Once relegated to the realms of the back office, PKI administration is now getting a lot more high-profile attention. This is largely due to radical increases in the number of machines that organizations are using—and the need to protect the identities of these machines at a more transactional level.
Prior to the accelerated digital transformation of organizations and the adoption of digital-first business models, executives were mostly preoccupied with making decisions on budget allocations and future project timelines. Security was a siloed process, and security teams were largely left to handle PKI issues alone.
However, considering the explosion of machines and associated machine identities—keys and certificates—executives are now beginning to understand that machine identity management is now affecting overall business risk. And as such, the management of machine identities is put directly under the auspices of business leaders at the highest levels.
Remote work has changed security priorities
Prior to the pandemic, an identity management project would not have been considered a top priority. Now, McKinsey reports, “[a] software company rerouted resources that had been designated for a security-automation project to cover gaps in multifactor authentication (MFA).” Additional cuts were seen in other businesses to be able to invest in a VPN or tighten up remote security.
Securing the digital frontier became so top of mind that although “[m]any CISOs’ fiscal 2020 budgets had already been allocated before the pandemic... to cover the cost of addressing the crisis, they … put other projects on hold.” These changes belie a changing viewpoint in C-level priorities, which now include PKI security and machine identities management.
Increased attacks demand C-level attention
Since the rapid advancement of the digital revolution, the threat environment has changed dramatically. There are now two types of companies: those who know they’ve been attacked and those who do not yet know.
The World Health Organization (WHO) reported a five-fold increase in cyberattacks last year. Election security was a top target and countless healthcare attacks were successfully launched. Risk Based Security reports there were an unprecedented 36 billion records compromised in the first three quarters of 2020 alone.
Last year saw breaches in the U.S. government via SolarWinds, bitcoin ransoms paid by Colonial Pipeline in exchange for getting their services back, and advanced adversaries continuing to target high-revenue corporations.
What was once an inconvenient PKI issue of a certificate expiring is now of mission-critical importance to executives, investors and owners alike—as the resulting downtime caused by certificate-related outages can have a direct impact revenue and productivity. Not only has the digital age brought new security challenges, but it offers a revealing glance at how fundamental machine identity management is to any enterprise that wants to stay competitive today.
PKI and co-located workspaces
In a business environment that can’t seem to retain workers, having seamless cybersecurity options for employee devices—both in and out of the office—might be seen as a basic measure to address fatigue or burnout. As departments increasingly purchase, install and deploy their own SaaS solutions, we see the creep of Shadow IT, making secure identity management an even trickier game.
Given the landscape of increased attacks, more widely dispersed workers and less uniform devices, it also makes connecting to data exponentially riskier. Each device, user, remote employee, admin, API, app, piece of software, container, digital solution or end-point is now a liability. When securely managing your PKI can influence your ability to attract, employ and retain workers, then it’s easy to see why machine identity management is ranking higher on executive-level agendas.
While the presence of bring-your-own-devices is increasing rapidly, this personalized arm of the IT infrastructure might be best with limits. The National Cyber Security Center advises “If you’ve given BYOD users admin access to company resources, revoke that access immediately.” It then makes clear that “New BYOD deployments require planning” and “Existing BYOD deployments need review.”
Shadow IT presents many security risks since these devices and their associated machine identities go unmanaged. Since BYOD policies affect all employees, companywide, it is no longer just the responsibility of the PKI admin to roll out these changes. Top level leadership is expected to lead out in the continuation of everyday IT advancements in the workforce.
There is at least one good reason why business leaders must spearhead projects relating to machine identity management: successful companies are those that invest in protecting machine identities. Each element of an organization possesses an identity that needs to be protected—whether human or machine. And no software decision, hardware decision, hiring decision or menial transaction can be made without assigning and managing a verifiable identity.
Executives at any organization need to be aware that they are responsible for balancing the relative value of new technological developments and their inherent security challenges. Failure to do so will only create risks to the overall enterprise that have the potential of becoming disastrous.
Organizations require successful machine identity management for security strategies to keep pace with not only the sheer volume of machine identities, but also the types of machine identities. And machine identity management programs need to be highly automated. Manually managing machine identities is a complex task, prone to human error, which can lead to the organization being at risk from bad actors.
To ensure your company has a smooth digital transformation, talk to your business leaders about investing in cyber security solutions such as the Venafi Control Plane for Machine Identities to fully automate the process of machine identity management.