
CISO Insights: Why you can’t ignore machine identities in IAM strategy

Machine Identity Management

This blog highlights the top takeaways for CIOs and CISOs from the 2021 State of Machine Identity Management Report.

2021 Ponemon Report State of Machine Identity Management

No matter the size of your company, no matter where you are in the business – CISO, architect, engineer, or developer – the way you work has no doubt changed. In a year defined by disruption, we’ve all been thrust into remote work, forcing our teams to bypass “walk-crawl-run” approaches to digital transformation and shift into high gear, whether we were ready or not.

That’s meant more devices, more connectivity, and ultimately, more challenges for CIOs and CISOs.

In a recent post by Smarter with Gartner, analysts highlighted that, “As the number of devices increases – and continues to grow – establishing an enterprise-wide strategy for managing machine identities, certificates and secrets will enable the organization to better secure digital transformation.”

So, what exactly are machine identities?

Machine identities: the next priority for IAM leaders

Identity and access management (IAM) is a key ingredient in enterprise security. That much we know. However, over the past decade, enterprise IAM strategies have focused almost entirely on human identities – the credentials your workforce uses to gain access to devices and apps they use every day.

There’s just one problem: human identities are only one cog in the IAM machine.

Today, your digital workforce is part human, part machine. In fact, the number of machines, such as containers, services, mobile and IoT devices, far outnumbers humans in the typical enterprise. These machines have become critical to business operations – running websites and apps, connecting users to products, even making split-second decisions with RPA and AI-driven bots.

Just like humans, every one of these machines needs an identity (i.e. cryptographic keys, certificates and secrets), and every identity needs to be managed. Enter machine identity management.

Top 5 takeaways for CIOs and CISOs

We kicked off the first-ever State of Machine Identity Management Report with one goal in mind: drive executive awareness around the importance of managing machine identities in digital business.

Whether you’re a CISO actively pursuing a machine identity management strategy, or you’re barely familiar with the concept, the key takeaways below shed light on why machine identities matter, and how they impact your digital transformation initiatives.

Takeaway No. 1: Cloud and Zero-Trust strategies top the charts

First the good news: As companies shift to cloud-first and zero-trust strategies, teams are leveraging machine identities to enable growth and secure digital transformation. As business becomes more digital by the day, machine identities are securing thousands of connections and transactions every second, allowing us to move at unprecedented scale and speed.

According to the study, the top trends driving the deployment of public key infrastructure (PKI) and machine identities are cloud-based services, zero-trust strategies, and remote workforces. As the trend continues, the volume of machine identities will increase significantly.

2021 State of Machine Identities

Takeaway No. 2: Certificate outages are widespread

That brings us to the bad news. As the number of machine identities explodes, it becomes much, much harder to manage them. Meanwhile, shorter SSL/TLS certificate lifespans have essentially doubled the workload for PKI and security teams, and increased the risk of outages as a result.

The report findings show that the problem is widespread and it’s only getting worse:

  • Companies experienced an average of three outages caused by expired certificates in the past two years; 41% experienced four or more outages
  • 59% of respondents worry about increased risk of outages due to shorter SSL/TLS lifespans
  • 40% of respondents say they face a high likelihood of outages in the next 24 months

Already this year, we’ve seen just how disruptive and costly these situations can be, with Microsoft and Google both experiencing widespread outages due to mismanaged keys and certificates.

Takeaway No. 3: Bigger risks sit below the surface

High-impact certificate outages may capture the headlines, but they are really just a surface-level symptom of a much bigger problem: lack of visibility and governance.

When security teams don’t have control over machine identities, it opens the door to potential attacks and audit failures that can be much more costly than an outage. This year’s report revealed the high risk and frequency of these incidents:

  • 53% of organizations do not know exactly how many keys and certificates they have
  • Failed audits and theft or misuse of keys and certificates are the most frequent threats
  • 75% of respondents say failed audits are a very serious incident, compared to just 34% of respondents indicating unplanned outages as a very serious incident
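The two findings above, outages from expired certificates (Takeaway No. 2) and organizations that cannot say how many certificates they hold (Takeaway No. 3), share one root cause: no inventory that tracks expiry. The following Go program is an added example written for this post, not code from the report or from Keyfactor, showing the minimum such an inventory has to do: parse every certificate in a PEM bundle, record its subject and notAfter date, and flag anything expired or inside a warning window. The three certificates it inspects are constructed self-signed test fixtures with placeholder hostnames (`api.example.test` and so on); in practice the bundle would come from endpoint scans, CA exports, or key stores.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertRecord is one row of a certificate inventory: which identity it is,
// when it stops being valid, and whether it needs attention.
type CertRecord struct {
	Subject  string
	NotAfter time.Time
	DaysLeft int  // negative once the certificate has expired
	Expired  bool
	Expiring bool // still valid but inside the warning window
}

// InventoryFromPEM walks every CERTIFICATE block in a PEM bundle and
// classifies each certificate against a fixed "now" and a warning window.
func InventoryFromPEM(bundle []byte, now time.Time, warnDays int) ([]CertRecord, error) {
	var records []CertRecord
	rest := bundle
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break // no more PEM blocks in the bundle
		}
		if block.Type != "CERTIFICATE" {
			continue // skip private keys or other material sharing the file
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		daysLeft := int(cert.NotAfter.Sub(now).Hours() / 24)
		expired := now.After(cert.NotAfter)
		records = append(records, CertRecord{
			Subject:  cert.Subject.CommonName,
			NotAfter: cert.NotAfter,
			DaysLeft: daysLeft,
			Expired:  expired,
			Expiring: !expired && daysLeft <= warnDays,
		})
	}
	return records, nil
}

// CountRisk returns how many entries are already expired and how many are
// about to expire, the two numbers an outage-prevention report leads with.
func CountRisk(records []CertRecord) (expired, expiring int) {
	for _, r := range records {
		if r.Expired {
			expired++
		} else if r.Expiring {
			expiring++
		}
	}
	return expired, expiring
}

// selfSignedPEM builds a constructed, self-signed certificate purely as test
// input; it stands in for certificates discovered on real endpoints.
func selfSignedPEM(cn string, serial int64, notBefore, notAfter time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleBundle returns three constructed certificates relative to "now":
// one already expired, one expiring in 10 days, one with a year left.
func SampleBundle(now time.Time) []byte {
	day := 24 * time.Hour
	var bundle []byte
	bundle = append(bundle, selfSignedPEM("api.example.test", 1, now.Add(-370*day), now.Add(-5*day))...)
	bundle = append(bundle, selfSignedPEM("db.example.test", 2, now.Add(-80*day), now.Add(10*day))...)
	bundle = append(bundle, selfSignedPEM("ci.example.test", 3, now.Add(-1*day), now.Add(365*day))...)
	return bundle
}

func main() {
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC) // fixed clock for a reproducible run
	records, err := InventoryFromPEM(SampleBundle(now), now, 30)
	if err != nil {
		panic(err)
	}
	for _, r := range records {
		fmt.Printf("%-18s expires %s  days_left=%4d expired=%-5t expiring=%t\n",
			r.Subject, r.NotAfter.Format("2006-01-02"), r.DaysLeft, r.Expired, r.Expiring)
	}
	expired, expiring := CountRisk(records)
	fmt.Printf("expired=%d expiring_within_30d=%d\n", expired, expiring)
}
```

The warning window (30 days here) is the knob that matters as lifespans shrink: with 90-day certificates, a 30-day window means a third of every certificate's life is spent inside the renewal zone, which is exactly why spreadsheets and ad hoc tracking stop scaling.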


Takeaway No. 4: Machine identities are now a top priority in IAM

What does all of this mean? Machine identities have become a vital part of security strategy. In a recent report, Gartner highlights that “An enterprise-wide machine identity management strategy is now imperative.” CISOs and IT leaders are taking note, but there’s still work to do.

In the study, 40% of respondents say they have an enterprise-wide strategy to manage machine identities. However, most companies either have no strategy (18%) or have a limited strategy that is applied only to certain applications or use cases (42%).


Takeaway No. 5: Lack of skills, tools and processes hold teams back

It’s been said before, but it bears repeating: every machine identity must be managed and protected. Acknowledgement is a step in the right direction, but it takes people, process and technology to implement an effective enterprise-wide strategy.

Unfortunately, organizations face a number of challenges that keep them from putting plans into action. Here are just a few common barriers to success identified in the study:

  • 55% say they don’t have sufficient staff dedicated to their PKI deployment
  • 64% say they track certificates in spreadsheets, homegrown solutions, or CA-vendor tools
  • 57% do not have an accurate inventory of SSH passwords, keys, and certificates
  • 60% have no formal access controls and workflows for code-signing keys

Get the full 2021 report

Find out why managing machine identities is the next priority for security and IAM leaders. Get insights from more than 1,100 IT and security professionals in the first-ever State of Machine Identity Management Report and share it with your team.