Automating your management and security processes is the most effective way to build and maintain a successful Transport Layer Security (TLS) machine identity management program. Automation allows you to orchestrate a set of rapid actions that can be focused on a single machine identity or an entire group of identities at machine speed. These actions can be scheduled in advance or they can be triggered by a specific set of conditions. Benefits include:
Life cycle automation
Using manual processes to deploy, install, rotate, and replace machine identities is inherently error-prone and resource intensive.
To manually deploy a new certificate, an administrator must, for example:
- Generate a new key pair.
- Generate a certificate signing request (CSR).
- Submit the CSR to a Certificate Authority (CA).
- Install the certificate and CA chain.
But by automating the entire machine identity life cycle, you can:
- Ensure that all tasks are performed consistently across the enterprise, no matter how many machine identities or how many different uses of these machine identities are employed in your organization. Decommission machine identities quickly to prevent unused machine identities from being exploited by cybercriminals.
- Improve security by removing administrator access to keystores.
For the best results, automated policy enforcement should drive every aspect of your machine identities, including configuration, issuance, use, ownership, management, security, and decommissioning. With these capabilities, you can quickly and automatically revoke and replace any machine identities that don’t conform to appropriate policies. Plus, you’ll have the flexibility to enforce machine identity policies in a variety of ways: globally, by logical group, or by individual identity.
And security teams can leverage automation to deliver secure machine through certificate-as-a- service. This approach allows your system administrators to easily manage the machine identities they control.
Automation gives you the agility you need to rapidly respond to critical security events such as a CA (Certificate Authority) compromise or zero-day vulnerability in a cryptographic algorithm or library. For example, if a large-scale security event occurs, automation is the only way you can quickly make bulk changes to all affected certificates, private keys, and CA certificate chains. Automation is also the fastest way to remediate more focused security events, such as replacing a compromised certificate that’s used across multiple machines.
Validating the installation and proper use of machine identities is complicated because they’re stored and used across a diverse range of devices, applications, and containers.
Automation can solve these problems by validating that every machine identity is installed properly and working correctly. Ongoing validation ensures that your machine identities continue to be effectively managed and secured. Validation is also useful when you’re grappling with large-scale security events. For example, when responding to a CA compromise or vulnerable algorithm, you need to have an accurate assessment of the progress of machine identity replacement across the enterprise.
Machine identity intelligence loses its value if it only represents a single point in time. Automating your intelligence gathering is the only way to continually monitor the security and health of your machine identities. Plus, when your intelligence is automatically updated, you can generate alerts when anomalies or vulnerabilities are detected.
Without continuous monitoring, it’s easy to miss the changes that are common to machine identities:
- Rapid changes on cloud and virtual servers and the applications that run on them
- Software update failures that cause configurations to be rolled back, overwriting a new certificate with an old, potentially vulnerable, or expired certificate
- The deployment and use of certificates from an unauthorized CA
- Insecure development test certificates that are inadvertently rolled out to production
(This blog has been updated. It was originally posted by Scott Carter on October 6, 2021.)