Two high-impact transformations are currently taking place within IT: containers and cloud. Both force many companies into a mode that is uncomfortable for them. Most companies are accustomed to moving methodically under a carefully calculated long-term plan. But current development strategies that leverage containers and cloud force Slow IT departments to work with the people who used to be referred to as Shadow IT. And those Shadow IT folks who used to work outside of the system now ARE the system.
Indeed, development for cloud and DevOps, now commonly referred to as Fast IT, may be on the road to overtaking the influence of traditional IT teams, aka Slow IT. Because of the rapid results that Fast IT consistently delivers, the cloud and DevOps teams wield considerable power in organizations and can even call many of the IT shots, as my colleague Terrie Anderson wrote about in a previous blog.
In particular, I’d like to explore how Fast IT challenges many of the conventions that have previously governed strategies for machine identity protection. Machine identities are the cryptographic keys and certificates that machines use to authenticate to one another and to protect the confidentiality and integrity of data in motion. In general, nobody outside of the PKI team cares all that much about these machine identities until something happens to them.
The term also covers SSH keys, which safeguard administrative user-to-machine access and automated machine-to-machine functions. SSH is a Swiss Army knife, used in most companies by both Slow IT and Fast IT departments.
So, what is the impact of Fast-IT on machine identities?
Slow IT used to be able to gather all machine identity information in house. In the early days they could even collect it manually and manage it from a spreadsheet. When the limitations of that became apparent, many developed homegrown scripts and other methods to improve management. But none of these were ready for the onslaught of machine identities that cloud and containerization would bring. Now more and more applications are no longer protected by a traditional perimeter, and this causes multiple problems for the protection of machine identities. Here are some challenges I’d like to highlight:
Access. Where are the keys and certificates for cloud and container workloads located, and who has access to them? Are they accessible to all of your IT staff, both internal employees and contractors? What is the process for revoking access to these keys? Can an external cloud or container platform provider actually guarantee that none of its own employees can access them?
Usability. Does Slow IT have tools that speak the right APIs to integrate authentication, authorization and accounting (AAA) information with Fast IT platforms? In the past, when certificates had lifetimes of multiple years, it was quite feasible to create and rotate machine identities through a well-defined manual process. Now that the average container lifetime has shrunk to hours or less, automating their management and protection is fundamental.
Visibility. How can PKI or cloud administrators report on the certificates in use across different clouds or in containers? How can they create a single pane of glass for keys and certificates across multi-cloud installations? Different kinds of APIs may be needed to bring information from multiple cloud and container platforms into the tools previously used to control machine identities on premises.
Management. Most cloud and container platforms prefer that organizations use the platform’s native certificate authorities (CAs) and key management systems. But these platforms do NOT all provide the same capabilities for managing keys and certificates: certain functionality or characteristics may differ, or even be missing, from provider to provider.
All of these factors challenge Slow IT departments. How can they comply with internal policies if the platform (internal, hybrid or external), most likely chosen by Fast IT without involving Slow IT, cannot provide the capabilities needed for compliance?
And all of this is complicated enough in business as usual. The challenges are compounded significantly when something goes wrong. Say a cloud CA is compromised, as has happened multiple times in the past. What tools does an administrator have to migrate quickly away from the preferred and fully integrated cloud or container CA when it is no longer trusted? The only way to mitigate these events in a timely manner is to be prepared for them before they occur.
Organizations should create an abstraction layer around internal CA systems such as Microsoft’s, external CAs such as DigiCert, and cloud CAs such as AWS Certificate Manager (ACM). This layer integrates all CAs into a global management platform that provides consistent capabilities across all environments, and that consistency becomes the driving force for everything else in machine identity management and protection.
With a comprehensive platform for machine identity protection, organizations can maintain a consistent policy for authentication, authorization and accounting, which results in the same high level of control for both users and machines. This means that machine identity and compliance audits become far less painful.
Using a global platform for protecting machine identities, Slow IT can demonstrate that it is in control of life cycle management for machine identities. With a single view of all certificates and keys, reporting shows Slow IT which certificates are used where, when they expire, and so on. Preferably the platform should be integrated with the ITSM solution, so that machine identity requests follow the same process as any other IT request in the organization.
Not only should the platform support auto-rotation and remediation on traditional appliances and web servers, it should also support Fast IT so that they no longer need to bypass it. Get one platform that serves both Fast IT and Slow IT and you will maintain consistent security across all of your environments.
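As an added illustration, not code from this post or from any vendor’s product, here is a small Go sketch of what the abstraction layer, the single view and the rotation logic described above look like when written down: each CA or platform backend implements one interface, the inventory merges them into provider-neutral records, and a status rule decides whether a certificate is fine, due for rotation, already expired, or must be reissued from another CA because its issuer is no longer trusted (the compromised-CA scenario above). The backend names (adcs, acm), CA names, hostnames and lifetimes are constructed for the example, and the certificates are generated in memory rather than fetched from any real CA.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Record is the provider-neutral row shown for every certificate, whichever CA or platform issued it.
type Record struct {
	Source, Subject, Issuer string
	NotAfter                time.Time
}

// Source is the abstraction layer: each CA or platform backend implements just this.
type Source interface {
	Name() string
	Certificates() ([]*x509.Certificate, error)
}

// memSource stands in for a real provider API; its certificates are constructed below.
type memSource struct {
	name  string
	certs []*x509.Certificate
}
func (m memSource) Name() string                                { return m.name }
func (m memSource) Certificates() ([]*x509.Certificate, error) { return m.certs, nil }
// Inventory merges every backend into one list: what is used where, issued by whom, expiring when.
func Inventory(sources []Source) ([]Record, error) {
	var out []Record
	for _, s := range sources {
		certs, err := s.Certificates()
		if err != nil {
			return nil, fmt.Errorf("%s: %w", s.Name(), err)
		}
		for _, c := range certs {
			out = append(out, Record{s.Name(), c.Subject.CommonName, c.Issuer.CommonName, c.NotAfter})
		}
	}
	return out, nil
}

// Status is the rotation/remediation decision: a certificate from a distrusted (compromised)
// CA is reissued elsewhere whatever its expiry; otherwise rotate once less than lead remains.
func Status(r Record, now time.Time, lead time.Duration, distrusted map[string]bool) string {
	switch {
	case distrusted[r.Issuer]:
		return "REISSUE"
	case !now.Before(r.NotAfter):
		return "EXPIRED"
	case r.NotAfter.Sub(now) <= lead:
		return "ROTATE"
	default:
		return "OK"
	}
}

var serial int64 // serial numbers for the constructed certificates
// cert builds a constructed Ed25519 certificate: a self-signed test CA when parent is nil, else a leaf signed by parent.
func cert(cn string, now time.Time, life time.Duration, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // fails only if the RNG does
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now, NotAfter: now.Add(life),
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return c, key
}

// SampleSources: a one-year on-prem cert from an internal CA and a two-hour container cert from a cloud CA (names hypothetical).
func SampleSources(now time.Time) []Source {
	corpCA, corpKey := cert("Corp Issuing CA", now, 10*365*24*time.Hour, nil, nil)
	cloudCA, cloudKey := cert("Cloud CA", now, 10*365*24*time.Hour, nil, nil)
	erp, _ := cert("erp.corp.example", now, 365*24*time.Hour, corpCA, corpKey)
	api, _ := cert("api.cloud.example", now, 2*time.Hour, cloudCA, cloudKey)
	return []Source{memSource{"adcs", []*x509.Certificate{erp}}, memSource{"acm", []*x509.Certificate{api}}}
}

func main() {
	now := time.Now()
	recs, _ := Inventory(SampleSources(now))
	for _, r := range recs { // scenario: 24h lead time and the cloud CA has just been compromised
		fmt.Printf("%-5s %-18s %-16s %s\n", r.Source, r.Subject, r.Issuer,
			Status(r, now, 24*time.Hour, map[string]bool{"Cloud CA": true}))
	}
}
```

Run it with `go run`. Wiring in a real backend means implementing `Certificates()` against that provider’s API; the records, the single view and the rotation decision stay exactly the same, which is what the abstraction layer buys you when one CA has to be abandoned in a hurry.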
Is your machine identity program ready for the transformation of cloud and containers?