Why machine identities are crucial to zero trust strategies

The days when businesses operated within a defined perimeter that could be neatly protected by a firewall are long gone. Today’s enterprises are dynamic. In the era of cloud native, infrastructure is completely distributed -- from the traditional datacenter to multicloud instances, from physical servers and VMs to microservice-based applications and containerized workloads.

This change in how businesses operate necessitates a shift in how we defend. The old adage of "Trust but verify" has been replaced by, "authenticate everything all the time," otherwise known as "zero trust". Zero trust dictates that security teams must focus on each of the connection points on the network -- from the datacenter to the cloud to the endpoint, every connection must be verified and authenticated.

This puts identity at the heart of any zero trust strategy. But identity and access management has to extend beyond the different mechanisms that help us to identify and authenticate humans -- such as passwords, biometrics, and multifactor authentication. When designing zero trust strategies, it’s important to consider the other actors on the network: the machines.

The role of identity on a zero trust world

Recent research shows 94 percent of CXOs are in the process of implementing a zero trust strategy, while 77 percent of CXOs are increasing their investment in zero trust over the next 12 months -- with 99 percent of organizations saying identity is important or business critical to their overall zero trust security strategy.

If an enterprise lacks the ability to determine whether an identity is legitimate, they have no way of ensuring that zero trust will work. Yet very few have been successful in implementing this strategy across their entire infrastructure because of the speed and complexity of machine-driven cloud native development environments.

Consider for a moment, the modern enterprise. Machines such as Kubernetes clusters, virtual machines, containers, cloud instances, meshes, microservices, algorithms, APIs, AI and machine learning, all communicate and connect with one another to power business innovation at tremendous speed. Many operate independently, connecting back and forth with other machines without human intervention.

The more machines can do, the more we rely on them to power business strategy. As a result, the number of machines has skyrocketed, and machine identities now outnumber human identities by 45 to 1. That number continues to soar as new technologies enter the business landscape. Each of these connections and machines needs an identity to communicate securely. And each of these identities presents an opportunity for adversaries to infiltrate a business by abusing poor machine identity management practices. From SolarWinds to NVIDIA, we’ve seen countless examples of attackers ‘shifting left’ to target highly machine-driven cloud native development environments - making machine identities increasingly hot commodities.

Bringing machine identity management into your IAM strategy

Resultingly, Gartner says that managing machine identities is a key factor that will impact IAM planning going forward and that organizations must evolve to fully support these machine identities, not treat them as exceptions. Therefore, any comprehensive zero trust strategy must include the management of machine identities across all environments. However, maturity in machine identity management falls far behind that of human identity management. In part, this is due to a lack of knowledge and understanding.

Machines and people are not the same. They act differently, they do different tasks, and have different types of identities that authenticate who they are -- they cannot be managed in the same way so existing human user-specific strategies don’t apply. Recognizing these differences and building a holistic identity strategy that encompasses both machine and human identities is key to a successful zero trust approach.

This is particularly true in hybrid and multicloud environments. IAM strategies need deeper support for machines early in the development life cycle, and more well-defined integrations with API ecosystem(s). When looking at cloud native environments in particular, some machines only live for minutes, some just seconds. And as the number of machines skyrockets, protecting their identities throughout their lifecycle -- from issuance to revocation -- is becoming more challenging.

The need for a control plane

The good news is that awareness of the importance of managing and protecting machine identities is growing. Many organizations are planning to implement a zero trust model in ways that suggest that they know the importance of encompassing machines into identity strategies. However, understanding how crucial machine identity management is to zero trust is one thing, but having the knowledge and tooling to manage and protect machine identities is another.

It’s important for organizations to recognize that machine identities cannot be managed manually due to their sheer volume, and the speed at which identities must be created and revoked. Having a control plane which automates the management of machine identities throughout their lifecycle is therefore essential. This control plane provides the observability, consistency, and reliability needed to support a zero trust architecture, while also reducing the complexity that is occurring from digital modernization. By automating the management of machine identities, organizations can embed zero trust principles across their entire ecosystem and close the gaps in their IAM strategies. This will ensure that both actors on the network are protected, authenticated and can be trusted. Without it, any zero trust strategy will be deeply flawed.

Image credit: Olivier26/depositphotos.com

Kevin Bocek is VP, Ecosystem & Community at Venafi.