Identity and access management (IAM) is not a new concept for IT and security leaders. But IAM today looks very different from even five years ago.
That was the premise behind Keyfactor and Ponemon Institute’s second-annual State of Machine Identity Management Report, which takes an in-depth look at the role of PKI and machine identities, such as X.509 certificates, in securing modern enterprises. The report is based on survey responses from over 1,200 global IT and security leaders across 12 industries.
Here, we highlight three key takeaways that underscore the impact of cloud and zero trust on IAM. These points tell an important story about where the future of IAM is heading and the critical forces driving us there.
42% have an overall strategy for Machine Identity Management that gets applied consistently across the organization
Quite simply, machine identities are the next frontier for IAM strategies.
For years, IAM has focused on the identity of users (aka human identities) across the organization. However, in 2022 and beyond, human identities will comprise only a small portion of what IAM needs to cover.
Modern workplaces now rely on dynamic and cloud-based workloads, which has introduced the concept of machine identities. Much like humans, these machines need to be identified, authenticated and authorized to maintain security – otherwise they become enormous vulnerabilities. The idea of this is nothing new, but the number of machines and the pace at which they’ll continue scaling is unprecedented.
As a result, having a clear overarching strategy for machine identity management that gets applied consistently across the organization will be crucial going forward. This makes it no surprise that 42% of organizations are already moving in this direction, a 5% increase compared to 2021.
As more and more security teams seek to implement this type of strategy, the biggest roadblocks are typically “too much change and uncertainty” (41%) and “lack of skilled personnel” (41%). Investing in crypto-agility can help organizations prepare for more constant changes to overcome these challenges, which is why it’s a top strategic priority for 57% of organizations.
54% say zero-trust security strategy is the top trend driving deployment of PKI, keys and certificates
The zero-trust security principle is based on the fact that the traditional perimeter no longer exists and, therefore, every identity must be regularly validated, authenticated and authorized to connect (and re-connect) to data and systems, regardless of who, what or where they are. Importantly, it applies to both humans and machines, and identity sits at the core of this model.
The rise of the remote workforce over the past two years has accelerated this strategy, and more than half of organizations say zero-trust is the top trend driving their deployment of PKI, keys and digital certificates – which enable easy identification and authentication of machine identities.
Another 49% say cloud-based services are the top trend driving their deployment of these machine identities. This aligns deeply with the fact that enterprises are increasingly moving to a cloud-based environment, and these services help create dynamic workflows that rely on machines.
Notably, other trends like remote workforces (45%) and IoT devices (44%) are also critical factors in driving PKI deployments, and they tie directly into the need for a zero-trust security strategy and cloud-based services – which ends up creating more machine identities.
Overall, this inevitable cycle makes the shift to creating and authenticating machine identities through PKI (including the use of keys and digital certificates) inevitable for modern organizations that continue to scale these strategies.
1/3 are shifting to a cloud-based PKI solution, whether it’s a CA in the public cloud or fully managed SaaS PKI
Finally, the cloud is not only impacting the volume of machine identities, but also how and where organizations deploy PKI.
Currently, 36% of organizations now use a managed or SaaS-delivered PKI, while another 31% use a private CA service from a public cloud service provider like AWS or GCP. That said, we can expect these numbers to increase significantly as more and more workloads move to the cloud and as organizations grapple with PKI skills shortages – 50% of respondents feel they don’t have enough personnel dedicated to deploying and managing PKI. The fact that 52% have six or more full-time equivalent (FTE) staff working on PKI demonstrates the level of support required.
Shifting PKI to the cloud, particularly with a fully managed SaaS PKI, can help ease this challenge and position organizations to effectively scale their PKI programs to support zero-trust strategies for the growing number of machine identities.
Beyond reducing time spent managing the program, this shift to the cloud for PKI will also be essential to support increased speed and scale. This scalability will make it possible for organizations to issue certificates for new machine identities quickly, in contrast to on-premises solutions, which can be slower and more expensive to scale.
What else is in store for IAM in 2022 and beyond?
These findings from the 2022 State of Machine Identity Management Report clearly illustrate the impact of cloud and zero-trust on IAM, as both of these factors are not only increasing the significance of PKI, but also affecting where and how organizations structure their PKI programs.
This blog highlights only a few of many trends surfaced in the report. We’ll take a look at several of the most important findings in the next blog post, including a look at the machine identity attack surface.
Can’t wait for more? For a deeper look into these trends and more that are impacting machine identity management, click here to download the full report.