Over the past few years, we’ve witnessed a huge uptick in the number of internet-connected devices. In fact, by next year, connected devices will outnumber humans three to one.
When we talk about machines, though, we don’t just mean the physical devices on your network. Today, machines include everything from connected IoT and mobile devices to software-defined applications, cloud workloads, virtual machines (VMs), containers, and even the code running on them.
Much like human identities (usernames and passwords) that we use to access the apps and devices we use every day, machines also use a set of credentials (in the form of cryptographic keys and digital certificates) to authenticate and communicate securely.
However, with the proliferation of machines, the sheer number of these keys and digital certificates has grown exponentially, creating a serious machine identity management problem. More on that later.
What Are Machine Identities?
First, let’s discuss what we mean by machine identity.
Before you reached this blog, you probably jumped on a device of some sort and logged on with a username and password. Machines, however, can’t enter a username and password. Instead, they use a set of credentials better suited to highly automated and connected environments – these include:
- SSL/TLS Server Certificates establish trust in your public-facing websites and applications, which are deployed on things like web servers, app servers, and load balancers. Without proper visibility, these certificates expire unexpectedly and trigger costly application outages.
- SSL/TLS Client Certificates are used to authenticate the identity of users, web services, or machines to one another. These have become much more prevalent with the explosion of DevOps, mobile and IoT devices, cloud and microservices. They typically outnumber server-side SSL/TLS certificates by a factor of 1,000 or more, but are often a ‘blind spot’ for organizations, increasing the likelihood of an outage.
- Code-Signing Certificates verify the authenticity and integrity of scripts, executables and software builds. However, most companies still use manual and insecure signing methods that just don’t work for today’s distributed development teams, nor do they protect sensitive code signing keys from misuse or theft.
- SSH Keys provide users, typically system admins, with secure privileged access to critical systems. They also secure various automated processes and machine-to-machine transactions in enterprise networks. Unlike SSL/TLS certificates, SSH keys don’t expire, meaning thousands often sit dormant or forgotten across the network, leaving the door open for SSH-based attacks.
- Cryptographic Keys (in this context, symmetric keys) typically protect data-at-rest on endpoints, databases, and cloud workloads, but disparate key management tools across different virtual and cloud platforms make it difficult to maintain centralized visibility and control over keys.
What is Machine Identity Management?
Gartner introduced machine identity management to the market in their recent 2020 Hype Cycle for Identity and Access Management – the report states:
“This is a new profile that reflects an increased need to manage the cryptographic keys, X.509 certificates and other credentials that are used to establish trust in the identities of machines, such as IoT devices, virtual machines, containers and RPA bots.”
Up to this point, most organizations have been using disparate toolsets and manual spreadsheets to manage and keep track of their machine identities. However, these methods quickly fall apart at scale, and far too many have fallen victim to outages, breaches and audit failures as a result.
Why Machine Identity Management is Critical
According to Gartner, “Machine identity management encompasses a number of technologies, that today remain mostly siloed (i.e. X.509 certificate management, SSH key management, as well as secrets and other crypto-key management).”
Although use cases for machine identities vary from one organization to the next, the challenges of managing them are consistently the same:
- Visibility: When we talk to companies – regardless of size or industry – the overwhelming response is that they don’t know how many keys and certificates they have, who they belong to, what policies they comply with, or when they expire.
- Governance: The next problem is lack of ownership and control. This is particularly true for SSL/TLS certificates and SSH keys used by various teams across the organization, often without consistent policy or oversight over how they are issued, who has access, when to rotate or renew, etc.
- Protection: Machine identities are based on a model of trust. X.509 certificates must be issued from a trusted certificate authority (CA). Private keys must be stored and protected against compromise. If these protections aren’t in place, machine identities can’t be trusted.
- Automation: Manual processes aren’t just time-consuming, they’re also prone to error and ineffective at scale. For example, handling the lifecycle of certificates – from servicing requests to issuance and installation, and eventually revocation or renewal – is often entirely manual, creating hours of work for admins and users alike.
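A minimal version of the visibility and protection checks described above, added here as an example that is not part of the original post or of Keyfactor's product: it walks a PEM bundle of certificates, reports the days left until each one expires, flags those already expired or inside a renewal window, and flags self-signed certificates that no trusted CA stands behind. The certificates it reads are constructed in memory as sample input; the field names, the `warnDays` window and the helper `makeTestCert` are this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertStatus is one row of the inventory report.
type CertStatus struct {
	Subject                       string
	DaysLeft                      int  // negative once the certificate has expired
	Expired, Expiring, SelfSigned bool // past NotAfter; inside the warning window; issuer == subject
}

// makeTestCert fabricates a self-signed certificate (constructed sample input for this
// example, so errors are ignored) that expires `days` after `now`, returned as PEM.
func makeTestCert(cn string, now time.Time, days int) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.AddDate(-1, 0, 0), NotAfter: now.Add(time.Duration(days) * 24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// Inventory parses every CERTIFICATE block in a PEM bundle and reports each one's
// expiry status relative to now, flagging certificates that expire within warnDays.
func Inventory(bundle []byte, now time.Time, warnDays int) ([]CertStatus, error) {
	var rows []CertStatus
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // skip private keys or other PEM objects mixed into the bundle
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("certificate #%d: %w", len(rows)+1, err)
		}
		days, expired := int(c.NotAfter.Sub(now).Hours()/24), now.After(c.NotAfter)
		rows = append(rows, CertStatus{Subject: c.Subject.CommonName, DaysLeft: days, Expired: expired,
			Expiring: !expired && days <= warnDays, SelfSigned: c.Subject.String() == c.Issuer.String()})
	}
	return rows, nil
}
```

Feed `Inventory` the concatenated PEM exports from your servers and load balancers; rows with `Expiring` set are the renewals to schedule, and `SelfSigned` rows are identities that fail the trusted-CA requirement.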
The role of machine identity management is to handle the discovery, management, and automation of credentials used by machines. These solutions should also be designed to address the scale and complexity of modern IoT, application development (or DevOps) and multi-cloud use cases.
Legacy vs Modern Machine Identity Management
Watch out for legacy solutions. Traditional machine identity management vendors often don’t provide the deployment flexibility, pricing model, or product architecture that modern enterprises need to effectively manage all of their machine identities.
At Keyfactor, we believe there are no second-class keys or certificates. Every machine identity matters. Our platform was built from the ground up to handle millions of machine identities with a focus on enabling visibility and control over every one, without unnecessary costs or complexity.
Here are some key differences between legacy vs modern solutions:
- Middleware vs modular architecture
- Per-certificate fees vs unlimited licensing options
- On-premises vs cloud-first deployment
- No PKI backend vs fully hosted PKI as-a-Service
Find out why managing machine identities is the next priority for security and IAM leaders. Get insights from more than 1,100 IT and security professionals in the first-ever State of Machine Identity Management Report.