personas. You have to define certain policies in terms of how to access private keys, as well as auditing requirements and compliance.”
“Even if you use any of the existing PKI solutions out there, they don’t naturally fit with the API and modern experiences that DevOps require. So a lot of customization is needed.”
“Developers are turning to ad hoc manual certificate processes out of sheer desperation because they have no other alternative.”
“You have got to ask yourself the question, ‘In the worst-case scenario, if your key was compromised what would you do?’ If you cannot answer that question properly or accurately, then you really could be in trouble.”
“Developers can be resistant to change; how do you suggest getting them started following a code signing policy or process?”
“Indeed, the best way is to integrate [security] within the current developer’s tool chain and make it as easy as possible to do.”
“Someone in the organization wanted to sign code. They asked the PKI team to provide the needed keys and certificates similar to TLS certificates, the key and cert were generated and provided to the person wanting to utilize them. What seemed like a simple action to get a developer what they needed quickly ended up putting the organization at risk because they’ve lost control of the key and have no idea what’s being signed with that.”
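The two stories above (a key holder who cannot say what would happen if the key were compromised, and an organisation that handed a signing key to a developer and lost track of what it signs) share one root cause: the private key left the system that was supposed to govern it. The following is an added example, written for this page and not code from Venafi, Jetstack or the speakers, of the alternative shape the "code-signing-as-a-service" seminar alludes to: the key never leaves a service process, every signature is gated by a (hypothetical) requester policy, every operation is audit-logged with the artifact digest, and key rotation is a first-class operation. Requester names, artifact bytes and the policy list are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// AuditEntry records one signing operation: who asked, what was signed, when.
// This is what lets the organisation answer "what has been signed with this key?".
type AuditEntry struct {
	Requester string
	Artifact  string
	Digest    string // hex SHA-256 of the artifact
	When      time.Time
}

// SigningService holds the private key in-process. Callers get signatures,
// never key material, so the key cannot be copied to a laptop and forgotten.
type SigningService struct {
	priv    ed25519.PrivateKey
	pub     ed25519.PublicKey
	allowed map[string]bool // requesters permitted to sign (hypothetical policy)
	audit   []AuditEntry
}

// NewSigningService generates a fresh Ed25519 key pair and installs the policy.
func NewSigningService(allowedRequesters []string) (*SigningService, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s := &SigningService{priv: priv, pub: pub, allowed: map[string]bool{}}
	for _, r := range allowedRequesters {
		s.allowed[r] = true
	}
	return s, nil
}

// PublicKey is the only key material the service ever hands out.
func (s *SigningService) PublicKey() ed25519.PublicKey { return s.pub }

// Sign enforces the requester policy, signs the SHA-256 digest of the artifact
// (so signature and audit record refer to the same value), and logs the operation.
func (s *SigningService) Sign(requester, artifactName string, artifact []byte) ([]byte, error) {
	if !s.allowed[requester] {
		return nil, errors.New("policy: requester " + requester + " is not authorised to sign")
	}
	digest := sha256.Sum256(artifact)
	sig := ed25519.Sign(s.priv, digest[:])
	s.audit = append(s.audit, AuditEntry{requester, artifactName, hex.EncodeToString(digest[:]), time.Now()})
	return sig, nil
}

// Verify checks an artifact against a signature using a published public key.
func Verify(pub ed25519.PublicKey, artifact, sig []byte) bool {
	digest := sha256.Sum256(artifact)
	return ed25519.Verify(pub, digest[:], sig)
}

// AuditLog returns a copy of every signing operation performed with the service.
func (s *SigningService) AuditLog() []AuditEntry {
	return append([]AuditEntry(nil), s.audit...)
}

// Rotate is the answer to "what would you do if the key was compromised?":
// generate a new key pair and return the old public key so consumers can stop
// trusting it. Everything listed in the audit log must then be re-signed.
func (s *SigningService) Rotate() (ed25519.PublicKey, error) {
	old := s.pub
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.pub, s.priv = pub, priv
	return old, nil
}

func main() {
	svc, _ := NewSigningService([]string{"ci-pipeline"})
	artifact := []byte("constructed sample build artifact")
	sig, err := svc.Sign("ci-pipeline", "app-1.0.0.tar.gz", artifact)
	fmt.Println("ci-pipeline signed:", err == nil, "verifies:", Verify(svc.PublicKey(), artifact, sig))
	_, err = svc.Sign("dev-laptop", "hotfix.bin", artifact)
	fmt.Println("dev-laptop refused:", err != nil)
	for _, e := range svc.AuditLog() {
		fmt.Printf("audit: %s signed %s (%s)\n", e.Requester, e.Artifact, e.Digest[:16])
	}
}
```

The point is not the Ed25519 call but the boundary: the private key exists only inside `SigningService`, so the answer to "who has a copy?" is always "nobody", and the audit log answers "what was signed?" without relying on the developer's memory. A production service would additionally bind the policy to the build system's identity rather than a string, and would persist the audit log outside the process.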
At the Global Summit, NIST advisor Paul Turner outlined the new NIST guidelines for TLS certificate management (NIST SP 1800-16) and what they would mean for security executives. Here are a couple of interesting questions that he answered during his workshop:
Question: “Besides cooperation from the certificate owners, can you share other critical success factors in order to succeed implementing a centralized certificate management solution?”
Answer: “Quickly: You need executive support. You need a strong technology platform. You need a self-service portal that provides all of the information and functionality for certificate owners to be successful.”
Question: “In your experience, how often do you see our customers already have a tool and/or process in place?”
Answer: “Many organizations do not have a tool for managing the processes, or even their certificate automation. Because those certificate owners are often busy with other things, they don't always provide sufficient time or access to their resources.”
A big thank you to our guest speaker from Gartner, the amazing experts at Jetstack and our machine identity customer partners. We look forward to increased awareness of machine identity protection over the coming year; it may have been driven by trial and crisis, but it is a wake-up call to the industry nonetheless. As Venafi continues its mission to help security leaders protect all machine identities from outage, compromise and attack, we hope to see you at our next customer summit. Learn more about us.