The machine identity crisis -- and what to do about it [Q&A]
Every single networked machine relies on an identity -- in the form of cryptographic keys or digital certificates -- so that it can identify itself and communicate with other machines securely.
In the wrong hands though machine identities can enable cybercriminals to appear trustworthy, slip past security defences undetected, gain access to networks, and exfiltrate data. Yet organizations still overlook the importance of protecting them.
We spoke to Kevin Bocek, VP security and threat intelligence at Venafi, to find out why this is such a serious issue and how it can be addressed.
BN: What are machine identities and what are they used for?
KB: Machine identities are for the digital world as human identities represent people. Machine identities are everywhere -- cloud, virtual machine, microservice, container, devices, website, and even AI algorithm -- and usage is growing at speed. Every single machine relies on an identity so that it can identify itself and communicate with other machines securely.
BN: What impact has DevOps and digitization had on usage of machine identities?
KB: DevOps and digital transformation mean that developers are leading innovation for business. Developers prioritize speed, agility, efficiency and economies of scale. Basically, today's business is all about software development whether we've realized it or not. And the only way to identify a software, cloud, digitally transformed business is with machine identities. This is quickly becoming more important than customer or workforce identity.
However, DevOps teams move fast and are not machine identity experts. Using machine identities, the wrong way or in error can create new vulnerabilities, threats, or even completely stop business with an outage. Consequently, organizations need a new approach to help them protect this wave of new machine identities that are an intrinsic part of DevOps projects.
BN: Why is there a machine identity crisis?
KB: The machine identity crisis comes from the increasing use of machines in our digital world which is driving unprecedented improvements in business efficiency, productivity, agility, and speed. With businesses increasing their reliance on machines, the number of machines on enterprise networks is growing exponentially. To communicate securely, each machine needs a unique identity to authenticate and secure communications. Cloud adoption has spawned a tidal wave of machines that are often created, changed, and destroyed in seconds.
This onslaught of machines is requiring that organizations protect evolving machine-to-machine communication, but most don't have the visibility or technology necessary to do this effectively. To make matters worse, the trends driving this complexity -- mobile, IoT, cloud, and DevOps -- are unique and cumulative complications and they all affect enterprise networks simultaneously. Given the exponential growth of machines and their increasingly transient nature, machine identity protection is already overwhelming IT and security teams. Organizations need a machine identity solution that is as dynamic as the trends that drive it. The only way organizations can solve these problems is with intelligent automation. Organizations must have complete visibility into every machine identity that touches their networks. They should be able to monitor these identities in real time to detect misuse and automatically patch any vulnerabilities discovered at machine speed and scale. This is the only way organizations can ensure the security of machine-to-machine communications.
BN: How poorly managed are machine identities by businesses and how can hackers exploit them?
KB: Managing machine identities and privileged access to business data as well as applications is a significant job that can have serious security ramifications if it's done irresponsibly. The explosion in public cloud, private cloud, mobile and IoT means that machines of all types vastly outnumber people. Like humans, machines need to authenticate their identity when communicating with each other, which they do using machine identities such as TLS digital certificates. Yet while organizations spend $10 billion a year protecting human identities, they spend far less on securing machine identities. Cybercriminals have become increasingly aware of this blind spot as businesses showcase a critical lack of protection due to being overlooked and misunderstood.
Compromised machine identities can have a significant security impact on organizations. Attackers can misuse machine identities to establish hidden or concealed encrypted communication tunnels on enterprise networks and gain privileged access to data and resources. Forged or stolen machine identities can allow an attacker's machine to masquerade as a legitimate machine and be trusted with sensitive data. This carries a huge economic cost: according to AIR Worldwide, improper protection of these identities has resulted in up to $72 billion in worldwide economic losses.
Security teams are still trying to manage machine identities using spreadsheets despite having hundreds of thousands in a single business. This inevitably leads to critical errors that make them an open goal for opportunistic attackers. In the wrong hands, poorly managed machine identities can be used to circumvent security controls, enable privileged access to networks and data, move laterally through systems undetected and insert backdoors into networks. Depending on the level of sophistication of the attack and attacker, this can continue for days or even months with huge ramifications for enterprises.
BN: What can businesses do to secure their machine identities? Has the SolarWinds hack impacted the long-term management of machine identities?
KB: Nearly a year after the SolarWinds attack, it continues to plague organizations as they're unaware of which software and access decisions to trust. Security executives need to drive proper machine identity management protection and get a grasp of where their machine identities are being used. Only by having complete visibility will they be able to automate their use safely.
Trying to address this problem manually is simply not viable. Only technology can keep up with the pace of securing the machine identities for the ever-growing number of IoT devices, so firms need to automate this process. This means having tools which can discover every identity on the network, monitor them and revoke and replace them if there's a security threat. Even with security standards in place, without automation it's a matter of when, not if, an IoT network falls victim to attack.