Securing PKI and Machine Identities in the Modern Enterprise – Security Boulevard


When attempting to manage and secure company identities and credentials, you may think predominantly in terms of people and their roles within an organization. How do we make sure that Janet from Quality Assurance has the credentials to access the needed assets, and how do we make sure that no one else can access those credentials?

But human identities are only one piece of the security puzzle. While employees, partners, vendors, customers, and consultants might be some of the most crucial sources of security vulnerabilities in your organization, the volume of machine identities is increasing, creating additional points of entry for hackers and malware.

The 2022 State of Machine Identity Report from the Ponemon Institute (from which we get the statistics below unless otherwise noted) reveals the latest data on just how complex machine identity management can be.

Machine identities are the digital keys, secrets, and certificates that establish the validity of digital transactions. They include X.509 certificates, SSH and encryption keys, and code signing certificates for secure communication between servers and VMs, workstations, scripts and bots, applications, services, etc.

With the adoption of remote work, cloud-based services, IoT, and Zero Trust initiatives, the number and importance of public keys and certificates being used by organizations is increasing rapidly. The days of one or two CAs behind the four walls of the data center are behind us, and managing machine identities should be at the forefront of your security posture. In the Gartner Hype Cycle for IAM report in 2021, Gartner Managing VP Tricia Phillips said:

"Digital transformation has led to an explosion in the number of machines such as workloads, code, applications, and containers that need to identify themselves and communicate."

Some of the most common elements of PKI include:

Making sure machine identities are protected is becoming a costly and time-consuming task. The majority of organizations say that the growing use of keys and certificates has significantly increased the operational burden on their IT teams and that they're concerned about the increased workload and risk of outages due to shorter TLS cert lifespans.

Additionally, over half of the organizations polled say their organization doesn't even know exactly how many keys and certificates they have.

If neglected, machine identities can create huge gaps in your security, as any vulnerabilities can enable a threat actor to move laterally from one system into others on the network.

In the last two years, over 95 percent of organizations have experienced all three of the following PKI-related issues:*

Because they can bring operations to a halt, certificate outages tend to receive the most focus. Nearly 40 percent of outages take over four hours to identify and remediate, which can be costly and damaging to a company's reputation. The Let's Encrypt outage in September 2021, for instance, affected operations at major corporations like Cisco, Palo Alto, Bluecoat, AWS, Auth0, Fortinet, Heroku, and others.

But outages are just the tip of the iceberg, indicating bigger risks below the surface that need to be addressed, including manual processes, wildcard certificates, weak cryptography, and misconfigured or exposed CAs.

"The number of machines (workloads and devices) now outnumbers humans by an order of magnitude, and organizations must establish tooling and processes to control those identities." (Gartner: Managing Machine Identities, Secrets, Keys and Certificates, Erik Wahlstrom, 16 March 2022)

If you don't feel like you have a good grasp of how to secure your public key infrastructure, you're not alone:

Additionally, about 40 percent of organizations have only a limited PKI strategy for specific applications or use cases, and 16 percent don't have any strategy at all.

You have to know what certificates you're using to effectively secure them. Discovering and creating an inventory of your certs and CAs will give you an overview of which ones have the highest priority.
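As an added illustration (not code from Keyfactor or the report), the sketch below ranks an inventory by the risks this article names: expiry-driven outages, weak cryptography, wildcard certificates, and missing ownership. It assumes certificate metadata has already been extracted by a scanner or CA export; the record fields, thresholds, severity scores, and sample entries are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Policy thresholds: assumptions for this example, tune to your own policy.
EXPIRY_WARN = timedelta(days=30)
MIN_RSA_BITS = 2048
MIN_EC_BITS = 256
WEAK_SIG_HASHES = ("md5", "sha1")


@dataclass
class CertRecord:
    location: str        # host:port or keystore path where the cert was found
    subject_cn: str
    sans: tuple          # DNS names from the subjectAltName extension
    issuer: str          # issuing CA, so the inventory also maps CAs in use
    not_after: datetime
    key_type: str        # "RSA" or "EC"
    key_bits: int
    sig_alg: str         # e.g. "sha256WithRSAEncryption"
    owner: str = ""      # responsible team; empty means nobody has claimed it


def findings(cert, now):
    """Return (severity, label) pairs for one certificate."""
    out = []
    remaining = cert.not_after - now
    if remaining <= timedelta(0):
        out.append((100, "EXPIRED"))
    elif remaining <= EXPIRY_WARN:
        out.append((60, f"EXPIRES_IN_{remaining.days}_DAYS"))
    floor = MIN_RSA_BITS if cert.key_type == "RSA" else MIN_EC_BITS
    if cert.key_bits < floor:
        out.append((50, "WEAK_KEY"))
    if any(h in cert.sig_alg.lower() for h in WEAK_SIG_HASHES):
        out.append((50, "WEAK_SIGNATURE"))
    if any(name.startswith("*.") for name in (cert.subject_cn, *cert.sans)):
        out.append((30, "WILDCARD"))
    if not cert.owner:
        out.append((20, "NO_OWNER"))
    return out


def prioritize(inventory, now):
    """Rank certificates by summed severity, highest first; drop clean ones."""
    ranked = []
    for cert in inventory:
        found = findings(cert, now)
        if found:
            score = sum(sev for sev, _ in found)
            ranked.append((score, cert.location, [label for _, label in found]))
    return sorted(ranked, key=lambda r: (-r[0], r[1]))


# Constructed sample inventory (not real hosts or certificates).
NOW = datetime(2022, 6, 1, tzinfo=timezone.utc)
CA = "Example Issuing CA"
SAMPLE = [
    CertRecord("web01.example.test:443", "*.example.test", ("*.example.test",),
               CA, NOW + timedelta(days=200), "RSA", 2048,
               "sha256WithRSAEncryption", "web-team"),
    CertRecord("legacy.example.test:8443", "legacy.example.test", (),
               CA, NOW - timedelta(days=3), "RSA", 1024, "sha1WithRSAEncryption"),
    CertRecord("api.example.test:443", "api.example.test", ("api.example.test",),
               CA, NOW + timedelta(days=12, hours=5), "EC", 256,
               "ecdsa-with-SHA256", "platform"),
    CertRecord("build.example.test:443", "build.example.test", (),
               CA, NOW + timedelta(days=365), "RSA", 4096,
               "sha256WithRSAEncryption", "ci"),
]

if __name__ == "__main__":
    for score, location, labels in prioritize(SAMPLE, NOW):
        print(f"{score:>4}  {location:<26} {', '.join(labels)}")
```
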

Create a cross-functional working group to establish ownership for tools, processes, and strategy and to provide oversight and bridge gaps between business units. Then define machine identities for your organization, identify use cases for your PKI and machine IDs, and analyze your existing identity fabric or toolset.

The more identities and sources of information you have, the more possibility for mistakes and/or vulnerabilities. Once you have a good handle on what PKI management tools are at your disposal, pare them down. Ask yourself questions like:

You need to define policies and best practices for your public key infrastructure.

Most security teams spend at least 50% of their time on maintenance and operational tasks. The key is to automate, automate, automate. Automation decreases risks related to human error and misconfiguration and ensures that you can scale with new demands. Additionally, automation enables integration with existing DevOps and cloud workflows.

Security threats adapt quickly to security controls, so you have to be ready to adapt just as fast. To maintain operations and prevent incidents related to PKI, you need to constantly educate yourself and maintain a crypto-agile security posture:

Check out the 2022 State Machine Identity Management report to stay informed of the latest cybersecurity data and analysis. With an in-depth analysis of the threat landscape for PKI and machine IDs at your disposal, you can make informed decisions about what security measures to put in place to keep your organization safe and operating at full capacity.

You can also watch our webinar on demand for additional insights from Keyfactor leaders: The State of PKI and Machine Identity Management

