You might be surprised to discover how many TLS machine identities, or TLS certificates, you have in your organization. In a study of 1,000 CIOs by market research firm Coleman Parkes Research in early 2022, across companies of all sizes, the average number of machine identities per organization at the end of 2021 was nearly 250,000. Larger organizations (>10,000 employees) estimated they had 320,000. The study also suggested these numbers are going to grow. Large company CIOs expect their volume to more than triple to around 1 million machine identities by 2024.
You might also be surprised at the types of machines needing TLS machine identities. Even short-lived machines like cloud native entities, microservices, containers and APIs all need an identity to connect, authenticate, and communicate securely.
With all these identities used across different types of machines, building and maintaining an accurate inventory is challenging, especially if you’re attempting to do so manually. Let’s look at a few examples from NIST Special Publication 1800-16 (Securing Web Transactions: TLS Server Certificate Management) of what should be recorded for each machine identity.
- The issue and expiration date. Being able to identify TLS machine identities that are nearing expiration is critical for avoiding outages that happen when they expire. Trying to track this manually is tough – you likely have many unknown (shadow) TLS machine identities, there are different validity periods, and different groups likely have different processes for creating them.
- The identity owner. This is the person (or ideally the group) responsible for the machine that needs the identity, and the go-to when there’s an issue or incident with that identity. Tracking owners manually is practically impossible in an organization of any size, because people change roles within and outside companies all the time.
- The issuing Certificate Authority (CA). CAs are trusted issuers of machine identities and most organizations engage with multiple public CAs and leverage one or more private CAs for issuing TLS machine identities on internal networks. Most organizations also have machine identities issued from unapproved CAs which can lead to increased cost, trust issues, security risk and unexpected incidents.
We developed this short video to show how with TLS Protect Cloud, you can start building an inventory of TLS certificates on your public and private networks within minutes of starting a free 30-day trial.
Internet-based discovery is a powerful capability unique to TLS Protect Cloud that starts building an inventory as soon as you sign up. When you sign up for a trial, it automatically extracts the domain from the email address you registered with and begins searching for public-facing certificates on that domain. You can also easily enter other domains to search.
Without having to do anything else, you immediately take the first step toward full visibility of TLS machine identities. Here are a few examples of what you’ll see immediately:
- Certificates and certificate metadata such as the CN, SANs, chain and expiration dates.
- Number of installations of that certificate and the IP addresses and ports where it’s installed.
- Which CAs issued the certificates – useful for identifying any certificates issued from unapproved CAs.
- What’s remaining in the validity period – useful for flagging certificates that are coming up for renewal.
If you navigate to view certificate installations, there’s even more information immediately available.
- Validation status, to catch configuration errors such as incomplete chains or certificates whose names don’t match the DNS name the host is reached by (a hostname mismatch), either of which can disrupt service.
- Chain validation, so you can easily flag things like incomplete chains or self-signed certificates that may or may not fit within your organization’s policy.
- The TLS protocol version(s) the host negotiates, to readily identify deprecated versions such as TLS 1.0 and 1.1 and mitigate potential audit findings.
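To make the inventory fields above (issue and expiration dates, owner, issuing CA) and the checks (remaining validity, unapproved CA, hostname mismatch, self-signed certificate, negotiated protocol version) concrete, here is an added example in Python. It is not code from this post or from TLS Protect Cloud; it works from the dictionary that Python’s standard `ssl` module returns for a peer certificate, so it runs offline against a constructed sample. The certificate record, the CA name `Example Issuing CA 1`, the domains and the owner tag are illustrative assumptions.

```python
"""Inventory record and policy checks for a TLS server certificate, built from
the dictionary Python's ssl module returns for a peer certificate."""
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# the names and dates are illustrative, not a real certificate.
SAMPLE_PEER_CERT = {
    "subject": ((("organizationName", "Example Corp"),), (("commonName", "www.example.com"),)),
    "issuer": ((("organizationName", "Example Private CA"),), (("commonName", "Example Issuing CA 1"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 15 23:59:59 2024 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.api.example.com")),
}

# Protocol versions deprecated by RFC 8996 (and SSLv2/v3 before it).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def _name_to_dict(rdns):
    """Flatten the nested RDN tuples of a subject/issuer into {attribute: value}."""
    return {attr: value for rdn in rdns for attr, value in rdn}

def _cert_time(value):
    """Convert a notBefore/notAfter string to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)

def inventory_record(cert, owner=None):
    """The fields an inventory should hold. The owner is not in the certificate,
    so the caller supplies it (e.g. from a CMDB or the discovery target's tags)."""
    subject, issuer = _name_to_dict(cert["subject"]), _name_to_dict(cert["issuer"])
    return {
        "common_name": subject.get("commonName"),
        "sans": [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"],
        "issuer_cn": issuer.get("commonName"),
        "issuer_org": issuer.get("organizationName"),
        "not_before": _cert_time(cert["notBefore"]),
        "not_after": _cert_time(cert["notAfter"]),
        "owner": owner,
    }

def days_remaining(cert, now=None):
    """Whole days of validity left (negative once the certificate has expired)."""
    now = now or datetime.now(timezone.utc)
    return (_cert_time(cert["notAfter"]) - now).days

def _dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison: exact match, or a wildcard that is the whole
    left-most label and covers exactly one label (*.example.com matches
    a.example.com but not example.com or a.b.example.com)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def hostname_matches(hostname, cert):
    """True if a DNS SAN covers the host name; the CN is used only when no SAN exists."""
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:
        names = [_name_to_dict(cert["subject"]).get("commonName", "")]
    return any(_dns_name_matches(n, hostname) for n in names)

def is_self_signed(cert):
    """Subject == issuer is a strong hint; proving it needs signature verification."""
    return cert["subject"] == cert["issuer"]

def policy_findings(cert, hostname, approved_issuers, tls_version=None,
                    now=None, renew_within_days=30):
    """Return (code, detail) tuples for everything the inventory should flag."""
    now = now or datetime.now(timezone.utc)
    findings = []
    left = days_remaining(cert, now)
    if left < 0:
        findings.append(("expired", f"expired {-left} days ago"))
    elif left <= renew_within_days:
        findings.append(("expiring_soon", f"{left} days of validity left"))
    issuer_cn = _name_to_dict(cert["issuer"]).get("commonName")
    if issuer_cn not in approved_issuers:
        findings.append(("unapproved_ca", f"issued by {issuer_cn!r}"))
    if not hostname_matches(hostname, cert):
        findings.append(("hostname_mismatch", f"{hostname} not covered by SAN/CN"))
    if is_self_signed(cert):
        findings.append(("self_signed", "subject equals issuer"))
    if tls_version in WEAK_PROTOCOLS:
        findings.append(("weak_protocol", f"negotiated {tls_version}"))
    return findings

def fetch_peer_cert(host, port=443, cafile=None, timeout=5.0):
    """Live helper (not run offline): handshake and return the leaf certificate
    dict plus the negotiated protocol version. Pass cafile for a private CA;
    getpeercert() returns {} unless the chain was verified."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.version()
```

Feeding `fetch_peer_cert(host)` into `policy_findings(...)` for each discovered host and port gives one inventory row plus its findings. Two limits are worth knowing: the `ssl` module only exposes the leaf certificate, so an incomplete chain shows up as a failed handshake rather than a parsed finding, and an owner still has to be attached from outside the certificate.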
All of that, and more, is available immediately from an Internet discovery. For TLS certificate discovery inside your company's network, TLS Protect Cloud can also quickly find privately issued certificates, without requiring access from the internet, even across distributed and segmented networks. You can try it for yourself by signing up for a free 30-day TLS Protect Cloud trial.
If you don’t have full visibility of your TLS machine identities, you are exposed to risks like outages when unmanaged certificates expire. Fortunately, TLS Protect Cloud makes visibility easy, by providing rich information within minutes of starting a free 30-day TLS Protect Cloud trial.
- Why It’s Dangerous to Use Outdated TLS Security Protocols
- Stop Certificate Outages from Increasing in Frequency and Severity
- All TLS Certificates Are NOT Created Equal [What You Need to Know]