Skip to main content
banner image
venafi logo

Win-win Policies that Simplify Your Machine Identity Management

Win-win Policies that Simplify Your Machine Identity Management

simplify certificate management
March 12, 2019 | Mark Sanders

In my last blog, I discussed how implementing policies for machine identities can actually help you avoid insider threats that result from employees taking shortcuts that leave your organization exposed. Before I share more about the power of policies, let me give you a few more examples of the hazards of your users pushing the easy button for their keys and certificates.

Imagine if I used the same SSH key across different cloud systems because I just wanted to make that easier on myself. Copying one key onto another system would not only be easier for me, it would be easier for cyber criminals. Or, let’s say for convenience I create a machine identity on one cloud system, then clone it or otherwise duplicate it onto several new systems. And now those same machine identities are being replicated across multiple cloud instances with identities they shouldn't be using.

Another big one is reusing the same private key. When a certificate is going to expire, technically you can reuse the same private key when you renew the certificate. That is certainly not the best practice, which is getting a new key when you renew the certificate. But if someone is pressed for time, they can just change out the certificate without modifying the keys. In that case, you have a bad problem with man-in-the-middle, because if someone has the private key and you don't change the private key then they can still decrypt your data.


As I’ve written before, there’s an easy way to avoid these types of problems. When you craft policies that support business goals and objectives as opposed to hindering people, you actually make it easier for everyone to be secure. To illustrate how this works, let me share an example from a large financial services organization that I’ve been working with.

This organization had already established a series of policies that governed machine identities. But they were having trouble getting their users to comply with those policies. Like I often say, "If you can’t enforce policies, you don't actually have policies. You have recommendations." One of the policies that this financial services organization was struggling with was one that forbid the use of wildcard certificates. But they had no way to enforce this policy, so people ended up doing whatever they wanted to anyway. And they would use wildcards because they were fast and easy, and following policies against wildcards would just slow these users down.

Venafi helped this organization put together policies that made it very easy for users, while ensuring that they were using the most secure machine identities. The new policy was actually simpler as well as stronger and easier to enforce. It simply requires that whoever you are, you're going to get a certificate in one of two ways: If you’re a person, you get this machine identity through a self-service GUI (that enforces strong security attributes) and if you’re a machine, you get it through an API. 

The message to users was welcome, if not long overdue: "We've made it super simple for you. You no longer need to generate keys, you no longer need to generate a CSR. We have a policy and procedure that does all that for you. So it’s a win for you, the user, because you don't have to do all that manual slow stuff that you don't like to do. And it’s a win for us, the security team, because now you're following policies and procedures that are very secure."

Building policies into these automatic processes simplifies something people have to do anyway. It makes it easy for them. They don't have to do all these steps, they don't have to think about it, they don't even have to understand what they need to do. It's all automated for them. And your machine identities are automatically more secure as well.

Are you ready for win-win automation for your machine identities?


Related posts

Like this blog? We think you will love this.
Featured Blog

Cost of a Machine Identity Data Breach with Yahoo!

Consequences from the Yahoo Data Breach

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Mark Sanders
Mark Sanders
Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more