Management Mayhem, Part 1: How Many Machine Identities Do You Need to Protect?

To help CIOs realize the scope of their challenge in managing machine identities, I like to ask them three questions:

1. How many machine identities do you have in your organisation?
2. Are you 100% sure they are all compliant to policy, have the right business owners and are not copied to unknown locations?
3. Do you know where they are all located and who’s using them?

The answers to these questions are quite telling. Most CIOs do not realize the extent of their exposure and what a Herculean task they are faced with in managing the mayhem of the challenge once they understand the full scope.

Usually, CIOs are only aware of a subset of their full certificate inventory. They defer to statistics on how many certificates they have paid for. And more savvy CIOs will also include the number of certificates that have been issued by their internal Microsoft Certificate Authority (CA). But they are almost always unaware of certificates that may have been issued by unauthorized CAs in siloed business units. Many have a low to medium confidence about whether their certificates comply to policies and best practices. And most have no confidence in where all their certificates reside.

If CIOs are confident they have accurate information about their machine identities, I ask them if they have had any outages, near misses or certificate expirations in past 12 months. That’s when the cloud usually forms over their faces. In fact, to date, only once has anyone ever answered no.

At this point, I like to take CIOs on a journey through their environment and help them start to think about how many machine identities they really have. They already know about the usual suspects like VPN, SFTP, BYOD, servers and network devices, even if they are not confident about exactly how many they have. But most do not realize that these machine identities are just the tip of the iceberg.

When I introduce the concept of identifiers for Cloud, DevOps environments including identities for containers and microservices, algorithms and code signing CIOs eyes often widen a bit. Then I ask them about industry-specific devices such as point of sale (POS) terminals, and other direct income streams such as auto billing systems. That’s when they really start paying attention.

I explain that every single one of these identities, has (or should have) a certificate attached as an identifier, or what we call machine identities.

CIOs rarely consider all the “hidden” yet very dangerous identities that may have privileged or even unlimited access to other intelligent machine identities that are encrypted in the dark. I remind them that their intelligent domestic devices such as refrigerators, and vending machines are active, along with printers and seemingly innocuous devices that employees bring in like Alexa or sound systems. All of these machines are busy working away in the background, performing tasks even whilst the humans are not working. Using quiet periods on the environment these machines perform routine and scheduled tasks.

This is the point where CIOs begin to realize that they will need help in managing this very large number of non-human identities that have intelligence and access. As qualified and dedicated as they are, their PKI teams simply cannot (and do not) have the ability or capacity to manually control this environment, or even manage a number of subordinate systems creating air gaps.

A global platform for machine identity protection will give CIOs the intelligence they need to tame their machine identities and safeguard machine-to-machine communications.

How much intelligence do you have about your machine identities?

Related posts

• Would You Know If Attackers Are Hiding on Your Network?
• 4 Misconceptions about PKI that Deserve to be Debunked
• Will the Rise of DevOps Lead to a Decline in Machine Identity Protection?
• 5 Ways You Can Protect Machine Identities in 2018

Terrie Anderson

One of the questions I am commonly asked by CIOs is why they need to spend money on a platform that will help them manage their machine identities. More often than not, they believe that their PKI team, whose primary task is to manage the lifecycle of certificates, is already doing everything necessary to safeguard keys and certificates for their organizations. Indeed, PKI teams are often the unsung heroes of security. But they are only humans, faced with a super-human challenge.