The real identity crisis: Why businesses must act on machine identities
Recent years have seen endless stories of human identity being exploited heavily in attacks. The malicious actors behind these attacks have compromised human identities (usernames, passwords and two-factor authentication) to steal valuable data from countless companies and individuals. The COVID-19 pandemic and the shift to remote work dramatically increased the risks connected with human identities, as people accessed corporate networks from many new locations and devices.
But while security departments have increased their investments in protecting human identities, many are still neglecting the risks connected with machine identities. Machines of all types, including hardware, software and containers, need unique identities in order to connect and communicate securely, yet most businesses have very limited security controls in place to protect them.
As businesses move to the cloud, the number of machines on enterprise networks is multiplying daily, at a rate much faster than the number of humans. And because machine identities provide broad access to systems and data, and because many companies are only just getting started protecting them, threat actors are taking note.
The disconnect between investment in human and machine identities
Machine identities enable secure connections between every part of the IT infrastructure, from IoT devices to software applications, APIs and containers.
Following the COVID pandemic and the increase in security threats stemming from digital transformation, companies worldwide have invested billions in Identity and Access Management for humans, such as biometrics and privileged access management. In fact, research found that 37 percent of companies have increased their investment in biometrics by 20-39 percent compared with the previous year, while 16 percent have increased spending by 40 percent or more. In comparison, very little investment goes towards protecting machine identities.
However, the digital transformation initiatives driven by the pandemic have also led to an explosion of machines across corporate networks, from physical and IoT devices to software and containers. Venafi research found that digital transformation is driving an average of 42 percent annual growth in the number of machine identities. The average company now has 250,000 machine identities running on its network; by 2024, that figure will stand at over 500,000, vastly outpacing the growth of human identities.
What are machine identities and why do threat actors want them?
Poorly protected machine identities present an opportunity for threat actors because they enable attackers to move laterally through systems, insert backdoors, escalate privileges and exfiltrate data unimpeded. Many of the largest and most serious security events, such as SolarWinds, Log4j and the recent Verifone outage, involved machine identities. In fact, over the last year more than half (57 percent) of organizations have experienced at least one data breach or security incident relating to compromised machine identities (including TLS certificates, SSH keys and code signing keys and certificates), according to Venafi research.
Security teams that were managing a few hundred machine identities just a few years ago are now trying to manage and protect hundreds of thousands of certificates without the visibility and automation required to protect them. Unplanned certificate expirations regularly affect high-profile companies such as Microsoft and Spotify, taking crucial services offline for hours. The same research shows that 83 percent of organizations suffered a machine identity related outage during the last 12 months, and over a quarter (26 percent) say critical systems were impacted.
Fixing the disconnect with machine identity management
Unfortunately, these issues will continue to get worse until organizations get to grips with machine identity management. As the number of machine identities continues to grow, manual tracking becomes impossible. This is why companies must deploy intelligent automation to ensure every machine has a unique identity that is inventoried, managed and secure.
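The outages described above, and the visibility problem behind them, come down to not knowing which certificates exist and when they expire. The following Go program is an added example, not code from the article or from Venafi: it builds a small certificate inventory, classifies every certificate against a renewal window, and sorts the result so the ones closest to expiry surface first. The three certificates are constructed in-memory for the example (self-signed, with hypothetical names such as api.example.internal); a real deployment would feed in PEM files collected from hosts, load balancers and container images instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// ExpiryStatus classifies a certificate relative to a renewal window.
type ExpiryStatus string

const (
	StatusExpired  ExpiryStatus = "EXPIRED"   // NotAfter is already in the past
	StatusRenewNow ExpiryStatus = "RENEW_NOW" // expires inside the warning window
	StatusOK       ExpiryStatus = "OK"        // outside the window
)

// Report is one row of the inventory output.
type Report struct {
	Subject  string
	NotAfter time.Time
	DaysLeft int // negative once expired
	Status   ExpiryStatus
}

// ClassifyExpiry returns the status and whole days remaining for cert at time now,
// using warn (for example 30 days) as the renewal window.
func ClassifyExpiry(cert *x509.Certificate, now time.Time, warn time.Duration) (ExpiryStatus, int) {
	remaining := cert.NotAfter.Sub(now)
	days := int(remaining.Hours() / 24)
	switch {
	case remaining <= 0:
		return StatusExpired, days
	case remaining <= warn:
		return StatusRenewNow, days
	default:
		return StatusOK, days
	}
}

// ParsePEMCert decodes the first CERTIFICATE block in a PEM buffer.
func ParsePEMCert(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// ScanInventory parses every PEM certificate, classifies it and returns the
// reports sorted so the soonest-expiring (or already expired) come first.
func ScanInventory(pems [][]byte, now time.Time, warn time.Duration) ([]Report, error) {
	var out []Report
	for _, p := range pems {
		c, err := ParsePEMCert(p)
		if err != nil {
			return nil, err
		}
		st, days := ClassifyExpiry(c, now, warn)
		out = append(out, Report{Subject: c.Subject.CommonName, NotAfter: c.NotAfter, DaysLeft: days, Status: st})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].DaysLeft < out[j].DaysLeft })
	return out, nil
}

// NewSelfSignedPEM creates a constructed, self-signed test certificate so the
// example runs offline; it stands in for certificates collected from real systems.
func NewSelfSignedPEM(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Fixed "now" so the day counts are deterministic (hypothetical date).
	now := time.Date(2024, 1, 15, 0, 0, 0, 0, time.UTC)
	day := 24 * time.Hour
	var pems [][]byte
	for _, c := range []struct {
		cn         string
		start, end time.Time
	}{
		{"api.example.internal", now.Add(-1 * day), now.Add(90 * day)},  // healthy
		{"build-signer.example.internal", now.Add(-355 * day), now.Add(10 * day)}, // inside window
		{"legacy-db.example.internal", now.Add(-400 * day), now.Add(-5 * day)},    // already expired
	} {
		p, err := NewSelfSignedPEM(c.cn, c.start, c.end)
		if err != nil {
			panic(err)
		}
		pems = append(pems, p)
	}
	reports, err := ScanInventory(pems, now, 30*day)
	if err != nil {
		panic(err)
	}
	for _, r := range reports {
		fmt.Printf("%-10s %5d days  %s  (expires %s)\n", r.Status, r.DaysLeft, r.Subject, r.NotAfter.Format(time.RFC3339))
	}
}
```

The renewal window is the policy knob: a 30-day window gives an automated renewal job time to reissue and redeploy before the outage, and the sorted report is what an alerting rule would consume. Running the same scan on a schedule, against certificates harvested from every host and workload, is the minimum visibility the article argues most organizations currently lack.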
Companies must focus attention on ensuring both human and machine identities are protected; concentrating on one is not enough. Just as importantly, our definition of identity needs to change radically: identity must be treated as a security control in its own right. Without investment in effective machine identity management, efforts to control security risks will go to waste, because businesses will remain vulnerable to attacks. With the machine identity environment only increasing in complexity, companies must act now to prevent catastrophic outages and breaches down the line.
Kevin Bocek is VP Security Strategy & Threat Intelligence at Venafi.