Why Zero Trust Requires Machine Identity Management
May 9, 2019 | Ivan Wallis

What is Zero Trust and how can machine identities play a pivotal role in protecting dynamic new systems?

CSO sums up Zero Trust with this bite-sized nugget: “Zero Trust is a security concept centered on the belief that organizations should not automatically trust anything inside or outside its perimeters and instead must verify anything and everything trying to connect to its systems before granting access.”

In a theoretical Zero Trust environment we make no assumptions, and we don’t compromise trust to make it easier for systems to authenticate. This has become increasingly complex in environments such as cloud computing and extended partner networks, which blur traditional notions of internal versus external trust, especially in terms of perimeter security. For all intents and purposes, the security perimeter has evaporated.


So, we can no longer rely solely on perimeter-oriented security to protect our machines, many of which now reside outside of that perimeter. Instead, we must increase our focus on managing and protecting the machines themselves, wherever they may reside. And we need to do it every time that a connection is initiated to or from any machine that is in any way affiliated with our organization. So, instead of controlling access to the perimeter, we have to control access to each individual machine.

In other words, we need some type of on-demand validation of a machine’s identity, regardless of location. This type of on-demand access requires strong authentication backed by cryptographic systems.

In Zero-Trust environments, each machine needs to have its own identity, and there needs to be a way to verify that the machine identity is valid for every transaction. Cryptographic keys and digital certificates are used to identify a machine and determine specific levels of trust. But this only works if you have a way of ensuring the integrity of those machine identities.

To understand that better, let’s look at how machine identities would be used for remote access to critical infrastructure in a Zero Trust environment. SSH is the industry standard for securing access to Unix-based systems within a peer-to-peer trust model. That makes SSH machine identities a prime example of the Zero-Trust model. SSH host keys are bootstrapped on initial OS configuration. User keys require a mapping of trust between clients and servers. When you stand up a server using SSH, it has a host key, and that host key is uniquely created on that server. That key then has to be related to the client: on first connection the client has to decide, “Do I trust this public key?” Users who want access into that server have to do the same thing in the other direction. They create their own key pair, and they have to upload the public half to the server.
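As an added illustration (not code from the post or from Venafi), the following Python reproduces the client-side half of that SSH trust mapping: the “Do I trust this public key?” check against `known_hosts`, in both the plain and the hashed (`HashKnownHosts`) entry format, plus the SHA256 fingerprint that `ssh-keygen -lf` prints for a key. The host names, key bytes and salt are constructed for the demo and stand in for real machine identities.

```python
import base64
import hashlib
import hmac
import struct

def make_ed25519_pubkey_line(raw32: bytes, comment: str) -> str:
    """Build an OpenSSH public key line around a 32-byte Ed25519 public key (RFC 4251 strings)."""
    blob = struct.pack(">I11s", 11, b"ssh-ed25519") + struct.pack(">I", 32) + raw32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint of the key blob, in the form `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(pubkey_line.split()[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches_entry(hostname: str, host_field: str) -> bool:
    """True if a known_hosts host field (plain 'a,b' list or '|1|' hashed form) names hostname."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = host_field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return hostname in host_field.split(",")

def hashed_entry(hostname: str, pubkey_line: str, salt: bytes) -> str:
    """Emit a known_hosts line in OpenSSH's hashed (HashKnownHosts yes) format."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return f"|1|{base64.b64encode(salt).decode()}|{base64.b64encode(mac).decode()} {' '.join(pubkey_line.split()[:2])}"

def check_host_key(hostname: str, presented: str, known_hosts: str) -> str:
    """'trusted': pinned key matches. 'MISMATCH': host pinned to a different key of the same
    type (possible MITM or an unmanaged rekey). 'unknown': never pinned (the first-use prompt)."""
    key_type, key_b64 = presented.split()[:2]
    pinned_other = False
    for line in known_hosts.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) < 3:
            continue
        if host_matches_entry(hostname, parts[0]) and parts[1] == key_type:
            if parts[2] == key_b64:
                return "trusted"
            pinned_other = True
    return "MISMATCH" if pinned_other else "unknown"

# Constructed demo keys and known_hosts; hostnames, key bytes and salt are made up for the example.
GOOD_KEY = make_ed25519_pubkey_line(bytes(range(32)), "build01-hostkey")
EVIL_KEY = make_ed25519_pubkey_line(bytes(range(32, 64)), "impostor")
KNOWN_HOSTS = "\n".join([
    "build01.example.internal,10.0.0.5 " + " ".join(GOOD_KEY.split()[:2]),
    hashed_entry("db01.example.internal", GOOD_KEY, b"0123456789abcdef0123"),
])
```

A “MISMATCH” result is exactly the condition a Zero Trust deployment needs visibility into: either a key was rotated outside the management process or something is impersonating the host, and neither should be resolved by a user blindly accepting the new key.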

How do we incorporate that concept into building out trust to the rest of the organization? And how can we ensure visibility into that environment to avoid misuse? It's definitely a hard problem to solve. But with the proper visibility, intelligence and automation of your machine identities, you can ensure the security of machine-to-machine connections and communications.

Is your organization ready to manage machine identities in a Zero Trust environment?


About the author

Ivan Wallis

Ivan Wallis is a Sr. Solution Architect with Venafi. He brings over 20 years of cryptographic systems engineering, key management, and security training experience to enabling customers and partners to effectively architect and deliver data security solutions for enterprise customers. Past experience includes lead Solution Architect roles at Thales e-Security and SSH Communications Security, as well as Solution Architect at Entrust. Based in the San Francisco Bay area, Ivan is an active member of the local ISSA and ISC2 security community. Ivan holds a Bachelor of Computer Science and Information Systems from Carleton University in Ottawa, Canada.
