Machine Identity Management: The Key to Managing Compliance Risk in a Multi-Cloud, Multi-Cluster World

By Sitaram Iyer, Senior Director of Cloud Native Solutions at Venafi

Financial services may be an industry in which mainframes still do much of the heavy lifting, but increasingly it’s also at the center of a new wave of cloud computing innovation. An estimated 60% of North American banks plan to invest in cloud technology in the future, according to one estimate. However, as individual customers spread their risk by migrating workloads to multiple Kubernetes clusters across multiple public cloud providers, they may be unwittingly introducing new security risk.

That’s due to a resulting explosion in the volume of cloud assets, all of which have identities that must be securely managed. The only way to do so in dynamic and volatile environments like these is to turn to third-party tooling for automation and control.

A multi-cloud, multi-cluster world

According to one report, 92% of enterprises had a multi-cloud strategy last year. Deploying workloads across multiple public clouds can be particularly useful for organizations in highly regulated industries like financial services. It may help them meet compliance-based data sovereignty and availability requirements – by ensuring that sensitive information is stored in the right jurisdiction and that systems remain up-and-running even if one provider fails. A multi-cloud strategy also enables banks to take advantage of best-of-breed capabilities offered by specific providers. And it helps to mitigate the risk of vendor lock-in – which may also be a concern for regulators.

As multi-cloud has grown in popularity, so have containers and microservices – which offer a vehicle in which to run workloads across these different cloud environments. In many cases, it is Kubernetes that is used as the de facto system for automating, deploying and managing these containers. Again, at this level, financial services companies are choosing to run them not just in a single cluster but in multiple clusters – and across multiple cloud environments – to reduce vendor lock-in, enhance performance, and improve availability and resiliency.

But government and financial regulations also require businesses to assert a level of control over these environments in order to mitigate cyber risk. This should include not only human identity and access management, but also managing the digital certificates and keys that comprise machine identities.

When the auditors come knocking

What do we mean by machines in this context? It could refer to anything from devices to workloads, applications, containers and clusters. Fail to keep these identities up-to-date and secure and the “machines” they are linked to will become vulnerable to hijacking and exploitation – potentially leading to data breaches, ransomware, crypto-jacking and much more. That’s because machine identities effectively secure and encrypt communications between these cloud assets. Fail in this, and financial services organizations could expose themselves to significant reputational and financial risk.

The bad news is that there are several roadblocks to effective machine identity management. Containers in particular are dynamic and ephemeral – appearing and disappearing all the time. Each new one needs a digital certificate, which may ultimately only last an hour or two. Multiply this out over multiple clusters and clouds, and the numbers quickly become mind-blowing.

Research reveals that the average organization used nearly 250,000 machine identities at the end of 2021 – but that this figure will more than double to at least 500,000 by 2024. Three-quarters of surveyed CIOs said they expect digital transformation initiatives to increase the number of machine identities in their organizations by at least 26%. We would expect similar findings in the financial services sector.

The challenges are multiplied by the fact that cloud native identity management tools don’t work across other providers’ environments and don’t allow for continuous monitoring of machine identities. This can lead to duplicated effort, extra expense and critical security gaps. It will also put financial services firms at risk of failing risk management audits – which will at the very least require them to show an inventory of every machine protected by a certificate and possibly answer additional questions on critical assets. Depending on the audit, significant fines could follow.

A win-win

In short, this is a job that has quickly become unmanageable for human security teams. Instead, they require a single, automated machine identity management solution to work across all cloud and container environments. It should automatically configure, renew and revoke certificates, delivering cross-cluster visibility to help teams check the status of machine identities and answer any auditor questions with confidence. Automated error displays down to the individual certificate-layer would enable them to easily click through and remediate – further enhancing overall security posture.

With a control plane for managing machine identities, financial services security teams can have the peace-of-mind that complex cloud environments will remain secure, even as they continue to evolve. And both they and developer teams will have more time to work on higher value tasks to support the business. That’s a win-win all round.

About the Author

Sitaram Iyer is Senior Director of Cloud Native Solutions at Venafi.  He believes security should be one of the primary considerations organizations make as they make their cloud native journey. With a plethora of cloud native technologies out there, it is critically important to empower developers and platform teams with services that allow them to build and deploy applications more securely.

Building a zero-trust model as you adopt strategies to use Kubernetes and service meshes can be challenging. At Venafi, we understand this and work with large enterprises who are looking to address these challenges.

Sitaram can be reached online at LinkedIn and at our company website www.venafi.com.