Managing machine identities in a zero-trust world


Businesses are struggling to manage the rapidly evolving machine identities their organizations create. Existing methods do not scale to secure them.

Typical businesses have 45 times more machine identities than human identities, and many organizations don't even know exactly how many identities they have. More than six out of 10 businesses are uncertain about their organization's number of certificates and keys, up 17% from last year.

That's why it's so hard for many CISOs to control their machine identities. The typical business had 250,000 of them to manage in 2021, a number expected to double to 500,000 by 2024.

The Ponemon Institute's 2023 State of Machine Identity Management report, published by Keyfactor, provides an accurate view of the current state of machine identity management, and of why it is so important to get it right for zero trust.



CISOs told VentureBeat that managing the vast number of machine identities created by applications, containers, cloud services, scripts, virtual machines (VMs), and mobile devices and laptops is the hard part. The identity and access management (IAM) aspect of a zero-trust framework is the most difficult to get right.

Adding to the challenge is the need to manage the lifecycle of machine identities.

Getting started with an enterprise-wide strategy for managing public key infrastructure (PKI) is at the core of this effort.

How managing machine identities supports zero trust

A combination of factors is increasing the urgency of making PKI a core part of an enterprise's machine identity management (MIM) strategy: Businesses are pursuing zero-trust frameworks. They are expanding their IoT networks. And they are pursuing more cloud services.

But CIOs and CISOs told VentureBeat that their teams have thinned, while the PKI infrastructure has grown more complex as machine identities have evolved. Pulled in two directions, IT and network security teams are finding it increasingly difficult to keep up.

"PKI infrastructure certificates simply confirm the identity of a system. It's looking at a system and saying, 'I'm giving you a certificate as proof of your identity'… When that certificate is presented, it's essentially asking for access to a resource," Kapil Raina, vice president of Zero Trust, Identity, Cloud and Visibility at CrowdStrike, told VentureBeat in a recent interview.

CrowdStrike has implemented its identity segmentation to comply with the guidelines of the NIST SP 800-27 Zero Trust Architecture standard. "The idea of identity segmentation does exactly that. We rely on identity to identify areas where our clients want to limit lateral movement or damage," says Kapil.

To help organizations overcome this challenge, identity and access management (IAM) platforms need to continue to improve machine identity lifecycle management tools for applications, custom scripts, containers, virtual machines, IoT, mobile devices and more. Vendors in this area include Akeyless, Amazon Web Services (AWS), AppViewX, CyberArk, CrowdStrike, Delinea, Google, HashiCorp, Keyfactor, Microsoft and Venafi.

Enforcing least-privilege access and strengthening how every machine is authenticated in real time allows machine identity management to become the foundation of any zero-trust security framework. Comparing how MIM functional areas help improve zero trust highlights why taking a lifecycle-based view of machine identities and controlling key management are core to strengthening the zero-trust security framework across the enterprise.

As the complexity of PKI infrastructure increases, organizations need to improve the way they manage identities, which will directly contribute to improving their zero-trust posture. Source: State of Machine Identity Management Report, Ponemon Institute 2023, published by Keyfactor

Managing machine identities is a multifaceted challenge

Another factor that makes it difficult for CISOs to manage machine identities is the diverse needs of DevOps, cybersecurity, IT, IAM and CIO teams. Each has its own preferences for apps and tools. However, CIOs told VentureBeat that cross-functional teams are important to balance centralized governance and operations.

Senior management support, and ideally a problem-solving C-level executive, is essential to progress. The good news is that senior management is stepping up and taking ownership. In 2021, 36% of businesses said lack of executive support was a serious problem. That number dropped to 22% last year.

Ponemon finds that CIOs are facing new, more complex challenges in protecting their rapidly evolving machine identities. Here are the key insights gleaned from Ponemon's latest report:

PKI for IoT and DevSecOps is one of the fastest growing use cases today

Future Guarantee and multicloud configurations are part of a broader technology stack that requires PKI to protect the many new machine identities that are created daily. Many of these identities are temporary or used for a relatively short period of time, making an automated approach to PKI for containers and virtual machines table stakes for staying consistent with a zero-trust strategy.

Research shows that DevSecOps and IoT environments are becoming more and more important as the top trends driving the increasing adoption of PKI infrastructure. The importance of IoT as a top trend has increased from 43% in 2021 to 49% in 2023. DevSecOps has grown from 40% in 2021 to 45% this year.

Improving zero trust requires controlling certificate authority (CA) and PKI spread

From internal CAs and self-signed certificates to cloud-based PKIs and DevOps engine-integrated CAs, PKI permeates larger-scale enterprises. According to survey respondents, the average business uses nine CA and PKI solutions.

In 2023, machine identity management teams made it a priority to reduce the complexity of the PKI infrastructure to regain control and prevent the spread of non-compliant and untrusted CAs. Controlling the spread of CAs and PKIs is imperative to improving zero-trust security across the enterprise.

CISOs have difficulty recruiting PKI specialists and many are already understaffed

Labor shortages affect PKI and machine identity strategies for CISOs and security teams. Respondents said the most important challenges facing their team were 1) lack of skilled workers and 2) too much change and uncertainty. 53% of respondents, up from 50% in 2022, said they lacked the staff to deploy and maintain their PKI.

PKI certificates are being generated faster than the current system can track

Internally trusted certificates (i.e. certificates issued from an internal private PKI) have grown for the third year in a row, from 231,063 in 2021 to 255,738 in 2023. PKI teams are having a hard time managing this growing number of certificates; 62% of respondents do not know how many keys and certificates they have, up from 53% in 2021.

Outages due to certificate expiration occur more frequently, affecting customer relationships

Applications and services stop working if a certificate expires unexpectedly. For 77% of respondents, at least two such incidents have occurred in the past 24 months. 55% of respondents said certificate-related outages have severely disrupted customer services. And half say these events have caused significant disruption to internal users or a small group of customers.

Machine identity is core to zero trust

The fastest-growing threat surface in many organizations today comes from thousands of machine identities created by deploying new IoT networks, extending cloud services, and creating new containers and virtual machines to support DevOps and DevSecOps.

Facing this reality at scale is a challenge faced by CIOs and CISOs, who often lack a PKI specialist on staff or one willing to devote full-time to the process.

To improve its zero-trust posture, any organization needs to start by adopting a more data-driven approach to managing PKI infrastructure and machine identities at scale.

(Story updated on 4/13/23 at 4:10 p.m. ET with corrected title for Kapil Raina.)
