Every day we see new technologies designed to make our lives better, safer and more efficient. All of these technologies rely on machines, such as cloud workloads, IoT devices, applications, containers, code and more. To operate securely, each of these machines need a unique identity that allows users (or other machines) to determine whether they should be trusted. This is the same for all machine identities, whether they are TLS keys and certificates, SSH keys or code signing certificates.
To further complicate matters, the lifespan of TLS machine identities, in particular, is becoming shorter and shorter. The validity period of a public facing certificate has decreased from five years to just one year. But it’s radically shorter for cloud instances. Twenty days for a VM. One day for a container. And one hour for Lambda.
With development cycles on overdrive, we’re seeing an explosion of machine identities that need to be retired or renewed ever more frequently. Plus, there are new technologies that are changing the way that we define machines. In the midst of this rapid evolution we wanted to understand which new technologies drive the need for machine identity management. So, we asked key developers in the Machine Identity Management Development Fund. Here are their answers.
“One of the issues is that there is no standard interface to acquire IoT machine identities with Message Queuing Telemetry Transport (MQTT) and other protocols. Most often, manufacturer or IoT platform defaults are used, and the use of these defaults makes it easy for hackers to compromise the identities and trigger network disruptions with far-reaching effects. Even if strong machine identities are created and updated, device authentication—the ability to verify its identity—remains elusive. I believe that a comprehensive security solution is needed that provides all IoT devices with secure, verifiable and authenticable identities throughout the entire life cycle of a device.”
– Kamal Khan, Global Director – IoT Security, Intrinsic ID
“I think the traditional concept of machine identities is being challenged by non-traditional infrastructure, such as serverless. As enterprises flock toward cloud technologies like this, it's becoming much easier to run applications without traditional infrastructure, but with a greater need for security. This expanse has a two-tiered effect in that the responsibility of securing the application is shifting left while also proliferating the number of endpoints that need to be secured and by association, can be compromised. A centralized approach to awareness and visibility of protection at this level is increasing in need and technologies that manage this protection are required to evolve as quickly as the technologies to make these new approaches more widely available.”
– David Found, VP Engineering at ShuttleOps
“According to the 2020 Flexera ‘State of the Cloud’ report, “Cloud spend is rising as organizations adopt multi-cloud strategies and put more workloads and data into the cloud”. In addition, 93% of responding enterprises reported having a multi-cloud strategy which could include multiple private and multiple public clouds. The report also states that security is the top challenge for enterprises. I think this accelerated multi-cloud adoption drives the need for a centralized machine identity management strategy. We’ve seen this with our own clients as they attempt to address this by forming centralized governance teams or turning to managed service providers for assistance.”
– Sharyl Jones, DevOps Services and Customer Success Manager at Indellient
“Quantum computers will enable threat actors to compromise the security and integrity of the devices and machines organizations rely on for their business operations. To protect systems against quantum-enabled attacks, post quantum cryptographic solutions are required. NIST is currently standardizing a suite of post quantum algorithms which organizations can use alongside new paradigm methodologies to defeat these next generation threat actors.
Ideally, organizations would be able to smoothly upgrade all of their digital certificates and machine embedded cryptography to include post quantum protections. Unfortunately, making such a transition is non-trivial in reality, and the difficulty and complexity increases with the size of the organization. A quantum-safe migration requires organizations have a deep understanding of not only their internal security posture, but also of how their security posture is controlled or influenced by things such as their vendors or suppliers.”
– Angelo Fasulo, Director of Strategic Partnerships, ISARA
"Organizations that implement containers often ask about using a service mesh layer. While this isn’t obligatory by any means, there are many benefits to running service mesh that make it the sensible choice when seeking security, efficiency, and reliability. The advent of cloud-native applications and containers created a need for a lightweight and agile service that can deliver vital application services such as load balancing, traffic management, routing, health monitoring, security policies, machine identities and user authentication, and protection against intrusion and DDoS attacks.
The concept of the mesh comes from the numerous proxies in the data plane that connects the many disparate containers, clusters, and layers that make up the complex cloud-native environment. With so much communication between microservices, solid encryption for example, becomes a pillar of network security. Service mesh manages machine identities—such as keys, certificates, and TLS configuration—to ensure continual encryption that doesn’t fail on you."
- Ariel Shuper, VP of Product at Portshift
As the number of machine identities that your organization relies on continues to grow exponentially, you’ll need to find new ways to automate their availability to critical systems. It will become increasingly important to integrate machine identity management with the new technologies that are driving digital transformation—for cloud workloads, IoT devices, smart machines, applications and containers. To this end, Venafi has gathered the world’s foremost experts to develop solutions that make it easier for our customers to orchestrate machine identities across network and security infrastructures.
This blog features solutions from the ever-growing Venafi Ecosystem, where industry leaders are building and collaborating to protect more machine identities across organizations like yours. Learn more about how the Venafi Technology Network is evolving above and beyond just technical integrations.