A Look Across the Machine Identity Management Tool Landscape

Enterprises are often challenged with defining what “machine identity” means within their security strategy. This misunderstanding trickles down to DevOps, security, IAM and I&O, and other business units that then struggle to figure out the best approaches to machine identity management. Each group has a variety of needs and preferences for tools and a cross-team approach around a centralized strategy often helps to balance the expectations of each unit.

According to Keyfactor’s State of Machine Identity Management report, 18% of respondents said their organization does not have a strategy for managing cryptography and machine identities, and 42% have a limited strategy that is applied only to certain applications or use cases.

Perhaps most importantly, 23% revealed that the biggest challenge in setting an enterprise-wide machine identity management strategy was inadequate or fragmented management tools.

There is no one-stop solution for managing an enterprise’s machines and their keys, secrets, and certificates. Vendors interpret the meaning of machine identities and tools in their own unique ways, but this only adds to the confusion when it comes to selecting solutions that will best meet your needs.

This post serves to add clarity and give direction across the machine identity landscape. It provides an in-depth overview of some of the tools available for machine identity management, guidance on the use cases and capabilities of each, and details on some of the leading vendors in the space.

First things first, it’s important to start by understanding that managing machine identities is equally important as managing human identities. However, machine identities are entirely different from human identities in form, factor, and function.

Machine identities can be divided into two subgroups: device identities and workload identities. Devices are physical machines and can encompass mobile, IoT, operational technology, or desktop computers. Examples of workloads include containers, virtual machines, applications, and services.

Use these subgroups as a jumping-off point for creating a clear definition of what “machine identity” means within your organization so you can set distinct expectations that will influence your strategy.

Then take an audit of your existing machine identity management practices to determine where the gaps are. This will help you find the tools and processes that fit the unique requirements of the various teams within your company.

Investing in the right machine identity management toolset can lead to improved security and more automated processes. It can aid your organization in expanding visibility, accelerating incident response, and achieving better productivity.

Gartner’s Managing Machine Identities, Secrets, Keys and Certificates report identifies seven tools that manage workload identities that range from built-in functionality in IaaS provider platforms to third-party software and hardware modules.

There is a continual convergence of these tools, and they often intersect at various points for managing different types of machine identities. For example, all major IaaS providers offer secrets management capabilities to help store the secrets for the workloads running on their platforms. Here we dive into the details of each of the seven tools and elaborate on their capabilities and potential use cases.

HSMs are tamper-proof FIPS 140-compliant components used to secure trust anchors and keys. They are the one tool on this list that converges with all the others. This is because they can be used to securely generate and store secrets with all the other tools when high assurance is required.

HSMs range from physical hardware appliances, virtualized / distributed modules (vHSM), and cloud-based modules (HSM as a Service) that generate and store cryptographic keys and execute cryptographic operations to encrypt and sign data.

Organizations with data encryption needs have been using key management systems for a long time. KMS tools, also known as enterprise key management (EKM) systems, handle the life cycle of keys and are typically used to store and manage cryptographic keys used for data at rest.

KMS tools manage and enforce the protection of keys to a wide set of different applications and provide mechanisms to audit the usage of keys. They are mostly used for the management of symmetric keys with the help of the built-in support (KMIP) in popular databases for key management, and the life cycle of keys used in IaaS providers through the usage of their built-in KMaaS offering.

Unlike X.509 certificates, SSH keys don’t expire. This makes them valid until they are actively removed and can result in key sprawl. SSH keys management entails discovery, analysis, reporting, rotation, and the brokering of SSH keys to eliminate the risk of key sprawl.

SSH key management tools are typically offered as software or as a service. These tools discover ghost SSH keys within network and cloud infrastructure and are capable of building trust graphs for the handling of manual and automatic key rotation of SSH keys.

SSH certificates are increasingly leveraged as a more flexible and secure alternative to SSH keys, since they can easily be renewed with set validity periods. However, usage is not yet widespread and management tools are not mature.

Secrets managers store, issue, and rotate the keys, secrets, and certificates used by applications. Their main use cases are for storing secrets used in DevOps/DevSecOps and CI/CD pipeline scenarios. For example, the issuance of identities to containers, IaaS workloads, and for securing application layer credentials, such as database keys and OAuth 2.0 client credentials.

Secrets managers are offered as software or as a service. Besides their capabilities for the vaulting of secrets, they also provide integrations for a hybrid and multi-cloud environment using built-in support for third-party credentials as a mechanism to seamlessly authenticate to the secrets manager.

With the growth of PKI, more machines than ever are using certificates to encrypt communications and to authenticate each other. Certificate management systems have also changed how organizations control and monitor the issuance across multiple CAs.

PKI and certificate management offerings can be deployed as software, virtual or hardware appliances, or as a service. PKI providers integrate with secrets managers for the issuance of certificates for DevOps scenarios. They perform certificate discovery and provide a single pane of glass of certificates across hybrid multi-cloud and multi-CA environments.

Recent research found that IT and security pros identified scalability and performance (53%) and support for multiple CAs (45%) as critical capabilities for PKI and certificate management.

PAM tools broker privileged access with the help of agents, APIs, and proxies, allowing organizations to secure privileged access and prevent “privilege creep” by managing and monitoring privileged accounts and access, often including SSH keys and credentials.

These solutions can also be used for the discovery of identities and credentials in server infrastructure and code and application-to-application password management (AAPM). It is also helpful when just-in-time (JIT) access, privilege session management, or privilege elevation on the target systems is needed. Increasingly, PAM offerings have been providing secrets management capabilities.

Infrastructure as a service (IaaS) providers, such as AWS, Google Cloud Platform, and Microsoft Azure, offer built-in capabilities to store secrets, keys, and to issue identities to the workloads running within their cloud services. IaaS capabilities range from built-in KMS capabilities, cloud-based HSMs, secrets managers, and certificate issuance and management services.

According to Forrester, machine identities are growing twice as fast as human identities. Organizations normally have more machines to manage than they have humans. The number of workloads increasingly exceeds the number of devices that need to be managed, and companies frequently must turn to vendors for extra help.

There are multiple vendors with machine identity management capabilities. When vetting vendors, consider their abilities to meet the specific needs of your industry, company size, devices, and user base.

You may need to work with several businesses to address all your requirements. You also want partners that have the flexibility to adapt to your organization’s changing needs and can manage the entire lifecycle of your machine identities.

Here is a closer look at a few of the leaders in the machine identity management space. Each specializes in one or many of the various tools we’ve listed.

Tools: Keyfactor PKI as a Service, Keyfactor Command, Keyfactor Control, PrimeKey (by Keyfactor) EJBCA, PrimeKey (by Keyfactor) SignServer, KCrypt Key Manager

Overview: Keyfactor is the leader in cloud-first PKI and machine identity management, providing an end-to-end Crypto-Agility Platform for enterprises and IoT manufacturers. Keyfactor recently merged with the most widely adopted PKI solutions provider, PrimeKey, to become the industry-first provider of a combined platform for highly scalable certificate issuance and lifecycle automation.

Deployment: Managed, SaaS, Software & Appliance

Highlights: Keyfactor, initially a leading PKI consulting company, shifted to a SaaS platform in 2014 and has since experienced 300%+ growth and ranked on the Inc. 5000 fastest growing companies in 2020 and 2021.

Key considerations: Keyfactor offers multiple, flexible solutions for combined PKI and certificate lifecycle automation as a service, software, or hybrid deployment. It also offers SSH key management, secure code signing, and encryption key management add-ons. Ensure that you carefully consider how you’d like to deploy and which features you’ll need to start vs in the future.

Tools: Akeyless Vault

Overview: Akeyless Vault is a SaaS-based platform that combines secrets management (for workload identities) and secure remote access. It automatically manages secrets for DevOps tools and cloud platforms to protect credentials, tokens, API keys, and passwords.

Deployment: SaaS & Hybrid

Highlights: Akeyless is an Israeli-based company founded in 2018 that uses a unique patented FIPS 140-2 certified technology, known as “distributed fragment cryptography” (DFC), to protect and secure secrets. They recently raised $14M in Series A funding.

Key considerations: Do not use certificate issuance capabilities of secrets managers without contols. Secrets managers should be integrated with trusted PKI issuers (public or private CAs) and certificate management systems to ensure every certificate is trusted, compliant, and valid.

Tools: AppViewX Cert+

Overview: AppViewX is a network automation vendor which offers certificate and SSH key management capabilities with AppViewX Cert+. They also integrate with third-party cloud vendors, such as Google Cloud Certificate Authority Service, to provide “PKI as a Service”.

Deployment: On-Prem & SaaS

Highlights: AppViewX is a U.S.-based company with R&D and Support teams based in India. While they do not offer a managed PKI service, AppViewX recently partnered with Google Cloud Certificate Authority Service (CAS) to offer PKI as a Service alongside their Cert+ platform.

Key considerations: When evaluating certificate management tools, ensure that you thoroughly test integrations, use cases, and ease of installation. If you bypass proof of concept (PoC), you could face a lengthy rollout, cost inflation, even service disruptions. If you’re looking for a SaaS-based solution, ensure functionality is equivalent to on-premises offerings.

Tools: AWS Secrets Manager, AWS CloudHSM, AWS Certificate Manager (ACM), ACM Private CA, AWS Key Management Service (KMS)

Overview: AWS offers a variety of built-in tools for secrets management, key management, HSM protection, PKI and certificate management for services running within AWS.

Deployment: Cloud / IaaS

Highlights: AWS is widely considered a leader in IaaS security. They introduced AWS Private Certificate Authority (PCA) in 2014 to issue private certificates within AWS services.

Key considerations: Built-in IaaS tools are well-integrated to workloads running on, or controlled by, the IaaS provider. However, they can create siloes in multi-cloud scenarios and lack third-party integrations and lifecycle automation capabilities. We recommend using a CA and cloud-agnostic PKI and certificate management tool to centralize visibility and control.

Tools: Azure Dedicated HSM, Azure Managed HSM, Azure Key Vault

Overview: Azure currently does not offer PKI. However, it does provide multiple options for HSM protection, as well as key and secrets management with Azure Key Vault.

Deployment: Cloud / IaaS

Highlights: Microsoft Azure continues to introduce new security features in an effort to catch up to other IaaS leaders. In 2020, Azure and Intel committed to delivering a next-generation confidential computing leveraging Intel SGX.

Key considerations: Built-in IaaS tools are well-integrated to workloads running on, or controlled by, the IaaS provider. However, they can create siloes in multi-cloud scenarios and lack third-party integrations and lifecycle automation capabilities. We recommend using a CA and cloud-agnostic PKI and certificate management tool to centralize visibility and control.

Tools: BeyondTrust Password Safe, BeyondTrust DevOps Secrets Safe

Overview: BeyondTrust is an industry leader in privileged access management (PAM) with integrated products and a platform that enables organizations to shrink their attack surface.

Deployment: SaaS & On-Prem

Highlights: BeyondTrust is a leader in the PAM space, trusted by 20,000 customers worldwide, including half of the Fortune 100. Bomgar acquired Lieberman, Avecto, and BeyondTrust in 2018, and introduced the new BeyondTrust in 2019.

Key considerations: PAM tools are powerful for the discovery and management of privileged access to systems and just-in-time (JIT) access. These tools do not address PKI and certificate management, however, in some cases, they may offer SSH key management.

Tools: CyberArk Privileged Access Manager

Overview: CyberArk’s Identity Security Platform combines IDaaS and strong authentication with privileged identity management. It’s innovative Blueprint tool can be used to create highly customized security roadmaps.

Deployment: Self-Hosted / SaaS

Highlights: Founded in 1999, CyberArk is widely considered a pioneer and leader in PAM. They were also recently named a leader in The Forrester Wave: Identity as a Service (IDaaS( for Enterprise, Q3 2021.

Key considerations: PAM tools are powerful for the discovery and management of privileged access to systems and just-in-time (JIT) access. These tools do not address PKI and certificate management, however, in some cases, they may offer SSH key management.

Tools: DigiCert CertCentral, DigiCert Enterprise PKI Manager

Overview: DigiCert is a leading SSL/TLS provider that also offers PKI and certificate management solutions within the DigiCert One platform.

Deployment: SaaS, Hybrid & On-Prem

Highlights: In 2020, DigiCert introduced their new DigiCert ONE platform, including IoT Device Manager and Enterprise PKI Manager, in an effort to expand beyond SSL/TLS issuance into certificate management.

Key considerations: CA-provided tools offer limited discovery, automation, and out-of-the-box integration capabilities. They also lack support for multi-CA and multi-cloud environments. Organizations should use a PKI and certificate lifecycle automation tool that can integrate with multiple issuers (public, private, cloud-based, and DevOps-embedded CAs).

Tools: Entrust Certificate Hub, Entrust Security Manager, Entrust PKI, nCipher nShield HSMs

Overview: Entrust is a global leader in trusted identities, payments and data protection for financial institutions, governments, and other organizations.

Deployment: SaaS, Hardware & On-Prem

Highlights: Entrust Datacard re-branded to Entrust in 2020. They have a strong focus on expansion through acquisition, with recent acquisitions of Antelope, WorldReach, HyTrust in 2021, and nCipher in 2019.

Key considerations: CA-provided tools offer limited discovery, automation, and out-of-the-box integration capabilities. They also lack support for multi-CA and multi-cloud environments. Organizations should use a PKI and certificate lifecycle automation tool that can integrate with multiple issuers (public, private, cloud-based, and DevOps-embedded CAs).

Tools: Fortanix Data Security Manager (DSM), Fortanix DSM SaaS

Overview: Fortanix is a data-first multi-cloud security platform that uses it’s unique runtime encryption technology built upon Intel SGX to decouple security from infrastructure.

Deployment: SaaS & On-Prem

Highlights: Fortanix is a disruptor in the traditionally hardware-based HSM space, delivering modern software and SaaS-based HSM and confidential computing solutions that leverage Runtime Encryption with Intel SGX.

Key considerations: Not all HSMs are built the same. Consider deployment models (hardware, virtual, or cloud), FIPS-140-certification levels, volume/performance, and pricing models when evaluating vendors. Emerging SaaS-based and distributed virtualized HSMs offer an enticing alternative to traditional hardware HSMs.

Tools: GCP Certificate Authority Service (CAS), GCP Secrets Manager, GCP Cloud Key Management Service (KMS), GCP Cloud HSM

Overview: Google Cloud Platform rounds out the top three IaaS providers, alongside AWS and Azure. Google recently announced the release of Certificate Authority Service (CAS) as a built-in private CA service, putting it ahead of Azure when it comes to PKI and certificate issuance.

Deployment: Cloud / IaaS

Highlights: Google Cloud continues to roll out new security features and services, including the GA release of Google Cloud CAS in 2021.

Key considerations: Built-in IaaS tools are well-integrated to workloads running on, or controlled by, the IaaS provider. However, they can create siloes in multi-cloud scenarios and lack third-party integrations and lifecycle automation capabilities. We recommend using a CA and cloud-agnostic PKI and certificate management tool to centralize visibility and control.

Tools: HashiCorp Vault, HCP Vault

Overview: HashiCorp is a generation-defining infrastructure software company, focused on multi-cloud infrastructure, security, networking, and orchestration. HashiCorp Vault is a powerful secrets engine that allows organizations to tightly control access to tokens, passwords

Deployment: Open-Source, SaaS & Self-Hosted

Highlights: HashiCorp recently introduced the SaaS-based version of its Vault secrete engine, HashiCorp Cloud Platform (HCP) Vault, with hosting locations in Dublin, London, and Frankfurt to comply with GDPR requirements.

Key considerations: Do not use certificate issuance capabilities of secrets managers without proper controls. Secrets managers should be integrated with trusted issuers (public or private CAs) and certificate management systems to ensure every certificate is trusted, compliant, and valid.

Tools: Thales Data Protection on Demand (DPoD), Thales Luna HSMs, CipherTrust Manager, CipherTrust Cloud Key Manager

Overview: Thales is an industry leader in data protection, offering FIPS 140-compliant hardware-based (Luna) and cloud-based (DPoD) HSM solutions, as well as encryption key management with CipherTrust and Vormetric. Their HSMs are cloud-agnostic and the HSM of choice for Microsoft, AWS and IBM.

Deployment: Hardware & SaaS

Highlights: Thales offers a wide range of integrations with most of the tools on this list, including Keyfactor, HashiCorp, and CyberArk. They also recently introduced a new Double Key Encryption feature for Microsoft 365.

Key considerations: Not all HSMs are built the same. Consider deployment models (hardware, virtual, or cloud), FIPS-140-certification levels, volume/performance, and pricing models when evaluating vendors. Emerging SaaS-based and distributed virtualized HSMs offer an enticing alternative to traditional hardware HSMs.

Tools: Thycotic Secret Server, Thycotic DevOps Secret Vault

Overview: Thycotic is a PAM leader that offers multiple solutions to manage privileged access, secrets, and access control. Thycotic is the only enterprise-grade PAM solution available both in the cloud and on-premise.

Deployment: Hardware & SaaS

Highlights: In April 2021, Thycotic merged with Centrify, a leading provider of PAM solutions to over half of the Fortune 100, under the new brand name ThycoticCentrify.

Key considerations: PAM tools are powerful for the discovery and management of privileged access to systems and just-in-time (JIT) access. These tools do not address PKI and certificate management, however, in some cases, they may offer SSH key management.

Tools: Venafi Trust Protection Platform (TPP), Venafi as a Service

Overview: Venafi provides machine identity protection solutions, including PKI and certificate management and SSH key management, within Venafi Trust Protection Platform (TPP). In 2020, Venafi acquired Jetstack, the startup behind cert-manager for Kubernetes.

Deployment: On-Prem & SaaS

Highlights: Venafi recently introduced Venafi as a Service, a cloud-based tool to provide visibility (OutagePredict) and DevOps integrations (DevOpsAccelerate). This is Venafi’s first move toward the cloud, however, the platform is still far from feature parity with Venafi TPP (on-premise) at this time.

Key considerations: When evaluating certificate management tools, ensure that you thoroughly test integrations, use cases, and ease of installation in a proof of concept (PoC). Legacy on-premise architectures likely will not support modern multi-cloud and DevOps environments. If you’re looking for a SaaS-based solution, ensure functionality is equivalent to on-premise offerings.

If you’re looking for the right PKI and machine identity management solution, we’ve got just the right thing. Download these buyer’s guides to get started.

Download Buyer’s Guide for Certificate Lifecycle Automation →

Download Buyer’s Guide for PKI as a Service →