In machines we trust? The critical role of digital identity management

The introduction of the cloud has brought a lot of change to the world. A big one for enterprises is that it’s no longer a necessity to guard data on-premises. Most organizations today rely on a hybrid approach to hosting their applications, with an average of three or more different clouds driving various applications in their infrastructures.

While the cloud has delivered plenty of benefits to these businesses and transformed the way they think about data and security, they’re not all properly managing and securing applications across the enterprise.

Different applications distributed across various on-premises and cloud servers will always require an SSL/TLS certificate to establish trust online. Thus, enterprises end up managing hundreds or even thousands of digital certificates and their private keys in their hybrid network infrastructures. Because this is mainly done using traditional management techniques like spreadsheets, certificate protection, not just management, gets complicated. Simply put, today’s IT and security teams are burned out and unable to keep up.

So it was no surprise to those paying attention that The State of Certificate Lifecycle Management in Global Organizations, which surveyed 1,600 IT and IT security practitioners across a variety of industries, revealed that nearly 65 percent of organizations still are unable to secure and govern the growing volume of machine and application identities in the form of digital certificates -- the backbone of enterprise security.

Here are some of the key takeaways from the report, and critical areas to focus on when it comes to managing digital identities.

Digital identity management adoption maturity varies across industries

It is not surprising that organizations in the financial services, healthcare, and retail verticals invest more in managing certificates and keys than human identities -- and there are various reasons for this.

  • For banking and financial services, the importance of public key infrastructure (PKI) cannot be overlooked. PKI is used in several areas, such as their websites, which serve as portals for customers to make financial transactions, and their internal servers, access to which is usually protected with access cards or other PKI-backed services. Organizations in the banking and financial services vertical should invest in an enterprise PKI solution ready to take on new opportunities offered by emerging technologies. Automation done right is not just the way forward, it’s the only way to a future-ready PKI. While certificate lifecycle management solutions have many merits, any lack of automation will cause unnecessary work for IT teams, and ultimately cause burnout.
  • In the healthcare sector, while PKI has traditionally been used in hospitals to secure sensitive patient records, cryptography finds new applications in wearable/remote IoT-enabled medical devices. With such devices capturing user information and relaying it back to healthcare professionals by the minute, it is essential to ensure that the line of communication is not intercepted. It is also crucial to keep the device up-to-date via regular updates for optimum security. PKI makes this possible by providing a device identity and a layer of protection to medical devices.
  • In the retail industry, a secure and seamless omnichannel customer experience can be achieved if there’s an efficient certificate lifecycle automation solution that helps with discovery, renewal, revocation, enrollment, and reporting. An end-to-end management tool provides seamless integrations with certificate authorities (CA) and network device providers, mobile device management platforms, security vendors, and more. It will help IT teams at retailers stay proactive by keeping unauthorized users at bay while building digital trust.

Zero Trust adoption lags behind

Amid an industry-wide battle cry for Zero Trust, organizations are still struggling to embrace Zero Trust strategies across their digital assets, specifically for IAM. According to the Ponemon Institute survey, 61 percent said their company had not yet turned to Zero Trust. An IAM strategy is about defining and managing the roles and access of users and devices to a variety of cloud and on-premises applications. These devices include computers, smartphones, routers, servers, controllers and sensors.

The core objective of IAM is one digital identity per individual or item. Once that digital identity has been established, it must be maintained and monitored throughout each user’s or device’s access lifecycle. According to 45 percent of respondents, their organization’s IAM strategy has been adapted to track cryptographic certificates, keys and other digital certificates.

Automation is the future

Because the management of machine identities continues to be a problem for many organizations, it’s critical to invest in an end-to-end automated certificate lifecycle management solution. Organizations that embrace automation will enhance their security posture.

Automating certificate and key lifecycle management helps keep digital identities up-to-date and effectively eliminates outages. Processes such as policy management and SSH key rotation can be automated for enhanced security.

Most automation partners enable cryptographic agility, providing algorithm upgrades to offer the best possible protection. Information is everything. Verizon’s 2022 Data Breach Investigations Report revealed that 61 percent of data breaches involved credentials while 70 percent of all misuse cases were caused by privilege misuse. A lack of understanding of certificates and keys has caused widespread breaches and outages at Target, Equifax, Colonial Pipeline and SolarWinds -- and will continue to cause upheaval in organizations if it’s not properly addressed.

Alon Nachmany is a cybersecurity evangelist and Field CISO of AppViewX, where he helps some of the world’s largest organizations secure vital data, as well as protecting some of the most cutting-edge innovations. Nachmany has more than 15 years of experience as a cybersecurity leader and has served as CISO, as well as an IT and security executive for organizations such as National Securities Corporation, WeWork, Bromium and others.

© 1998-2024 BetaNews, Inc. All Rights Reserved.