The speed and scale of the cloud require automating the PKI certificates needed to build TLS and mTLS communication encryption. To reach that speed, automated PKI tools must sacrifice machine identity trust.
Issue a machine identity credential once, at DevOps deployment, then preserve that trust by verifying the credential at the start of each communication session.
When a PKI certificate expires, the replacement issued by the certificate authority gives the machine an entirely new and different identity; every association with the machine's prior identity is lost.
Rotate the identity credential frequently, deriving each new credential cryptographically from the machine's prior activity history. Decentralized rotation of this kind preserves the chain of trust.
PKI certificates, and the private keys behind them, are cryptographic material that must be secured, retrieved, and managed through external cloud services, which add cost and complexity.
Rotate the identity from within secure, decentralized 'sidecars' deployed alongside each machine.
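The following is an added illustration of the rotation and per-session verification described above (issue once at deployment, derive each new credential from prior history, verify at every session start, rotate inside a sidecar). It is example code written for this page, not the page's or any vendor's implementation. It assumes a deploy-time root credential shared between the machine's sidecar and a relying-party verifier, models "activity history" as an opaque byte string the machine commits to at each rotation, and uses hypothetical names (Sidecar, Verifier, rotate, verify_session). The link between successive identities is a keyed hash chain: each credential is HMAC-SHA256 of the session's activity digest keyed by the prior credential, so only a party holding the prior credential can produce or check the next one.

```python
"""Keyed hash-chain rotation of a machine identity credential (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


def activity_digest(activity: bytes) -> bytes:
    """Public commitment to one session's activity record (constructed input)."""
    return hashlib.sha256(activity).digest()


def derive_next(prev_id: bytes, digest: bytes) -> bytes:
    """Next credential = HMAC-SHA256 keyed by the prior credential over the
    activity digest. A holder of prev_id can recompute it; a party without
    prev_id cannot mint a credential that chains to the prior identity."""
    return hmac.new(prev_id, digest, hashlib.sha256).digest()


@dataclass
class Sidecar:
    """Runs beside one machine (hypothetical name); keeps the current
    credential and an append-only rotation log of (prev_id, digest, new_id)."""
    current: bytes
    log: list = field(default_factory=list)

    def rotate(self, activity: bytes):
        digest = activity_digest(activity)
        prev, self.current = self.current, derive_next(self.current, digest)
        self.log.append((prev, digest, self.current))
        # The machine presents (new credential, digest) at the next session start.
        return self.current, digest


@dataclass
class Verifier:
    """Relying party (hypothetical name); its trust anchor is the last
    credential it accepted, starting from the deploy-time root."""
    anchor: bytes

    def verify_session(self, presented: bytes, digest: bytes) -> bool:
        expected = derive_next(self.anchor, digest)
        if not hmac.compare_digest(expected, presented):
            return False          # no link to the prior identity: reject
        self.anchor = presented   # advance the chain of trust
        return True


def run_demo(root: Optional[bytes] = None) -> dict:
    """Three rotations verified in order, then two rejections: a fresh credential
    unrelated to the chain (like a CA reissue) and a replay of an old one."""
    root = root or secrets.token_bytes(32)        # issued once at deployment
    machine, relying_party = Sidecar(root), Verifier(root)
    sessions = (b"session-1: pull image", b"session-2: serve /api", b"session-3: rotate keys")
    results = []
    for activity in sessions:                     # constructed activity records
        cred, digest = machine.rotate(activity)
        results.append(relying_party.verify_session(cred, digest))
    stray = secrets.token_bytes(32)               # not derived from the chain
    stray_accepted = relying_party.verify_session(stray, activity_digest(b"session-4"))
    old_prev, old_digest, old_cred = machine.log[0]
    replay_accepted = relying_party.verify_session(old_cred, old_digest)
    return {
        "chain_ok": all(results),
        "rotations": len(results),
        "stray_accepted": stray_accepted,
        "replay_accepted": replay_accepted,
        "anchor_matches_machine": relying_party.anchor == machine.current,
    }


if __name__ == "__main__":
    print(run_demo())
```

The verifier never contacts a certificate authority after deployment: continuity is checked locally from the last accepted credential, which is what makes the rotation decentralized. A stray credential (new root, no chain) and a replayed old credential both fail because neither equals HMAC(anchor, digest) for the current anchor.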