- Identity Jedi Newsletter
- Posts
- The 43rd Edition of the Identity Jedi Newsletter
The 43rd Edition of the Identity Jedi Newsletter
Special Edition: Machine Identity!!
Wednesday 7/12/23 - Identity Jedi Newsletter - Subscribe
Hey Jedi welcome to the 43rd edition of the Identity Jedi Newsletter. This week we are deep diving in to the world of machine identity. I asked, and you answered. This was one of many topics requested for Special Edition Coverage, so be on the look out for more of these this summer.
SPECIAL EDITION: Machine Identity
We had an absolutely amazing month last month. Our biggest jump in subscribers EVER! Over 100 in a single month, you all continue to amaze me! Let’s keep the momentum rolling!
Let’s Get to the Good Stuff!
Managing Machine Identity in a Zero-Trust World
State of Machine Identity: Some stats and rants
Machine Identity Deep Dive: Links, Links, and more links
Diving into the machine
Researching this topic, I started to get a very serious case of Deja Vu. “Organizations don’t have enough skilled staff to manage their current PKI environment”
“Machine identities are growing at a rate faster than human identities.”
“Some organizations have no clue how many certificates they have”
This sounds very familiar if you’ve been around the identity industry for a while. It’s almost verbatim what we were saying to the business about human identities. Also, I’m seeing very little independent information on this topic. ( As in not by a vendor or a consultant who a vendor pays) This is more an indictment on our industry than anything else, but still a little disheartening.
But let's take a moment to define the problem at hand, shall we?
First things first: What is machine identity?
I found two definitions that, when combined, I think cover it nicely. First up is from our friends at Gartner ( via Entrust)
Machine identity is broken up into two groups:
Devices - Mobile devices, IoT/OT devices, desktop computers, code signing, etc.
Workloads - Containers, virtual machines, applications, services, etc.
Ok, so that lets us know what we are dealing with. Non human entities that need to have access to within your organization.
Now I also like this definition from the folks at StrongDM
Machine identities are unique descriptors of an organization's devices used to authenticate communication and system access. To put it another way, they are digital credentials that "identify" servers, computers, phones, and other Internet of Things (IoT) devices.
Machines don’t authenticate as humans do. There is no interactive prompt to enter a password or MFA. Instead, they use credentials that allow them to establish trust with each other and create secure channels of communication. Enter in things like PKI ( Public Key Infrastrucutre), CA ( Certificate Authority), certs ( short for certificates), and the good ole SSH keys. ( Check the Deep Dive section for links to info on all of these things)
Now add to this that machine identities are a lot like rabbits. Once you have two, you basically have 1000. The growth rate for them is insane. This isn’t necessarily a bad thing. The onset of technologies like Kubernetes and architectures like microservices means that we are creating applications at a much faster pace but also creating “machines” ( remember our definitions up top) at just as fast a pace. We’ve embraced tearing down boundaries between data and applications and are by design, building apps that consume and share data at their core. Let’s dive a little deeper into what that means.
Let’s say your company is building a new SaaS app. It’s going to be new latest and greatest technology, everyone will love it and in 5 years you’re all sipping Mai Thai’s in Turks and Caicos. But first you have to build the app. You go with microservices architecture and break the app up into 5 different services.
Each of those services needs to talk to each other and also to the database to retrieve and store data. ( Now this is a very high level view, and there are tons of rabbit holes we can go down about microservice architectures and design, but just stay with me here). Each service has to have an understanding of who is accessing it, and what they want. More importantly, each of these services lives on the network in your organization and utilizes resources. You need to know what it is, and what access it has, and is it the correct access. This is just one simple application; we haven’t even discussed deployment yet. Can you see how quickly this can get out of hand?
Welcome to machine identity management.
Deep Dive
Managing Machine Identity in a Zero-Trust World
State of Machine Identity: Stats, Stats, and more stats
If you’re new to the newsletter you don’t yet know how much I love stats and reports such as this one. I think i was a statistician in another life, but I digress. Some interesting numbers from Keyfactor’s state of Machine Identity report.
Best practices for MIM
Quick note on podcasts. It’s becoming difficult finding podcasts centered around identity that are updated with any kind of frequency. If you know of any, please let me know!
Identity Jedi Show Podcast
The Last Word
Where to start….
Let’s start with research. It makes absolutely no sense that access to information is so gated, and expensive. Yes, I’m looking at you Gartner, and Gartner wannabes. I’m not saying your work insn’t valuable, but we created the internet to free information right? And in this new age of AI, are your reports really worth that much? I would argue no. Gathering data and presenting it in a “summarized” fashion is no worth thousands of dollars. Expert level expertise, and insights is. I would challenge Gartner and the like to look at changing the model. Free the reports, free the research. It’s not about information it’s what you do with it. Helping companies execute on the vision that you layout, mapping value from their business to your research, etc. Yes I know this is a pointless rant, because capitalism. No way Gartner or any of them turns off their money making machine, but hey it’s what I do.
Ok now on to machine identity. This is a fucking mess folks. Had no clue it was this bad. I’ll admit I was one of those saying that while MIM was important, it wasn’t very high up on my list. I WAS WRONG. ( Save this newsletter, you won’t hear me say that often) . No I’m going to overreact and say drop everything you’re doing and make this number 1. But what I will say is it definitely needs to be at the top of your list in terms of strategic vision, and you should be having some conversations with your team in the tactical to understand it. When you combine this with the multi-cloud movement and the need to have dynamic authorization, this becomes critical path, REAL quick.
Shout out to Venafi and KeyFactor. They’ve done a fantastic job of making sure when you search for machine identity you see their names. Also some good content about the space as well.
Until next week folks
Be Good to each other, Be Kind to each other, Love each other
-Identity Jedi
The JEDI COUNCIL
Early access to next week’s Identity Jedi Episode
Reply