If your organization has rolled out or is starting to implement a machine identity management program, well done. Machine identities protect the machine-to-machine communications that authorize and validate machine access to valuable data, so protecting those identities is important.
And if you’re new to machine identity management, you might wonder what’s the best way to measure progress and success of your program. Machine identity management is still relatively new so there aren’t as many resources and guides as there are for things like identity and access management programs that protect human identities. Plus, there’s not a single set of metrics to track. We know from experience that machine identity management goals and objectives vary at different organizations and different objectives should be measured in different ways.
Measuring the success of your machine identity management program
New Statistics Viewer in the 21.4 release makes it easier to understand the Venafi Platform and how the product is used
When thinking about measuring success, setting the goals and objectives for your machine identity management program is the right starting point. For many organizations (and the majority of Venafi customers), their initial machine identity management goal is to stop application outages that happen when TLS certificates expire. These outages result in lost revenue or brand damage to the organization, low morale for the teams involved and are often a cause of friction between teams responsible for machine identities and application owners.
Outages aren't the only thing making organizations look to machine identity management. Massive increases in software supply chain attacks are causing people to look closer at code signing certificates and SSH keys to make sure they're not susceptible to misuse. And many organizations are building machine identity management from the ground up for infrastructure-as-code and policy-as-code design patterns that give developers the speed required to innovate while using machine identities that stay safely within the guardrails established and supported by security and compliance teams.
New statistics viewer in the Venafi Trust Protection Platform 21.4 Release
For Venafi Trust Protection Platform customers, the 21.4 release includes a new statistics viewer to visualize key statistics and metrics within the Venafi Platform and products. This data is useful for tracking ROI for products, monitoring performance, throughput and resources—as well as for troubleshooting purposes. Many of the metrics are also very helpful in measuring the success of your machine identity management program.
Since the statistics viewer can use multiple data sources from the Venafi Platform and associated products, let’s look at a few examples of where you could use that information to measure the success of your machine identity management program.
Measuring success in stopping outages
If your machine identity management program goal is to stop application outages caused by expired TLS certificates, some of the most important metrics to track for stopping outages are the ones you would track outside of the statistics viewer, like the number of outages and the number of near misses. Fewer outages (ideally none) mean less downtime and outage costs (both operational and opportunity).
That said, the statistics viewer can display additional data that shows if the Venafi Platform and TLS Protect are being used successfully to manage TLS certificates, which reduces the risk that certificates will expire and cause an outage. Examples of indicators you could track from TLS Protect and the Venafi Platform to determine progress in meeting this “stop outages” goal include:
- Number of automated certificates enrolled – A key strength of TLS Protect is its ability to automatically renew a certificate and install the new certificate on an application (or on multiple applications if the same certificate instance is used in multiple locations). The more certificates handled this way, the fewer opportunities there are for them to expire and cause outages.
- Net new certificates discovered – The Venafi Platform can discover all certificates in an environment, not just those issued from the platform. If you're continuing to discover certificates that come from external sources, those certificates could easily be orphaned, eventually expire, and cause outages.
- Number of daily validations – When the Venafi Platform validates certificates, it verifies that they're properly installed and that their settings comply with settings configured in the Venafi Platform. Seeing this number increase is a good sign that more certificates are being managed in compliance with industry regulations and corporate policy.
Measuring success in preventing machine identity misuse
You can eliminate risk by discovering unknown or hidden machine identities and machine identities that don't meet security policies and by ensuring valid machine identities are being used as designed.
Within the Venafi Platform and products, there are many indicators to track the progress being made to prevent machine identity misuse. Examples include:
- SSH certificates issued – While we recommend using SSH certificates as a more secure alternative to SSH keys (more on that here), it is still critical to know when these certificates are being issued and to whom – information from SSH Protect that is easily tracked in the statistics viewer.
- Code signing data – Code signing is important to verify the identity of a software publisher and to confirm the integrity of code from the time it was signed to the time it was downloaded. Without an enforced enterprise security policy on code signing, it is easy for developers to sign code with misconfigurations, which adds risk. For example, the new statistics viewer can track configuration options such as whether a timestamp was included in the code signing operation.
Measuring success in securely accelerating development
Organizations with a goal to develop modern applications quickly while ensuring they are secure need to optimize machine identity services for developers, so that developers do not have to scope and build those services themselves and the services are standardized across all development environments. One example of how to track progress towards this goal is:
- Number of non-compliant certificates discovered – Venafi TLS Protect discovers all certificates, not just ones issued by the product itself. Tracking non-compliant certificates is a good indicator of whether developers are working outside of, or may not know about, the Venafi Platform.
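The indicators listed above for the "stop outages" goal (automated enrolments, net new discovered certificates, daily validations) and for the "accelerate development" goal (non-compliant certificates) can all be derived from a plain certificate inventory. The script below is an added example, not code from this post or from Venafi; it assumes a simplified inventory record (source, automation flag, validity dates, key size, signature algorithm, validation result, first-seen date) and policy thresholds that are stated as assumptions, and it also reports "near misses": certificates that expire soon with nothing scheduled to renew them.

```python
"""Certificate inventory metrics (constructed example; not Venafi's code)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Cert:
    name: str          # subject common name
    source: str        # "platform" (issued by the management platform) or "discovered"
    automated: bool    # renewal and installation handled automatically
    not_before: date
    not_after: date
    key_bits: int
    sig_alg: str       # e.g. "sha256RSA", "sha1RSA"
    validated: bool    # last installation validation passed
    first_seen: date   # date the inventory first recorded this certificate


# Assumed policy thresholds for this example; substitute your own policy.
POLICY = {
    "min_rsa_bits": 2048,
    "banned_sig_algs": {"sha1RSA", "md5RSA"},
    "max_validity_days": 398,
    "near_miss_days": 14,
}


def compliance_violations(cert: Cert, policy: dict = POLICY) -> list[str]:
    """Return the policy rules a certificate breaks (empty list if compliant)."""
    violations = []
    if cert.key_bits < policy["min_rsa_bits"]:
        violations.append(f"key too small ({cert.key_bits} bits)")
    if cert.sig_alg in policy["banned_sig_algs"]:
        violations.append(f"weak signature algorithm ({cert.sig_alg})")
    if (cert.not_after - cert.not_before).days > policy["max_validity_days"]:
        violations.append("validity period exceeds policy")
    return violations


def metrics(inventory: list[Cert], today: date, window_days: int = 30,
            policy: dict = POLICY) -> dict:
    """Compute the program indicators for one reporting window ending today."""
    since = today - timedelta(days=window_days)
    near = today + timedelta(days=policy["near_miss_days"])
    non_compliant = {c.name: compliance_violations(c, policy) for c in inventory}
    return {
        "automated_certificates": sum(1 for c in inventory if c.automated),
        # discovered (not platform-issued) and first recorded inside the window
        "net_new_discovered": sum(1 for c in inventory
                                  if c.source == "discovered" and c.first_seen >= since),
        "validated": sum(1 for c in inventory if c.validated),
        "non_compliant": {k: v for k, v in non_compliant.items() if v},
        # near miss: expires soon and nothing will renew it automatically
        "near_misses": [c.name for c in inventory
                        if not c.automated and today <= c.not_after <= near],
        "expired": [c.name for c in inventory if c.not_after < today],
    }


def sample_inventory() -> list[Cert]:
    """Constructed sample data standing in for an inventory export."""
    return [
        Cert("api.example.test", "platform", True, date(2021, 6, 1), date(2022, 5, 31),
             2048, "sha256RSA", True, date(2021, 6, 1)),
        Cert("legacy.example.test", "discovered", False, date(2020, 1, 15), date(2021, 12, 10),
             2048, "sha1RSA", False, date(2021, 11, 20)),
        Cert("build.example.test", "discovered", False, date(2021, 11, 1), date(2022, 10, 31),
             1024, "sha256RSA", True, date(2021, 11, 25)),
        Cert("shop.example.test", "platform", True, date(2021, 3, 1), date(2022, 2, 28),
             3072, "sha256RSA", True, date(2021, 3, 1)),
        Cert("old.example.test", "discovered", False, date(2020, 11, 1), date(2021, 11, 28),
             2048, "sha256RSA", False, date(2021, 10, 1)),
    ]


if __name__ == "__main__":
    for key, value in metrics(sample_inventory(), date(2021, 12, 1)).items():
        print(f"{key}: {value}")
```

Run against the constructed sample, the report shows two automated certificates, two net new discoveries in the last 30 days, two non-compliant certificates (one with a weak signature algorithm and an over-long validity period, one with a 1024-bit key), one near miss and one already-expired certificate. Tracking the near-miss and expired lists over successive windows is the outage-risk trend the post describes; the automated count rising while net new discoveries fall is the signal that issuance is moving inside the platform's guardrails.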
We’re just scratching the surface here when it comes to metrics that can be tracked and shared using the new statistics viewer in the Venafi Platform. If you’re a Venafi customer, I’d encourage you to talk to your solution architect to learn more about it or upgrade to the latest release and try it out yourself. There’s also much more that’s new in the 21.4 release so visit docs.venafi.com and check out the latest release notes.
If you’re not currently a Venafi customer and want to find out more about our award-winning machine identity management platform, Venafi Trust Protection Platform, click here.