As digital transformation is advancing and automation is becoming an essential component of modern enterprises, collaboration between humans and machines is crucial.
With this level of interaction, a new identity problem is emerging as machines operate on behalf of humans.
Collaboration between humans and machines is a working reality today, and with it comes the need for secure communication as machines operate increasingly on behalf of humans. People identify themselves with usernames and passwords; machines must also identify themselves to one another. Instead of usernames and passwords, machines use cryptographic keys and certificates, which serve as machine identities and allow them to connect and communicate securely.
Machine identities are rapidly expanding
The root of this new identity problem is an increasingly complex computing environment. The shift from on-premises data centers to cloud-based applications and workloads has created an explosion in the number of machines being deployed on enterprise networks. These machines are expanding well beyond traditional devices and servers to include:
- Virtual servers and devices
- Mobile devices
- IoT devices
- Cloud instances
- Software applications and services, including APIs and algorithms
- Containers that run apps and services
Each of these machines requires an identity that must be managed throughout its lifecycle. Given the enormous number of combinations of humans and machines accessing resources across this complex environment, keeping track of all the different identities that represent a single individual performing an action is a huge challenge. To make matters worse, the attack surface associated with machine identities is expanding much faster than that of human identities.
The consequences of poor machine identity management
Despite the growing importance of machine identities, organizations tend to overlook them and focus only on protecting human identities. It is true that cybercriminals break into corporate networks by compromising weak human identities, such as passwords and other credentials. But poorly managed machine identities can also become a path for infiltrating networks and stealing data. For example, threat actors routinely hide command-and-control and exfiltration traffic inside encrypted sessions, where defenders who do not control the relevant keys cannot inspect it. They can also compromise or forge a machine identity and use it to fool other machines into handing over sensitive data.
Navigating this massive volume of machine identities is made even more difficult by the fact that machine identity lifecycles are shortening. For many enterprises the problem is compounded by digital transformation initiatives such as cloud migration and expanding DevOps processes. When organizations fail to keep up with the volume and variety of machine identities they need, the consequences can be dire.
Outages caused by expired certificates are the most visible symptom of poor machine identity management, but there are many other ways machine identities may be compromised. SSH keys, which secure access to cloud-based servers and other machines, are a favoured target of malware that harvests unprotected private keys from compromised hosts and reuses them to move laterally. Meanwhile, cybercriminals who steal private code signing keys can sign malicious binaries so that they pass as legitimate software updates, which are then unknowingly pushed out to unsuspecting end users.
Given that machine identities are among the least understood and most weakly protected parts of enterprise networks, it should come as no surprise that cybercriminals are aggressively exploiting them. From Stuxnet to SolarWinds, both of which shipped malicious code signed with legitimate certificates, attackers are increasingly abusing unprotected machine identities to launch a variety of attacks. In fact, over the past four years threats targeting weak machine identities have increased by 400%.
The disconnect in investing in machine identity management
Even though the impact of poorly managed machine identities is well documented in various studies, organizations are still investing almost solely in human identities. Why is there such a gap between the budgets allocated to machine identities and those allocated to human identities?
There are several factors that explain this disconnect:
- Rapid changes in IT infrastructure due to the accelerated digital transformation of the past two years have dramatically increased the volume of machines on enterprise networks that need machine identities—a changing reality organizations are only beginning to confront.
- The security and business risks connected with cryptographic keys and certificates serving as machine identities are poorly understood.
- There has been a scarcity of concrete standards and guidelines that provide organizations with prescriptive advice on how to effectively protect machine identities in a consistent, measurable fashion.
Common controls for managing both forms of digital identities
Although human identities and machine identities differ in many ways, their management is guided by similar security principles. The list below provides an overview of the top security controls applicable to both human identities and machine identities.
- Ensure they are strong
- Keep them secret
- If compromised, change them immediately
- Know where they are
- Centrally control them
- Do not duplicate them
- Remove access when use is terminated
- Limit their usage
- Review before issuing
- Review them regularly
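Several of these controls can be checked mechanically once an organization actually has an inventory of its certificates (the "know where they are" step). The following program, an added example written for this article rather than code from the author or any vendor, builds a constructed inventory with a tiny in-memory CA (the names `Example Internal CA`, `api.example.internal` and so on are assumptions made up for the demo) and then audits it against three of the controls above: "ensure they are strong" (RSA keys under 2048 bits, SHA-1 or MD5 signatures), "review them regularly" (certificates that have expired or will expire inside a review window, the outage scenario mentioned earlier), and "do not duplicate them" (the same public key sitting behind more than one certificate). Only the Go standard library is used, and the current time is passed in so the result is reproducible.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// Finding records one control a certificate fails and why.
type Finding struct {
	Subject string
	Control string
	Detail  string
}

// AuditCerts checks an inventory of parsed certificates against three controls:
// "ensure they are strong", "review them regularly" and "do not duplicate them".
// now is injected rather than read from the clock so the report is reproducible.
func AuditCerts(certs []*x509.Certificate, now time.Time, window time.Duration) []Finding {
	var out []Finding
	byKey := map[string][]string{} // SHA-256 of SubjectPublicKeyInfo -> subjects using that key
	for _, c := range certs {
		subj := c.Subject.CommonName
		if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < 2048 {
			out = append(out, Finding{subj, "ensure they are strong", fmt.Sprintf("RSA key is only %d bits", k.N.BitLen())})
		}
		switch c.SignatureAlgorithm {
		case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1:
			out = append(out, Finding{subj, "ensure they are strong", "signed with " + c.SignatureAlgorithm.String()})
		}
		if !now.Before(c.NotAfter) {
			out = append(out, Finding{subj, "review them regularly", "expired " + c.NotAfter.UTC().Format("2006-01-02")})
		} else if c.NotAfter.Sub(now) < window {
			out = append(out, Finding{subj, "review them regularly", fmt.Sprintf("expires in %d days", int(c.NotAfter.Sub(now).Hours()/24))})
		}
		sum := sha256.Sum256(c.RawSubjectPublicKeyInfo) // key fingerprint, independent of the subject name
		fp := hex.EncodeToString(sum[:])
		byKey[fp] = append(byKey[fp], subj)
	}
	// A key reused across certificates means one compromise affects every listed subject.
	fps := make([]string, 0, len(byKey))
	for fp := range byKey {
		fps = append(fps, fp)
	}
	sort.Strings(fps) // deterministic report order
	for _, fp := range fps {
		if subs := byKey[fp]; len(subs) > 1 {
			out = append(out, Finding{subs[0], "do not duplicate them", fmt.Sprintf("key %s... also used by %v", fp[:12], subs[1:])})
		}
	}
	return out
}

// issue signs tmpl for pub with the demo CA key. The CA is a stand-in for the
// enterprise PKI the article describes (constructed for this example).
func issue(tmpl *x509.Certificate, pub any, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// DemoInventory builds a constructed inventory: one healthy service certificate,
// one with a deliberately undersized 1024-bit RSA key, one already expired, and
// two that share a single private key (the "batch" pair).
func DemoInventory(now time.Time) ([]*x509.Certificate, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Internal CA"},
		NotBefore: now.Add(-24 * time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	tmpl := func(serial int64, cn string, notAfter time.Time) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-24 * time.Hour), NotAfter: notAfter}
	}
	goodKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sharedKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	weakKey, err := rsa.GenerateKey(rand.Reader, 1024) // deliberately weak
	if err != nil {
		return nil, err
	}
	specs := []struct {
		t   *x509.Certificate
		pub any
	}{
		{tmpl(2, "api.example.internal", now.Add(400 * 24 * time.Hour)), &goodKey.PublicKey},
		{tmpl(3, "legacy.example.internal", now.Add(400 * 24 * time.Hour)), &weakKey.PublicKey},
		{tmpl(4, "batch.example.internal", now.Add(-3 * 24 * time.Hour)), &sharedKey.PublicKey},
		{tmpl(5, "batch-dr.example.internal", now.Add(20 * 24 * time.Hour)), &sharedKey.PublicKey},
	}
	var inv []*x509.Certificate
	for _, s := range specs {
		c, err := issue(s.t, s.pub, ca, caKey)
		if err != nil {
			return nil, err
		}
		inv = append(inv, c)
	}
	return inv, nil
}

func main() {
	now := time.Date(2024, 1, 15, 0, 0, 0, 0, time.UTC)
	inv, err := DemoInventory(now)
	if err != nil {
		panic(err)
	}
	for _, f := range AuditCerts(inv, now, 30*24*time.Hour) {
		fmt.Printf("%-28s %-24s %s\n", f.Subject, f.Control, f.Detail)
	}
}
```

Run against the constructed inventory, the audit reports four findings: the 1024-bit key on `legacy`, the expired `batch` certificate, the `batch-dr` certificate expiring inside the 30-day window, and the shared key behind the two `batch` certificates. In a real deployment the inventory would come from scanning hosts, load balancers and secret stores rather than being generated in memory, but the checks themselves do not change; the duplicate-key check in particular is only possible once certificates from different systems are compared in one place, which is the reason "know where they are" and "centrally control them" come before the other controls.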
More information on digital identities and different keys and certificates can be found in this education center.
About the author: Anastasios Arampatzis
Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience managing IT projects and evaluating cybersecurity. He was assigned to various key positions in national, NATO, and EU headquarters and honored by numerous high-ranking officers for his expertise and professionalism during his service – nominated as a certified NATO evaluator for information security.
Anastasios’ interests include, among others, cybersecurity policy and governance, ICS and IoT security, encryption, and certificates management. He explores the human side of cybersecurity – the psychology of security, public education, organizational training programs, and the effect of biases (cultural, heuristic, and cognitive) in applying cybersecurity policies and integrating technology into learning.
Currently, he works as a cybersecurity content writer for Bora Design.
(SecurityAffairs – hacking, machine identities)