Machine identity management – an answer to a growing challenge

Getting your Trinity Audio player ready...

In Part 1 of this article, we sat down with Shivajee Samdarshi, Chief Product Officer at Venafi (an expert in machine identity management) to talk about the rising tide of cloud-native security issues – and potential angles on how to solve them.

While we had Shivajee in the chair, we delved into the delicacy of trying to solve problems that, while they begin in the cloud, also involve the potentially competing interests of different teams of real people.

Solving the problem, not rocking the boat.

THQ:

So when you’re trying to address the increasingly vast number of machine identities companies have to manage, you have to be careful that the solution doesn’t inherently generate human problems between teams, right? You don’t want to cause communication or authority issues while solving machine identity management problems.

SS:

Correct. And again, I’d say automation is the key to achieving the scale of solution this problem demands. I mean, if you’re going to operate at scale, then you have to make sure that you’ve got the automation capabilities and the necessary insights to operate at that scale.

THQ:

Well, you have a solution out there in the field, TLS Protect. Have you had any feedback from teams who’ve used it yet? How confident are you that you’ve got the right approach here?

SS:

Yes, we’ve had lots of good insights, from clients in the travel space, and there are other clients in the finance space for whom it’s working well. We have a number of banks who are using this in the insurance space.

THQ:

Ah – well, if banks are using it, it’s probably a safe bet.

SS:

Now we are in the phase of asking how we scale the solution up and take it to everyone else in our customer base. People are seeing this problem, and they just don’t know how to deal with it. So we are seeing a lot of traction when we say “Well, you can do this.”

Freedom and future-proofing.

THQ:

And you went down a development route where the solution more or less works with anything out there, didn’t you? On the basis of giving your customers freedom of choice – so they don’t have to invest in a whole lot of Other Stuff to make TLS Protect work.

Is that also a future-proofing thing? Nobody has to come back in a couple of years like a Windows update and re-up their subscription.

SS:

Yes, absolutely. Freedom of choice is super important to us anyway, because it’s not our place to make choices about where customers choose to run their applications, whether they’re running Kubernetes in their private cloud environments, or they go to a public cloud, whether they use GCP, or whether they’re running OpenShift. Those are choices that customers are making depending on what best suits their needs.

What we have to make sure of is that whatever choice they make, that our solution works in all of those cases. And of course, the good news is that it does because it’s based on Cert Manager, which is the default for the industry anyway. So our solution’s built on that default, which makes it as easy and intuitive as possible for companies to use the solution, whatever else they’re using, because the solution works in exactly the same across the board.

The value of relationships.

THQ:

Would it be fair to say that you have an advantage on other companies trying to deliver solutions to the machine identity mountain, because of that Cert Manager factor?

SS:

Well, yes, you could say that, but not exactly because of Cert manager. After all, we made Cert Manager open source, so anyone can use it to develop their solutions. Where it’s true is in the fact that no-one’s had more experience with Cert Manager than we have, and we have a strong presence in the machine identity world, so there’s no doubt that, even before customers come to us, they know we understand the landscape. That’s really where our strength is.

And for the InfoSec audience, we’ve built strong relationships with CIOs and with people who are facing these challenges and operating these systems, so it’s a very natural conversation for us to have. A lot of them are telling us that there’s this new world that’s popping up, in which they have very little visibility and control. They don’t understand it, and they want help.

Since we’re one of the originator companies in this space, they know us of old, and trust us to have these conversations with them in mind. And to some extent, there’s an in-built level of trust in the solution we’ve come up with, because of those longstanding relationships.

What’s next?

THQ:

So – we understand the problem of machine identities breeding at an exponential rate, we understand the scale and the growth of the issue as we go more and more towards a cloud-native business world. You have a solution to the machine identity conundrum, and companies are accepting it and adopting it.

What happens next? Are you expecting the problem to substantively go away? Or are you already evolving the idea to meet the next problem coming down the data pipe?

SS:

No, no, no, no, no, not at all. Actually, it’s not going away. It’s not like “We’ve solved it. Let’s go home.” What I’d say is, we have to think about the world from the point of view of the folks who are writing these applications. What’s the challenge for them? For the most part, what they would like to see is a world where an application platform is gives them ultimate flexibility. without limiting them in any way, and without making them do extra work.

We hear this constantly. There’s this misapprehension that people in the development community are “lazy.” That’s not by any means true, but what people mean by “lazy” is that they don’t want to do repetitive tasks, they just want to make it super easy, super simple.

THQ:

That’s the point of advanced technology, isn’t it?

SS:

Should be, yes. So when you have that idea of making things as easy as possible, automation becomes a key part of the challenge. Obviously, these are super smart people, but they want to make sure that things are easy for them, so they can maximize their company’s investment in them by focusing on building applications.

So where we are headed is that the world’s going to look very heterogenous. Multicloud is here to stay. You might hear that a particular organization has signed a big deal to build their next generation application platform in GCP, or AWS, whatever their choice is, but the reality is going to be that it’s going to evolve and change because they might make an acquisition of a massive organization that’s running on AWS. What are they going to tell them, that they have to re-platform everyone and everything?

That’s a fool’s errand. We know that replatforming without actually significantly changing capabilities is a non-starter. So, heterogeneity is going to become important.

That means when applications are built, and when companies think about services, they’re going to be working in a multicloud environment. Kubernetes is going to be the application OS, if you will, but it will be distributed. Applications will be running in a range of clouds.

A firm foundation.

As a developer, I’d say “Make my life easier. I want a service in GCP to talk to another service in AWS, to talk to somebody else, but make the idea of machine identity how they talk to each other, and make it seamless. Take it out of my hair, let the platform deal with it.”

So this notion of machine identity that is going to be cross-platform is the next big vision for us.

Seamless cross-platform machine identities management, without impeding the work that developers do – and making it simple. That’s the next goal.

 

The challenge of managing an increasing number of machine identities across clouds and platforms, without it interrupting everybody’s normal workflow, may be the next goal, but taking the chaos and the panic out of the problem, and making it visible and manageable for InfoSec teams has to be the most logical first step towards achieving that goal.