How important do you think identity is? If you’re a country, identity is pretty important. It is the foundation of what it means to enable citizenship, and whether it be a passport, social security number or license plate, you have all manner of ‘identifiers’ to prove your identity and citizenship.
But what about your internet identity? This is a bit more complicated, as your identity is created and managed not only by you but also by a vast variety of online vendors and social media companies. You might, for example, have an email address, a bank account, a username and a profile page.
In both cases, we are applying ‘human identities’ to solve a problem, and that problem is one of trust. Identity is a foundation of trust, and therefore a foundation of security. “Can I trust that this person is who they say they are before I interact with them via this WhatsApp profile?”
By this point, human identities are a relatively well-understood domain, but if we go one step further, how can I trust the machines that are associated with my data? When you think about it, you begin to understand that your personal identity, your messages, your images, and increasingly your life are stored somewhere in a datacenter on a computer controlled by someone else.
Which country is that machine in? Who has access to it? How is it secured? How is it being used for AI? Even if it’s data sitting on your phone, how do you make sure that someone else doesn’t have access?
These can be troubling thoughts, especially for someone like myself who has been on the wrong end of identity fraud. The deeper you think about this, the more you realize the protection of these machines becomes a critical part of protecting your human identity, and we need to seriously consider how to entrust our increasingly valuable data by safeguarding those machines.
In the past, companies thought about protecting machines by building ‘a wall’ around them, often a firewall. But as the internet has produced connected devices that talk to each other across the globe in a variety of formats, you can no longer think about ‘siloing’ your machines and protecting them by putting them all in one place. You have to get used to them being connected at all times, in any place, over all manner of technologies. On top of this, identity was typically only distributed to workloads, as a digital certificate, on a "needs must" basis - say, for a server workload that has been configured to insist that clients encrypt all traffic to it. Because encryption was only ever an occasional need, we are left in a situation where we don’t have encryption everywhere between every machine.
So what the heck do we do about it?
This is where the implementation of a good machine identity management strategy comes in. Thanks to the work we’ve done with cert-manager and the control plane that Venafi has built, we have come a long way over the last 10 years on our mission to enable this.
But given some big movements in the cloud native ecosystem, we’re reaching a watershed moment in our mission to build out the next level of trust in our machines. Thanks to the development of new types of machine identities (also referred to as workload identities), we now have more fine-grained and consistent identities that provide deeper levels of trust for workloads.
Imagine if every single machine in the world could carry its own ‘passport’. This would enable every machine to only interact with other machines once they’ve seen the other's passport and checked that it comes from a place that is trusted, and that the other machine has the appropriate authorization (e.g. holds the correct visa).
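As an added example (not code from this post, nor from cert-manager or Venafi), here is that passport check in Go using only the standard library: a constructed trust-domain CA issues an X.509 certificate carrying a SPIFFE ID as a URI SAN, and the receiving workload first verifies the chain against its trust bundle (is the passport from a place we trust?) and then checks the ID against its own allow-list (does the holder have the right visa?). The trust domain example.org and the SPIFFE IDs are assumed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// issue builds an in-memory trust-domain CA and signs a leaf certificate whose URI SAN is the SPIFFE ID (constructed example, key-generation errors ignored for brevity).
func issue(spiffeID string) (*x509.Certificate, *x509.Certificate, error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.org trust domain CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil { return nil, nil, err }
	ca, _ := x509.ParseCertificate(caDER)
	id, err := url.Parse(spiffeID)
	if err != nil { return nil, nil, err }
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "workload"},
		URIs: []*url.URL{id}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil { return nil, nil, err }
	leaf, err := x509.ParseCertificate(leafDER)
	return ca, leaf, err
}

// admit is the "passport check": the peer certificate must chain to the trust
// bundle, and its single SPIFFE ID must be on this workload's allow-list.
func admit(peer *x509.Certificate, bundle *x509.CertPool, allowed map[string]bool) bool {
	opts := x509.VerifyOptions{Roots: bundle, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := peer.Verify(opts); err != nil { return false } // untrusted issuer or expired
	if len(peer.URIs) != 1 { return false }                   // an SVID carries exactly one SPIFFE ID
	return allowed[peer.URIs[0].String()]
}

func main() {
	ca, leaf, _ := issue("spiffe://example.org/ns/prod/sa/payments")
	bundle := x509.NewCertPool(); bundle.AddCert(ca)
	fmt.Println(admit(leaf, bundle, map[string]bool{"spiffe://example.org/ns/prod/sa/payments": true}))
}
```

In a real deployment the trust bundle and the short-lived certificates come from the identity infrastructure (for example cert-manager or a SPIFFE implementation), and the check runs inside the mTLS handshake rather than on a parsed certificate.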
This has some pretty unique benefits, including better developer experience, more trust of your machines, and possibly even the death of everyone’s least favorite thing - passwords! We’re fast approaching a place that makes this possible.
If machines can learn, what else can they do? Before we explore that, let’s start by giving them a passport and using the trust that comes with it to help protect our more fleshy human selves.
If you want to learn more, sign up for the Machine Identity Management Summit 2023, where we will have talks from:
- Can SPIFFE Help You Solve ‘Secret Zero’?, Mattias Gees, Director of Tech at Venafi
- Tales from the Field: Implementing Zero Trust Architecture at Fortune 500 Companies, Varun Talwar, Co-Founder of Tetrate and Co-Creator of Istio and gRPC
- Whodunnit: The Role of Machine Identity in Supply Chain Security, Dan Lorenc, Co-founder and CEO of Chainguard
- Effortless Mutual Authentication with Cilium, Liz Rice, Chief Open Source Officer at Isovalent