Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an Advisor and Analyst with KuppingerCole Analysts. My guest today is Martin Kuppinger. He is Principal Analyst and one of the founders of KuppingerCole Analysts. Hi Martin, good to have you.
Hi Matthias, pleasure to be here and thanks for inviting me again.
Great to have you. At the end of the podcast, we want to make sure that our audience understands the term machine identities much better and why they're important and why they need proper protection. So we're not talking about Terminator, rise of the machines, although the machines are on the rise. So to start with a definition, Martin, what do you define as being machine identities, and what distinguishes them from other non-human identities, non-carbon-based life forms in identity management?
I think the problem starts with the term, honestly, because I personally believe that machine identities is an incorrect term. So if you look at the Oxford Dictionary for the definition of machine, then it starts with: it's mechanical. The machine identities we are talking about in many cases don't have anything to do with that. In some cases they do; in many cases they don't have anything mechanical with moving parts and so on. So I think we still have a bit of a terminology challenge here. Human identities, that's relatively clear. Okay, no, it's totally unclear, because I remember discussions about identities versus personas versus accounts versus users, etc. So it's also relatively undefined, but we at least know what a human is. And then we have everything that is not a human. And clearly you could argue that the chip in the ear of your dog or wherever makes it a non-human identity. And this is not what we are talking about. So non-human identities also is a bit of a problematic term. Non-carbon, silicon, whatever, also tricky. But I think the problem goes deeper even. The point is it's not human versus everything else, be it machine, non-human, silicon, et cetera. We have a wide range of different types of identities, so to speak, on the other side, as we have on the human side. On the human side, we have the standard user, we have the administrator, we have accounts that are shared, that are used by multiple persons, but sometimes not only by persons. So where do they stand? I personally believe we need more differentiation, more clarity here, because there are also different requirements for different types of these identities. And it's not that we manage to do one thing in one way, otherwise we would not have IGA versus PAM, for instance, and we manage everything else the other way. That's just not true.
And I think, despite everything that you said, they are on the rise. We see them coming up in all the publications that we as analysts see. So there are vendors that are really using the term machine identities to promote new kinds or new versions of solutions. On the other hand, we are currently in the process of revamping our identity fabric and reference architecture, and to the left, there are these arrows representing the identities, and we've added machine identities there as well. So they play an important role, although they might require some redefinition and more streamlined definitions. But to get closer to the point, how are they typically used in modern IT infrastructures? Where do they come into play? Why do they need identities, and who is it who needs these identities?
So first, we're currently working on a Leadership Compass Enterprise Secrets Management for humans, machines and workloads. So this is the distinction I've made; there could be more. When we look at the left-hand side of the identity fabric, the old one and the new one, we have quite a number of identity types, machines being one, services, and so on. Being honest, we have differentiated this a bit. I think where you're absolutely right, we have incredibly more identities and types of identities to deal with. Both add to the complexity. So the one is the sheer number. The other is the variance that requires a different approach for managing. This goes from an IoT or industrial IoT device to software in different incarnations to, at the end again, the accounts existing more on the human side. And so we have this range of things, and the challenge we are facing is that there are more in number, there are more in types, and their lifetime also is very different. So a lot of these identities are created automatically and they may disappear relatively quickly again. So when you look at software and agile development, then it means that there are a lot of these identities that come up, that disappear; they are very fluid. We can't manage these in a traditional way. A human creates an account, assigns entitlements and forgets to retire that account. Usual stuff; that will not work. We will need to do it differently. We need automation here. We need automation at scale. We need solutions that help us manage identities and secrets. For instance, for things where we don't have the same change cycles and life cycle management approaches, we can't have them as we have, so to speak, in our traditional world. So we need to think about these. But I still believe, and that's why I mentioned it a little earlier, I still believe we oversimplify if we say there's human and, call it however you want, machine or whatever else.
There's more with different needs, but for everything we need security. We need secrets management. We need lifecycle management for secrets, but also lifecycle management for the identities. So we need to be, I would say, much more precise in this entire area to handle this, because at the end of the day, the secrets are what helps us keep our world at least halfway secure and safe.
Right, when you say secrets, from an administrative point of view, from a management point of view, what do these secrets look like? Are they still traditional certificates? And what other secrets are required to manage these new types, these changed types of machine identities, ranging from hardware, which will live a lifetime of 10, 20, 30 years, up to those you just mentioned, automated, orchestrated, cloud native platforms that have a very short lifetime and have to have compliance and governance all the way through their lifetime as well. So it's very different. So how do you identify? Where does identity management come into play? What do you manage in secrets management?
So what are the secrets? I could say basically everything. Passwords, worst case, yes, passwords are around. And by the way, for many machine identities, we still constantly use passwords. So there are incredible amounts of technical accounts that are used by a service; they're accessed as a shared account or a technical account with username and password. So unfortunately, yes, they are still around. It always was a bad practice, it remains a bad practice, but it's there. Mostly we talk about keys and certificates. So this is basically what we mostly talk about. But then in really a wide range of incarnations, to be very clear. New technology is coming up; I just this morning read something about a new approach that at least claims to be in the quantum safe encryption space, so the QSE stuff. So we see a lot of variants, but at the end of the day, the point is, there are identities. We must know these identities. We must create them. We must manage them. We must assign entitlements to the identities. We must be able to retire them, and they need secrets, and these secrets again have their life cycle; they need to be managed. So at the end of the day, as usual, we have multiple life cycles; that's the same as we always had with human identities. We create Martin, we assign accounts to Martin, we assign entitlements. All of these things have life cycles. At the end everything is different, but at the end everything is the same, more or less. We need good life cycles. The main difference is we always struggled with handling this manually in the small world of human identities. We absolutely have no chance to do it manually in that world of other types of identities, call it machine identities. And by the way, around humans we also have quite a number of new challenges. Managing passkeys at the enterprise level or FIDO2, key management at the enterprise level, et cetera, all these things come into the equation.
So we have really an incredible amount of new challenges we are facing, and we need adequate solutions. I would really like to see, especially in this complex world, a bit more differentiation of terms without ending up in what we had in the identity world. I remember probably almost two decades ago there were very long discussions about what's an identity versus a persona versus a user, et cetera. I think once it gets too, let's say, call it positively, philosophical, it won't help. We need to be pragmatic, but not overly pragmatic, because handling the machines for an IoT device is different than handling the secrets and the identities for services within software that runs on an infrastructure as a service cloud and accesses resources. These are really different things. We should also understand our different... You, Matthias, and me, we've looked at the IoT side a while ago in a joint project, and yes, it is a different world, very different standards and an astonishing lack of good lifecycle and complete lifecycle management, as we remember. Yes.
I think even if we stick with the term machine identities and we identify several patterns that they have in common, no matter what they actually are, I think just the sheer number of machines that are around right now, be they physical, or much more probably, be they virtual, be they orchestrated as Docker containers, as Kubernetes clusters and their components, I think they all have the same security challenges in common. If there are a lot more machines around, there is of course a higher, a bigger attack surface, and that needs to be protected well. Do you think that this is already... has this arrived with organizations? Have they fully understood, embraced that the challenges are there and that they need to take machine identities and their proper management seriously? Just what you described, the life cycle management, also the retiring; have they fully embraced that and understood that and implemented it well, and are the solutions that you are looking at capable of doing that?
So what I would say is they have understood it. Whether everyone has fully understood it, not 100% sure. But I think that the problem is, the problem domain is, it's understood that there is a problem domain. How to tackle this is a bit of a different thing. But we saw the advent of a lot of new types of solutions in the secrets management space.
Absolutely.
So we see a lot of new startups here. We saw the advent of CIEM, Cloud Infrastructure Entitlement Management, which is also related to this area. So we see things proceeding. Are the organizations already there? Do they have a perfect grip on everything? Probably most don't have yet. So it's a journey. And I think also when we look at just the sheer number of startups, it makes very clear this is an evolving area. So it's still a lot of work in progress, but we're making progress. There are really good solutions out there. I think one of the big challenges is that it also requires really a lot of knowledge about cybersecurity, about cryptography, et cetera, to address it. But it also requires a good amount of knowledge about life cycles and how to make it efficient and work well in every infrastructure. So it's a complex domain, and that doesn't make it simpler. But yes, there is technology, there are solutions. It's an increasing number of solutions. But it's a tricky domain. And then, latest when we think about, whatever, quantum safe encryption, I doubt that there are that many people who really fully understand what it is and how it works. So at the end, it's like with everything: we need to move to a level, and we are probably not yet there, where we don't need to care much about this anymore. So it's always a comparison. You know, when you and I were young, and we probably still could do it, we needed quite a bit of knowledge about whatever, IP, TCP and ARP, Address Resolution Protocol, things like that, to get things up and running. Nowadays, most people don't need it anymore. At that time, every network administrator needed it. And we need to come to a level where we can consume this. And currently, I think there are still too many pieces we need to bring together. So some vendors have quite a comprehensive portfolio. But at the end, it's still a lot of bits and pieces we need to bring together.
And this is, I think, what we need to work on: to have solutions that help us address the challenges of managing the life cycles of each and every type of identity and the secrets in as consistent a manner as possible, without requiring us to dive too deep into all the nitty-gritty details.
Yeah, I fully agree. At least I have to make this side note. So we have been around for quite a while in that area, and we are still using X.509 certificates, and that dates back to 1988 and the X.500 standards. So it's good to see that even those older standards are still around and are still in use. That's my side note, because I started with X.500 way back then. But we are at the end of this episode, and we just started thinking about machine identities and the lack of a proper term. What we did not touch is the area of regulation. So regulation really has a deep impact on the management of machine identities, because they are important. It could be hardware like a car, like a pacemaker. And it is also software. So to really make sure that you protect your cybersecurity posture and your attack surface to the outside, even when you're scaling up, scaling down virtual orchestrated platforms. So there's a lot to do from a cybersecurity, from a regulation perspective, which we have not even yet touched upon in this episode. There's so much more to do. I think the most important thing is to tell every organization to really also put focus on that, to really make sure that they manage their machine identities as well as they manage their human identities. Maybe even take one step further to do relationship management between people and machine identities. Ownership, responsibility, accountability for these systems is important, and then you have all types of identities involved. Any final thoughts from your side, Martin, before we close down?
Just one thought. I think there are always two options. The one is we can try to be very differentiated with the types of identities, et cetera. Or we just say it's an identity of someone or something, and say, okay, we'll just care about relationships between identities, about life cycles, and try to unify it as much as possible. That might be the other approach we could take over time. Very interesting. What I started thinking about, and I'll keep that on my task list, is, I think it might be a good idea to come up with a nice Advisory Note that explains all that stuff and relates it and adds some nice looking pictures around it. So I'll put this on my list, because I believe we need to shed a bit more light on this space and help people better understand these things.
Absolutely, I fully agree with the patterns, the commonalities, but also the differences between different types of identities. In the end, it's an object with attributes and a life cycle. But how are they different and how are they similar? I think that's an important thing to look at. Now we're again philosophical. So we close down. Thank you, Martin, for being my guest today, for talking about machine identities, still lacking a proper term. Looking forward to digging deeper into that topic very soon, because I think there's so much more to embrace when it comes to machine identities. Thank you, Martin.
And thank you. And hopefully next time we talk, we have a better term than machine identity, at least for the ones that are not associated with mechanical stuff with moving parts. Thank you, Matthias.