Why Zero Trust Requires Machine Identity Protection
May 9, 2019 | Ivan Wallis

What is Zero Trust and how can machine identities play a pivotal role in protecting dynamic new systems?

CSO sums up Zero Trust with this bite-sized nugget: “Zero Trust is a security concept centered on the belief that organizations should not automatically trust anything inside or outside its perimeters and instead must verify anything and everything trying to connect to its systems before granting access.”

In a theoretical Zero Trust environment we make no assumptions, and we don’t compromise trust to make it easier for systems to authenticate. This has become increasingly complex in environments such as cloud computing and extended partner networks, which blur traditional notions of internal vs. external trust—especially in terms of perimeter security. For all intents and purposes, the security perimeter has evaporated.

So, we can no longer rely solely on perimeter-oriented security to protect our machines, many of which now reside outside of that perimeter. Instead, we must increase our focus on protecting the machines themselves, wherever they may reside. And we need to do it every time that a connection is initiated to or from any machine that is in any way affiliated with our organization. So, instead of controlling access to the perimeter, we have to control access to each individual machine.

In other words, we need some type of on-demand validation of a machine’s identity, regardless of location. This type of on-demand access requires strong authentication backed by cryptographic systems.

In Zero Trust environments, each machine needs to have its own identity, and there needs to be a way to verify that the machine identity is valid for every transaction. Cryptographic keys and digital certificates are used to identify a machine and determine specific levels of trust. But this only works if you have a way of ensuring the integrity of those machine identities.

To understand that better, let’s look at how machine identities would be used for remote access to critical infrastructure in a Zero Trust environment. SSH is the industry standard for securing access to Unix-based systems within a peer-to-peer trust model. That makes SSH machine identities a prime example of the Zero Trust model. SSH host keys are bootstrapped on initial OS configuration. User keys require a mapping of trust between clients and servers. When you stand up a server using SSH, it has a host key, and that host key is uniquely created on that server. And that key has to relate to the client. The client has to log in and decide: do I trust this public key? And if they want access into that server, then they have to do the same thing. They create their key pair, and they have to upload the public key to the server.

How do we incorporate that concept into building out trust to the rest of the organization? And how can we ensure visibility into that environment to avoid misuse? It's definitely a hard problem to solve. But with the proper visibility, intelligence and automation of your machine identities, you can ensure the security of machine-to-machine connections and communications.
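The two trust mappings described above (the client's known_hosts, which records which host keys it has chosen to trust, and the server's authorized_keys, which records which user keys may log in) are the raw material for the visibility the post calls for. The following is an added example, not Venafi's code or anything from the original post: it parses both file formats, computes OpenSSH-style SHA256 fingerprints, and compares every key found against a central inventory of fingerprints that have an owner and an approval record. Keys that are trusted on a machine but absent from the inventory are exactly the blind spots a machine identity programme needs to surface. All keys, hostnames and file contents are constructed in the script (the ed25519 key bytes are arbitrary, not real keys); `INVENTORY`, `audit` and `run_audit` are names chosen for this example.

```python
import base64
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# --- Constructed sample keys (NOT real keys; the 32 bytes below are arbitrary) ---
# An ed25519 public key blob is the SSH wire encoding of two length-prefixed
# strings: the key type name and the 32 raw key bytes.
def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def make_ed25519_blob(raw32: bytes) -> str:
    """Return the base64 blob as it appears in authorized_keys / known_hosts."""
    if len(raw32) != 32:
        raise ValueError("ed25519 public keys are exactly 32 bytes")
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(raw32)).decode()

SERVER_HOST_KEY = make_ed25519_blob(bytes(range(32)))      # the server's host key
ALICE_USER_KEY = make_ed25519_blob(bytes(range(32, 64)))   # an approved user key
LEFTOVER_KEY = make_ed25519_blob(bytes([7]) * 32)          # a key nobody inventoried

# Constructed file contents, in the formats ssh and sshd actually read.
KNOWN_HOSTS = f"""# hosts this client has chosen to trust
build01.example.internal,10.0.0.5 ssh-ed25519 {SERVER_HOST_KEY}
"""
AUTHORIZED_KEYS = f"""ssh-ed25519 {ALICE_USER_KEY} alice@laptop
ssh-ed25519 {LEFTOVER_KEY} leftover@unknown
"""

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

@dataclass
class SshKey:
    key_type: str
    blob_b64: str
    comment: str
    hosts: Tuple[str, ...]   # empty for authorized_keys entries

def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(decoded blob)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def blob_key_type(blob_b64: str) -> str:
    """Read the key type embedded in the blob itself (its first length-prefixed string)."""
    raw = base64.b64decode(blob_b64)
    (n,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + n].decode()

def parse_key_line(line: str, with_hosts: bool) -> Optional[SshKey]:
    """Parse one known_hosts (with_hosts=True) or authorized_keys line.

    An options prefix on an authorized_keys line (e.g. 'command="..." ssh-ed25519 ...')
    is skipped by locating the key-type field; quoted options that contain
    spaces are not handled by this simple splitter.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError(f"unrecognised key line: {line[:40]!r}")
    key_type, blob = fields[idx], fields[idx + 1]
    # The declared type and the type inside the blob must agree, or the line is corrupt.
    if blob_key_type(blob) != key_type:
        raise ValueError(f"key type field {key_type!r} does not match blob contents")
    hosts = tuple(fields[0].split(",")) if with_hosts and idx == 1 else ()
    return SshKey(key_type, blob, " ".join(fields[idx + 2:]), hosts)

def parse_file(text: str, with_hosts: bool) -> List[SshKey]:
    parsed = (parse_key_line(l, with_hosts) for l in text.splitlines())
    return [k for k in parsed if k is not None]

def audit(keys: List[SshKey], inventory: Set[str]) -> Tuple[List[SshKey], List[SshKey]]:
    """Split keys into (inventoried, unknown) by comparing fingerprints to the inventory."""
    known, unknown = [], []
    for k in keys:
        (known if fingerprint(k.blob_b64) in inventory else unknown).append(k)
    return known, unknown

# The inventory a machine identity programme would hold centrally:
# fingerprints that have an owner and an approval record (constructed here).
INVENTORY = {fingerprint(SERVER_HOST_KEY), fingerprint(ALICE_USER_KEY)}

def run_audit() -> dict:
    host_ok, host_unknown = audit(parse_file(KNOWN_HOSTS, True), INVENTORY)
    user_ok, user_unknown = audit(parse_file(AUTHORIZED_KEYS, False), INVENTORY)
    return {
        "trusted_hosts_inventoried": [h.hosts for h in host_ok],
        "trusted_hosts_unknown": [h.hosts for h in host_unknown],
        "user_keys_inventoried": [u.comment for u in user_ok],
        "user_keys_unknown": [u.comment for u in user_unknown],
    }

if __name__ == "__main__":
    for name, entries in run_audit().items():
        print(f"{name}: {entries}")
```

Run as-is, the audit reports `leftover@unknown` as a user key that grants access but has no inventory record, which is the kind of finding that should trigger removal or an approval workflow. Fingerprints rather than raw blobs are compared so the same inventory can be checked against `ssh-keygen -lf` output or a hosts' key lines without normalising comments or options. On a real estate the two constructed strings would be replaced by the contents of `~/.ssh/known_hosts` and each account's `authorized_keys` collected from every machine.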

Is your organization ready to protect machine identities in a Zero Trust environment?
