Visibility into machine identities, such as digital certificates and cryptographic keys, lets you anticipate workload and outages, and identify weak machine identities, vulnerabilities and risk exposure. It is both an operational question and a vital security question.
Visibility is no longer a "nice to have"; it is a "must have." And time is of the essence.
Would you drive to an unfamiliar city without a map (paper or digital)? Certainly not if you want to be efficient. You would at least take a high-level map to know which direction to head, or a detailed one to follow the most direct road.
“Easy comparison, Stéphane,” a CISO once said to me, “but in real life it’s not so easy to get a mapping of the machine identities…”
Really? Have you tried? For a long time now you have had this map of your users, and yet you may have done nothing about the machines in your business. The number of machines in your company is 10 times greater than the number of users, and it is these machines that actually run your business, ensure your compliance, and manage and secure your data and finances.
"The machines are here to stay and we can’t continue to ignore them."
Referring back to my earlier analogy about the cherries on the cake: you are often tempted to focus on the cherries (governance and automation) without first attending to the cake (visibility).
When I talk to CISOs (or RSSIs in France), most of them suggest that I talk to their IT team or SecOps instead, because machine identities are not in their scope. Really? A CISO doesn’t deal with security or provide governance? Of course they do, but most of the time the CISO’s attention is focused on humans and users.
So I go and speak to their IT departments and meet with SecOps, PKI teams, production, network, the security architect, DevOps and so on. In short, it is rare for these security experts to have even a vague idea of all their machines and machine identities, and most have no idea at all. I ask them a simple question: “Are we secure (because I’m one of your customers)?” Their answers usually go something like this:
"We think we are [secure], because we have deployed machine identities thanks to our PKI, but not on all machines, and we don’t know what, when or where machines are deployed."
OK, you have scared me enough: you are currently blind, but that doesn’t matter for now. The important question is: “Do you want to stay like this and wait to be breached (like Equifax or Marriott)? Do you want to see outages increase because more and more certificates expire that you were unable to anticipate?” I’m not talking about automation, governance, risk assessment, crypto-agility or SHA-1 to SHA-2 migration. All of those are cherries on the cake.
We need to focus on the cake first, which is visibility.
And visibility is simple, oh yes it is. It is mainly a question of priority and willingness on your side, and of having the right tool to give you that visibility. What if I told you that you could easily have the visibility you need of all your machine identities? With Venafi, you can.
You can create an inventory of all the certificates and keys currently active on your network, whether you issued them or not.
In addition, you can get a list of all the illegitimate certificates affiliated with your company that are visible on the Internet.
You will most likely end up with thousands upon thousands of machine identities, with all the “crispy” details: expiration date, issuer, cryptographic characteristics, number of duplicate identities, where each one is installed, and more. Would you like some great cake?
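To make the "crispy details" concrete, here is an added example (my own illustration, not Venafi code or any product's API) of what a minimal network certificate inventory records: expiry, issuer, key type and size, signature hash, a fingerprint used to count duplicate deployments, and where each certificate was seen. It uses the Python `cryptography` package to parse DER certificates. The hostnames, the 30-day expiry warning window, the 2048-bit RSA floor and the fixed clock are all assumptions, and the certificates are generated inline as constructed samples so the script runs offline; `fetch_leaf_der()` is the piece you would point at real hosts.

```python
"""Added example: a minimal certificate inventory (expiry, issuer, key, signature,
duplicates, location) over DER-encoded X.509 certificates. Not Venafi code."""
import datetime as dt
import hashlib
import socket
import ssl
from collections import Counter

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.x509.oid import NameOID

EXPIRY_WARN_DAYS = 30   # assumption: flag certificates expiring within 30 days
MIN_RSA_BITS = 2048     # assumption: shorter RSA keys are flagged as weak


def fetch_leaf_der(host, port=443, timeout=5.0):
    """Return the DER leaf certificate a TLS endpoint presents (live scan helper).

    Verification is deliberately disabled: an inventory must also capture the
    self-signed, expired and mis-issued certificates a verifying client would
    reject, and ssl's getpeercert() without binary_form returns {} for any
    certificate that was not verified.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def describe(der, where, now):
    """Build one inventory record for a DER certificate found at `where`."""
    cert = x509.load_der_x509_certificate(der)
    pub = cert.public_key()
    if isinstance(pub, rsa.RSAPublicKey):
        key, weak_key = f"RSA-{pub.key_size}", pub.key_size < MIN_RSA_BITS
    elif isinstance(pub, ec.EllipticCurvePublicKey):
        key, weak_key = f"EC-{pub.curve.name}", False
    else:
        key, weak_key = type(pub).__name__, False
    # not_valid_after_utc exists in cryptography >= 42; older versions give naive UTC
    not_after = getattr(cert, "not_valid_after_utc", None) \
        or cert.not_valid_after.replace(tzinfo=dt.timezone.utc)
    days_left = (not_after - now).days
    sig = cert.signature_hash_algorithm
    flags = []
    if days_left < 0:
        flags.append("expired")
    elif days_left <= EXPIRY_WARN_DAYS:
        flags.append("expiring")
    if weak_key:
        flags.append("weak-key")
    if sig is not None and sig.name in ("md5", "sha1"):
        flags.append("weak-signature")
    return {
        "where": where,
        "subject": cert.subject.rfc4514_string(),
        "issuer": cert.issuer.rfc4514_string(),
        "not_after": not_after.isoformat(),
        "days_left": days_left,
        "key": key,
        "sig_hash": sig.name if sig is not None else "none",
        "sha256": hashlib.sha256(der).hexdigest(),  # identity of the cert itself
        "flags": flags,
    }


def build_inventory(found, now=None):
    """found: iterable of (where, der_bytes). Returns (records, summary)."""
    now = now or dt.datetime.now(dt.timezone.utc)
    records = [describe(der, where, now) for where, der in found]
    seen = Counter(r["sha256"] for r in records)
    for r in records:
        r["copies"] = seen[r["sha256"]]  # >1: same cert (and key) deployed in several places
    summary = {
        "total": len(records),
        "distinct": len(seen),
        "by_issuer": dict(Counter(r["issuer"] for r in records)),
        "flagged": sorted(r["where"] for r in records if r["flags"]),
    }
    return records, summary


def make_sample_cert(cn, issuer_cn, key_bits, valid_days, start):
    """Constructed self-signed sample certificate; not from any real host."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)])
    cert = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + dt.timedelta(days=valid_days))
            .sign(key, hashes.SHA256()))
    return cert.public_bytes(serialization.Encoding.DER)


SAMPLE_NOW = dt.datetime(2024, 6, 1, tzinfo=dt.timezone.utc)  # fixed clock for the sample


def sample_scan():
    """Stand-in for scanning real hosts with fetch_leaf_der(); hostnames are made up."""
    start = dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)
    shared = make_sample_cert("api.example.test", "Example Internal CA", 2048, 365, start)
    return [
        ("api.example.test:443", shared),
        ("api-dr.example.test:443", shared),  # same cert copied to a DR host: duplicate
        ("legacy.example.test:8443", make_sample_cert("legacy.example.test", "legacy.example.test", 1024, 30, start)),
        ("portal.example.test:443", make_sample_cert("portal.example.test", "Example Internal CA", 2048, 170, start)),
    ]


if __name__ == "__main__":
    records, summary = build_inventory(sample_scan(), now=SAMPLE_NOW)
    for r in records:
        print(f'{r["where"]:26} {r["issuer"]:26} {r["key"]:9} expires {r["not_after"][:10]} copies={r["copies"]} {r["flags"]}')
    print(summary)
```

In the constructed sample, the legacy host surfaces as both expired and weak-keyed, the portal certificate shows as expiring within the warning window, and the two API hosts share one certificate, which the `copies` count exposes as a duplicated private key. Note the caveat in `fetch_leaf_der()`: a scanner that verifies certificates will silently miss exactly the self-signed and expired ones you most need to find.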
Just imagine how many cherries you can add on top of this kind of visibility. With the extensive visibility capabilities enabled by Venafi, you get your cherries and your cake. We do understand, however, that you need to use the visibility capabilities first, to understand your machine identities, before you can take further action.
So we have decided to let you use our platform to gain that visibility: build your inventories, identify your vulnerabilities and know the volume of your machine identities. You will be able to identify where they are and what they are, and take appropriate action when required.
You will know what your exposure is, and once you know that, you can act. Armed with that information, you can build a strategy based on quantified risk assessments and then decide to govern, control and automate this world: the cherries.
We'll be there for the cherries, but let's start with the cake.
In my next blog, I will tell you how to bake the cake. If visibility is the cake, intelligence is the baking. And all of this needs to happen before you apply the cherries of automation and governance. I’m French and I like patisserie. I know that a badly made cake will never be any good, no matter how good the cherries are. And everybody wants to eat a good cake with good cherries.
So we’re not yet at the cherry level, but with good baking, you will have a great cake worth putting cherries on.