Enterprises, and the ever-growing catalog of applications at their heart, rely on complex networks of physical and virtual machines, sometimes ephemeral, sometimes persistent—on-premises and across private and public clouds. As connected machines grow in number and intricacy, manual methods of securing all these devices can lead to failures, outages, and breaches.
This inefficient approach also exposes you to increased risk and costly disruptions caused by administrative bottlenecks and human error. The mobile network O2 learned this the hard way in December 2018, when roughly 30 million customers lost service because a certificate in the network's core software had expired. Someone, somewhere simply forgot to renew it. This is a clear example of why it's vital to automate the lifecycle of each and every machine identity; the status quo of management by spreadsheet and manual renewal leads, eventually, to lost data, lost money, and a damaged reputation.
A proactive approach prevents certificate-related outages: integrate F5 BIG-IQ Centralized Management, F5's management platform, with the Venafi Platform. With BIG-IQ and Venafi, you can automate the lifecycle of machine identities across all your F5 BIG-IPs, enforcing a standard, compliant certificate-issuance policy while maintaining a good customer experience and strong security.
The Venafi Platform for Machine Identity Protection
To communicate securely, each machine uses a unique identity that authenticates it and secures its connections with other machines. Given how many connected machines now drive improvements in business efficiency, productivity, agility, and speed, it's practically impossible for an organization to manually create, manage, and protect an ever-growing pool of machine identities.
Machines are used to control nearly every aspect of the global digital economy. Organizations that were managing thousands of machines a few years ago are now trying to manage hundreds of thousands or even hundreds of millions of physical and virtual devices—each with a unique identity that must be protected. Management at this scale can’t be done with spreadsheets!
Protecting machine-to-machine communications across increasingly complex environments requires a high level of intelligent automation. That automation must be combined with visibility, the ability to discover every machine identity on a complex network, and with intelligence shaped by policy that defines proper configuration, permitted cryptographic settings, expiration, and organizational ownership. These three capabilities, automation, visibility and intelligence, must continually work together to remediate weaknesses as they're discovered, at machine speed and scale.
By combining visibility with policy enforcement based on detailed intelligence, and then automating appropriate actions, the Venafi Platform continually protects machine identities. The result is improved certificate lifecycle management and security that stops unplanned outages and breaches, enables fast crypto-agility, supports audits and reduces resource usage.
What Makes Machine Identity So Complex?
When we talk about connected machines or machine-to-machine communications, we don't just mean the vast numbers of physical devices across global enterprise networks. Today, "machine" also includes code running independently of any particular device: APIs, containers, serverless functions, and of course virtual machines (VMs). Because they're software-defined, these machine types are created, changed, and destroyed throughout the day, every day, yet each one still requires a unique identity, so the pool of identities to manage is both large and constantly changing.
Maintaining secure communications relies on the flawless implementation and coordination of certificates and keys across your entire network of physical and virtual devices.
Enter BIG-IQ for Centralized Management, Licensing, Monitoring, and Analytics
IT managers who manually oversee more than a few BIG-IPs, physical or virtual, risk creating a bottleneck that slows down application deployment. In today's world of cloud applications, it is not uncommon to be tasked with managing thousands of systems and all of their administrative functions. In such an environment, manual oversight and orchestration of a constantly growing stable of managed devices is untenable.
F5 BIG-IQ simplifies oversight of complex BIG-IP environments by automating discovery, tracking, management, and monitoring of physical and virtual BIG-IP devices (and the services running on them), whether in the cloud, on premises, or co-located at another data center. Certificate management is among the many common tasks consolidated within BIG-IQ; working with the Venafi Platform, BIG-IQ automates the processes of deploying, renewing, and replacing SSL/TLS certificates. BIG-IQ can also alert you well before certificates expire, giving you time to plan renewals rather than react to outages.
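How an expiry alert like the one described above is computed, shown as an added example rather than BIG-IQ or Venafi code: a standard-library Python script that parses the validity period out of a DER-encoded X.509 certificate and classifies it against assumed 30-day warning and 7-day critical thresholds. The certificate it checks is constructed inside the script (dummy names, no real signature) so that it runs offline; in practice you would feed it a certificate exported from the device or captured from a TLS handshake.

```python
"""Certificate expiry check using only the Python standard library.

Added example; not F5, BIG-IQ or Venafi code. The certificate is CONSTRUCTED
here with a small DER encoder so everything runs offline: it carries no real
signature and is not an issued certificate. The parser walks
Certificate -> tbsCertificate -> validity, which is all an expiry monitor
needs. The 30-day/7-day thresholds are assumptions, not vendor defaults.
"""
import datetime as dt

UTC = dt.timezone.utc

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def seq(*parts: bytes) -> bytes:
    """DER SEQUENCE (tag 0x30) of already-encoded elements."""
    return der(0x30, b"".join(parts))

def utctime(t: dt.datetime) -> bytes:
    """UTCTime (tag 0x17), YYMMDDHHMMSSZ; RFC 5280 uses it for dates before 2050."""
    return der(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))

def build_sample_cert(not_before: dt.datetime, not_after: dt.datetime) -> bytes:
    """Constructed Certificate skeleton with a dummy issuer/subject and SPKI."""
    sig_alg = seq(der(0x06, bytes.fromhex("2a864886f70d01010b")), der(0x05, b""))  # sha256WithRSA
    name = seq(der(0x31, seq(der(0x06, bytes.fromhex("550403")), der(0x0C, b"example"))))  # CN=example
    tbs = seq(
        der(0xA0, der(0x02, b"\x02")),                 # [0] EXPLICIT version: v3
        der(0x02, b"\x01"),                            # serialNumber
        sig_alg,                                       # signature algorithm
        name,                                          # issuer
        seq(utctime(not_before), utctime(not_after)),  # validity
        name,                                          # subject
        seq(sig_alg, der(0x03, b"\x00")),              # subjectPublicKeyInfo placeholder
    )
    return seq(tbs, sig_alg, der(0x03, b"\x00"))       # Certificate with empty signature

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after this TLV) for the element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_time(tag: int, value: bytes) -> dt.datetime:
    """Decode an X.509 Time. UTCTime years 50-99 mean 19xx and 00-49 mean 20xx
    (RFC 5280 4.1.2.5.1); GeneralizedTime (tag 0x18) carries a four-digit year."""
    s = value.decode("ascii")
    if tag == 0x17:
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    elif tag != 0x18:
        raise ValueError(f"unexpected Time tag {tag:#x}")
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def cert_validity(cert_der: bytes):
    """Return (notBefore, notAfter) from a DER-encoded certificate."""
    _, cert_body, _ = read_tlv(cert_der, 0)   # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert_body, 0)        # tbsCertificate SEQUENCE
    tag, _, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                           # optional [0] version is present
        tag, _, pos = read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber expected")
    _, _, pos = read_tlv(tbs, pos)            # signature AlgorithmIdentifier
    _, _, pos = read_tlv(tbs, pos)            # issuer Name
    tag, validity, _ = read_tlv(tbs, pos)     # validity SEQUENCE
    if tag != 0x30:
        raise ValueError("validity SEQUENCE expected")
    t1, nb, p = read_tlv(validity, 0)
    t2, na, _ = read_tlv(validity, p)
    return parse_time(t1, nb), parse_time(t2, na)

def expiry_status(cert_der: bytes, now: dt.datetime, warn_days: int = 30, crit_days: int = 7):
    """Classify a certificate as a renewal policy would; return (state, days_left)."""
    not_before, not_after = cert_validity(cert_der)
    left = not_after - now
    if now < not_before:
        state = "NOT_YET_VALID"
    elif left <= dt.timedelta(0):
        state = "EXPIRED"
    elif left <= dt.timedelta(days=crit_days):
        state = "CRITICAL"
    elif left <= dt.timedelta(days=warn_days):
        state = "WARNING"
    else:
        state = "OK"
    return state, left.days

# Constructed sample: a one-year certificate checked five days before it expires.
NOW = dt.datetime(2019, 12, 1, tzinfo=UTC)
SAMPLE_CERT = build_sample_cert(dt.datetime(2018, 12, 6), dt.datetime(2019, 12, 6))

if __name__ == "__main__":
    print(expiry_status(SAMPLE_CERT, NOW))  # ('CRITICAL', 5)
```

Run the same check on every certificate in your inventory on a schedule and page on CRITICAL; the UTCTime century rule in `parse_time` is the kind of detail that a spreadsheet renewal date copied by hand never captures.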
Integrating the Venafi Platform and BIG-IQ
Integrating the Venafi Platform into BIG-IQ Centralized Management enables you to automate the lifecycle of certificates and keys across BIG-IP devices, avoiding any potential bottlenecks and greatly reducing the risk of human error. F5 and Venafi help you protect machine identities with continuous discovery and monitoring so you can easily and efficiently maintain a secure environment.
Issuing SSL/TLS certificates is a controlled process: every new certificate must be signed by a Certificate Authority (CA) that your policy approves, and a publicly trusted CA must in turn validate the request before it issues. Among the benefits of the Venafi Platform is the ability to interact quickly, efficiently, and automatically with major CAs through out-of-the-box integrations.
Traditionally, every time a new key pair and Certificate Signing Request (CSR) were generated, someone had to download the CSR, get it signed by a CA, and then upload the resulting certificate, a process that could take minutes, hours, or even days depending on the workflow (and expertise) in place. With the Venafi Platform, the download, sign, and upload steps are replaced by API calls and automated processes that typically complete in seconds (depending upon the CA being used). Note that only the CSR, which carries the public key, needs to travel to the CA; the private key should be generated on, and never leave, the device that will use it.