The machine identity management conundrum

Click the box if you're not a machine identity...
13 February 2023

Machine identities are multiplying like rabbits in the cloud. That takes a new kind of management.


There’s no way you missed this, but we live in a rapidly changing world. In particular, in a metaphor so achingly human as to almost be a religious movement, we’re moving our technological lives from on-site storage and servers and processors to “the cloud” at a prodigious rate. That’s a move that brings tremendous advantages at almost every level of productivity – but it also comes with its own new set of security issues – particularly around machine identity management.

We sat down with Shivajee Samdarshi, Chief Product Officer at Venafi (an expert in machine identity management) to talk about a new generation of cloud-native security issues – and potential angles on how to solve them.

THQ:

What’s the big issue that’s arising as more and more companies go cloud-native?

The shifting world.

SS:

Traditionally, the role of machine identities has been well understood. But over the last 10 or 12 years, the role that security teams play hasn’t changed that much. It’s been based around the classic infrastructure, the platforms that supported applications that drive business – which means the model’s been fairly monolithic. What’s happening now is the IT mainstreaming of Kubernetes, and cloud-native technology. Kubernetes has become kind of mainstream, even in those enterprises that previously had traditional, understandable, monolithic structures, where the security team knew what was what.

So that shift is really the first step in the new challenge for security teams, because they’re still responsible for the security of the enterprise and the operational systems that underpin that – but those operational systems have now moved into a world with which they’re really not super familiar.

THQ:

Familiar job, entirely unfamiliar environment. Like farming, but on Mars?

SS:

Yes. Now, it’s the dev teams that are picking these application platforms that host the next generation applications, and driving their adoption. Well, those platforms include machine identities as a fundamental basis of securing all communication, all interaction, whether it’s what you’d say on the ingress for a cluster, or in the cluster itself. It’s all based on experiment. So, good news for us because it’s all machine identity. Bad news for the InfoSec teams, because they have no clue what’s going on in that world.

Most InfoSec teams are still trying to figure it out. What’s going on? What does that look like? There is no vocabulary to talk to that team.

The world has changed, and there is no visibility into that. And they do need visibility, because ultimately, that’s their responsibility.

Everything everywhere all at once.

THQ:

So this is more or less an “everywhere” problem? Which means it has an “everything” scale?

SS:

Yes, though the adoption and mainstreaming of machine identities across different organizations will happen at different rates. For some of them, it’s already part of what they do and it’s become the standard application platform. It’s like when people talk about digital transformation – that’s not any kind of new concept, it’s been around for 20 years. It just means something different to every different company – so similarly, this is a process of change that will hit different companies at different times and rates.

In this generation, digital transformation tends to be about microservices. It’s about the proliferation of all these services. Clearly, what used to be one service has exploded into ten. And now it’s in the thousands of services – and each of them requires a machine identity to secure its communication. So you can just imagine how it’s exploding.

THQ:

So machine identities are proliferating like rabbits.

SS:

Exactly – good analogy. We have some data on this. We did some research last year, and asked CIOs about the proliferation of machine identities. 100% of around 1000 CIOs said their number of machine identities was increasing. And they’re predicting that in two years, the number will have almost doubled, if not more than that. We’re seeing an average of around 250,000 identities, with some up to half a million. The longer that continues, the more and more management it needs.

THQ:

Definitely like rabbits. Or like unstructured data, come to that. Growing faster than we can naturally handle it. So this is a fundamental problem of scale, just in a cloud environment?

A problem of scale.

SS:

Definitely a fundamental problem of scale. And obviously, the cloud-native world has other challenging characteristics too. It’s ephemeral, it’s coming up, it’s going away. It poses new challenges, which have historically been a bit more static. The lifetimes have been longer, but they are much shorter now. So those are other challenges that may not appear on the surface. But the more you peer into this, the more you understand that the way this world’s going to behave is going to be quite different from the way the existing world has behaved.

THQ:

Is the world ready for it? For the challenges that cloud-native security brings with it?

SS:

Well, it’s coming whether the world is ready for it or not, right? That’s really our job – to get the world ready. The world needs to be more aware of the challenges, so it can deploy evolving solutions to the questions of cloud-native security.

THQ:

So what is the solution, and how does it work?

Building on existing “everywhere” technology.

SS:

If you look at the Kubernetes ecosystem, the CNCF (Cloud Native Computing Foundation) is accepted as part of the architecture. Things have gained traction by community adoption, and they make their way into the CNCF set of products. For us it all starts with Cert Manager – and we’re the original authors of that. Cert Manager is the core component of machine identity management in the CNCF, so it has a familiarity all across the cloud-native business world. It’s the default choice. It’s part of CNCF, so it’s become the de facto way that teams manage identities.

THQ:

Why is that important?

SS:

Because that forms the basis of everything else that we want to do beyond it – and it’s already present, so nobody needs to re-invent the wheel even as the machine identity management workload scales exponentially.

Then we add intelligence on top of that.

People put Cert Manager in their cluster already, so adoption’s not really an issue. How do we make sure that what we build is relevant to what enterprises need?

That’s the phase we are in right now. We know the problem – so how do we give visibility to the InfoSec teams? We came up with TLS Protect for Kubernetes as a way to bring more visibility, consistency and control to InfoSec teams who need to manage this increasing machine identity management challenge in the cloud.

Cert Manager addresses a challenge for platform engineering teams. Now, we are seamlessly connecting it to cloud-based services, where we gather all this data, we aggregate it, we provide visibility, and then we give the security team insights and intelligence. So when they have to vouch for the security posture of their infrastructure, they’re basing their reports on real, reliable data.

Do not bring teams to a grinding halt.

Obviously, for the InfoSec team, the UI (user interface) defines their visualization capabilities, but there is a big second part, which is making sure that you can specify policies centrally for the InfoSec team, and those policies then get automatically translated into clusters.

Now, if all this is done, then the problem does not change. So from the InfoSec perspective, they can go as fast as they want and the team gets all the insights it needs, and has the ability to specify policy. So we are also using this as a way to connect teams that have challenges talking to each other.

THQ:

That’s the danger when bringing solutions to new problems, isn’t it? You can bring a solution that can actually grind everybody to a halt? So then there’s a productivity-sapping period of the teams having to work out how they’ll do this? And who does what, and why.

SS:

Exactly – and at that point, you’re potentially looking at security incidents. In the survey I mentioned, over 50% of CIOs said that they’ve had machine identity-related security incidents. It could lead to an outage, it could lead to a real data breach. So it’s vital to get that stuff right, or you’re just manufacturing problems down the line.


In Part 2 of this article, we’ll investigate the way Venafi in particular is tackling the challenge of a machine identity management boom.