This week hundreds of leading organizations gathered at Machine Identity Management Global Summit 2022 to share perspectives and learn new strategies.
Over three days, attendees got actionable advice from over 50 presentations with industry-leading executives and access to the latest advancements from Venafi partners and developers.
Below is a brief compilation of comments from speakers and attendees that represent some of the best insights from the Summit.
Zero Trust
Comment: This is what Zero Trust requires: it requires machine identities that you can trust, that have gone through the tasks: lifecycle, and authentication and authorization.
Comment: You can’t do zero trust unless you trust machine identities.
Comment: It’s nothing new. What has changed is development and dev cycles. The changing perimeter is real, but there are still some walls out there. There is also politics...
Comment: Some folks would say ‘zero trust…I don’t trust anything.’ [But] your responsibility…is to establish and maintain digital trust in your humans and your machines. You can take a zero trust mindset…but you need to figure out a way to establish and maintain that trust.
Comment: In a way Zero Trust is an architectural imperative. Much like how good software architecture makes it easier to write better code faster, a good architecture for Zero Trust will help scale Zero Trust to all parts of the organization.
Machine Identity Security Architecture
PKI
Comment: I get VERY generic when telling someone who has no knowledge of PKI what I do for a living. ‘Protect your Internet traffic’ is about as deep as I usually go.
Comment: Putting yourself in the shoes of a developer really makes you consider how PKI policies are implemented!
Comment: As certs eventually become almost ephemeral we'll have some decisions to make in terms of our PKI architecture to support that growth.
Comment: In practice, when you're up to thousands of certs, with domains scattered across registrars globally, etc., getting DCV completed on 180 or 90 day cycles is tough.
Comment: To me this underscores the need to be agile in managing trust - not just the products of the PKIs (certs) but the trust they imply has to be managed also.
Comment: Distributed issuance is not your father’s PKI. The ability to give issuance to a local developer. They can install it anywhere. They can install locally on their machine. But…it’s managed by our control plane…either TPP or the VaaS solution. And in that, policy is being enforced. It is a sub CA. We can create sub CA certificates. And we can apply policy to it. And we can apply policy even further down.
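The comment above describes handing a subordinate CA to a development team while keeping issuance under central policy. The example below is added here to show the X.509-level counterpart of that idea using only Go's standard library; it is not Venafi's code and does not model the TPP or VaaS control plane itself. A root CA issues a sub CA whose policy is baked into the certificate: critical name constraints restrict it to one DNS namespace, and a path length of zero stops it from minting further CAs. A leaf inside the namespace verifies; a leaf the team tries to issue outside it is rejected by the relying party. All names, domains and lifetimes are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// devPKI holds a root CA and the constrained subordinate CA handed to a
// development team. Names and domains are hypothetical.
type devPKI struct {
	root   *x509.Certificate
	sub    *x509.Certificate
	subKey *ecdsa.PrivateKey
}

// issue signs template with parentKey under parent and returns the parsed
// certificate so it can act as a parent or be verified later.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildDevPKI creates a root CA and a sub CA whose policy lives in the
// certificate itself: it may only issue names under permittedDomain
// (critical name constraints) and may not create further CAs (pathLen 0).
func buildDevPKI(permittedDomain string) (*devPKI, error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root, err := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	if err != nil {
		return nil, err
	}
	subKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	subTmpl := &x509.Certificate{
		SerialNumber:                big.NewInt(2),
		Subject:                     pkix.Name{CommonName: "Example Corp Dev Team Issuing CA"},
		NotBefore:                   now.Add(-time.Hour),
		NotAfter:                    now.Add(365 * 24 * time.Hour),
		IsCA:                        true,
		BasicConstraintsValid:       true,
		MaxPathLen:                  0,    // leaves only: no sub-sub CAs
		MaxPathLenZero:              true, // make the zero explicit in the extension
		KeyUsage:                    x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		PermittedDNSDomainsCritical: true,
		PermittedDNSDomains:         []string{permittedDomain},
	}
	sub, err := issue(subTmpl, root, &subKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return &devPKI{root: root, sub: sub, subKey: subKey}, nil
}

// issueAndVerifyLeaf lets the dev sub CA sign a short-lived server cert for
// dnsName, then verifies it back to the root as a relying party would.
// It returns nil only when dnsName falls inside the sub CA's constraint.
func (p *devPKI) issueAndVerifyLeaf(dnsName string, serial int64) error {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	now := time.Now()
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(90 * 24 * time.Hour), // 90-day lifetime, as discussed above
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := issue(leafTmpl, p.sub, &leafKey.PublicKey, p.subKey)
	if err != nil {
		return err // the sub CA will happily sign; policy is enforced at verification
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.root)
	inters.AddCert(p.sub)
	_, err = leaf.Verify(x509.VerifyOptions{DNSName: dnsName, Roots: roots, Intermediates: inters})
	return err
}

func main() {
	p, err := buildDevPKI("dev.example.internal")
	if err != nil {
		panic(err)
	}
	for i, name := range []string{"api.dev.example.internal", "api.prod.example.internal"} {
		fmt.Printf("%-26s -> %v\n", name, p.issueAndVerifyLeaf(name, int64(100+i)))
	}
}
```

The point worth noticing is where the check happens: the sub CA's private key will sign anything it is asked to, so the constraint only bites when a relying party validates the chain. A control plane that vets requests before the key is used closes that gap, which is why the comment pairs local issuance with central policy rather than relying on certificate extensions alone.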
Comment: And PKI is like a lot of bobbing nucleic cells; we now need to go multi-cellular, which is where you get the controlling entity for the organism in general. The cloud is the soup within which this needs to happen, but it's all going pear-shaped at the moment. But there are possibilities, I think...
Control Plane
Comment: Simple to complex. First principle of any evolution that occurs. Complexity is our kryptonite. The goal is for humans and machines to coexist peacefully and improve the human condition. Complexity is the killer. There is a proven antidote to complexity: the control plane.
Comment: The control plane, if it’s designed right, delegates a lot to what’s happening locally. But it’s under the control of policies. So that the control plane knows what’s happening locally and is completely consistent with the policy of the organization. And that’s how you get better security and better reliability.
Comment: Observability, consistency, intelligent control is what happens when a control plane is put in place.
Comment: And the Full Control Plane Integration roadmap theme is our North Star to guide integration between different aspects of machine identities, including in clusters, data center and on cloud.
Machine Identity Management Architecture
Comment: If you don’t develop, diagram, describe the organization-wide architecture, you will end up with a number of groups buying products and you end up with massive duplication of effort, no consistency, and complexity that destroys reliability, security and slows everything down.
Comment: All Venafi customers need to document (diagram and describe) their machine identity management architecture. Venafi has a generic architecture developed with many successful customers that is a powerful starting point.
Comment: An inherited architecture is by definition yesterday’s architecture. That is why a new architecture including classic data center and modern is required.
Comment: I have had to deal with confusion on who manages and lack of understanding of the architecture due to inherited architecture.
Comment: I've seen time and time again, customers that have clearly documented designs, both for their current architecture and the architectures they want to move to, are the customers that see greatest success.
Comment: It's all about the people. There is a reason certs get messy. It's a people problem. Self-signed certs are a problem because teams either don't know how to get a real cert, find it difficult to do so, or don't understand why it's a problem. Certs are a very simple technology. It's the management of people that makes it hard. Which is another reason why automation makes sense.
Comment: If people can’t work effectively, they will find a way around security controls that will be less secure than the very ones implemented in the first place.
Comment: Wrapping all of these together with a Lifecycle Management solution such as Venafi to provide reporting and the 'single pane of glass view' into ALL certificates in use across the enterprise... a management dream.