Ponemon Institute and Keyfactor kicked off the first-ever State of Machine Identity Management Report with one purpose: Drive industry awareness around the importance of managing and protecting machine identities, such as keys, certificates, and other secrets, in digital business.
For the 2021 State of Machine Identity Management Report, Ponemon Institute surveyed 1,162 respondents across North America and EMEA who work in IT, information security, infrastructure, development, and other related areas.
We hope that IT and security leaders can use this research to drive forward the need for an enterprise-wide machine identity management strategy. No matter where you are in the business – IT, security, or development – and no matter the size of your company, this report
offers important insights into why machine identities matter.
In recent years, we’ve witnessed the rapid growth of internet-connected devices and machines in the enterprise. From IoT and mobile devices to software-defined applications, cloud instances, containers, and even the code running within them, machines already far
Much like the human identities we rely on to access apps and devices we use every day (e.g., passwords, multi-factor, etc.), machines require a set of credentials to authenticate and securely
connect with other devices and apps on the network. Despite their critical importance, these “machine identities” are often left unmanaged and unprotected.
In the 2020 Hype Cycle for Identity and Access Management Technologies, Gartner introduced a new category: Machine Identity Management. The addition reflects the increasing importance of managing cryptographic keys, X.509 certificates, SSH keys, and other non-human identities.
Machine identities have undoubtedly become a critical piece in enterprise IAM strategy, and awareness has reached even the highest levels of the organization. Sixty-one percent of respondents say they are either familiar or very familiar with the term machine identity management.
“Machine identities, such as keys, certificates and secrets, are essential to securing connections between thousands of servers, cloud workloads, IoT and mobile devices,” said Chris Hickman, chief security officer at Keyfactor. “Yet the survey highlights a concerning and significant gap between plan and action when it comes to machine identity management strategy. Acknowledgment is a step in the right direction, but a lack of time, skilled resources and attention paid to managing machine identities make organizations vulnerable to highly disruptive security risks and service outages.”
In this section, we highlight key findings based on Keyfactor’s analysis of the research data compiled by Ponemon Institute. For more in-depth analysis, see the complete findings.
Strategies for crypto and machine identity management are a work in progress.
Despite growing awareness of machine identity management, the majority of survey respondents said their organization either does not have a strategy for managing cryptography and machine identities (18 percent of respondents), or they have a limited strategy that is applied only to certain applications or use cases (42 percent of respondents).
The top challenges that stand in the way of setting an enterprise-wide strategy are too much change and uncertainty (40 percent of respondents) and lack of skilled personnel (40 percent
Shorter certificate lifespans, key misconfiguration, and limited visibility are top concerns.
Challenges in managing machine identities include the increased workload and risk of outages caused by shorter SSL/TLS certificate lifespans (59 percent of respondents), misconfiguration of keys and certificates (55 percent of respondents), and not knowing exactly how many keys and certificates the organization has (53 percent of respondents).
A significant driver of these challenges is the recent reduction in the lifespan of all publicly-trusted SSL/TLS certificates by roughly half, from 27 months to 13 months, on September 1, 2020. It is worth noting that the real impact of this change will likely not be realized
until the months and years ahead.
Crypto-agility emerged as a top strategic priority.
Moving into the top position on the list, more than half of respondents (51 percent) identified crypto-agility as a strategic priority for digital security, followed by reducing complexity of IT infrastructure and investing in hiring and retaining qualified personnel (both 50
percent of respondents).
Cloud and Zero-Trust strategies are driving the deployment of PKI and machine identities.
While many trends are driving the deployment of PKI, keys, and certificates, the two most important trends are cloud-based services (52 percent of respondents), and Zero-Trust security strategy (50 percent of respondents). Other notable trends include the remote workforce and IoT devices (both 43 percent of respondents).
SSL/TLS certificates take priority, but every machine identity is critical.
Overall, respondents agree that managing and protecting every machine identity is critical. That said, SSL/TLS certificates were widely considered the most important machine identities to manage and protect, according to 82 percent of respondents.