Machine identities are exploding in the enterprise. Look no further than Gartner’s 2022 IAM Summit for proof.
And just like human identities, these machine identities require proper management of secrets, keys, and certificates to maintain security. But unlike human identities, these machine identities require an additional focus on ownership, automation, discovery, and better developer relations.
Quite simply, organizations need a clear enterprise-wide strategy for machine identity management. However, different teams will have different needs and preferences around tooling and best practices. So how should these decisions get made?
The answer is a machine identity management working group.
What is a machine identity management working group?
A machine identity management working group is a cross-functional group with stakeholders from IAM, Security, DevOps, Infrastructure & Operations, and Cloud teams that meet regularly to establish ownership, make policy and tooling decisions and create guidance around machine identity policies.
This working group is the next iteration of a Crypto Center of Excellence (CCOE) and is designed to move past the idea that one team can successfully manage this strategy for the entire organization. Instead, a working group recognizes that no one team has the expertise to manage all machine identities or represent varied interests across the organization.
Why do organizations need a working group to support their machine identity management strategy?
One of the primary challenges to developing an effective machine identity management strategy is organizational alignment.
A machine identity management working group can help overcome this challenge by creating a single group that represents varied interests across teams and has clear authority over:
- Best practices, process development, and tooling
- Decision-making when machine identity-related conflicts arise
- Answers to questions from users across the business
As a result, giving this group the responsibility to lead machine identity management helps create alignment without centralizing authority to one single department.
What are the responsibilities of a machine identity management working group?
Key responsibilities of a machine identity management working group include:
- Establish a mission: The group must align on how they will support machine identity management across the organization. Their mission should outline how they will centralize decision-making while working in a more decentralized way to share new guidelines across the organization over time. An important part of this mission should be setting expectations with relevant teams about how the group will function, what their responsibilities are, and how and when to engage the group.
- Define best practices: Defining best practices for the entire organization will empower individual teams to move quickly around machine identity management because they can refer to those practices rather than having to consult the working group with every question or initiative that arises. Additionally, these best practices will ensure each team takes a standardized approach. Key areas for best practices are:
- Tooling decisions
- Discovery processes
- Ownership definitions
- Compliance requirements
- Usage of libraries to interact with machine identities
- Act as a single point of contact: The working group must be a single point of contact for users from various teams across the organization for any questions or issues that arise around machine identity management. Regardless of where any questions originate, the group must give a single answer through a standardized process to avoid discrepancies across the organization.
- Conduct research: The machine identity management space is evolving quickly, with protocols and technologies changing on a very regular basis. It’s up to the working group to regularly research these changes and understand their impact so they can adjust best practices and processes as appropriate to stay on pace with or even ahead of market trends.
- Deliver thought leadership: Machine identity management is becoming increasingly critical to an organization’s overall security practice. As a result, the working group must do more than just deliver actionable recommendations. They must also stay at the forefront of trends to deliver thought leadership around innovative practices and upcoming changes in the space.
- Own strategic decision-making: The working group will need to own strategic decision-making around machine identity management policies, particularly when it comes to tooling. For example, the group should provide clear guidance around what type of tooling to implement in different situations and how to handle aging legacy systems.
- Assign ownership: Importantly, the working group doesn’t have to actually own all of the machine identity management tooling – they just have to own the policies and decision-making around that technology. This includes determining which teams should own different solutions and how they should handle the management of those tools.
What should organizations consider when establishing a machine identity management working group?
Establishing a machine identity management working group is an important step in developing an enterprise-wide strategy – and being a part of one is a responsibility members must take seriously.
With that in mind, key considerations for successfully starting such a group include finding the people with the necessary skills and ensuring representation from various teams and business units, many of which may have conflicting objectives. In assembling these people, the goal should be to bring together a group of representatives that offer a good mix of skills, experiences, and understanding of different parts of the organization.
Beyond the people who will make up the working group, it’s also essential to consider hybrid and multi-cloud environments as well as any other security frameworks (like zero-trust) already in place and the identities currently in use across the business.
Overall, it’s important to empower the group to proactively guide strategy and decision-making, rather than serving as a reactive body.
What are the phases of a continuous machine identity management strategy?
A continuous machine identity management strategy is one that evolves alongside the organization’s needs and environmental trends. The machine identity management working group can help guide this strategy through the following key phases:
- Initiate: Introduce a strategy to improve guidance, meet security requirements, and consistently scale the adoption of security tools across the organization.
- Define: Clearly define what a machine identity is (vs. a human identity), including categorizations for device identities and workload identities.
- Establish: Appoint a team responsible for owning the machine identity management strategy, aka a working group with representatives from across the organization.
- Decide: Choose the right tools to manage machine identities for each use case the organization encounters.
Beyond those initial phases, there are several other phases to consider for each use case:
- Discover: Identify machines that need to be managed and controlled.
- Assess: Use data to measure success, report on those efforts, and adjust as needed.
- Align: Define best practices for everyone in the organization to follow.
- Fix: Adjust non-compliant systems and remove unused machine identities.
- Automate: Introduce automation for identity lifecycle management.
- Enable: Empower stakeholders to follow set best practices to scale machine identity management.
Ready to uncover more insights on machine identity management?
Machine identity management is set to become even more important in the coming year. As a result, it’s critical to ensure your organization has a clearly defined, well-aligned strategy in place sooner rather than later. And the best place to start is with a machine identity management working group.
Of course, there’s quite a lot that goes into managing machine identities in the long term. To learn more about what’s at stake and how Keyfactor can help, contact us here.