One of the top reasons why security professionals come to Venafi is because their organization is plagued by outages on systems, applications and/or infrastructure caused by TLS machine identities that expire or are misconfigured. These outages can be incredibly disruptive, resulting in lost revenue, misallocation of resources, negative brand impact, poor team morale, and more.
When we talk about what's required to stop outages, much of the conversation is about getting real-time visibility into where TLS machine identities are in use in your organization, getting intelligence about them (such as when they are going to expire) and then automating management of them. In this blog, I want to drill in on the third component – automation – to highlight why it’s important and how automation will help you stop outages in your organization.
Why do outages keep happening?
You’d think that with TLS machine identities, and their predecessor SSL certificates, having been around for the better part of 30 years, we’d have had ample time to figure out how to keep them from expiring and causing outages. However, many forces are still at work that make managing TLS machine identities challenging, and for each of them there are ways automation can help.
- TLS machine identities are a shared responsibility and it’s not always clear who’s responsible for what. Most organizations have a small team responsible for machine identities (sometimes called certificate services or PKI teams) but much larger teams responsible for all the systems, applications and devices where TLS machine identities are deployed. For organizations managing TLS machine identities manually, it’s challenging for small machine identity teams to work with hundreds or thousands of system owners.
- System, application and infrastructure owners are constantly changing positions. Without some level of automation, it’s hard to keep track of all the places certificates are used and who’s responsible for them. Automation forces staff to record where certificates are installed, in code or in central repositories, so you always know where certificates are installed.
- TLS machine identity growth is exponential. A key finding in a recent survey of 1,000 CIOs worldwide is that the average number of machine identities on enterprise networks will triple by 2024. Organizations with more than 10,000 employees are estimated to grow from an average of 320,000 machine identities in 2022 to around 1 million by 2024. Automation is critical to keep up with that volume, as well as the velocity at which machine identities are needed in modern cloud and DevOps environments.
- TLS machine identity lifespans are getting shorter. TLS machine identities used to have a lifespan of 2 or 3 years; more recently that has been reduced to just over 1 year. More frequent renewals mean more work if done manually, and a higher risk of missed renewals that result in outages.
Three prime candidates for TLS machine identity automation are:
- Keeping an accurate inventory of all deployed TLS machine identities. There are hidden or unknown TLS machine identities in most organizations. Maybe a developer is using Let's Encrypt because it’s faster than asking the machine identity team. Or maybe there are private certificates on the internal network that were deployed and then forgotten when a system owner moved on. Automating discovery of machine identities gives you the complete and accurate inventory you need to manage every certificate and ensure no outage happens because of an expiration.
- Enabling self-service for machine identity owners. You can streamline ownership and pre-empt potential problems with an automated, technology-based service that gives individual machine identity owners a frictionless way to manage their own machine identities. It’s the best way to ensure they’re using machine identities that are visible to machine identity services teams and adhere to all corporate policies. This service should let machine identity owners perform most tasks pertaining to the TLS machine identity lifecycle without having to depend on the actions of others.
- Eliminating manual machine identity related tasks. The obvious candidates for automation are enrollment, installation, monitoring and replacement of TLS machine identities. When it comes to stopping outages, automation also ensures TLS machine identities are renewed before they expire and cause an outage. Automating these tasks has the additional benefit of being more efficient and less error-prone than performing them manually.
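To make the inventory and expiry-monitoring items above concrete, here is an added stdlib-only Python example (not Venafi's code and not part of the original post) that collects leaf certificates in the shape Python's ssl.getpeercert() returns, builds an inventory row per endpoint, and ranks everything by days to expiry against a renewal window. The hostnames, issuer names and dates are constructed sample data.

```python
import socket
import ssl
from datetime import datetime, timezone

# With lifespans now just over a year, flag anything expiring inside this window
RENEWAL_WINDOW_DAYS = 30

def fetch_cert(host, port=443, timeout=5.0):
    """Live discovery of one endpoint: the leaf cert in the dict form ssl.getpeercert() returns."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def days_until_expiry(cert, now=None):
    """Days until notAfter; the stdlib parses the 'Mon DD HH:MM:SS YYYY GMT' string for us."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now_ts = (now or datetime.now(timezone.utc)).timestamp()
    return (expires - now_ts) / 86400

def _flatten(rdn_seq):
    # getpeercert() nests names as ((('commonName', 'x'),), ...); make that a flat dict
    return {k: v for rdn in rdn_seq for k, v in rdn}

def inventory_record(endpoint, cert, now=None):
    """One inventory row: the name, who issued it, and how urgent renewal is."""
    subject, issuer = _flatten(cert.get("subject", ())), _flatten(cert.get("issuer", ()))
    days = days_until_expiry(cert, now)
    status = "EXPIRED" if days < 0 else "RENEW" if days <= RENEWAL_WINDOW_DAYS else "OK"
    return {"endpoint": endpoint, "common_name": subject.get("commonName", ""),
            "issuer": issuer.get("organizationName", ""), "days_left": round(days, 1),
            "sans": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"], "status": status}

def build_inventory(observed, now=None):
    """observed: iterable of (endpoint, cert_dict). Soonest expiry first, so outages surface on top."""
    return sorted((inventory_record(e, c, now) for e, c in observed), key=lambda r: r["days_left"])

def sample_cert(cn, issuer_org, not_after, *extra_sans):
    """Constructed test data in getpeercert() shape; not a real certificate."""
    return {"subject": ((("commonName", cn),),), "issuer": ((("organizationName", issuer_org),),),
            "subjectAltName": tuple(("DNS", n) for n in (cn,) + extra_sans), "notAfter": not_after}

# Constructed sample inventory: a forgotten internal cert, one due for renewal, one healthy
SAMPLE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE_OBSERVED = [
    ("legacy.internal.example:8443", sample_cert("legacy.internal.example", "Example Corp Internal CA", "Feb 10 12:00:00 2024 GMT")),
    ("app.internal.example:443", sample_cert("app.internal.example", "Example Corp Internal CA", "Mar 15 12:00:00 2024 GMT")),
    ("www.example.org:443", sample_cert("www.example.org", "Let's Encrypt", "May 20 12:00:00 2024 GMT", "example.org")),
]
```

Calling build_inventory(SAMPLE_OBSERVED, SAMPLE_NOW) returns the expired internal certificate first, then the one inside the 30-day window, then the healthy one; for real discovery, feed it (endpoint, fetch_cert(host, port)) pairs for the hosts you own.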
The value of stopping outages
The value of stopping outages caused by expired TLS machine identities is significant. Really. Any outage is costly. According to Gartner, the average cost of IT downtime is $5,600 per minute. If the outage enables a breach, the cost can get even higher.
If you want to learn more about stopping or preventing outages, we’ve collected some best practices and materials to help you get started. And if you’d like to see for yourself how to automate discovery, self-service and machine identity management, sign up for a free 30-day trial of our TLS Protect Cloud solution today.