One of the advantages of modern IT services is that they leverage both physical machines (computers and other devices) and virtual machines (e.g., applications, containers and code) to exchange data and execute tasks without human intervention.
That makes it possible to design services that are fast, flexible and reliable. But it also raises an important security question: How do you know whether those machines can be trusted?
That’s a question of identity management. Just as humans use passwords, Personal Identity Verification and Common Access Cards to identify themselves, machines use cryptographic keys and digital certificates to identify themselves during a transaction. Just like passwords, those machine identities can be compromised or left to expire. Agencies need to put in place policies, processes and technology to manage that risk.
“In this digital transformation era where machines create machines, an automated machine identity management program is critical to the delivery, availability and efficiency of any DevSecOps team,” said Eddie Glenn, Senior Product Marketing Manager at Venafi, which provides solutions for protecting machine identities.
Three Areas of Risk
Glenn highlighted four key risks associated with machine identities:
- Expired digital certificates can lead to system outages that can bring down critical infrastructure.
- Expired certificates can also lead to system failures, which can be exploited by hackers. According to the Government Accountability Office, an expired certificate played a role in the 2017 data breach at Equifax.
- Unmanaged, unknown and unprotected machine identities might be based on weak cryptographic algorithms, or could be obtained by bad actors to breach systems and access classified or sensitive data.
- Hackers can leverage unprotected keys and certificates to gain access to systems, install and execute malicious code, or remove sensitive data— all without raising an alarm. This is how WikiLeaks is believed to have stolen documents from the CIA in 2017.
The Key Piece: Automation
As agencies look to accelerate application delivery, these security and operational challenges increase. DevSecOps—the integration of the development, security and operations teams—is essential. But the DevSecOps team will struggle to keep up with the mounting number of machine identities without the benefit of automation.
“As government adoption of DevOps increases, there are numerous lessons to take away in terms of automating legacy processes that have many slow and manual interventions detrimental to the success of DevSecOps,” Glenn said.
Glenn suggested agencies follow four best practices:
- Make it as easy as possible by providing access to machine identity management-as-a-service.
- Integrate machine identity management into tools that DevSecOps teams already use or want to use.
- Maintain visibility of all machine identities, tracking both upcoming expirations and associated risks.
- Enforce machine identity policies consistently, so that teams can request machine identities without needing to worry about which certificate authority to use, which encryption strength is adequate and so on.
Venafi’s Trust Protection Platform helps federal agencies manage and secure their machine identities. Using the Venafi Platform, agencies can efficiently orchestrate the entire machine identity lifecycle, keeping communications between machines secure and private.
This article is an excerpt from GovLoop’s recent guide, “Agencies Build Foundation for DevSecOps Success.” Download the full guide here.
