Diving into the machine

Researching this topic, I started to get a very serious case of Deja Vu. “Organizations don’t have enough skilled staff to manage their current PKI environment”

“Machine identities are growing at a rate faster than human identities.”

“Some organizations have no clue how many certificates they have”

This sounds very familiar if you’ve been around the identity industry for a while. It’s almost verbatim what we were saying to the business about human identities. Also, I’m seeing very little independent information on this topic. ( As in not by a vendor or a consultant who a vendor pays) This is more an indictment on our industry than anything else, but still a little disheartening.

But let's take a moment to define the problem at hand, shall we?

First things first: What is machine identity?

I found two definitions that, when combined, I think cover it nicely. First up is from our friends at Gartner ( via Entrust)

Machine identity is broken up into two groups:

Ok, so that lets us know what we are dealing with. Non human entities that need to have access to within your organization.

Now I also like this definition from the folks at StrongDM

Machines don’t authenticate as humans do. There is no interactive prompt to enter a password or MFA. Instead, they use credentials that allow them to establish trust with each other and create secure channels of communication. Enter in things like PKI ( Public Key Infrastrucutre), CA ( Certificate Authority), certs ( short for certificates), and the good ole SSH keys. ( Check the Deep Dive section for links to info on all of these things)

Now add to this that machine identities are a lot like rabbits. Once you have two, you basically have 1000. The growth rate for them is insane. This isn’t necessarily a bad thing. The onset of technologies like Kubernetes and architectures like microservices means that we are creating applications at a much faster pace but also creating “machines” ( remember our definitions up top) at just as fast a pace. We’ve embraced tearing down boundaries between data and applications and are by design, building apps that consume and share data at their core. Let’s dive a little deeper into what that means.

Let’s say your company is building a new SaaS app. It’s going to be new latest and greatest technology, everyone will love it and in 5 years you’re all sipping Mai Thai’s in Turks and Caicos. But first you have to build the app. You go with microservices architecture and break the app up into 5 different services.

Each of those services needs to talk to each other and also to the database to retrieve and store data. ( Now this is a very high level view, and there are tons of rabbit holes we can go down about microservice architectures and design, but just stay with me here). Each service has to have an understanding of who is accessing it, and what they want. More importantly, each of these services lives on the network in your organization and utilizes resources. You need to know what it is, and what access it has, and is it the correct access. This is just one simple application; we haven’t even discussed deployment yet. Can you see how quickly this can get out of hand?

Welcome to machine identity management.

Deep Dive

Managing Machine Identity in a Zero-Trust World

State of Machine Identity: Stats, Stats, and more stats

If you’re new to the newsletter you don’t yet know how much I love stats and reports such as this one. I think i was a statistician in another life, but I digress. Some interesting numbers from Keyfactor’s state of Machine Identity report.

Best practices for MIM

Become a paying subscriber of Identity Jedi Newsletter to get access to this post and other subscriber-only content.

Already a paying subscriber? Sign In