Where Zero Trust Relies on Machine Identity Management

September 29, 2021 | Diane Garey

Zero Trust is a strategy that shifts the focus of security from the perimeter to each individual connection point. In essence, this places the burden of authentication on the device, rather than the network. In a recent Venafi blog, Anastasios Arampatzis shared Why You Can't Achieve Zero Trust Without Machine Identity Management. Today I will build on this idea by sharing a few more examples of where Zero Trust and Machine Identity Management need to come together for both to be successful.

Let’s look at the four Zero Trust principles and then explain how they relate to machine identity management, and dig a little deeper into why they are so important.

  • Default Deny: Assume everyone and everything is a threat.
  • Context Is Everything: Trust is based on the situation and setting.
  • Granularity: All users, machines or applications seeking access to a particular part of the enterprise need to be trusted.
  • Dynamic: Change when necessary.
Zero Trust Principle 1: Default Deny

Zero Trust changes what in the past has been a “trust but verify” security model to a model whereby default connections are denied. Every time a connection is needed, the identity (person or machine) needs to be authenticated.

While the number of people accessing networks is fairly static, the number of machines making connections on networks is exploding. As new technologies have been adopted, the definition of machines has expanded—from physical machines, such as servers and PCs, to mobile devices, applications, cloud instances, containers, microservices, clusters, APIs, and smart algorithms. Each of these machines needs a machine identity to establish identity and authenticity.

The number of machine identities used by a small enterprise is typically in the thousands. Global 5000 organizations tend to use millions of machine identities. Effectively managing these thousands or millions of machine identities so they can ensure trusted communications absolutely requires a machine identity management strategy and program.

Zero Trust Principle 2: Context is Everything

Context is extremely important in a Zero Trust world. As an employee of Venafi, I should be trusted to log in to the Venafi network from my home in Houston. But I probably shouldn’t be trusted if I’m logging in from somewhere in Europe or Asia. Context is equally important when machines are connecting to networks or each other. What's granted for one particular machine identity should not necessarily be granted for all machine identities.

Let’s take Secure Shell (SSH) as an example. SSH is used by IT administrators to create secure connections between machines on unsecured networks. It’s a powerful protocol used widely in corporate networks to provide secure access for users and automated processes, facilitate interactive and automated file transfers, issue remote commands, and manage network infrastructure and other mission-critical system components.

The context in which SSH keys are used as machine identities should matter very much for how those SSH machine identities are managed. In connections that have a high-risk context, say connections between build machines or the CI/CD pipeline, we might configure SSH to establish limits on things like port forwarding, source restrictions (only accept SSH connections that come from a named source), passwords and automated keys.
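As an added illustration of the limits just described (this is example code written for this page, not Venafi's code or tooling), the script below audits an OpenSSH `authorized_keys` file against an assumed high-risk-context policy: every key must carry a `from=` source restriction, must have port forwarding disabled (`restrict` or `no-port-forwarding`, not re-enabled by `port-forwarding`), and must be pinned to a forced `command=` so an automation key can only do its one job. The sample file and its key material are constructed placeholders.

```python
"""Audit an OpenSSH authorized_keys file for Zero Trust style key restrictions.

Added example, not Venafi code. Assumed policy for high-risk automation keys
(CI/CD runners, build machines): from= present, port forwarding disabled,
and a forced command= so the key cannot be used as a general-purpose login.
"""

# Key types OpenSSH accepts; a line whose first token is one of these has no options field.
KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def _split_unquoted(text, sep):
    """Split on `sep` only outside double quotes; quotes are dropped, backslash escapes."""
    parts, buf, in_quote, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if in_quote and c == "\\" and i + 1 < len(text):
            buf.append(text[i + 1])
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c == sep and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    return parts


def _options_end(line):
    """Index of the first whitespace outside quotes, i.e. where the options field ends."""
    in_quote, i = False, 0
    while i < len(line):
        c = line[i]
        if in_quote and c == "\\":
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            return i
        i += 1
    return len(line)


def parse_options(options_str):
    """Turn 'restrict,from="a,b"' into {'restrict': True, 'from': 'a,b'}."""
    opts = {}
    for item in _split_unquoted(options_str, ","):
        item = item.strip()
        if not item:
            continue
        name, eq, value = item.partition("=")
        opts[name.lower()] = value if eq else True
    return opts


def parse_entry(line):
    """Return {'options', 'keytype', 'key', 'comment'}, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first = line.split(None, 1)[0]
    if first in KEY_TYPES:
        options_str, rest = "", line
    else:
        end = _options_end(line)
        options_str, rest = line[:end], line[end:].strip()
    fields = rest.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError(f"unrecognised authorized_keys entry: {line[:40]!r}")
    return {
        "options": parse_options(options_str),
        "keytype": fields[0],
        "key": fields[1],
        "comment": fields[2] if len(fields) == 3 else "",
    }


def check_entry(entry):
    """Apply the assumed high-risk policy; an empty list means the entry complies."""
    opts = entry["options"]
    findings = []
    if "from" not in opts:
        findings.append("no from= source restriction")
    forwarding_off = ("restrict" in opts or "no-port-forwarding" in opts) \
        and "port-forwarding" not in opts
    if not forwarding_off:
        findings.append("port forwarding not disabled")
    if "command" not in opts:
        findings.append("no command= forced command")
    return findings


def audit_authorized_keys(text):
    """Audit every key line in an authorized_keys file; returns one result per key."""
    results = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is not None:
            results.append({"comment": entry["comment"], "findings": check_entry(entry)})
    return results


# Constructed sample file; the key blobs are placeholders, not real public keys.
SAMPLE_AUTHORIZED_KEYS = """\
# deploy key used by the CI runner
restrict,from="10.20.0.0/16",command="/usr/local/bin/deploy.sh" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY0001 ci-deployer
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY0002 unrestricted-dev
from="*.corp.example,10.1.1.0/24",no-agent-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERKEY0003 build-agent
"""

if __name__ == "__main__":
    for r in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        status = "OK" if not r["findings"] else "; ".join(r["findings"])
        print(f"{r['comment']:<18} {status}")
```

Run against a real file with `audit_authorized_keys(open(path).read())`; the parser handles quoted option values that contain commas (as `from=` patterns often do), which naive comma splitting gets wrong.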

Zero Trust Principle 3: Granularity

If an application is trying to access data in a database, in a Zero Trust environment that application needs to be validated using certificates and public key infrastructure (PKI) to determine that it is an approved app accessing an approved database. As application architectures get more granular, so does the need to ensure trust between all the components. That has a big impact on machine identity management.

An application architecture from a few years ago might have required just a few TLS certificates to encrypt communications. Maybe one certificate on a load balancer, another one on a web server and two more for the backend application and database servers. Those TLS certificates would have had two- or three-year lifecycles so you wouldn’t have had to think about renewing them that often.

Fast forward to today, where applications are developed with microservices in mesh architectures and are much more compartmentalized. In Zero Trust, these more granular connections all need to be trusted, so the four TLS certificates I needed a few years ago will need to be multiplied to accommodate all the new components. Add the fact that, as of September 2020, TLS certificates have a lifespan of just over one year, and a machine identity management strategy and program becomes critical for dealing with the increased number of TLS certificates that need to be renewed more frequently.
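To make the renewal arithmetic concrete, here is an added example (illustrative code for this page, not Venafi's) that runs a small constructed certificate inventory through two policy checks: whether a certificate issued after 1 September 2020 exceeds the 398-day maximum lifetime that browsers enforce from that date, and which certificates fall inside an assumed 30-day renewal window. The inventory mixes the four "legacy" certificates from the earlier architecture with a few shorter-lived microservice certificates; all names and dates are constructed.

```python
"""Certificate inventory checks: maximum lifetime and renewal scheduling.

Added example, not Venafi code. Assumes the 398-day cap browsers apply to
TLS leaf certificates issued on or after 2020-09-01, and an assumed policy
of renewing when 30 days or fewer remain.
"""
from dataclasses import dataclass
from datetime import date

MAX_LIFETIME_DAYS = 398           # browser-enforced cap for certs issued from the cutoff
POLICY_CUTOFF = date(2020, 9, 1)  # date the cap took effect
RENEW_WINDOW_DAYS = 30            # assumed renewal policy, not an industry rule


@dataclass(frozen=True)
class CertRecord:
    name: str
    not_before: date
    not_after: date

    @property
    def lifetime_days(self):
        return (self.not_after - self.not_before).days


def classify(cert, today):
    """One status per certificate: expired, exceeds-max-lifetime, renew-now or ok."""
    if cert.not_after < today:
        return "expired"
    if cert.not_before >= POLICY_CUTOFF and cert.lifetime_days > MAX_LIFETIME_DAYS:
        return "exceeds-max-lifetime"
    if (cert.not_after - today).days <= RENEW_WINDOW_DAYS:
        return "renew-now"
    return "ok"


def renewal_report(certs, today):
    """Map status -> certificate names, soonest expiry first within each status."""
    report = {}
    for cert in sorted(certs, key=lambda c: c.not_after):
        report.setdefault(classify(cert, today), []).append(cert.name)
    return report


def renewals_per_year(certs):
    """Approximate renewal events per year, assuming each certificate is re-issued
    with the shorter of its current lifetime and the 398-day cap."""
    total = 0.0
    for cert in certs:
        effective = min(cert.lifetime_days, MAX_LIFETIME_DAYS)
        total += 365 / effective
    return round(total, 1)


# Constructed inventory: four legacy certs plus three microservice certs.
SAMPLE_INVENTORY = [
    CertRecord("legacy-lb", date(2019, 6, 1), date(2022, 6, 1)),      # 3-year cert, pre-cutoff
    CertRecord("legacy-web", date(2019, 6, 1), date(2022, 6, 1)),     # 3-year cert, pre-cutoff
    CertRecord("legacy-app", date(2021, 1, 15), date(2023, 1, 15)),   # 2-year cert issued after cutoff
    CertRecord("legacy-db", date(2020, 3, 1), date(2021, 3, 1)),      # already expired
    CertRecord("svc-payments", date(2020, 10, 5), date(2021, 11, 7)), # 398 days, 39 days left
    CertRecord("svc-orders", date(2020, 9, 20), date(2021, 10, 23)),  # 398 days, 24 days left
    CertRecord("svc-inventory", date(2021, 6, 1), date(2022, 7, 4)),  # 398 days, fresh
]

if __name__ == "__main__":
    today = date(2021, 9, 29)  # the post's publication date, used as "now"
    for status, names in renewal_report(SAMPLE_INVENTORY, today).items():
        print(f"{status:<22} {', '.join(names)}")
    print("expected renewals per year:", renewals_per_year(SAMPLE_INVENTORY))
```

The "exceeds-max-lifetime" check only fires for certificates issued on or after the cutoff, because older long-lived certificates were valid when issued and simply will not be renewable on the same terms.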

Zero Trust Principle 4: Dynamic

Zero Trust relies on continuously verifying the trustworthiness of every device, user, and application in an enterprise. Since these devices, users and applications can be highly dynamic, the approach to ensuring their trustworthiness needs to be dynamic as well.

For machines, it means their machine identities need to be created and spun up rapidly, disabled and revoked rapidly, and then reconnected and redesigned. None of these actions can easily be done manually, which is yet another reason why machine identity management is critical for Zero Trust.

The Takeaway: Zero Trust and Machine Identity Management Belong Together

Machine identity management programs provide organizations with the visibility, intelligence, and automation they need for the thousands or even millions of machine identities used in their organization. The bottom line: Zero Trust programs won’t succeed if they don’t synchronize with an organization’s machine identity management program.

About the author

Diane Garey

Diane is on the product marketing team at Venafi and loves sharing how the Venafi Platform helps organizations protect their machine identities.