I have been talking to many organizations in Germany about how they extend machine identity management into their hybrid cloud environments. What many of them don’t realize is that they will have the same responsibility for managing machine identities in the cloud as they have in their on-premises environments.
Some of the organizations I speak with assume that cloud providers will take care of a wide range of PKI functions. They think that they won’t have to care about PKI any more because they turn over responsibility to the cloud service provider to take care of everything. And that's just not true.
Machines operate the same way in the cloud as they do on premises. But that also means you are responsible for the same machine identity management in the cloud. Why? Cloud services are much like any other managed service: just another kind of infrastructure that organizations can leverage. Would you feel comfortable handing your keys to a managed service provider without some level of control? It's the same thing with the cloud.
Moving to the cloud means your cloud instances will need access to your keys. So you will want to think hard about how to maintain ownership of your keys in the cloud, just as you do on premises. At a minimum, you have to make sure the cloud instance is available and that there is no issue with its machine identities. You still have to provision the certificates, review them, and revoke them, just like you do on premises.
And that process will work even better if you can get a consistent view of machine identities across cloud and on-premises. But many organizations aren’t thinking that way yet.
I was recently speaking with an organization that wanted to move to the cloud. They talked to their cloud provider and said, "Hey, we need some cloud instances from you and we need to secure the communication. So we need certificates." And the cloud provider said, "Oh yeah, we've got certificate management. No problem." So I asked this organization, "Where are the private keys located, how many are they using on cloud servers, and who's taking care of the certificates there?" They couldn't tell me. They had no idea where their keys were or who owned them in the cloud.
I mean, do you really want to give up responsibility for your PKI and control of your keys? Ideally, the keys in the cloud are part of your complete machine identity inventory. That way you will know where they are installed and who owns them.
Granted, most companies understand that there are risks that they might not have considered when moving to the cloud. But most have already dealt with similar issues for managing machine identities in their on-premises infrastructure. And taking it to the cloud only adds complexity. Because most organizations use a hybrid or multi-cloud approach, it may be difficult to maintain consistent visibility and protection across all instances.
My objective is to make these organizations understand that cloud instances are just an extension of their on-premises infrastructure and should be treated just the same in terms of managing machine identities. They need to secure their keys and certificates in the same way everywhere. They still want to be able to enforce security policies, automate the certificate lifecycle and monitor all machine identity usage and behavior—just as they do in physical infrastructures.
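To make the "complete inventory" idea concrete, here is an added example (not from the original post or any vendor product) of the kind of check a consolidated inventory lets you run: it merges on-prem and cloud certificate records and flags the gaps the organization above could not answer, namely missing owner, unknown private key location, and expiry. The record fields and the sample data are constructed assumptions.

```python
"""Consolidated machine identity inventory check across on-prem and cloud.

Added illustration; the record layout (cn, env, host, owner, key_location,
not_after) is an assumption, not any product's schema, and the data is constructed.
"""
from datetime import date

# Constructed sample inventory: one record per certificate, from both environments.
INVENTORY = [
    {"cn": "erp.corp.example", "env": "on-prem", "host": "erp01",
     "owner": "sap-team", "key_location": "hsm-dc1", "not_after": date(2025, 6, 30)},
    {"cn": "api.cloud.example", "env": "cloud", "host": "vm-web-07",
     "owner": None, "key_location": None, "not_after": date(2025, 3, 1)},
    {"cn": "vpn.corp.example", "env": "on-prem", "host": "vpn01",
     "owner": "netops", "key_location": "vpn01:/etc/ssl/private", "not_after": date(2025, 1, 31)},
    {"cn": "db.cloud.example", "env": "cloud", "host": "vm-db-02",
     "owner": "dba-team", "key_location": "cloud-kms:example/db-key", "not_after": date(2026, 2, 1)},
]

WARN_DAYS = 30  # policy assumption: warn when a certificate expires within 30 days


def audit(inventory, today, warn_days=WARN_DAYS):
    """Return (env, cn, [issues]) for every record that violates the same rules
    regardless of whether it lives on premises or in the cloud."""
    findings = []
    for rec in inventory:
        issues = []
        if not rec.get("owner"):
            issues.append("no owner")
        if not rec.get("key_location"):
            issues.append("private key location unknown")
        days_left = (rec["not_after"] - today).days
        if days_left < 0:
            issues.append("expired")
        elif days_left <= warn_days:
            issues.append(f"expires in {days_left} days")
        if issues:
            findings.append((rec["env"], rec["cn"], issues))
    return findings


def gaps_by_env(findings):
    """Count problem certificates per environment, giving the cross-environment view."""
    counts = {}
    for env, _cn, _issues in findings:
        counts[env] = counts.get(env, 0) + 1
    return counts


if __name__ == "__main__":
    for env, cn, issues in audit(INVENTORY, date(2025, 2, 15)):
        print(f"[{env}] {cn}: {', '.join(issues)}")
```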