Enterprise environments are changing at an unprecedented pace. Digital transformation initiatives, such as migration to cloud platforms and complex software supply chains built on DevOps processes, require more and more machines, all of which must be able to communicate securely with one another. And just as human identities must be secured with passwords and biometrics, machine identities (SSL/TLS certificates, SSH keys, and code signing keys and certificates) must also be properly managed and secured.
But who in your organization is responsible for machine identity management, particularly in these modern and constantly evolving cloud environments? And who should be responsible for managing machine identities in the cloud and beyond?
Accelerating digital transformation has dissolved traditional corporate boundaries, making legacy network perimeter security obsolete. Enterprise environments are increasingly made up of cloud instances, containers running in Kubernetes and software-as-a-service (SaaS) accessed through APIs, as well as an array of applications running in data centers. It can take thousands of machines to create smooth customer experiences, making the old ways of managing them unworkable.
Machine identities now outnumber human identities in business environments. Increased connectivity and more devices on the network mean more challenges for CISOs, CIOs and security leaders tasked with protecting them. But in general, the security industry has focused on developing authentication methods for validating human identities and has more or less ignored machine identities despite their meteoric growth. To increase the pace of innovation and secure cloud-first initiatives, organizations need to establish systems and policies to secure their machine identities, or risk leaving their businesses vulnerable.
Unfortunately, many organizations leave their valuable machine identities vulnerable, which cybercriminals then exploit. Jeff Hudson, CEO at Venafi, notes that “Attacks and vulnerabilities that leverage machine identities have grown 478% over the last five years, and annual worldwide economic losses due to poor protection of machine identities are estimated to reach $71.9 billion.”
Protecting machine identities has become so important that Gartner has identified machine identity management as a “high benefit” technology in the 2021 Hype Cycle for Identity and Access Management report. And machine identity management, particularly in multicloud environments, requires a new model of responsibility that goes beyond traditional InfoSec paradigms. It must be shared across the organization.
In a traditional, on-premises data center model, the organization is 100% responsible for security across the entire operating and computing environment. This includes applications, physical servers, user controls and even physical security.
In contrast, cloud providers like AWS, Azure and GCP (Google Cloud Platform) adhere to what’s known as a “shared security responsibility” model. The cloud provider takes responsibility for some aspects of security, with the organization being responsible for the remainder. But often it’s unclear where a provider’s responsibility begins and ends—and figuring this out is key to a successful cloud security implementation.
For example, AWS states that it is responsible for “security of the cloud”:
“AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.”
Figure 1: The Shared Responsibility Model per AWS. Source: AWS.
On the other hand, the cloud service customer is responsible for security in the cloud. No matter what your computing environment is, you are always responsible for securing what’s under your direct control. This includes:
Data: By retaining control over your data, you control how and when your data is used. The cloud provider has zero visibility into your data, and you maintain all access to your data.
Applications: Your proprietary applications are yours to secure and control throughout the entire application lifecycle—from development to testing and deployment.
Identity and Access: You are responsible for all facets of your identity and access management (IAM) program, including authentication and authorization mechanisms, machine identities, single sign-on (SSO), multifactor authentication (MFA), access keys and credentials.
Platform Configuration: When you deploy cloud computing environments, you control the configuration of the underlying operating environment. Platform configuration varies based on whether your instances are server-based or serverless.
There you have it: when it comes to machine identity management, you are on the hook for establishing and enforcing policies and controls that protect machine identities. You may be able to outsource your infrastructure, but you don’t get to outsource the impact and the legal consequences of a data breach caused by poor or weak security controls.
That’s why CIOs are looking for a machine identity management partner that engineers integrated, automated processes that are simple, secure, and consistent across environments and platforms. They’re also looking for a partner that can deliver guaranteed outcomes—especially for certificate outages, the most common symptom of weak machine identity management.
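The most basic control behind the policies described above is an inventory audit that catches certificate outages before they happen: every certificate you are responsible for is checked against its validity window and your key-strength policy. The following Go program is an added example, not code from the original article or from Venafi; it builds a small constructed inventory of self-signed test certificates (the names `api.example.test`, `legacy.example.test`, `batch.example.test` and `iot.example.test`, the 30-day warning window and the 256-bit curve minimum are assumptions chosen for illustration) and runs a simple policy check over it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding records one policy violation for a certificate in the inventory.
type Finding struct {
	Subject string
	Reason  string
}

// AuditCertificates applies a minimal machine-identity policy to an inventory of
// parsed certificates: it flags certificates that are expired, not yet valid,
// expiring within the warn window, or backed by a key weaker than the policy allows.
// Thresholds (2048-bit RSA, 256-bit curves) are assumed policy values for this example.
func AuditCertificates(certs []*x509.Certificate, now time.Time, warn time.Duration) []Finding {
	var findings []Finding
	for _, c := range certs {
		name := c.Subject.CommonName
		switch {
		case now.Before(c.NotBefore):
			findings = append(findings, Finding{name, "not yet valid"})
		case now.After(c.NotAfter):
			findings = append(findings, Finding{name, "expired"})
		case c.NotAfter.Sub(now) < warn:
			findings = append(findings, Finding{name, "expiring soon"})
		}
		switch pub := c.PublicKey.(type) {
		case *rsa.PublicKey:
			if pub.N.BitLen() < 2048 {
				findings = append(findings, Finding{name, "weak RSA key"})
			}
		case *ecdsa.PublicKey:
			if pub.Curve.Params().BitSize < 256 {
				findings = append(findings, Finding{name, "weak ECDSA curve"})
			}
		default:
			findings = append(findings, Finding{name, "unsupported key type"})
		}
	}
	return findings
}

var serial int64 // simple counter so each constructed certificate gets a distinct serial

// selfSigned builds a constructed, self-signed test certificate (sample data, not a
// real machine identity) with the given name, validity window and curve.
func selfSigned(cn string, notBefore, notAfter time.Time, curve elliptic.Curve) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SampleInventory returns a constructed inventory covering each policy outcome,
// expressed relative to the supplied "now" so the audit result is deterministic.
func SampleInventory(now time.Time) ([]*x509.Certificate, error) {
	day := 24 * time.Hour
	specs := []struct {
		cn       string
		from, to time.Time
		curve    elliptic.Curve
	}{
		{"api.example.test", now.Add(-30 * day), now.Add(300 * day), elliptic.P256()},    // healthy
		{"legacy.example.test", now.Add(-400 * day), now.Add(-1 * day), elliptic.P256()}, // expired
		{"batch.example.test", now.Add(-300 * day), now.Add(10 * day), elliptic.P256()},  // expiring soon
		{"iot.example.test", now.Add(-30 * day), now.Add(300 * day), elliptic.P224()},    // weak curve
	}
	var certs []*x509.Certificate
	for _, s := range specs {
		c, err := selfSigned(s.cn, s.from, s.to, s.curve)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	return certs, nil
}

func main() {
	now := time.Now()
	certs, err := SampleInventory(now)
	if err != nil {
		panic(err)
	}
	for _, f := range AuditCertificates(certs, now, 30*24*time.Hour) {
		fmt.Printf("%-22s %s\n", f.Subject, f.Reason)
	}
}
```

In a real deployment the inventory would come from your certificate discovery tooling rather than from `SampleInventory`, and the findings would feed a ticketing or renewal workflow; the point of the example is that the "expiring soon" finding is the one that prevents the outage, and that it only exists if every certificate you are responsible for is in the inventory to begin with.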
Venafi is the world’s leading provider of software and cloud services that manage and protect machine identities. From Kubernetes in the cloud to VMs in the data center, Venafi has longstanding partnerships with industry leaders like HashiCorp, Google, Amazon, Microsoft, CyberArk, Citrix, Palo Alto Networks and IBM, among others. And Venafi has built an extensive ecosystem that allows the platform to integrate seamlessly with more than a thousand technologies, such as those from F5, Check Point and Gigamon, to name but a few.
If you’re interested in finding out more about how to begin managing your machine identities at scale, click here.