Some sources say that machines already outnumber humans by 40 to 1. (Some estimate a lower 10 to 1, but that’s still a wide margin). With the advent of cloud native and modernization, both of these estimates probably fall short. But regardless of what the number is, the population of machine identities that need to be securely managed is astronomical. Think hundreds of thousands to millions in large organizations.
Not only are vast numbers of machine identities constantly in play, the speed of development has also shrunk their lifecycles to days, hours, or even minutes. To support the speed and scale of modern, cloud native environments at a global scale, enterprises now require geographically distributed subordinate certificate authorities that can rapidly issue ephemeral machine identities. And ephemeral machine identities in turn require that the subordinate certificate authorities themselves be ephemeral, lightweight, distributed and capable of fast, high-volume issuance.
To meet the need for rapid-fire access to secure machine identities, Venafi developed Firefly, a machine identity issuer that InfoSec teams can provide to developers to support secure, just-in-time issuance in highly dynamic, distributed environments. Firefly ensures that machine identities adhere to corporate policy and maintain enterprise trust through integration with approved Certificate Authorities.
Venafi Firefly Deployment Patterns
Here are 4 ways that an ultra-fast, ultra-lightweight issuer, such as Firefly, can help organizations like yours accelerate modernization.
1. Integrated federated issuer with enterprise Certificate Authorities
Some machine identity management use cases require a distributed PKI to satisfy security policies. In cases like this, Firefly can act as an extension of the enterprise PKI. For example, let’s say a large retail company decides that it needs to bolster security by frequently replacing certificates on Internet of Things (IoT) devices and sensors. To meet this mandate for a stronger security policy, the company would have to reissue certificates every seven days. They decide that the best way to accomplish this is for the issuer to be distributed, which means having a local Firefly in each of the thousands of stores where the IoT devices and sensors are deployed. They could then deploy Firefly into the local Kubernetes environment that already exists at each store location. At the same time, they could keep centralized policy control and visibility over the certificates Firefly issues, enabling better observability and auditing of both short- and long-lived digital identities.
2. Automate machine identity issuance and renewal for DevOps pipelines
DevOps pipelines are built for speed. And that speed creates an almost insatiable appetite for machine identities. One way to securely meet that need for speed is to integrate Firefly with DevOps pipelines to automate the issuance and renewal of certificates for applications and services. This approach is ideal for organizations that use a DevOps approach to software development and deployment and want to extend machine identity issuance control to developers in their environments. Let’s look at an example where a large organization plans to migrate the majority of their legacy applications to a modern architecture. This move would require the daily rotation of hundreds of thousands of certificates to match machine identity lifecycles to the development cycle. And that lifecycle needs to start when the application is deployed in any environment, including development and testing. To deploy Firefly with orchestration tools into different CI/CD pipelines in multiple locations, the issuer must be lightweight, distributed and capable of fast, high-volume issuance.
3. Integrate SubCA with cloud providers and cloud-based applications
Many modern, cloud native environments require high-volume access to machine identities in extremely short timeframes. To ensure security as well as speed, they need a scalable and highly available machine identity solution that can be easily integrated with cloud-based applications and services. To accomplish this seamlessly, Firefly can be deployed as a hybrid cloud PKI solution that integrates with cloud providers such as Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP). For example, organizations in the banking or retail space may choose to simultaneously replace certificates on a hundred thousand or more Point of Sale (PoS) devices. The certificates would be valid for only one day and would need to be replaced in bulk via an orchestration tool, all at the same time. But speed and scale are not the only factors. Throughout the process, the company must make sure that the machine identities are managed and compliant with security policy. To that end, they would need to rapidly instantiate multiple Firefly issuers in Azure and AWS so the issuers are closer to the devices where the machine identities are needed.
4. Secure communication in microservices
In modern environments, organizations need a way to generate and control machine identities to secure cloud native communications. This is critical because microservices constantly communicate with each other over the network. Firefly can issue a machine identity to each microservice so that the services can authenticate one another. The machine identities ensure that communication is encrypted and that each service is talking to the intended endpoint, with policy controls applied. For example, a large organization may choose to use orchestration to better manage and deploy cloud-native applications. Their goal is to reduce costs and improve speed and efficiency, and they need machine identities to be part of the core infrastructure that is being deployed, not an afterthought. Their architecture relies on application-to-application communication, and mTLS certificates are required to secure it. Firefly can help them issue the 2+ billion certificates a year they require, since each machine identity expires and must be reissued after 15 minutes.
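The mechanics behind patterns 1 and 4 (an ephemeral subordinate CA chained to the enterprise root, issuing 15-minute mTLS identities that peers verify on every handshake) can be shown with Go's standard crypto/x509 package. The following is an added example written for this article; it is not Firefly's code and does not use any Venafi API. The Issuer type, the CA names, the payments.svc.cluster.local domain and the lifetimes are assumptions chosen for illustration. It goes slightly beyond the text by adding two controls a practitioner would put on a local issuer: a DNS name constraint and pathlen:0.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issuer is a hypothetical in-memory CA (certificate plus signing key). It stands in
// for the enterprise root and for an ephemeral subordinate CA; it is not Firefly code.
type Issuer struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign assigns a random serial, signs tmpl with parentKey and returns the parsed
// certificate. Passing parent == tmpl produces a self-signed certificate.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		panic(err)
	}
	tmpl.SerialNumber = serial
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// NewRootCA mints a long-lived root: the approved enterprise CA that stays central.
func NewRootCA(now time.Time) *Issuer {
	key := mustKey()
	tmpl := &x509.Certificate{
		Subject: pkix.Name{CommonName: "Example Enterprise Root CA"}, // assumed name
		NotBefore: now, NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return &Issuer{Cert: sign(tmpl, tmpl, &key.PublicKey, key), Key: key}
}

// NewSubCA mints an ephemeral subordinate CA for one store or cluster. Three controls
// bound its blast radius: a short lifetime, pathlen:0 (it cannot mint further CAs), and a
// DNS name constraint so a stolen sub-CA key is only trusted for names under dnsSuffix.
func NewSubCA(root *Issuer, now time.Time, ttl time.Duration, dnsSuffix string) *Issuer {
	key := mustKey()
	tmpl := &x509.Certificate{
		Subject: pkix.Name{CommonName: "Ephemeral SubCA " + dnsSuffix},
		NotBefore: now, NotAfter: now.Add(ttl),
		IsCA: true, BasicConstraintsValid: true, MaxPathLen: 0, MaxPathLenZero: true,
		KeyUsage:                    x509.KeyUsageCertSign,
		PermittedDNSDomainsCritical: true,
		PermittedDNSDomains:         []string{dnsSuffix},
	}
	return &Issuer{Cert: sign(tmpl, root.Cert, &key.PublicKey, root.Key), Key: key}
}

// IssueLeaf mints a workload identity for mTLS. Its lifetime is clamped to the sub-CA's
// NotAfter: peers check every link of the chain against the clock, so a leaf that
// outlives its issuer stops validating the moment the issuer expires.
func IssueLeaf(sub *Issuer, now time.Time, ttl time.Duration, dnsName string) *x509.Certificate {
	key := mustKey()
	notAfter := now.Add(ttl)
	if notAfter.After(sub.Cert.NotAfter) {
		notAfter = sub.Cert.NotAfter
	}
	tmpl := &x509.Certificate{
		Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName},
		NotBefore: now, NotAfter: notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	return sign(tmpl, sub.Cert, &key.PublicKey, sub.Key)
}

// Verify builds leaf -> sub -> root at time at, as an mTLS peer does on each handshake.
func Verify(leaf, sub, root *x509.Certificate, dnsName string, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(sub)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, DNSName: dnsName, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	now := time.Now()
	root := NewRootCA(now)
	sub := NewSubCA(root, now, time.Hour, "payments.svc.cluster.local") // assumed domain
	svc := "checkout.payments.svc.cluster.local"
	leaf := IssueLeaf(sub, now, 15*time.Minute, svc)
	fmt.Println("t+1m :", Verify(leaf, sub.Cert, root.Cert, svc, now.Add(time.Minute)))
	fmt.Println("t+16m:", Verify(leaf, sub.Cert, root.Cert, svc, now.Add(16*time.Minute)))
	rogue := IssueLeaf(sub, now, 15*time.Minute, "api.orders.svc.cluster.local")
	fmt.Println("rogue:", Verify(rogue, sub.Cert, root.Cert, "api.orders.svc.cluster.local", now))
}
```

Two points worth noting. First, x509.CreateCertificate does not enforce the name constraint at issuance: the sub-CA happily signs the rogue name, and it is the peer's Verify that rejects it. Name constraints therefore bound what a leaked sub-CA key is worth to an attacker, not what the key can sign, which is exactly the property you want from a locally deployed issuer. Second, the clamp in IssueLeaf matters because renewal automation usually requests a fixed TTL; if the sub-CA is itself ephemeral, the last leaves it issues must be cut short rather than issued with a validity period that verifiers will never honor.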
Does your business require fast, secure machine identities?
Firefly is a lightweight service for locally issuing machine identities at turbocharged speeds. With nearly zero latency, you can use it in practically any environment—from the ground to the cloud, and everywhere in between. Sign up and try Venafi Firefly for free for 30 days.