In my first few blogs, I explained the need for visibility for all security professionals. In this analogy, visibility was the cake, and intelligence was the cream on the cake. So, here we are, Ladies and Gentlemen! We already have a well-cooked, beautiful cake with cream. Now let’s talk about how to top it off with the right kind of cherry. Of course, by cherry, I mean automation—the last step in our Machine Identity Management journey.
Prep with visibility and intelligence over your machine identities
As I wrote in my first blog, before thinking about automation you must have the foundations in place. And those foundations are visibility and intelligence. Assuming you have passed those two steps, you can think about the cherry. Yes, we can think about how automation will save money, increase efficiency, reduce burden, strengthen defenses, and the list goes on and on.
Hey, you didn’t spend all that time mastering visibility and intelligence only to stop before you were able to see the results of your efforts.
But before talking about benefits, just a reminder about automation: it’s not so easy and it’s not always possible, but the benefits are tangible and almost immediate.
The payoff: Automation of certificate lifecycle management
For Machine Identity Management, automation means a lot of things. But I would say that it’s primarily the orchestration of the life cycle of the machine identities. With that being said, it’s important to understand that automation is useful everywhere:
- Automating inventories: Ideally, you don’t want visibility to be a one-time event, but continuous. To accomplish this, you should automate your inventories and discovery—in frequency, in strategy, as well as in their scope.
- Automating analytics: As I said in my previous blog <link>, inventories bring you information that automatic filtering and placement rules help you to categorize.
- Automating policy management: You will want to automatically apply your policies to any new request, but also to the legacy certificates.
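The three items above (continuous inventory, placement rules, policy applied to legacy certificates) are what a scheduled inventory job does with the records discovery returns. The script below is an added example, not code from this blog or from Venafi: it classifies a constructed inventory with ordered placement rules and then flags the findings that a legacy-certificate policy would raise (expired, expiring soon, weak key, untrusted issuer). The inventory records, folder names, thresholds and trusted-issuer list are all assumptions chosen for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Tuple

@dataclass
class CertRecord:
    host: str           # where discovery found the certificate
    location: str       # how it is stored there, e.g. "apache-folder" or "f5-vip"
    common_name: str
    issuer: str
    key_bits: int
    not_after: datetime

# Fixed "now" so the expiry checks below are reproducible (constructed value).
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)

# Placement rules: ordered (predicate, folder) pairs, first match wins.
# Quarantine rules come first so a self-signed certificate never lands in a production folder.
PLACEMENT_RULES: List[Tuple[Callable[[CertRecord], bool], str]] = [
    (lambda c: c.issuer.startswith("Self-signed"), "Quarantine/Self-signed"),
    (lambda c: c.common_name.endswith(".corp.example"), "Internal/Corp"),
    (lambda c: c.common_name.endswith(".example.com"), "External/Web"),
]

# Issuers the policy accepts for certificates already in the estate (constructed).
TRUSTED_ISSUERS = frozenset({"Corp Issuing CA"})

def place(cert: CertRecord) -> str:
    """Return the folder a placement rule assigns, or 'Unclassified' when nothing matches."""
    for predicate, folder in PLACEMENT_RULES:
        if predicate(cert):
            return folder
    return "Unclassified"

def analyze(inventory: List[CertRecord], now: datetime,
            expiry_window_days: int = 30, min_key_bits: int = 2048) -> Dict:
    """Classify every record and apply the legacy-certificate policy to it.

    Returns {"placement": {folder: [common names]}, "findings": [(cn, code, detail)]}.
    """
    report: Dict = {"placement": {}, "findings": []}
    for cert in inventory:
        report["placement"].setdefault(place(cert), []).append(cert.common_name)
        days_left = (cert.not_after - now).days
        if days_left < 0:
            report["findings"].append((cert.common_name, "expired", f"{-days_left} days ago on {cert.host}"))
        elif days_left <= expiry_window_days:
            report["findings"].append((cert.common_name, "expiring", f"{days_left} days left on {cert.host}"))
        if cert.key_bits < min_key_bits:
            report["findings"].append((cert.common_name, "weak-key", f"{cert.key_bits}-bit key"))
        if cert.issuer not in TRUSTED_ISSUERS:
            report["findings"].append((cert.common_name, "untrusted-issuer", cert.issuer))
    return report

# Constructed sample inventory, as a discovery run might return it.
INVENTORY = [
    CertRecord("web01", "apache-folder", "www.example.com", "Corp Issuing CA", 2048, NOW + timedelta(days=200)),
    CertRecord("lb01", "f5-vip", "api.example.com", "Corp Issuing CA", 2048, NOW + timedelta(days=10)),
    CertRecord("db01", "java-keystore", "db.corp.example", "Corp Issuing CA", 1024, NOW + timedelta(days=400)),
    CertRecord("test01", "apache-folder", "test.lab.local", "Self-signed test.lab.local", 2048, NOW - timedelta(days=5)),
]

if __name__ == "__main__":
    result = analyze(INVENTORY, NOW)
    for folder, names in sorted(result["placement"].items()):
        print(f"{folder}: {', '.join(names)}")
    for cn, code, detail in result["findings"]:
        print(f"[{code}] {cn}: {detail}")
```

Because the rules are data rather than code paths, the same job can run on every discovery cycle and the folder structure it produces is what the policy step later keys on; a record that ends up in "Unclassified" is itself a finding worth reviewing.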
Allow me to develop this last item. You could say that this mention of policies is a bit generic, and you would be right, so rather than leave you to debate it without me, I prefer to develop the point: policy management usually means you can design your policies, but it also means you have a way to enforce them.
For me, policy management is the design of the policies within the context of an applicable workflow to decide which one is applicable or not. But once they are defined, you will need to enforce these policies at two levels:
- For a machine identity requested or delivered to any human or application.
- For installing and managing the compliant machine identity on the machine itself in alignment with all best practices and rules.
Very often, the famous cherry—automation—is associated with all the manual tasks on machines, such as installing, renewing or revoking a certificate or SSH key (SSH keys are, by the way, not revoked as often as they should be). Automation of manual tasks? Yes, and yes again. This is a big benefit to everyone, mainly the operational IT teams. But automation offers much more value than just streamlining manual tasks. Don’t be tempted to reduce automation to that only.
"teams were complaining about the time spent to manage the requests for machine identities"
At most of my customers, the security teams were complaining about the time spent managing the requests for machine identities. Because requesters often have little PKI expertise, 50 to 80% of the requests include erroneous information, such as a bad CSR, a missing OU, a wrong domain, and so on.
By automating self-service for certificate requesters, you can have the request portal fill in the majority of the cryptographic information automatically, which ensures that the critical fields are set correctly by applying policy. By using this, you reduce the impact on your security team and streamline the process: tell me who you are and I will tell you what policy applies to you. The portal then guides you through the request, asking for the minimum amount of information.
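The "tell me who you are and I will tell you what policy applies to you" step, as an added example that is not part of this blog or of any Venafi product: a requester identity selects a policy, the portal validates only the fields the requester supplied (domain, key size, validity) against that policy, and fills the rest (OU and the organization fields) from it instead of rejecting the request. The team names, policy values and domains are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Requester identity -> applicable policy (constructed values).
POLICIES: Dict[str, Dict] = {
    "web-team": {
        "allowed_domains": ("example.com",),
        "required_ou": "Web Platform",
        "min_key_bits": 2048,
        "max_validity_days": 397,
        "defaults": {"O": "Example Corp", "C": "FR"},
    },
    "lab-team": {
        "allowed_domains": ("lab.example.internal",),
        "required_ou": "Lab",
        "min_key_bits": 2048,
        "max_validity_days": 90,
        "defaults": {"O": "Example Corp", "C": "FR"},
    },
}

@dataclass
class CertRequest:
    requester: str                      # who is asking; this picks the policy
    common_name: str
    sans: List[str] = field(default_factory=list)
    ou: Optional[str] = None            # left empty by most requesters; filled from policy
    key_bits: int = 2048
    validity_days: int = 365

def _in_allowed(name: str, domains: Tuple[str, ...]) -> bool:
    """True when name is one of the allowed domains or a subdomain of one (dot-anchored)."""
    return any(name == d or name.endswith("." + d) for d in domains)

def validate_and_fill(req: CertRequest) -> Tuple[Optional[Dict], List[str]]:
    """Apply the requester's policy; return (enrollment parameters, []) or (None, errors)."""
    policy = POLICIES.get(req.requester)
    if policy is None:
        return None, [f"unknown requester '{req.requester}': no policy applies"]
    errors: List[str] = []
    for name in [req.common_name, *req.sans]:
        if not _in_allowed(name, policy["allowed_domains"]):
            errors.append(f"domain not allowed for {req.requester}: {name}")
    if req.key_bits < policy["min_key_bits"]:
        errors.append(f"key too small: {req.key_bits} < {policy['min_key_bits']} bits")
    if req.validity_days > policy["max_validity_days"]:
        errors.append(f"validity too long: {req.validity_days} > {policy['max_validity_days']} days")
    # OU is not asked from the requester; the policy supplies it, and a conflicting value is an error.
    ou = req.ou if req.ou is not None else policy["required_ou"]
    if ou != policy["required_ou"]:
        errors.append(f"OU must be '{policy['required_ou']}', got '{ou}'")
    if errors:
        return None, errors
    subject = {"CN": req.common_name, "OU": ou, **policy["defaults"]}
    return {"subject": subject, "sans": list(req.sans),
            "key_bits": req.key_bits, "validity_days": req.validity_days}, []

if __name__ == "__main__":
    ok = CertRequest("web-team", "shop.example.com", sans=["www.shop.example.com"])
    print(validate_and_fill(ok))
    bad = CertRequest("web-team", "shop.evil-example.com", key_bits=1024, validity_days=730)
    print(validate_and_fill(bad))
```

The domain check is anchored on the dot so that a look-alike such as shop.evil-example.com is not accepted as a subdomain of example.com; that is exactly the "bad domain" category of request that otherwise reaches the security team.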
Automation is beneficial everywhere for sure, but let’s get back to the main cherry. Automating machine identities is definitely more complex than most automation, because of the volume of machines and because of the various technologies deployed in your IT. Plus, each technology has its own way to manage identities. For example, compare Apache and F5 from an SSL certificate perspective. On Apache, certificates are stored in a folder. On F5, certificates are stored in the VIP.
Automate your integrated workflows: Cloud, DevOps and beyond
But that is not the only complication. If the machine is in the cloud, you may be tempted to leverage the existing Azure Vault, AWS ELB and so on to manage the machine identities. Plus, if you involve DevOps, you have to work through their existing automation and integrate your process into theirs, or vice versa. In addition, if you’re using an HSM, there will be different ways of generating the key pair that you need to manage and orchestrate too.
In this sense, automation is often associated with integration.
To realize the full benefits of automation—without spending years on a project—it’s better not to do it by yourself. It’s much more efficient to use off-the-shelf connectors for orchestration, simplifying the integration of technologies, but also accelerating the process of automation.
In these conditions, automation is a real cherry—and a big one, believe me. Otherwise, it remains an objective that is difficult to reach—especially if it’s not backed by the proper visibility and intelligence.
Venafi automates while you focus on priorities
Now you have a nice cream cake and a cherry (or cherries) on it. You can enjoy it while you focus on other high-priority projects. I can share the secret now, Venafi is the name of the Cake, the Cream and the Cherry.