A lot of companies have implemented data leakage protection (DLP) solutions that are designed to protect against the leakage of personal (human) information. For example, most DLP solutions are optimized to protect personally identifiable information (PII) and classified or business-critical information shared (un)intentionally by employees. These products also ship with many default templates that help customers comply with all kinds of regulations, such as PCI or HIPAA, that are designed to protect personal information.
But what many organizations fail to consider is that most DLP products also include the ability to recognize the leakage of machine identities, such as private keys. In many ways, these machine identities are just as valuable as (and arguably more valuable than) human identities.
Machine identities secure the private communications between machines as well as between humans and machines. If cyber criminals gain access to machine identities, they can create covert channels that allow them to exfiltrate data under the cover of encryption. And while these encrypted tunnels are indeed nefarious, they use bona fide machine identities, so they will appear to be legitimate.
That is why it is critical that organizations extend their DLP capabilities to include monitoring of machine identities. But the sad reality is that, in a lot of cases, organizations do not treat the leakage of machine identities as part of their DLP policy.
The fact that most organizations do not prioritize machine identities as part of their DLP efforts confirms a suspicion that I have long harbored: that machine identities are not on the radar of the people who are protecting key assets. This general ignorance begs the question, “why aren’t the keys to the crown jewels better protected?” In other words, why would organizations pay so much attention to preventing the unauthorized flow of personal data out of the enterprise, yet so little attention to protecting the machine identities that would allow attackers to disguise the illicit flow of that privileged personal data?
Ironically, one of the best ways to protect human identities is by protecting machine identities. Indeed, once an underlying machine is compromised, cyber criminals may (in most cases) gain access to the critical personal data it contains. Once this data is accessible, the attackers will find a way to hide it in all kinds of (encrypted) protocols and exfiltrate it from the network, as we have seen recently. And, as I mentioned above, they will often misuse machine identities to do so.
Given the significant role that machine identities play in protecting data that resides on machines, my advice to organizations would be to check whether machine identities are a significant part of their DLP policies.
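One concrete way to make that check is to run a private-key content-inspection rule over the kind of traffic a DLP policy sees. The following is an added example written for this post, not code from any DLP product: it flags PEM private key blocks (including legacy OpenSSL and PKCS#8 encrypted forms), ignores certificates and public keys, and drops blocks whose body is not decodable key material so that documentation snippets do not produce false positives. The sample e-mail body, the key bytes and the `build_pem` helper are constructed for the example; the key blocks are dummy bytes, not real keys.

```python
import base64
import re
import textwrap

# Any PEM block whose label ends in "PRIVATE KEY" (RSA, EC, OPENSSH, PKCS#8 plain
# or ENCRYPTED). Certificates and public keys are not secrets and are not matched.
PEM_PRIVATE_KEY = re.compile(
    r"-----BEGIN (?P<label>(?:[A-Z0-9]+ )*PRIVATE KEY)-----\r?\n(?P<body>.*?)"
    r"-----END (?P=label)-----", re.DOTALL)
MIN_KEY_BYTES = 64  # shorter blocks are test strings or doc snippets, not keys

def find_private_key_leaks(text, min_bytes=MIN_KEY_BYTES):
    """Return one finding per well-formed private key block found in text."""
    findings = []
    for m in PEM_PRIVATE_KEY.finditer(text):
        lines = m.group("body").splitlines()
        # Legacy OpenSSL encryption is signalled by "Proc-Type: 4,ENCRYPTED";
        # header lines contain ':' which never appears in base64.
        headers = [l for l in lines if ":" in l]
        b64 = "".join(l.strip() for l in lines if ":" not in l)
        try:
            raw = base64.b64decode(b64, validate=True)
        except ValueError:
            continue  # header present but no decodable key material
        if len(raw) < min_bytes:
            continue
        encrypted = m.group("label").startswith("ENCRYPTED") or any(
            h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers)
        findings.append({
            "line": text.count("\n", 0, m.start()) + 1, "label": m.group("label"),
            "encrypted": encrypted, "der_bytes": len(raw),
            "severity": "medium" if encrypted else "high"})  # plaintext key is directly usable
    return findings

def build_pem(label, data, headers=()):
    """Constructed PEM block around dummy bytes (not a real key)."""
    body = "\n".join(textwrap.wrap(base64.b64encode(data).decode(), 64))
    head = "".join(h + "\n" for h in headers) + ("\n" if headers else "")
    return f"-----BEGIN {label}-----\n{head}{body}\n-----END {label}-----"

# Constructed outbound e-mail: a public certificate (must not fire), an
# unencrypted RSA key and a legacy-encrypted RSA key.
SAMPLE_MESSAGE = "\n".join([
    "Here are the cert and key for the staging load balancer:",
    build_pem("CERTIFICATE", bytes(range(256))),
    build_pem("RSA PRIVATE KEY", bytes(200)),
    build_pem("RSA PRIVATE KEY", bytes(200), ["Proc-Type: 4,ENCRYPTED",
              "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF"]),
    "Thanks!"])
```

Calling `find_private_key_leaks(SAMPLE_MESSAGE)` returns two findings, the certificate is ignored, and the unencrypted key is rated higher than the password-protected one because it is usable as-is by whoever receives it.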
After all, what is the value in trying to protect user data leaving the network, if you don’t protect the identity of the machines on which the data resides?