Solving for Machine Identity Visibility [Venafi + Palo Alto Networks]

November 11, 2021 | Paul Cleary

The ability to discover ALL machine identities belonging to an organization has always been a bit of a challenge. There is a LOT to consider when attempting to build a complete and accurate inventory. Organizations must consider factors such as unreachable network segments, air-gapped environments and other blockers that limit Venafi’s built-in discovery functionality; all of these should be accounted for during the initial discovery phase. As our industry has seen time and time again, it only takes one misconfiguration or one expired certificate to bring down an entire application, potentially impacting not only revenue but also brand reputation.

There is some good news, though. The process doesn’t have to be complex. Using Venafi and Palo Alto Cortex Xpanse together, organizations can ensure they’ve got a comprehensive inventory of ALL machine identities used throughout their infrastructure. And, with the full inventory imported into Venafi, automation can be configured, tested and ultimately used to replace the manual, error-prone processes that lead to the certificate misconfigurations that cause outages and result in lost revenue and damaged reputation.

Where Are All My Machine Identities?

Consider a public facing web application utilizing a TLS machine identity to secure traffic. For this example, let’s say that web application is https://bank-app.com. As an end-user of that application, you’re presented with the TLS machine identity for “bank-app.com” when you visit the proper URL. Behind the scenes, that application may be served to you by a stand-alone web server (unlikely), or it may be fronted by a load balancer, WAF, proxy, etc. (more likely). In the latter case, the “bank-app.com” machine identity is presented to you, the end-user, by the load balancer and that’s all you see from an end-user perspective.

On the back-end, additional machine identities may then be used to secure the connection between multiple web server nodes and the load balancer itself. These TLS certificates (appserver1.bank-app.com and appserver2.bank-app.com, for argument’s sake) may not be important to you as an end-user, but they are vitally important to the application itself. If just one of those machine identities is misconfigured, or isn’t renewed and put in place before it expires, a certificate outage will happen.

Another, related risk is unnecessary certificates which are left exposed but which no longer serve a purpose. Consider the same infrastructure from above. There are only two web server nodes currently serving the load balancer. Last month there were three, but a decision was made that the third server was an unnecessary expense. There’s only enough traffic to warrant two app servers, and so the order was given to spin down appserver3.bank-app.com. The team responsible for the load balancers removes the third server from the configuration, so it’s no longer serving traffic to end users. BUT the infrastructure team is busy and doesn’t get around to decommissioning the server for a few days…a week…or maybe it’s forgotten about completely. What that leaves behind is a legitimate TLS machine identity that belongs to the organization and is still active, but which is left vulnerable due to an incomplete or manual remediation process.

It’s those unknown or lesser-known machine identities that usually catch organizations off-guard, and that makes sense when thinking about things from an operational perspective. It’s very likely that the team managing the load balancers is not the same team who’s responsible for the application servers. If the company utilizes traffic inspection devices to monitor and prevent threats hiding in encrypted traffic, there’s another, separate team. The InfoSec team responsible for creating and providing machine identities to these teams is different still. For the record, that’s four different teams, all responsible in one way or another for the security of the application and its users. In that scenario, it’s easy to see how manual or siloed processes can cause issues, and that’s only considering a single application. How many organizations can you think of that only have one application?

Attack Surface Management: Discover, Automate, Repeat

Palo Alto Cortex Xpanse is an automated attack surface management (ASM) platform that provides a complete and accurate inventory of an organization’s global internet-facing assets, including TLS machine identities and, more importantly, any misconfigurations associated with them.

When Venafi’s built-in discovery capabilities are augmented with data from Xpanse, it ensures organizations have a comprehensive inventory that includes all internet-facing AND internal-only machine identities. With the complete picture, it’s easy to see every machine identity associated with an application and ensure that they are all managed securely with the same level of importance and urgency.
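To make the inventory gap concrete, here is an added example (written for this post, not Venafi or Palo Alto Networks code) that reconciles a managed machine-identity inventory against what discovery actually observed. All hostnames, fingerprints and dates are constructed around the bank-app.com scenario above; the only real-world input to swap in would be your own inventory export and scan results. It flags the four conditions the post describes: identities discovered but not managed, managed identities on hosts no longer in the load balancer pool (the forgotten appserver3), identities inside the renewal window, and managed identities that no discovery source can see at all.

```python
"""Reconcile a managed TLS machine-identity inventory with discovery results.

Added example for the bank-app.com scenario; every record below is constructed.
Fingerprints are placeholder strings, not real certificate hashes.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Identity:
    host: str            # endpoint where the certificate is installed / observed
    cn: str              # certificate subject common name
    fingerprint: str     # certificate fingerprint (constructed placeholder)
    not_after: datetime  # expiry timestamp, UTC


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Reference time for the run: the post's publication date.
NOW = utc(2021, 11, 11)

# Certificates the InfoSec team issued and tracks (constructed inventory).
MANAGED = [
    Identity("lb.bank-app.com", "bank-app.com", "fp-aa11", utc(2022, 6, 1)),
    Identity("appserver1.bank-app.com", "appserver1.bank-app.com", "fp-bb22", utc(2021, 12, 1)),
    Identity("appserver2.bank-app.com", "appserver2.bank-app.com", "fp-cc33", utc(2022, 3, 15)),
    Identity("appserver3.bank-app.com", "appserver3.bank-app.com", "fp-dd44", utc(2022, 3, 15)),
]

# Hosts the load balancer team currently has in its configuration (constructed).
# appserver3 was removed here but never decommissioned.
ACTIVE_HOSTS = {"lb.bank-app.com", "appserver1.bank-app.com", "appserver2.bank-app.com"}

# What external (internet-facing) plus internal discovery observed (constructed).
# legacy-api is a host nobody registered; it presents a certificate the
# inventory has never seen and which is about to expire.
DISCOVERED = [
    Identity("lb.bank-app.com", "bank-app.com", "fp-aa11", utc(2022, 6, 1)),
    Identity("appserver1.bank-app.com", "appserver1.bank-app.com", "fp-bb22", utc(2021, 12, 1)),
    Identity("appserver2.bank-app.com", "appserver2.bank-app.com", "fp-cc33", utc(2022, 3, 15)),
    Identity("appserver3.bank-app.com", "appserver3.bank-app.com", "fp-dd44", utc(2022, 3, 15)),
    Identity("legacy-api.bank-app.com", "legacy-api.bank-app.com", "fp-ee55", utc(2021, 11, 20)),
]


def days_until_expiry(identity: Identity, now: datetime) -> int:
    """Whole days until the certificate's notAfter; negative if already expired."""
    return (identity.not_after - now).days


def reconcile(managed, discovered, active_hosts, now=NOW, expiry_window_days=30):
    """Compare discovery observations with the managed inventory.

    Returns a dict with four sorted lists:
      unknown    - hosts presenting a certificate the inventory does not track
      orphaned   - hosts with a managed certificate that are no longer in service
      expiring   - (host, days_left) for observed certificates inside the window
      unobserved - managed certificates no discovery source could see
    """
    managed_by_fp = {i.fingerprint: i for i in managed}
    seen_fps = set()
    findings = {"unknown": [], "orphaned": [], "expiring": [], "unobserved": []}

    for obs in discovered:
        seen_fps.add(obs.fingerprint)
        if obs.fingerprint not in managed_by_fp:
            findings["unknown"].append(obs.host)
        elif obs.host not in active_hosts:
            findings["orphaned"].append(obs.host)
        days = days_until_expiry(obs, now)
        if days <= expiry_window_days:
            findings["expiring"].append((obs.host, days))

    for ident in managed:
        if ident.fingerprint not in seen_fps:
            findings["unobserved"].append(ident.host)

    for key in findings:
        findings[key].sort()
    return findings


if __name__ == "__main__":
    for category, items in reconcile(MANAGED, DISCOVERED, ACTIVE_HOSTS).items():
        print(f"{category}: {items}")
```

On the constructed data the run reports legacy-api.bank-app.com as unknown, appserver3.bank-app.com as orphaned, appserver1 (20 days) and legacy-api (9 days) as expiring, and nothing unobserved. A non-empty "unobserved" list is the signal that a network segment or air-gapped environment is outside discovery's reach and needs a second data source.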

Full automation is the final piece of the puzzle and should be the target end state for every organization. With the combined solution in place, ALL TLS machine identities for the organization are renewed according to policy before they expire and provisioned down to the end devices that utilize them to secure traffic and communications, without the need for any hands-on keyboards.

Venafi + Palo Alto Networks Integration

Good automation saves companies time and resources by removing manual processes from what should be hands-off operations. Misconfigurations become a thing of the past once the entire process has been tested and automated: normal human errors like typos and accidentally missed notifications simply disappear. What would you do if you didn’t have to worry about manually managing machine identities for your application? Most people’s answer: “Literally anything else.”

Let us help you get there! If you are attending Palo Alto Networks Ignite 2021, November 15-18, come stop by the Venafi booth and speak to one of our representatives. You can also learn more about the Venafi and Cortex Xpanse integration on the Venafi Marketplace.

This blog features solutions from the ever-growing Venafi Ecosystem, where industry leaders are building and collaborating to protect more machine identities across organizations like yours. Learn more about how the Venafi Technology Network is evolving above and beyond just technical integrations.

About the author

Paul Cleary

Paul is an experienced Solutions Architect with a demonstrated history of working both with technology partners and end users in the data security industry. He currently works to architect Venafi's expanding ecosystem of partners. Protecting machine identities for the Global 5000, his skillset includes Customer Service, Sales, Software Implementation, and Project Planning & Management.
