Many organisations do not know the full scope of their machine identity usage and exposure. Case in point, recently a colleague of mine asked a customer how many certificates they had. Their initial response was, "We have 1,200 certificates." And then they came back a week later and went, "Ah yeah, I spoke to somebody else in this other department and it looks like they've got about 6,000." Then within another week, they came back and said they actually had 25,000 certificates that they needed to manage and protect. Chances are they have even more.
One of the reasons that it’s so difficult for organisations to nail down exactly how many certificates they have is that there is no central ownership of these machine identities. Because of the machine-to-machine communications and connections that they authenticate, machine identities are often seen as the responsibility of IT operations rather than security. As a result, certificate management can quickly become siloed by department or line of business. That means that machine identity security policies are often inconsistently applied and may vary widely by group.
But ultimately, it’s the business units that feel the pain of managing the bourgeoning number of machine identities (or the results of mismanaging them). They take the productivity hit when an expired certificate triggers an application outage. And, even more important to them, they take the revenue hit if certificates can’t be provisioned in a timely manner to support new products or promotions.
Yet, the ultimate danger in this distributed model is that the actions of any one group can impact the organisation as a whole in terms of system downtime or risk of infiltration and pivoting attacks. It’s the whole weakest link cliché.
But it’s a problem that’s not easily fixed. Let’s face it, there’s a shortage of PKI expertise throughout the industry. So, it’s more than likely that a business unit will assign the PKI function to an IT generalist. In my 20 years of experience, I’ve found IT project and security in general people have a somewhat hazy understanding of PKI. They may even have it listed on their CV, but they don't actually understand it. Consequently, even highly-qualified IT personnel may not be fully aware of the nuances of machine identity protection and the risks of undermanaging machine identities.
Who Controls PKI?
As in any function of the business, it’s the people with the money who are ultimately responsible for making the strategic decisions. PKI is no exception. And what seems to be happening more and more is that the money for PKI lies within the business units. Security operations are evolving to a consulting role where they give the advice and set the rules. But they don't have any authority to force somebody to follow them or to check up on somebody, other than in audits.
So, that leaves the PKI in the hands of the line of business owners, who know even less about PKI than their IT and security advisors. And this leads to a certain amount of schizophrenia when it comes to the management and protection of machine identities. At one large bank, all of the PKI expertise was consolidated into one operations position, whose job is to go out and teach the business units how to use it. The strategy was to have the businesses to be responsible for their certificates. As a result, they are moving responsibility out to the business units, but the business units are funding it back through operations. In the end, the security team will fund a very small piece of it.
A No Man's Land
Where does all of this leave machine identities? More often than not, in a no man’s land. Ironically, it’s a centralized platform for machine identity protection that will empower the business units to act independently to accomplish their individual goals. Enforcing standard security policies for all machine identities enterprise-wide will reduce risk and liability. Maintaining a complete and accurate inventory of the location and ownership of all machine identities will streamline management. And enabling a secure self-service certificate model will accelerate provisioning to support rapidly changing business needs.