Automating Protection: Machine Identities, F5 and Venafi

Enterprises, and the ever-growing catalog of applications at their heart, rely on complex networks of physical and virtual machines, sometimes ephemeral, sometimes persistent—on-premises and across private and public clouds. As connected machines grow in number and intricacy, manual methods of securing all these devices can lead to failures, outages, and breaches.

This inefficient approach also exposes you to increased risk and costly disruptions caused by administrative bottlenecks and human error. The mobile network O2 learned this the hard way in December 2018, when some 30 million people lost service because a software certificate had expired. Someone, somewhere simply forgot to renew it. This is a clear example of why it is vital to automate the lifecycle of each and every machine identity; the status quo of management by spreadsheet and other manual methods leads, eventually, to lost data, lost money, and a damaged reputation.

The best way to prevent certificate-related outages is proactive management: integrating F5 BIG-IQ Centralized Management with the Venafi Platform. With BIG-IQ and Venafi you can automate the lifecycle of machine identities across all your F5 BIG-IPs, enforcing a standard, compliant certificate-creation policy while maintaining a good customer experience and strong security.

The Venafi Platform for Machine Identity Protection

To communicate securely, each machine uses a unique identity that authenticates it and secures its connections with other devices. With connected machines proliferating as they drive unprecedented improvements in business efficiency, productivity, agility, and speed, it is practically impossible for an organization to create, manage, and protect an ever-growing pool of machine identities by hand.

Machines are used to control nearly every aspect of the global digital economy. Organizations that were managing thousands of machines a few years ago are now trying to manage hundreds of thousands or even hundreds of millions of physical and virtual devices—each with a unique identity that must be protected. Management at this scale can’t be done with spreadsheets!

Protecting machine-to-machine communications across increasingly complex environments requires a high level of intelligent automation. This automation needs to be combined with visibility (the ability to discover every machine identity in a complex network) and with intelligence shaped by policy that defines proper configuration, use of encryption, expiration, and organizational ownership. These three capabilities, automation, visibility and intelligence, must continually work together to remediate weaknesses as they are discovered, at machine speed and scale.

By combining visibility with policy enforcement based on detailed intelligence, and then automating appropriate actions, the Venafi Platform continually protects machine identities. The result is improved certificate lifecycle management and security that stops unplanned outages and breaches, enables fast crypto-agility, supports audits and reduces resource usage.

What Makes Machine Identity So Complex?

When we talk about connected machines or machine-to-machine communications, we don't just mean the vast numbers of physical devices across global enterprise networks. Today, "machine" also includes code running independently of devices, including APIs, containers, serverless functions, and of course virtual machines (VMs). Because they are software-defined, these machine types are easily created, changed, and destroyed throughout the day, every day, but each of them still requires a unique identity.

Maintaining secure communications relies on the flawless implementation and coordination of certificates and keys across your entire network of physical and virtual devices.

Enter BIG-IQ for Centralized Management, Licensing, Monitoring, and Analytics

IT managers who manually oversee more than a few BIG-IPs, physical or virtual, risk creating a bottleneck that slows down application deployment. In today's world of cloud applications, it is not uncommon to be tasked with managing thousands of systems and all of their requisite administrative functions. In such an environment, manual oversight and orchestration of a constantly growing stable of managed devices is untenable.

F5 BIG-IQ simplifies oversight of complex BIG-IP environments by automating discovery, tracking, management, and monitoring of physical and virtual BIG-IP devices (and the services running on them), whether in the cloud, on premises, or co-located at another data center. Certificate management is among the many common management tasks consolidated within BIG-IQ, which works with the Venafi Platform to automate the processes of deploying, renewing, or changing SSL/TLS certificates. BIG-IQ can also alert you before certificates expire, with enough lead time to plan ahead, alleviating headaches before they start.

Integrating the Venafi Platform and BIG-IQ

Integrating the Venafi Platform into BIG-IQ Centralized Management enables you to automate the lifecycle of certificates and keys across BIG-IP devices, avoiding any potential bottlenecks and greatly reducing the risk of human error. F5 and Venafi help you protect machine identities with continuous discovery and monitoring so you can easily and efficiently maintain a secure environment.

There is a complex and tightly regulated process around the issuance of SSL/TLS certificates, including the requirement that every new certificate be signed by an approved Certificate Authority (CA). Among the benefits provided by the Venafi Platform is the ability to quickly, efficiently, and automatically interact with major CAs through out-of-the-box integrations.

Traditionally, every time a new key pair and Certificate Signing Request (CSR) were generated, someone would have to download the CSR, get it signed by a CA, and then upload the resulting certificate, a process that could take minutes, hours, or even days depending on the workflow (and expertise) in place. With the Venafi Platform, the download, sign, and upload steps are all replaced by API calls and automated processes that typically take a few seconds (depending upon the CA being used).

[Diagram: BIG-IQ and Venafi Platform integration]

Summary

The more devices—physical and virtual—embedded in your network, the more critical it is to validate each and every machine’s identity and encrypt its connection to your valuable data. Failure to do so can leave your organization open to cyberattack and costly downtime. But manually securing all these devices isn’t a viable option in today’s digital world. Integrating BIG-IQ Centralized Management and the Venafi Platform enables you to automate the orchestration of certificates and keys across all your BIG-IPs, improving efficiencies even as you increase security.

BIG-IQ Centralized Management Features

  • Device creation, discovery, and monitoring: Discover, track, and monitor BIG-IP devices, including key metrics such as CPU/memory, disk usage, and availability
  • Certificate management: Deploy, renew, revoke, or change SSL/TLS certificates and receive alerts before certificates expire
  • Centralized software upgrades: Centrally manage BIG-IP upgrades by uploading release images to BIG-IQ and orchestrating the process for managed BIG-IPs
  • License management: Manage BIG-IP virtual edition licenses, granting and revoking as you spin up/down resources
  • BIG-IP configuration backup/restore: Use BIG-IQ as a central repository of BIG-IP config files through ad-hoc or scheduled processes
  • Change management: Evaluate, stage, and deploy configuration changes to BIG‑IP
  • Role-Based Access Control (RBAC): Define users' ability to create, view, edit, and deploy provisioned services according to their roles


For more information about the F5 and Venafi partnership and solution integration, visit f5.com/bigiq.

Challenges
  • As connected machines grow in number and intricacy, manual methods of securing all these devices can lead to failures, outages, and breaches
  • Increased risk and costly disruptions that come from administrative bottlenecks and human error
  • Management by spreadsheet and standard manual methods lead, eventually, to lost data, lost money, and a damaged reputation

Benefits
  • Accelerated innovation and increased scalability by automating complex machine identity orchestration across vast numbers of virtual machines in DevOps environments
  • Streamlined operations via automation
  • Prevent downtime and outages caused by expired certificates and avoid the hassles of re-certifying
  • Increased security by properly identifying all machines—physical and virtual—at all times to control machine access to valuable data and prevent cyberattack
  • Reduced administrative overhead by automating and accelerating the ability to secure machine identities across complex infrastructures