About 30 years back, I was watching a movie that said there would be a time when the number of machines would be greater than the number of humans. At that time, I thought it would not happen in my lifetime. But time proved me wrong.
A machine in this discussion can be a computing device such as a computer, a server, a laptop or a phone, or an operational technology device such as a smart meter, a smart TV or another smart appliance: any device that communicates with other devices.
Today most people have a laptop and a phone, and many also have smart watches, smart homes, smart TVs and smart home appliances. The number of machines has therefore exceeded the number of humans, and it continues to grow rapidly with each passing day.
Before we go into the details of machine identity management, we need to understand what these machine identities are.
Machine identities come in several forms. An identity may be as simple as a serial number printed on the device. For communication, however, machines are identified by digital certificates. A certificate binds a public key to the machine's name, so a peer can authenticate the machine, and the matching private key is used to establish the encrypted session between the two devices.
In this post we focus on the identities used for communication between devices. These are typically digital certificates, issued by a certificate authority (CA) and built on public key cryptography: the machine holds a private key and the certificate carries the corresponding public key.
Machine Identity Management
Keys and certificates only secure communication if they are managed well. They must be kept in line with current security standards (key sizes, signature algorithms, validity periods) so that weak or compromised credentials do not lead to a data breach, and they must be renewed well before their expiry dates so that the applications depending on them do not suffer a sudden outage. Modern teams work under heavy demand for business agility and fast response, yet they have to balance that speed against security operations. To do so they need to move away from manual processes and point products and adopt comprehensive, centralized automation.
Elements of Comprehensive Next-Gen Machine Identity Platform
For a machine identity platform to be called comprehensive and next-gen, it has to meet the expectations summarized in Figure 1.
To be comprehensive, the platform should cover every function in which digital certificates are involved: server certificates, client certificates, code signing certificates, IoT device certificates and SSH certificates. Functionally, it should support discovery of certificates, creation of an inventory, analytics, lifecycle management of existing certificates and issuance of new ones.
Another essential aspect of such a platform is end-to-end automation. Automation is complete only when the platform has native integrations with every component involved in the lifecycle of each certificate type:
- For enrolling certificates, the platform needs to integrate with the major public and private certificate authority (CA) services.
- For storing keys and other sensitive data, it needs to integrate with a hardware security module (HSM) or key management service (KMS).
- For discovering and provisioning certificates on network devices such as load balancers and firewalls, and on web and application servers such as NGINX and WebLogic, it needs to integrate with the major vendor products in the market.
- For discovery and provisioning in cloud and container environments, it should integrate with the popular cloud platforms (AWS, Azure, Google Cloud and others) and with container orchestrators such as Kubernetes.
- For managing the certificates of enterprise mobile devices and IoT devices, it should integrate with enterprise mobility management (EMM) and mobile device management (MDM) products.
Integrations are the building blocks of automation. Operations become simpler when dedicated workflows are created for common tasks and their trigger points are exposed through landing pages tailored to each user role. Combined with single sign-on and the associated policies, these workflows and landing pages let certificate distribution be decentralized yet controlled: users see only the functions they are authorized for, the underlying complexity stays hidden, and they complete their certificate operations with minimal input while the platform and its administrators automate everything else.
A comprehensive platform cannot be called next-gen unless it can be deployed anywhere, is secure, scales with load and heals itself for high availability without demanding additional resources. Running as microservices on a hardened Linux base in a Kubernetes environment is one common way to obtain these properties.
Before and After Scenarios
The first scenario is a typical IT organization. It has load balancers, firewalls and other applications in its network, each managed by a separate team. Every team chooses its own CA and enrolls certificates from it, so the Public Key Infrastructure (PKI) processes are fragmented and not centrally managed. The whole process is manual and demands considerable effort from team members.
With a comprehensive platform in place, every certificate request flows through the central platform and is checked against the corporate PKI policy. The certificates may still come from several CAs, but there is now clear visibility of security standards, expiry dates, deployment locations and costs, which the manual process lacks. End-to-end automation also simplifies operations and makes teams efficient and agile.
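The following is an added example, not code from the original post or from any vendor's product, of what the policy check described above looks like when written down. It builds a small, constructed inventory that mirrors the fragmented "before" estate (an approved corporate CA, a team-run shadow CA and four device certificates with invented hostnames) and evaluates each certificate against an assumed corporate policy covering approved issuers, maximum validity period, minimum RSA key size and the renewal window ahead of expiry that the management section earlier calls for. The CA names, hostnames and policy thresholds are all assumptions for this example; only Go's standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy is a constructed stand-in for the "corporate PKI policy" in the post; the thresholds are assumptions.
type Policy struct {
	AllowedIssuers map[string]bool // CAs the enterprise has approved
	MaxValidity    time.Duration   // longest permitted NotBefore..NotAfter span
	MinRSABits     int             // smallest acceptable RSA modulus
	RenewBefore    time.Duration   // how far ahead of expiry renewal is triggered
}

// Evaluate checks every certificate against the policy as of now; violations are keyed by subject CN.
func Evaluate(p Policy, certs []*x509.Certificate, now time.Time) map[string][]string {
	out := map[string][]string{}
	for _, c := range certs {
		var issues []string
		if !p.AllowedIssuers[c.Issuer.CommonName] {
			issues = append(issues, "issuer not approved: "+c.Issuer.CommonName)
		}
		if span := c.NotAfter.Sub(c.NotBefore); span > p.MaxValidity {
			issues = append(issues, fmt.Sprintf("validity of %d days exceeds policy", int(span.Hours()/24)))
		}
		if left := c.NotAfter.Sub(now); left <= 0 {
			issues = append(issues, "expired")
		} else if left < p.RenewBefore {
			issues = append(issues, fmt.Sprintf("expires in %d days, renew now", int(left.Hours()/24)))
		}
		if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < p.MinRSABits {
			issues = append(issues, fmt.Sprintf("RSA key of %d bits below minimum", k.N.BitLen()))
		}
		if len(issues) > 0 {
			out[c.Subject.CommonName] = issues
		}
	}
	return out
}

// mustIssue signs a certificate for pub with signer (self-signed CA when parent is nil); panics since it only builds sample data.
func mustIssue(serial int64, cn string, nb, na time.Time, parent *x509.Certificate, pub, signer any) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: nb, NotAfter: na, KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

var Now = time.Date(2025, 1, 15, 12, 0, 0, 0, time.UTC) // pinned for reproducible findings; a real scan uses time.Now()

// CorporatePolicy: one approved internal CA, 398-day maximum validity, RSA of at least 2048 bits, renew 30 days out.
var CorporatePolicy = Policy{
	AllowedIssuers: map[string]bool{"Corp Internal CA": true},
	MaxValidity:    398 * 24 * time.Hour,
	MinRSABits:     2048,
	RenewBefore:    30 * 24 * time.Hour,
}

// BuildInventory fabricates the fragmented "before" estate: one approved CA, one shadow CA, four device certificates (all names invented).
func BuildInventory(now time.Time) []*x509.Certificate {
	day := 24 * time.Hour
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	shadowKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // shared by the ECDSA leaves for brevity
	weakKey, _ := rsa.GenerateKey(rand.Reader, 1024)               // deliberately below the 2048-bit minimum
	corpCA := mustIssue(1, "Corp Internal CA", now.Add(-2*365*day), now.Add(5*365*day), nil, &caKey.PublicKey, caKey)
	shadowCA := mustIssue(2, "Team Shadow CA", now.Add(-365*day), now.Add(5*365*day), nil, &shadowKey.PublicKey, shadowKey)
	return []*x509.Certificate{
		mustIssue(10, "api.example.internal", now.Add(-165*day), now.Add(200*day), corpCA, &leafKey.PublicKey, caKey),      // compliant
		mustIssue(11, "lb.example.internal", now.Add(-355*day), now.Add(10*day), corpCA, &leafKey.PublicKey, caKey),        // inside renewal window
		mustIssue(12, "fw.example.internal", now.Add(-100*day), now.Add(995*day), shadowCA, &leafKey.PublicKey, shadowKey), // shadow CA, 3-year validity
		mustIssue(13, "legacy.example.internal", now.Add(-30*day), now.Add(335*day), corpCA, &weakKey.PublicKey, caKey),    // 1024-bit RSA key
	}
}

func main() {
	fmt.Println(Evaluate(CorporatePolicy, BuildInventory(Now), Now))
}
```

Run with `go run`; only the three certificates that need action are reported, each with every rule it violates, while the compliant one is silent. In a real deployment the inventory would come from discovery (scanning listeners, load balancers and key stores) rather than generated data, and the findings would feed the alerts and renewal workflows the post describes.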
Next, we look at a typical IoT scenario, where the situation is similar. The manufacturing line, the device management systems (MDMs/EMMs) and the more capable devices that can enroll their own certificates typically connect to different CAs. Automation exists thanks to auto-enrollment protocols such as SCEP or EST, but central policy and control are missing.
Again, with a centralized platform in place, all certificate requests flow through the platform, so the enterprise can govern them by policy. The platform also provides visibility, analytics and alerts about certificate security issues and upcoming expiry, reducing the risk of both breaches and outages.
A comprehensive next-gen machine identity platform helps enterprises from both a security and an operations point of view. Manual methods and point products fall far short of a centralized platform when it comes to governance and agility.
Visibility of all PKI information in one place is the cornerstone of protection and simplification. It lets organizations take corrective action ahead of time to avoid a security breach or an outage, while integrations, workflow automation and granular control enable self-service and agility.
When security is coupled with simplicity, organizations tend to have a holistic security approach and security implementations become more than just compliance checkmarks.