Why Organizations Need to Care About Machine Identity Management

Machine Identity Management (MIM) is an essential component of an organization’s cybersecurity program. Machine identities come in the form of cryptographic keys and digital certificates that are used to identify and securely connect virtually everything in an organization’s network – workloads, services, devices, and more. Today’s modern enterprises rely on thousands of devices and applications to conduct day-to-day operations. Similar to the humans that make up an organization, each device needs its own identity, and security teams must properly manage and secure it. 

The major challenge with properly managing machine identities is that the lifespan of trusted certificates is only 13 months. Understandably, many IT teams don’t have the time or resources to track hundreds of thousands of certificates across an organization. However, when machine identities aren’t treated as critical infrastructure to the security of an organization, those organizations face the risk of outages. And in some cases, outages can cause irrefutable damage —not just to the business but to its brand reputation.

Yet many organizations are just catching on to the essential need for machine identity management. But why are companies starting to care more? And is your organization where it needs to be – before it’s too late?

In an episode of the EM360 Podcast, Editor Matt Harris spoke with Chris Hickman, Chief Security Officer at Keyfactor, about why companies are paying more attention to machine identity and the trends organizations need to capitalize on now to prepare for the future. Here are some of the insightful points from their discussion.

Chris Hickman: Most organizations have spent a lot of time and effort on streamlining their human identities. But now that they understand who people are, how they interact with each other, and how they securely authenticate, the time has come to start looking at doing that same approach with machines. 

Several initiatives, such as zero trust and moving to the cloud, are accelerating organizations’ need for machine identity management. Organizations are developing a stronger understanding of the security of the devices they are using, the communications between these devices, and the frontend and backend systems associated with them. They are realizing that machine identity can be effective, efficient, and agile from a lifecycle and incident management standpoint. 

Chris: Machine identity has come to the forefront because organizations are starting to consolidate the various teams that manage identity. For instance, PKI and X.509 certificates were traditionally the domain of a particular security group. But increasingly, we’re seeing the responsibilities for the issuance of the certificates falling under the identity management team. This shift to consolidation is driving the notion that identity is not just about security, and it’s causing companies to consider how they holistically manage identity within the business.

Chris: The commonality we’re seeing is that there is very little understanding of where credentials and identities live within an enterprise, so they can’t figure out how big the problem is. Organizations are struggling to answer questions like:

• How many certificates do I have in my enterprise?
• How many SSH keys do I have?
• Where do the certificates live? 
• What are they used for?
• Where are they issued from?
• Are the certificates up to the current standard? 
• Do they have a good lifecycle management protocol attached to them?

The answers to these questions compound as an organization continues to scale and more certificates are used. According to Keyfactor’s annual State of Machine Identity Management report, 70% of organizations say the growth of keys and certificates has increased operational burden. Enterprises are turning to automation to help ease this burden so they can keep growing their business.

Chris: We start with a complete inventory of an organization to get visibility of the foundation of the machine identity problem. Then we look at assigning ownership, creating cross-functional groups, and defining who owns the credentials, because a single credential may have multiple owners. For example, there may be a credential that represents a web server, but on that web server is also an application. If the server goes down, then the application will be down. So, the ownership may be spread across multiple different teams. 

Next, we gear policies and practices to the new structure to make this thinking part of the entrenched culture. Last but not least is to automate. Because once you have automation in place and you’re not manually renewing and deploying credentials, you put the organization in a much better position to scale and keep the business secure.

Chris: There are several things afoot right now, particularly with the evolution of quantum computing and the maturing of cryptographic standards. Quantum computing is becoming a reality to the point where it could break existing cryptographic algorithms. This quantum threat is still evolving, but it will soon require organizations to change how machine identities are derived using cryptography. The potential risk is driving a change to cryptographic standards and protocols that organizations must start preparing for now. Otherwise, they will be at a disadvantage and open to significant security risks.

More than one-thousand companies trust Keyfactor to issue, manage, and protect machine identities across their business. The Keyfactor platform is built to solve your present and future machine identity needs with integrated PKI, digital signing, and machine identity management.

Contact us today to learn more.