Date Published: April 20, 2022
Author(s)
Michael Bartock (NIST), Murugiah Souppaya (NIST), Mourad Cherfaoui (Intel), Jing Xie (Venafi), Paul Cleary (Venafi)
Announcement
The initial public draft of NIST IR 8320C presents an approach for overcoming security challenges associated with creating, managing, and protecting machine identities, such as cryptographic keys, throughout their lifecycle.
NOTE: A call for patent claims is included on page iii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.
Organizations employ a growing volume of machine identities, often numbering in the thousands or millions per organization. Machine identities, such as secret cryptographic keys, can be used to identify which policies need to be enforced for each machine. Centralized management of machine identities helps streamline policy implementation across devices, workloads, and environments. However, the lack of protection for sensitive data in use (e.g., machine identities in memory) puts it at risk. This report presents an effective approach for overcoming security challenges associated with creating, managing, and protecting machine identities throughout their lifecycle. It describes a proof-of-concept implementation, a prototype, that addresses those challenges. The report is intended to be a blueprint or template that the general security community can use to validate and utilize the described implementation.
Keywords
confidential computing; cryptographic key; hardware-enabled security; hardware security module (HSM); machine identity; machine identity management; trusted execution environment (TEE)