Each networked machine relies on an identity, in the form of cryptographic keys or digital certificates, so that it can identify itself and communicate with other machines in a secure way.
In the wrong hands, though, machine identities can allow cybercriminals to appear trustworthy, bypass security defenses undetected, gain access to networks, and exfiltrate data. Yet organizations still overlook the importance of protecting them.
We spoke with Kevin Bocek, Vice President of Security and Threat Intelligence at Venafi, to find out why this is such a serious problem and how it can be addressed.
BN: What are machine identities and what are they for?
KB: Machine identities are for the digital world, since human identities represent people. Machine identities are everywhere – cloud, virtual machine, microservice, container, devices, website, and even artificial intelligence algorithms – and usage is growing rapidly. Each machine is based on an identity so that it can identify itself and communicate with other machines in a secure way.
BN: What impact have DevOps and digitization had on the use of machine identities?
KB: DevOps and digital transformation mean that developers lead innovation for businesses. Developers prioritize speed, agility, efficiency, and economies of scale. Basically today’s business is all about software development, whether we realize it or not. And the only way to identify a digitally transformed, cloud-based, software company is with machine identities. This is fast becoming more important than customer or workforce identity.
However, DevOps teams move fast and are not experts in machine identity. Using machine identities incorrectly or by mistake can create new vulnerabilities, threats, or even bring your business to a complete halt with an outage. Consequently, organizations need a new approach to help protect this wave of new machine identities that are an intrinsic part of DevOps projects.
BN: Why is there a machine identity crisis?
KB: The machine identity crisis stems from the increasing use of machines in our digital world, which is driving unprecedented improvements in business efficiency, productivity, agility and speed. With companies increasing their dependence on machines, the number of machines on business networks is growing exponentially. To communicate securely, each machine needs a unique identity to authenticate and protect communications. The adoption of the cloud has spawned a wave of machines that are often created, changed, and destroyed in seconds.
This onslaught of machines requires organizations to protect evolving machine-to-machine communication, but most do not have the visibility or technology to do so effectively. To make matters worse, the trends driving this complexity – mobile, IoT, cloud, and DevOps – are unique and cumulative complications, all impacting business networks simultaneously. Given the exponential growth of machines and their increasingly transient nature, protecting machine identity is already overwhelming IT and security teams. Organizations need a machine identity solution that is as dynamic as the trends that drive it. The only way that organizations can solve these problems is with intelligent automation. Organizations must have complete visibility into every machine identity that touches their networks. They should be able to monitor these identities in real time to detect misuse and automatically patch any discovered vulnerabilities at machine speed and scale. This is the only way that organizations can ensure the security of machine-to-machine communications.
BN: How poorly managed are machine identities by companies and how can hackers exploit them?
KB: Managing machine identities and privileged access to business data, as well as applications, is important work that can have serious security ramifications if done irresponsibly. The explosion of the public cloud, the private cloud, mobile devices, and the IoT means that machines of all kinds far outnumber people. Like humans, machines need to authenticate their identity when communicating with each other, which they do using machine identities such as TLS digital certificates. However, while organizations spend $10 billion a year protecting human identities, they spend much less protecting machine identities. Cybercriminals have become increasingly aware of this blind spot as companies show a critical lack of protection due to being overlooked and misunderstood.
Compromised machine identities can have a significant security impact on organizations. Attackers can misuse machine identities to establish hidden or encrypted communication tunnels on corporate networks and gain privileged access to data and resources. Forged or stolen machine identities can allow an attacker’s machine to impersonate a legitimate machine and be trusted with confidential information. This comes at a huge financial cost: According to AIR Worldwide, inadequate protection of these identities has resulted in up to $72 billion in global economic losses.
Security teams are still trying to manage machine identities using spreadsheets despite having hundreds of thousands in a single company. This inevitably leads to critical errors that make them an open target for opportunistic attackers. In the wrong hands, mismanaged machine identities can be used to bypass security controls, allow privileged access to networks and data, move laterally through systems undetected, and insert back doors into networks. Depending on the level of sophistication of the attack and the attacker, this can continue for days or even months with huge ramifications for businesses.
BN: What can companies do to protect the identities of their machines? Has the SolarWinds hack affected the long-term management of machine identities?
KB: Almost a year after the SolarWinds attack, it continues to affect organizations as they don’t know which software and access decisions to trust. Security executives must drive proper machine identity management protection and understand where their machine identities are being used. Only by having complete visibility will they be able to automate their use safely.
Trying to address this problem manually is simply not feasible. Only technology can keep up with protecting machine identities for the growing number of IoT devices, so companies must automate this process. This means having tools that can discover all identities on the network, monitor and revoke them, and replace them if there is a security threat. Even with security standards in place, without automation it is a question of when, not if, an IoT network is attacked.