In May 2021, the White House published its Executive Order (E.O.) on improving the nation’s cybersecurity. We noted at that time how Section 3 of the mandate, entitled “Modernizing Federal Government Cybersecurity,” emphasized the need for Federal Civilian Executive Branch (FCEB) agencies to transition to a Zero Trust Architecture (ZTA). The E.O. specifically referenced the standards and guidance outlined by the National Institute of Standards and Technology (NIST) as a means by which FCEB agencies could migrate to a ZTA.
Examining one of NIST’s migration steps
No doubt the Executive Order was referring to Special Publication (SP) 800-207. Released by NIST in August 2020, the document lists several core components that organizations can use to adopt a zero trust architecture. Among them is enterprise PKI. As quoted from the publication:
"This system is responsible for generating and logging certificates issued by the enterprise to resources, subjects, services and applications. This also includes the global certificate authority ecosystem and the Federal PKI, which may or may not be integrated with the enterprise PKI. This could also be a PKI that is not built upon X.509 certificates."
As part of their use of enterprise PKI, Federal Civilian Executive Branch agencies, critical infrastructure organizations, and other entities need to make sure they are managing their certificates across their entire lifecycle. If they don’t, they increase their exposure to attack.
This is especially pertinent for organizations’ machine identities. These resources are growing twice as fast as human identities, according to Forbes. This makes the task of machine identity management more difficult for IT and security teams. More Internet of Things (IoT) devices, containers, and other machine-based resources contribute to more administrative workload for these teams. In managing those devices, IT and security personnel might make mistakes that leave their organizations vulnerable to attack—especially if they rely on manual processes.
Teams don’t always have visibility over all their machines either. In the age of hybrid and remote work, employees can introduce new machines and IT assets into their employer’s environment without the knowledge of IT and security. Individual users may also deploy their own keys and certificates for shadow IT outside the guidance of security personnel, thereby increasing the organization’s risk of an outage or compromise.
If security and IT don’t have the requisite levels of visibility, their machine identities could end up in the wrong hands. Malicious actors could then leverage those assets to insert themselves into encrypted communication, evade security controls, impersonate trusted services, or conceal their attack attempts, all for the purpose of moving to critical assets and exfiltrating victims’ sensitive information.
So, where does this leave machine identity management?
It’s a bit complicated. The problem is that machine identities have become so numerous that they are exceeding many organizations’ management capabilities. Machine identities are not just growing comparatively more quickly than human identities. They’re also increasing in number as the definition of ‘machines’ expands beyond just servers and PCs to include applications, containers, cloud instances, APIs and others. Each one of those machines requires its own identity so that IT and security teams can establish identity and authenticity. Consequently, organizations typically use anywhere from thousands to millions of certificates and keys across their environments.
Let’s put this growth into perspective with just one element of machine identity growth. According to Forbes, there were 2.25 million robots used by the global workforce in 2019. That’s twice as many machines as there were in 2010. Looking ahead to 2022, approximately a third (32%) of global infrastructure decision-makers said that they expect to leverage robotic process automation (RPA).
Machine identity management automation: experts weigh in
As they acknowledge the challenges they face when managing their machine identities, it is essential that organizations consider employing an automated certificate management platform. Such a solution will help organizations to manage their machine identities across their entire lifecycles without human error. These types of tools can help to reduce staff time and operational costs as well as enhance availability, capability and scalability. In the process, they can prevent a certificate outage, thereby reducing the risk of digital attack and protecting an organization’s brand reputation.
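As an added illustration (not code from this page or from Venafi), the following Go program shows the core of the lifecycle check such a platform runs over discovered machine identities: each certificate is classified against a renewal window so that a lapse is caught before it becomes an outage or a stale identity left lying around. The service names and the 30-day window are assumptions, and the certificates are constructed in-process rather than discovered from a real environment.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"time"
)

const (
	Expired  = "EXPIRED"  // lapsed: outage, or a stale identity left for misuse
	Expiring = "EXPIRING" // inside the renewal window: rotate now
	Healthy  = "OK"
)
// Classify checks NotAfter against now plus the lead time operators need to rotate.
func Classify(cert *x509.Certificate, now time.Time, renewWindow time.Duration) string {
	if !now.Before(cert.NotAfter) {
		return Expired
	}
	if !now.Add(renewWindow).Before(cert.NotAfter) {
		return Expiring
	}
	return Healthy
}
// selfSigned builds a constructed test certificate (not a real identity) with the given expiry.
func selfSigned(notAfter time.Time) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
// Inventory stands in for a discovered fleet (hypothetical names) checked against a 30-day window.
func Inventory(now time.Time) map[string]string {
	fleet := map[string]*x509.Certificate{
		"legacy.example.internal": selfSigned(now.AddDate(0, 0, -10)), // lapsed 10 days ago
		"api.example.internal":    selfSigned(now.AddDate(0, 0, 7)),   // 7 days left
		"db.example.internal":     selfSigned(now.AddDate(0, 0, 200)),
	}
	out := make(map[string]string, len(fleet))
	for name, c := range fleet {
		out[name] = Classify(c, now, 30*24*time.Hour)
	}
	return out
}
```

In practice the fleet map would be fed by discovery (TLS scans, key stores, container and cloud inventories), and anything not `OK` would open a renewal ticket or trigger automated rotation.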
"If you aren’t considering how to securely connect your public key infrastructure to machine identities throughout your organization, you aren’t serious about zero trust," said Greg Crabb, Strategic Cybersecurity Advisor & Retired CISO of USPS and a speaker at the Venafi Machine Identity Management Summit 2022.
"NIST Special Publication 207 details the importance of an enterprise’s public key infrastructure to zero trust architecture. As the leader in Machine Identity Management, Venafi provides the best solution to connect your public key infrastructure to the machines in your organization. In this NIST publication, machines are referred to as 'resources, subjects, services and applications.' Venafi stops certificate-related outages, fully automates, and secures your machines from misuse and compromise," Crabb said.
"The fact that these certificates are inextricably woven into all aspects of digital life presents an increasingly large operational challenge to enterprises because they must be properly managed at scale," Mahdi said.
He continued. "While digital certificates are often manually managed in spreadsheets, this can create a management problem. Without proper automation and management, costly service and business outages can and have occurred. While some enterprises have been investing in certificate authorities (CAs) and certificate lifecycle management (CLM) solutions to overcome the issues they face with digital certificate and machine identity management, it's important that enterprises do their research and look for solutions that are open and interoperable with their growing tech stacks."