A new report finds that machine identities now outnumber human identities by 45 to 1 on average, and that this growth has created a buildup of identity-related cybersecurity “debt.” Underscoring the point, 79% of the professionals surveyed agree that security has taken a back seat to IT priorities, especially when digital initiatives are funded.
The build-up of cybersecurity debt
The expansion of digital initiatives has created an explosion of human and machine identities, often tallying hundreds of thousands per organization. “This has driven a buildup of identity-related cybersecurity ‘debt,’” according to the report from CyberArk based on a survey of 1,750 IT security decision makers.
“Every major IT or digital initiative results in increasing interactions between people, applications and processes, creating large numbers of digital identities. If these digital identities go unmanaged and unsecured, they can represent significant cybersecurity risk…
“Identities are a prime attack vector and waiting to apply security controls after an attack is not a responsible security policy.”
--CyberArk 2022 Identity Security Threat Landscape Report, April 2022
Machine identities now outnumber human identities by 45x
The debt described in the report represents the future cost of addressing security vulnerabilities that accumulated but were not “paid down” as new systems and applications were deployed, CyberArk said.
“A significant source of this cybersecurity debt stems from failure to protect sensitive assets and data from unauthorized access as identities are created en masse and proliferate unchecked across the entire IT environment,” the report said.
CyberArk says that causes of the debt include:
- Machine identities now outnumber human identities by a factor of 45 on average.
- 68% of non-human identities (bots) have access to sensitive data and assets.
- The average staff member has more than 30 digital identities.
- 87% store secrets in multiple places across DevOps environments, while 80% say developers typically have more privileges than necessary for their roles.
DevOps, CI/CD are problems
Identity security shortcuts are rampant in DevOps, CI/CD (continuous integration and continuous delivery) and other development environments, adding to the debt, according to CyberArk:
- 87% reported that secrets are stored in multiple places across DevOps environments.
- Half of respondents said application credential security is left up to developers, who typically prioritize speed and collaboration over security.
- 80% agreed that developers have more privileges than they need.
It’s unanimous: Zero Trust is essential
There is nearly unanimous agreement that the Zero Trust model (“trust nothing; verify everything”) is essential for strong defense-in-depth controls and is the best path forward, the report said.
“In examining organizations’ current position along the Zero Trust maturity curve, the survey found nearly 100% were doing something to establish Zero Trust principles,” according to CyberArk.
The 2022 attack surface
Digital transformation and cloud migration are expanding the attack surface.
Credential access was the top area of risk for respondents (cited by 40%), followed by defense evasion (31%), execution (31%), initial access (29%) and privilege escalation (27%), according to the report; these categories correspond to MITRE ATT&CK tactics.
Over 70% of the organizations surveyed experienced ransomware attacks in the past year, two per organization on average.
Sixty-two percent have done nothing to secure their software supply chain since the SolarWinds attack, and most (64%) admit that a compromise of a software supplier would mean an attack on their organization could not be stopped, CyberArk said.
How to protect machine identities: Venafi's guidance
The following is guidance from Venafi, separate from the report:
Many organizations have tried, in vain, to manage the rising number of machine identities manually. Manual techniques tend to produce siloed procedures, errors and security gaps, leaving the organization without visibility into how many machine identities it has, what state they are in, or who owns them.
A solid machine identity management strategy should invest in a solution that gives the organization and its security teams clear visibility of every deployed machine identity, establishes ownership and governance, protects the associated cryptographic keys, and automates distribution and rotation.
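To make the visibility, ownership and rotation points concrete, here is an added example (not code from the report, from CyberArk or from Venafi) of the kind of audit such a strategy has to run continuously: an inventory of TLS machine identities, each tagged with a responsible owner, checked against a minimal policy. The service names, owners, validity periods, the fixed reference date and the 30-day rotation window are all assumptions for the example; the certificates are minted self-signed in memory so the program runs offline, where a real inventory would be gathered from endpoints, load balancers and secret stores.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Now is a fixed reference time so the audit is deterministic (assumed value).
var Now = time.Date(2022, 4, 15, 0, 0, 0, 0, time.UTC)

// MachineIdentity pairs a TLS certificate with the governance metadata
// (a responsible owner) that the certificate itself does not carry.
type MachineIdentity struct {
	Name  string
	Owner string // owning team; empty means nobody is accountable for it
	Cert  *x509.Certificate
}

// Audit applies a minimal policy and returns, per identity name, the
// reasons it needs attention: no recorded owner, already expired,
// expiring inside the rotation window, or an RSA key below 2048 bits.
func Audit(inv []MachineIdentity, now time.Time, window time.Duration) map[string][]string {
	findings := map[string][]string{}
	for _, id := range inv {
		var r []string
		if id.Owner == "" {
			r = append(r, "no owner recorded")
		}
		switch {
		case now.After(id.Cert.NotAfter):
			r = append(r, "expired")
		case id.Cert.NotAfter.Sub(now) < window:
			r = append(r, "expires within rotation window")
		}
		if k, ok := id.Cert.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < 2048 {
			r = append(r, "RSA key shorter than 2048 bits")
		}
		if len(r) > 0 {
			findings[id.Name] = r
		}
	}
	return findings
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

var serial int64

// selfSigned mints a throwaway self-signed certificate for the sample
// inventory; a real inventory would be read from endpoints or a store.
func selfSigned(cn string, notBefore, notAfter time.Time, key crypto.Signer) *x509.Certificate {
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key))
	return must(x509.ParseCertificate(der))
}

// SampleInventory is constructed data: four hypothetical services whose
// names, owners and validity periods are assumptions for the example.
func SampleInventory() []MachineIdentity {
	day := 24 * time.Hour
	ec := func() crypto.Signer { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	weakRSA := must(rsa.GenerateKey(rand.Reader, 1024)) // deliberately below policy
	return []MachineIdentity{
		{"api.internal", "platform-team", selfSigned("api.internal", Now.Add(-30*day), Now.Add(365*day), ec())},
		{"legacy-batch", "", selfSigned("legacy-batch", Now.Add(-400*day), Now.Add(200*day), weakRSA)},
		{"payments-gw", "payments", selfSigned("payments-gw", Now.Add(-355*day), Now.Add(10*day), ec())},
		{"old-vpn", "netops", selfSigned("old-vpn", Now.Add(-370*day), Now.Add(-5*day), ec())},
	}
}

func main() {
	for name, reasons := range Audit(SampleInventory(), Now, 30*24*time.Hour) {
		fmt.Printf("%-14s %v\n", name, reasons)
	}
}
```

Run against the constructed inventory, the audit leaves `api.internal` alone and flags the other three: the unowned batch job with its 1024-bit RSA key, the payments gateway that will expire inside the rotation window, and the VPN certificate that has already lapsed. The owner check is the part no certificate parser gives you for free; the inventory has to record it, which is exactly the governance gap manual management tends to leave open.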
Venafi Trust Protection Platform is a comprehensive solution for managing all TLS, SSH and code signing machine identities. This platform can manage and protect machine identities across teams and departments in on-premises, cloud, cloud-native, multi-cloud, and hybrid environments.
Do you have any zero trust gaps in your machine identity management strategy?