What Business Line Managers Should Know about Managing Machine Identities

April 26, 2019 | Wilson Yan

Many organisations do not know the full scope of their machine identity usage and exposure. Case in point, recently a colleague of mine asked a customer how many certificates they had. Their initial response was, "We have 1,200 certificates." And then they came back a week later and went, "Ah yeah, I spoke to somebody else in this other department and it looks like they've got about 6,000." Then within another week, they came back and said they actually had 25,000 certificates that they needed to manage and protect. Chances are they have even more.


No Central Ownership of Machine Identities

One of the reasons that it’s so difficult for organisations to nail down exactly how many certificates they have is that there is no central ownership of these machine identities. Because of the machine-to-machine communications and connections that they authenticate, machine identities are often seen as the responsibility of IT operations rather than security. As a result, certificate management can quickly become siloed by department or line of business. That means that machine identity security policies are often inconsistently applied and may vary widely by group.

But ultimately, it’s the business units that feel the pain of managing the burgeoning number of machine identities (or the results of mismanaging them). They take the productivity hit when an expired certificate triggers an application outage. And, even more important to them, they take the revenue hit if certificates can’t be provisioned in a timely manner to support new products or promotions.

Yet, the ultimate danger in this distributed model is that the actions of any one group can impact the organisation as a whole in terms of system downtime or risk of infiltration and pivoting attacks. It’s the whole weakest link cliché.

But it’s a problem that’s not easily fixed. Let’s face it, there’s a shortage of PKI expertise throughout the industry. So, it’s more than likely that a business unit will assign the PKI function to an IT generalist. In my 20 years of experience, I’ve found that IT project staff, and security people in general, have a somewhat hazy understanding of PKI. They may even have it listed on their CV, but they don't actually understand it. Consequently, even highly qualified IT personnel may not be fully aware of the nuances of machine identity management and the risks of undermanaging machine identities.

Who Controls PKI?

As in any function of the business, it’s the people with the money who are ultimately responsible for making the strategic decisions. PKI is no exception. And what seems to be happening more and more is that the money for PKI lies within the business units. Security operations are evolving into a consulting role where they give the advice and set the rules. But they don't have any authority to force somebody to follow them or to check up on somebody, other than in audits.

So, that leaves the PKI in the hands of the line of business owners, who know even less about PKI than their IT and security advisors. And this leads to a certain amount of schizophrenia when it comes to the management and protection of machine identities. At one large bank, all of the PKI expertise was consolidated into one operations position, whose job is to go out and teach the business units how to use it. The strategy was to have the business units be responsible for their certificates. As a result, they are moving responsibility out to the business units, but the business units are funding it back through operations. In the end, the security team will fund a very small piece of it.

A No Man's Land

Where does all of this leave machine identities? More often than not, in a no man’s land. Ironically, it’s a centralized platform for machine identity management that will empower the business units to act independently to accomplish their individual goals. Enforcing standard security policies for all machine identities enterprise-wide will reduce risk and liability. Maintaining a complete and accurate inventory of the location and ownership of all machine identities will streamline management. And enabling a secure self-service certificate model will accelerate provisioning to support rapidly changing business needs.

About the author

Wilson Yan

A self-proclaimed "digital security problem solving zealot", Wilson is a Principal Consultant of Information Technology at Venafi. He is responsible for driving deployment of Venafi’s solutions across Singapore, Australia and Macau, and securing PKI certificates and keys.
