PKI professionals and my grandmother would have a lot to talk about. They both have a lot to keep track of: machine identities for one and birthdays for the other.
My grandmother has 6 children, 26 grandchildren and 12 great-grandchildren. That’s 44 birthday calls to make a year, not including in-laws. For as long as I can remember, she has hardly missed one.
Her solution? Not one calendar per family, or one for the grandchildren only, or one for each month. It’s a simple, integrated solution: an exhaustive audit of family dates that she vigilantly enforces nearly every week of the year. 44 points of data go in, and are organized, orchestrated and monitored. It’s a manual process. But it works for her.
The challenges my grandmother faces are the same ones that large organizations face in defending the cryptographic keys and digital certificates that make up their machine identities: integration, enforcement and comprehensiveness. But it is nearly impossible for PKI professionals to meet them manually, especially at the speed and scale of today’s machine identities.
While there are volumes of anecdotal evidence about PKI challenges such as manual management, Venafi wanted something more substantial to document these challenges. So we commissioned an analyst study. The results have been published in "Securing The Enterprise With Machine Identity Protection", a June 2018 commissioned study conducted by Forrester Consulting on behalf of Venafi. The study includes responses from 350 senior IT security professionals who are responsible for their organizations’ identity and access management from the U.S., U.K., Germany, France and Australia.
The study found that 50% of companies experience problems protecting machine identities. According to the study, “companies see machine identity protection capabilities as important, but the majority struggle to execute on those capabilities.”
It all boils down to two main issues: machine identities that are not being tracked, and insufficient tools to protect them once they are. The scope of the problem is also much bigger than before. With the rise of IoT devices, new DevOps initiatives and cloud, companies can hardly keep up with what, or where, to protect in the growing population of machine identities. According to the Forrester study, “Without the right technology solutions in place — such as enforcing policies, routine machine identity life cycle management, and responding to machine identity security incidents at enterprise scale — this rapidly fluctuating environment can be perilous.”
Traditional certificate management doesn’t seem to be up to the rigors of protecting today’s avalanche of machine identities. The study noted that “orchestrating the creation, provisioning, rotation, renewal, and replacement of machine identities tasks manually is nearly impossible, given the rapid increase in volume of machine identities and the velocity of changes affecting them.” So the only clear answer is to automate. It’s like buying my grandmother an Alexa device that would automatically place the 44 birthday calls a year for her. According to the study, “Moving forward, firms need fewer tools that do more … and tools that deliver the comprehensive intelligence required to drive automated protection and response.”
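The first automated task that pays for itself is the one my grandmother does by hand: knowing every date before it arrives. The example below is added here to illustrate the point and is not Venafi or Forrester code: it parses the Validity field straight out of DER-encoded X.509 certificates with only the Python standard library and flags each one as OK, EXPIRING or EXPIRED against a warning window. The certificates it scans are constructed inline with a tiny DER encoder (hostnames under `example.test`, a fixed "now" of 2018-07-01, bogus signature bytes); they exist only so the script runs offline, and the scanner itself works unchanged on real DER files.

```python
"""Added example: minimal X.509 expiry scanner (standard library only).

The sample certificates are constructed below and carry no real key or
signature; they only exercise the Validity/subject parsing and the policy.
"""
from datetime import datetime, timedelta, timezone

# ---- tiny DER encoder, used only to build the constructed samples ----------
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def _utctime(dt):
    # UTCTime is what X.509 uses for dates before 2050: YYMMDDHHMMSSZ
    return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def _cn(name):
    # Name = SEQUENCE OF (SET OF AttributeTypeAndValue); OID 2.5.4.3 = commonName
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, name.encode()))
    return _tlv(0x30, _tlv(0x31, atv))

_SHA256_RSA = _tlv(0x30, _tlv(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B") + b"\x05\x00")

def make_test_cert(cn, not_before, not_after):
    """Constructed, unsigned certificate-shaped DER (test fixture, not a real cert)."""
    tbs = _tlv(0x30,
        _tlv(0xA0, _tlv(0x02, b"\x02"))                          # [0] version v3
        + _tlv(0x02, b"\x01")                                    # serialNumber
        + _SHA256_RSA                                            # signature alg
        + _cn("Constructed Test CA")                             # issuer
        + _tlv(0x30, _utctime(not_before) + _utctime(not_after)) # validity
        + _cn(cn)                                                # subject
        + _tlv(0x30, _SHA256_RSA + _tlv(0x03, b"\x00" * 17)))    # placeholder SPKI
    return _tlv(0x30, tbs + _SHA256_RSA + _tlv(0x03, b"\x00" * 33))  # bogus signature

# ---- DER parsing side: this part works on real certificates -----------------
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out

def _parse_time(tag, val):
    s = val.decode("ascii")
    if tag == 0x17:                         # UTCTime; RFC 5280 pivots YY at 50
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    elif tag != 0x18:                       # 0x18 = GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError(f"unexpected time tag {tag:#x}")
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def _subject_cn(name_body):
    for _, rdn in _children(name_body):            # each RDN is a SET
        for _, atv in _children(rdn):              # each AttributeTypeAndValue
            oid, val = _children(atv)
            if oid[1] == b"\x55\x04\x03":
                return val[1].decode()
    return "<no CN>"

def parse_cert(der):
    """Extract subject CN, notBefore and notAfter from a DER certificate."""
    _, cert_body, _ = _read_tlv(der, 0)
    _, tbs, _ = _read_tlv(cert_body, 0)            # tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                       # optional explicit version
        fields = fields[1:]
    # fields: serial, sigalg, issuer, validity, subject, spki, ...
    not_before, not_after = (_parse_time(t, v) for t, v in _children(fields[3][1]))
    return {"subject": _subject_cn(fields[4][1]),
            "not_before": not_before, "not_after": not_after}

def scan(certs, now, warn_days=30):
    """Inventory every cert and flag it EXPIRED / EXPIRING / OK."""
    report = []
    for der in certs:
        info = parse_cert(der)
        remaining = (info["not_after"] - now).days
        status = "EXPIRED" if remaining < 0 else "EXPIRING" if remaining < warn_days else "OK"
        report.append((info["subject"], remaining, status))
    return report

NOW = datetime(2018, 7, 1, tzinfo=timezone.utc)   # fixed clock for the constructed run
SAMPLE_CERTS = [                                    # constructed inventory, not real certs
    make_test_cert("api.example.test", NOW - timedelta(days=300), NOW + timedelta(days=65)),
    make_test_cert("legacy-db.example.test", NOW - timedelta(days=800), NOW - timedelta(days=5)),
    make_test_cert("build-runner-07.example.test", NOW - timedelta(days=10), NOW + timedelta(days=12)),
]

if __name__ == "__main__":
    for subject, days, status in scan(SAMPLE_CERTS, NOW):
        print(f"{status:9}{days:5d}d  {subject}")
```

To point it at a real estate, replace `SAMPLE_CERTS` with DER read from disk (for PEM files, `ssl.PEM_cert_to_DER_cert()` from the standard library converts them) and pass `datetime.now(timezone.utc)` as the clock. The scan is the easy half of the problem the study describes; the hard half is that it only covers the certificates you already know about, which is why discovery and enforcement have to be automated alongside expiry tracking.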
Nobody wants to keep track of thousands of certificates by hand. Not my grandmother. Not Gary in IT. And since when did millions of dollars in revenue and reputation rest in those hands? Again, just ask anyone at a company that has suffered a breach and they’ll tell you: you can’t automate enough.