Any time you switch from a homegrown internally developed application to one that is purchased off the shelf from a vendor, you’re going to face a challenging task. Based on my own experience, this is especially true when the application you’re replacing is used to manage digital certificates. Most large companies initially created their own certificate management application because in the early days there was a lack of mature tools in the commercial space. This is no longer the case and more and more companies are moving towards an off-the-shelf solution. I’d like to offer you some practical advice on how to make that transition as smooth and productive as possible as you migrate to mature machine identity protection.
First of all, the transition itself needs to be well thought out and communicated prior to execution. If you don’t do this, the migration will end up as a disaster. Administrators will be hesitant to move to a new tool because they are already familiar with the current tool and the processes that surround it. To minimize this resistance, you will need to have a comprehensive training strategy for getting them familiar with the new tool prior to them actually migrating to it. You need to show them that the new tool will provide better automation, more efficiency, and basically that it will make their jobs easier. Conducting multiple short duration (2-4 hours) sessions seems to work well. This gives the people time to digest the information previously provided and to bring questions in the next session. You don’t want a long period of time between sessions though, as many people may forget what you taught them previously. Also, if you give administrators the opportunity to actually log in and use the tool in a nonproduction system, you’ll see a huge benefit. There is nothing better than actual hands-on training.
Now it’s time to move up the ladder. Getting leadership onboard is another key factor to success. You need to communicate about the new solution in terms of reducing risks associated with certificate management. If you have metrics showing system outages due to expired certificates, or certificates that weren’t properly replaced, it helps make the case for why the switch needs to occur. By implementing a tool that can provide better automation and efficiency, your number of outages will decrease. That is, of course, as long as you have the automation set up correctly. Never let outages go to waste, use them to your advantage for implementing change.
Prepare to pull the trigger, but aim carefully before you fire. There are a lot of factors you need to consider when planning the transition to automated machine identity protection. If you can time the transition to leverage a large-scale certificate replacement event, that helps. Otherwise think about transitioning in logical groups as certificates expire. It helps make the transition easier since you will already be touching the systems holding the certificates anyway. Also make sure you fully think through the certificate policies and how they are configured in the new tool versus how you had them configured in your homegrown system. There is a high likelihood that they won’t be exactly the same. So, you want to make sure that all of the configuration items in the new tools are set up and ready to go before you start migrating and managing certificates from them.
When it comes to deploying agents onto servers, I would recommend performing a mass deployment and then going back and getting each of the agents configured specifically for that server. This approach enables you to leverage some basic functionality across a large footprint, such as certificate discovery, while the unique configuration work is taking place over a longer period of time.
When you are adding automation to your certificate management, I recommend using a crawl, walk, run approach. Depending on the level of automation you have with your existing tool, start out with something similar or slightly more advanced. In the case of the Venafi platform, I’d start with monitoring and enrollment and then work your way up to full provisioning. This also gives your administrators time to become more comfortable with the tool before you implement more far-reaching changes. Don’t be in a rush to get everyone to full automation right away, that could induce problems and create a negative view of the tool.
I hope that following some of my recommendations will make your transition easier for all of the teams that will be impacted. Of course, people will be quick to say the old way was better whenever any obstacles arise. Plus, there are bound to be some bumps along the way—no migration is ever flawless. So, make sure that you set expectations appropriately. With proper planning and patience through the actual migration, you can minimize the bumps along the way and get to a lower risk certificate management posture.