Introducing the Control Plane for Machine Identity Management

The emerging security foundation for digitally transforming organizations

Jeff Hudson
8 min read · Jun 16, 2022

By Jeff Hudson, CEO, Venafi

When we first coined the phrase “machine identity management,” a new cybersecurity category was born. The fact that there are two kinds of actors on a network, people and machines, had come into sharp focus for the pioneers in securing digital transformations. People use usernames, passwords, and biometrics to identify themselves to machines, and machines must then identify themselves to other machines. Machines don’t use usernames and passwords; they use machine identities. Organizations spend over $20 billion in aggregate each year managing human identities and are only beginning to manage machine identities. Identities are the foundation of security: now that the perimeter has all but disappeared, decisions to allow or deny access are identity based, and allowing or denying access is the essence of security.

Software is rapidly eating the world.

Every aspect of human life is influenced and changed by machines, from visiting the doctor, to purchasing online, to accessing bank accounts, to flying on an airplane. We count on a digital world that consists of many millions of machines, and machines are basically software. [1] Machines are like humans in that each one must have a unique identity. [2] Also like humans, machines must be authenticated to be trusted. Once authenticated using its identity, a machine can be authorized to access data or resources. This is the essence of security: allowing access to that which is authorized and blocking access to that which is not.

Identities, whether for humans or machines, cannot be relied upon to allow or deny access unless they are managed. CEOs, boards of directors, CIOs, CTOs, and CISOs do not tolerate a world where the identities of their customers, workforce, or business partners (i.e., human identities) are not secure, because that means identity cannot be counted on to safely allow or deny access. The same is now true for the machine identities that have rapidly become the foundation of the modern business.

Failure to manage machine identities means that businesses fail. Machine identities expire and systems fail. Machine identities are stolen and used in cyberattacks. We have created a world that relies on machines and society is damaged when machine identities fail.

Vision of humans and machines cooperating

Venafi envisions a world where humans and machines work together in harmony to improve the human condition. For this vision to be realized we need to trust machines which means they must be secure. This is only possible if machine identities are managed and protected.

Managing machine identities

Machine identities must be orchestrated across many platforms: data centers, clouds, hybrids, and the edge. There are many machine types and multiple machine identity types. [3] An organizing function is required. There are thousands of examples of attempts at organization at the level of an individual machine or a specific platform. [4] This results in massive duplication of effort, poor orchestration and visibility, fragmented control, highly inconsistent approaches, vulnerabilities, and reduced reliability. We see this play out frequently when major systems are hacked and compromised, and when payment systems fail, because of the absence of an organizing function.

The organizing function for machine identities is machine identity management. There are four fundamental tasks to be performed by machine identity management. They are similar to the tasks in human identity management.

  1. Lifecycle to provision and maintain a machine identity (issue, renew, rotate, and retire it)
  2. Authentication to determine the trustworthiness of a machine identity
  3. Authorization to allow or deny access
  4. Governance to oversee and control machine identities and the tasks above
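To make the four tasks concrete, here is an added example (my own illustration, not Venafi's or cert-manager's code) that takes one workload identity through all four using only the Go standard library. A throwaway in-memory CA issues a short-lived X.509 certificate whose URI SAN carries a SPIFFE ID (lifecycle); the certificate is chain-verified against that CA at a given time (authentication); a policy map keyed on the SPIFFE ID decides which resources the authenticated workload may reach (authorization); and an inventory pass reports every identity that will expire inside the renewal window (governance). The trust domain example.org, the SPIFFE ID spiffe://example.org/ns/payments/sa/api, the resource names payments-db and hr-db, the policy map, and all function names are assumptions invented for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Hypothetical authorization policy keyed by SPIFFE ID (the certificate's URI SAN):
// the certificate proves who the workload is; this map decides what it may reach.
var policy = map[string]map[string]bool{
	"spiffe://example.org/ns/payments/sa/api": {"payments-db": true},
}

// mint generates a P-256 key and a random 128-bit serial, then signs tmpl with parentKey
// (a nil parentKey means self-signed). It returns the parsed certificate and the new key.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)); err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA creates an in-memory issuing CA; in production the CA key lives in an HSM or a managed issuer.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return mint(&x509.Certificate{
		Subject: pkix.Name{CommonName: "example.org workload CA"}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

// issueLeaf is the lifecycle task: mint a short-lived certificate carrying the workload's SPIFFE ID.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, spiffeID string, ttl time.Duration) (*x509.Certificate, error) {
	uri, err := url.Parse(spiffeID)
	if err != nil {
		return nil, err
	}
	leaf, _, err := mint(&x509.Certificate{ // the leaf key is discarded here; a real agent keeps it only in memory
		Subject: pkix.Name{CommonName: uri.Host}, URIs: []*url.URL{uri},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
	return leaf, err
}

// authenticate is the authentication task: does the certificate chain to our CA, and is it valid at time at?
func authenticate(leaf, ca *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// authorize is the authorization task: an authenticated identity still needs policy to reach a resource.
func authorize(leaf *x509.Certificate, resource string) error {
	if len(leaf.URIs) != 1 || !policy[leaf.URIs[0].String()][resource] {
		return fmt.Errorf("identity %v is not authorized for %s", leaf.URIs, resource)
	}
	return nil
}

// govern is the governance task: inventory every workload identity and return those that expire inside
// the renewal window (SPIFFE ID -> time left), the expiring-certificate outage the article describes.
func govern(certs []*x509.Certificate, now time.Time, renewBefore time.Duration) map[string]time.Duration {
	due := map[string]time.Duration{}
	for _, c := range certs {
		if left := c.NotAfter.Sub(now); left < renewBefore && len(c.URIs) > 0 {
			due[c.URIs[0].String()] = left
		}
	}
	return due
}

func main() {
	ca, caKey, err := newCA()
	if err != nil {
		panic(err)
	}
	leaf, err := issueLeaf(ca, caKey, "spiffe://example.org/ns/payments/sa/api", time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("authenticate now / in 2h:", authenticate(leaf, ca, time.Now()), "/", authenticate(leaf, ca, time.Now().Add(2*time.Hour)))
	fmt.Println("authorize payments-db / hr-db:", authorize(leaf, "payments-db"), "/", authorize(leaf, "hr-db"))
	fmt.Println("governance, 2h renewal window:", govern([]*x509.Certificate{leaf}, time.Now(), 2*time.Hour))
}
```

Running it shows authentication succeeding now and failing two hours later, authorization allowing payments-db and denying hr-db, and governance flagging the one-hour certificate against a two-hour renewal window. The design point the article's argument rests on is visible in the code: authentication (is the certificate genuine and unexpired?) and authorization (is this identity allowed here?) are separate checks, and neither helps if governance lets the certificate expire first.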

A new category was created — Machine Identity Management

We invented the technology and created the category that Gartner now calls machine identity management. We established the Machine Identity Management Development Fund to accelerate the growth of the ecosystem that connects all machines to the machine identity management function. We established a large and growing community of like-minded individuals, companies, and universities to help our society fulfill the vision. Daily, we create tremendous value for our customers.

Measurable value is created

The four categories of measurable value created by customers who implement machine identity management are:

  1. Eliminating outages due to expiring or malfunctioning identities
  2. Reducing the risk of misuse and compromise by attackers who use identities in their attacks
  3. Reducing the massive amounts of human time and effort spent trying to manage machine identities manually
  4. Accelerating development, because developers are freed from the responsibility of managing machine identities

Organizations realize millions of dollars of annual value creation by implementing machine identity management.

The digitally transformed systems that billions of people rely upon to live their everyday lives depend on Venafi.

Complexity is increasing and causing massive problems

From the vantage point of visionary, innovator, category creator, and leader, we are seeing a new level of complexity in managing machine identities as a result of the digital modernization that is occurring. The complexity has extreme negative consequences for speed of development, security, and reliability. We are in the middle of an epochal change from data-center-centric computing to modern cloud-native digital transformation. These two environments are required to work together for successful modernization. The orchestration required, and the complexity it brings, is staggering, and it is driving the emergence of a new approach to reducing the complexity of managing machine identities.

Emergence of a control plane

What has emerged is the need for a control plane for machine identity management. In other disciplines, such as networking, storage, and caching, the approach to managing complexity is to abstract control from the object in question. This allows every entity that relies upon, creates, or modifies the object to use a standard approach for control. A standardized approach (a control plane) avoids the overhead, slower development, inconsistency, and duplicated, wasteful effort that result when many well-intentioned humans build multiple, impossible-to-maintain individual control systems, which in turn reduce speed, reliability, and security.

The control plane for machine identity management executes the specific tasks of machine identity management across the enterprise. Specifically, lifecycle, authentication, authorization, and governance for all machine identities in the organization.

It is a control plane for machine identity management that is connected to all machines and provides the control required for the desired outcomes to be achieved. It provides observability, consistency, reliability, and freedom of choice while simultaneously reducing complexity. It works across clouds, hybrid environments, data centers, and the edge. It is connected to an extensive and vibrant technology ecosystem that is the connective fabric to all machines.

It is distributed by design: it provides entire capabilities directly, distributes them, or delegates them under pattern and policy control. It was designed from the ground up for the highest levels of security.

The capabilities include organizing patterns, intelligence, telemetry, an API for everything, and universal connections. We have designed the control plane to provide these capabilities in support of the machine identity management tasks of lifecycle, authentication, authorization, and governance.

What’s new here?

There was a time when digital transformation happened in data centers; the first applications to appear on the internet in the 90s ran there. With the arrival of the public cloud, digital transformation started to happen on multiple public and private clouds. In the early second decade of this century there were hybrid and multi-cloud versions, and for the most part they were server based, running Linux. As we predicted, a new operating system for the cloud arrived that ran on clouds, not servers. Kubernetes was the first instance of an operating system for the cloud. Applications could run anywhere, and they fragmented from monolithic to microservice based.

This has huge ramifications for machine identities. For the longest time, machine identities were used only to let machines into and out of the perimeter around a data center. Then the scope expanded to multiple data centers, the requirement to orchestrate between multiple platforms arose, and complexity increased significantly. With the wide-scale adoption and deployment of Kubernetes, thousands of microservices are spread over multiple heterogeneous platforms, the perimeter has dissolved, and machine identity has become the foundation of security. Complexity exploded. The complexity of managing machine identities in this newly evolved environment is enormous, and it is this massive rise in complexity that led to the emergence of a new way to manage machine identities: the control plane for machine identity management.

fastsecure

fastsecure is the driving force for organizations that will survive and prosper. In the past, the prevailing wisdom was that there was a tradeoff between speed and security. Developers want to go incredibly fast, and infosec wants to be secure even if it slows down development. It was a teeter-totter or seesaw, where one side goes up as the other goes down: speed goes up, security goes down. All done with the best intentions in the name of governance.

Software is eating the world because speed wins, and software (digital business) is faster than anything else. Go slow and you perish in the new world. At the same time, the apps must be secure and reliable. If you are hacked or crash, you perish in the new world. This means that the winners are those that go fast and are secure at the same time. Developers must go fast and secure their machines while they are creating them. Infosec must provide the intellectual property and expertise to accelerate development while securing it. In one word: fastsecure. Instead of a teeter-totter or seesaw, think of two astronauts sitting side by side, development and security, who blast into space together. The astronauts beat the teeter-totterers (seesawers) every time.

The control plane for machine identity management has emerged to directly power fastsecure. Development does not have to think about controlling machine identities; developers use the control plane, and they are fastsecure. Security is assured because the enterprise-wide control plane for machine identity management is the foundation of security. Security accelerates business via fastsecure.

We have spent the last decade innovating and evolving the machine identity management technology stack and ecosystem. All advancements are the result of the knowledge and experience we uniquely possess from the thousands of journeys we have taken with the world’s largest and most advanced digitally transformed enterprises. The open source project we created and lead, cert-manager, is downloaded millions of times every day. We are clearly the leader in machine identity management for both data-center-centric and modern cloud-native environments. Because of our accomplishments, investments, inventions, and leadership, we are introducing the future: the control plane for machine identity management.

Venafi is developing the Control Plane for Machine Identity Management, which encompasses current and future Venafi modules that can be snapped together to create the appropriate range of functionality and capacity to meet an organization’s machine identity management needs. We invest heavily in research and development, which results in continually expanding functionality to deliver the desired outcomes in a rapidly changing environment. Delivered as a service, in the data center, on the edge, or in a hybrid mix of environments, the Venafi Control Plane for Machine Identity Management is unmatched in reducing complexity, increasing the speed of development, and increasing the security of machine identities, which are the foundation of security in a modern world.

We take our mission seriously. Everyday billions of people on this planet rely on Venafi to manage the identities of the machines that our lives depend on.

Footnotes

[1] Machines are basically software. Hardware is useless without software, and hardware has itself been virtualized into software: virtual machines, containers, clusters, firewalls, hardware security modules, and servers have all been turned into software which, taking it one step further, runs on software (virtualized hardware) rather than on physical hardware. Software takes the action. Software includes APIs, cloud services, applications, containers, operating systems, drivers, connectors, clusters, and functions, to name a few.

[2] For those interested in the philosophical and mathematical basis for identity uniqueness: https://www.darshams.info/generallaw.html

[3] Machine identity types include TLS certificates, SSH certificates and keys, code signing certificates, SPIFFE identities (SVIDs, issued as X.509 certificates or JWTs), API keys, and JWTs, to name a few. There is constant innovation in this field.

[4] Many attempts have been made to manage machine identities from AWS across Azure and GCP. Other attempts delegate to a specific machine the responsibility for organizing machine identities across different machines. These attempts have experienced an extremely high failure rate, including multiple widely reported machine identity failures at cloud providers such as Microsoft Azure and at born-in-the-cloud companies such as LinkedIn.
