Using Machine Identity Management to Extend Zero Trust to Partners

September 3, 2019 | Ivan Wallis


In a Zero Trust security model, every connection must be authenticated and authorized, whether it originates inside our network or outside it. Indeed, the distinction between internal and external trust is becoming blurry in today's networks. We have systems that interact with the cloud (see my previous blog), and the combinations of interactions between all of these systems are growing exponentially.
 

In theory, the same authentication process would work across the board: users simply access the corporate network using domain credentials. That would seem to be the easy way, right? But the reality is never that simple. As we learned from the Target breach, where the attackers got in with network credentials stolen from a third-party HVAC vendor, we need to be especially careful when granting trust to partners who access information within our networks.
 

“Companies don’t have corporate data centers serving a contained network of systems but instead today typically have some applications on-premises and some in the cloud with users—employees, partners, customers – accessing applications from a range of devices from multiple locations and even potentially from around the globe,” notes CSO.


Authorizing external partners adds a layer of complexity

Authorizing access is already challenging enough for organizations that interact only with their own employees, their own systems and their own machines. I wrote about how machine identities contribute to that effort in a previous blog. But when you add the external partners you need to interact with, you introduce new layers of complexity, and that trust model becomes even harder to control.
 

You need different levels of permission for your internal consumers versus your external partners, who should be able to reach only the segmented information in your environment that they are authorized to use.
 

As Cloudflare observes, “Zero Trust security means that no one is trusted by default from inside or outside the network, and verification is required from everyone trying to gain access to resources on the network.”
 

To be effective, your machine identity intelligence needs to cover more than the machines under your organization's direct control. To rely on the integrity of machine identities controlled by your customers and partners, you need to be able to monitor every machine identity that connects to your network.
 

So you have to authenticate not only your users but also your third-party providers. In other words, you need complete visibility into every machine identity used to access your network, whether it is internal or external.
 

But first, you have to determine how that process looks from an internal perspective and from an external perspective. You may wish to have more control over the keys and certificates that authenticate your on-premises infrastructure, which you trust more.
 

How can you build trust in third-party environments?

But if you're hosting some of your critical applications in a third-party environment, you may have different expectations. How can you build trust there? How do you authenticate between the network you control (your comfort zone) and something running at a third party that has its own assumptions about trust?
 

Zero Trust assumes that there is no built-in trust we can rely on. You need a way to manage all of these different credentials. For example, how will you protect all of these different keys across different environments?
 

At the end of the day, the best security is minimal-access security, and by that I mean least privilege, especially for privileged access. Taking your security strategy down to the foundational level of machine identities is a good place to start. A platform for machine identity management gives you the visibility, intelligence and automation you need to manage machine identities effectively across your environment, whether internal or external.
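To make the three ideas above concrete (separate permission levels for internal machines and partner machines, visibility into every identity that connects, and least privilege by default), here is an added example in Go. It is not code from this post or from Venafi; the CA names, the hostnames "erp.corp.internal" and "feed.acme-partner.example", and the scope labels are all made up for illustration. The policy keeps one trust anchor per domain so a certificate issued by a partner's CA can never be mapped to the internal scope even if it carries an internal-looking name, grants partner identities only the segmented scope and only for SANs we have agreed on in advance, and records every attempt, accepted or denied, in an inventory. The throw-away CAs and leaf certificates are generated in memory as constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Scope is the permission level a machine identity earns after it authenticates.
type Scope string

const (
	ScopeInternal Scope = "internal:full"     // machines our own CA issued
	ScopePartner  Scope = "partner:segmented" // partner machines, confined to one segment
	ScopeNone     Scope = "denied"
)

// Identity is one inventory row: every certificate that presented itself, accepted or not.
type Identity struct{ Subject, Issuer string; NotAfter time.Time; Scope Scope }

// Policy keeps one root pool per trust domain, so the partner CA can never vouch for an
// "internal" identity, plus an allow-list of the SANs a partner machine may present.
type Policy struct {
	internal, partner *x509.CertPool
	partnerSANs       map[string]bool
	Inventory         []Identity
}

func NewPolicy(internalCA, partnerCA *x509.Certificate, partnerSANs ...string) *Policy {
	p := &Policy{internal: x509.NewCertPool(), partner: x509.NewCertPool(), partnerSANs: map[string]bool{}}
	p.internal.AddCert(internalCA)
	p.partner.AddCert(partnerCA)
	for _, s := range partnerSANs {
		p.partnerSANs[s] = true
	}
	return p
}

// Authorize chains the leaf to exactly one trust domain, maps it to a scope and records
// the attempt (accepted or not) so the population of connecting identities stays visible.
func (p *Policy) Authorize(leaf *x509.Certificate, now time.Time) (scope Scope, err error) {
	defer func() {
		p.Inventory = append(p.Inventory, Identity{leaf.Subject.CommonName, leaf.Issuer.CommonName, leaf.NotAfter, scope})
	}()
	opts := x509.VerifyOptions{CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	opts.Roots = p.internal
	if _, err = leaf.Verify(opts); err == nil {
		return ScopeInternal, nil
	}
	opts.Roots = p.partner
	if _, err = leaf.Verify(opts); err != nil {
		return ScopeNone, fmt.Errorf("no trust domain accepts %q: %w", leaf.Subject.CommonName, err)
	}
	for _, name := range leaf.DNSNames {
		if p.partnerSANs[name] { // partner-issued, and one of the names we agreed on
			return ScopePartner, nil
		}
	}
	return ScopeNone, fmt.Errorf("partner certificate %q chains correctly but its SAN is not allow-listed", leaf.Subject.CommonName)
}

// newCA and issueLeaf build a throw-away in-memory PKI (constructed test data, not real partner certificates).
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string, ttl time.Duration) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: dnsName},
		DNSNames: []string{dnsName}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(ttl),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	internalCA, internalKey := newCA("Corp Internal CA")
	partnerCA, partnerKey := newCA("Partner Acme CA")
	p := NewPolicy(internalCA, partnerCA, "feed.acme-partner.example")
	for _, leaf := range []*x509.Certificate{
		issueLeaf(internalCA, internalKey, "erp.corp.internal", time.Hour),
		issueLeaf(partnerCA, partnerKey, "feed.acme-partner.example", time.Hour),
		issueLeaf(partnerCA, partnerKey, "erp.corp.internal", time.Hour),            // partner CA minting an internal name
		issueLeaf(partnerCA, partnerKey, "feed.acme-partner.example", -time.Minute), // already expired
	} {
		scope, err := p.Authorize(leaf, time.Now())
		fmt.Printf("%-26s via %-17s -> %-18s %v\n", leaf.Subject.CommonName, leaf.Issuer.CommonName, scope, err)
	}
}
```

The SAN allow-list is the part that most often gets skipped in practice: chaining to the partner's CA proves only that the partner issued the certificate, not that the partner was entitled to issue that name, so without the allow-list (or equivalent X.509 name constraints on the partner CA) a partner could mint "erp.corp.internal" and the only thing stopping it from being treated as internal is the separate root pool. The inventory is deliberately written before the decision is known, so denied and expired identities are visible too; in a real deployment that list is what you would feed into a machine identity management platform rather than keep in memory.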
 

Are you concerned about third-party partners authenticating on your machines?


 

About the author

Ivan Wallis
Ivan Wallis

Ivan Wallis is a Sr. Solution Architect with Venafi. He brings over 20 years of cryptographic systems engineering, key management, and security training experience towards enabling customers and partners to effectively architect and deliver data security solutions for enterprise customers. Past experience includes lead Solution Architect roles at Thales e-Security and SSH Communications Security, as well as Solution Architect at Entrust. Based in the San Francisco Bay Area, Ivan is an active member of the local ISSA and ISC2 security community. Ivan holds a Bachelor of Computer Science and Information Systems from Carleton University in Ottawa, Canada.
