
The Difference Between Human and Machine Identities

As digital transformation is advancing and automation is becoming an essential component of modern enterprises, collaboration between humans and machines is crucial.

With this level of interaction, a new identity problem is emerging as machines operate on behalf of humans.

Collaboration between humans and machines is a working reality today. Along with this comes the need for secure communication as machines operate increasingly on behalf of humans. While people need usernames and passwords to identify themselves, machines also need to identify themselves to one another. But instead of usernames and passwords, machines use keys and certificates that serve as machine identities so they can connect and communicate securely.


Machine identities are rapidly expanding

The root of this new identity problem is an increasingly complex computing environment. The shift from on-premises data centers to cloud-based applications and workloads has created an explosion in the number of machines being deployed on enterprise networks. These machines are expanding well beyond traditional devices and servers to include:

  • Virtual servers and devices
  • Mobile devices
  • IoT devices
  • Cloud instances
  • Software applications and services, including APIs and algorithms
  • Containers that run apps and services

Each of these machines requires an identity that must be managed throughout its lifecycle. When you look at the infinite number of scenarios involving a combination of humans and machines accessing resources across this complex environment, keeping track of all the different identities that represent a single individual performing an action is a huge challenge. To make matters worse, the attack surface connected with machine identities is expanding much faster than that of human identities.

The consequences of poor machine identity management

Despite the growing importance of machine identities, organizations seem to forget about them. Instead, they focus only on protecting human identities. It is true that cybercriminals are breaking into corporate networks by compromising weak human identities – passwords or other credentials. But poorly managed machine identities can also become a path for infiltrating networks and stealing data. For example, threat actors frequently hide attacks in encrypted traffic. They can also compromise or forge a machine identity that can fool other machines into handing over sensitive data.

Navigating this massive volume of machine identities is made even more difficult by the fact that machine identity lifecycles are shortening. For many enterprises the need is compounded by digital transformation initiatives such as cloud migration and expanding DevOps processes. When organizations fail to keep up with the volume and variety of machine identities they need, the consequences can be dire.

Outages caused by expired certificates are the most visible symptom of poor machine identity management, but there are many other ways machine identities may be compromised. SSH keys, which are used to secure cloud-based servers and other machines, have been easily breached by the rising tide of SSH malware. Meanwhile, cybercriminals can steal private code signing keys to cloak malicious binaries within software updates, which are then unknowingly pushed out to unsuspecting end users.

Given that machine identities are among the least understood and most weakly protected parts of enterprise networks, it should come as no surprise that cybercriminals are aggressively exploiting them. From Stuxnet to SolarWinds, attackers are increasingly abusing unprotected machine identities to launch a variety of attacks. In fact, over the past four years threats targeting weak machine identities have increased by 400%.

The disconnect in investing in machine identity management

Even though the impact of poorly managed machine identities is well documented in various studies, organizations are still investing almost solely in human identities. Why is there such a gap in allocated budgets for machine identities as opposed to human identities?

There are several factors that explain this disconnect:

  • Rapid changes in IT infrastructure due to the accelerated digital transformation of the past two years have dramatically increased the volume of machines on enterprise networks that need machine identities—a changing reality organizations are only beginning to confront.
  • The security and business risks connected with cryptographic keys and certificates serving as machine identities are poorly understood.
  • There has been a scarcity of concrete standards and guidelines that provide organizations with prescriptive advice on how to effectively protect machine identities in a consistent, measurable fashion.

Common controls for managing both forms of digital identities

Although human identities and machine identities differ in many ways, their management is guided by similar security principles. The list below provides an overview of the top security controls applicable to both human identities and machine identities.

  • Ensure they are strong
  • Keep them secret
  • If compromised, change them immediately
  • Know where they are
  • Centrally control them
  • Do not duplicate them
  • Remove access when use is terminated
  • Limit their usage
  • Review before issuing
  • Review them regularly
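
Several of these controls can be checked mechanically once machine identities are inventoried. The following is an added example, not part of the original article: it audits a constructed inventory (the hosts, fingerprints, field names and policy thresholds are all assumptions) for weak keys, approaching expiry, duplicated keys and identities whose owner is gone.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed inventory (hypothetical hosts and fingerprints), shaped like the
# export of a certificate / SSH-key discovery scan.
INVENTORY = [
    {"id": "web-01 tls", "alg": "RSA", "bits": 2048, "fp": "aa11", "not_after": "2030-01-01", "owner_active": True},
    {"id": "api-02 tls", "alg": "RSA", "bits": 1024, "fp": "bb22", "not_after": "2030-01-01", "owner_active": True},
    {"id": "batch-03 tls", "alg": "ECDSA", "bits": 256, "fp": "cc33", "not_after": "2024-07-20", "owner_active": True},
    {"id": "build-04 ssh", "alg": "ED25519", "bits": 256, "fp": "dd44", "not_after": None, "owner_active": True},
    {"id": "build-05 ssh", "alg": "ED25519", "bits": 256, "fp": "dd44", "not_after": None, "owner_active": True},
    {"id": "legacy-06 ssh", "alg": "DSA", "bits": 1024, "fp": "ee55", "not_after": None, "owner_active": False},
]
# Assumed policy: minimum key size per algorithm; unlisted algorithms are rejected.
MIN_BITS = {"RSA": 2048, "ECDSA": 256, "ED25519": 256}
RENEW_WINDOW = timedelta(days=30)  # assumed renewal lead time


def audit(inventory, now):
    """Return {identity id: [findings]} for identities that violate a control."""
    findings, by_fingerprint = defaultdict(list), defaultdict(list)
    for item in inventory:
        by_fingerprint[item["fp"]].append(item["id"])
        minimum = MIN_BITS.get(item["alg"])
        if minimum is None or item["bits"] < minimum:
            findings[item["id"]].append("weak-key")           # "Ensure they are strong"
        if item["not_after"]:                                 # plain SSH keys carry no expiry
            expiry = datetime.strptime(item["not_after"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
            if expiry <= now:
                findings[item["id"]].append("expired")
            elif expiry - now <= RENEW_WINDOW:
                findings[item["id"]].append("expiring-soon")  # "Review them regularly"
        if not item["owner_active"]:
            findings[item["id"]].append("orphaned")           # "Remove access when use is terminated"
    for ids in by_fingerprint.values():
        if len(ids) > 1:                                      # "Do not duplicate them"
            for identity in ids:
                findings[identity].append("duplicated-key")
    return dict(findings)


NOW = datetime(2024, 7, 15, tzinfo=timezone.utc)  # fixed date so the result is reproducible

if __name__ == "__main__":
    for identity, issues in audit(INVENTORY, NOW).items():
        print(f"{identity}: {', '.join(issues)}")
```
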

More information on digital identities and different keys and certificates can be found in this education center.

About the author: Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience managing IT projects and evaluating cybersecurity. He was assigned to various key positions in national, NATO, and EU headquarters and honored by numerous high-ranking officers for his expertise and professionalism during his service – nominated as a certified NATO evaluator for information security. 

Anastasios’ interests include, among others, cybersecurity policy and governance, ICS and IoT security, encryption, and certificates management. He explores the human side of cybersecurity – the psychology of security, public education, organizational training programs, and the effect of biases (cultural, heuristic, and cognitive) in applying cybersecurity policies and integrating technology into learning. 

Currently, he works as a cybersecurity content writer for Bora Design. 


Pierluigi Paganini

(SecurityAffairs – hacking, machinese)
