Over the coming months Department of Defense (DoD) agencies will be actively working towards aggressive deadlines for migrating to a publicly trusted public key infrastructure (PKI) for all publicly facing websites. The result will be a laudable all-HTTPS environment. However, that environment will rely on vast populations of short-lived certificates, or machine identities, to maintain security. All of these unique machine identities will need to be carefully managed and secured against expiry or misuse. Will DoD agencies be prepared to protect these new machine identities as well as they protect the identities of the people who access them? Let’s take a closer look at what that would entail.
With two kinds of actors on every network—people and machines—Federal agencies must definitively identify, authenticate, and secure every one of them in order to authorize proper access. While people rely on usernames, passwords, smart cards, and biometrics to access machines, the machines, in turn, use keys and certificates as identification for machine-to-machine authentication. Billions are spent each year on ICAM/IdAM solutions in both the public and private sectors, but virtually all of it is dedicated to securing human access, while machine identities remain unmanaged, or at best under-managed.
Technology modernization efforts are forcing machines to take a more central role in agency operations and decision making, across cloud workloads, virtualization, Fast IT and containerization, mobility, and IoT. With faster processing and artificial intelligence, machines are doing work that was traditionally performed by humans. Like humans, machines must be authenticated, and their access controlled.
Most federal agencies are challenged to produce a complete inventory of their machine identities, such as X.509 certificates, and SSH keys. If an attacker compromises a machine identity, they can impersonate the system to which the identity is assigned, enabling unauthorized access and the ability to eavesdrop and pivot through networks undetected. Inadequate management of machine identities further results in poor crypto-agility, reducing agencies’ ability to rapidly change machine identities in response to a security event, such as a Certificate Authority (CA) compromise, vulnerable algorithm (e.g., SHA-1), or cryptographic library bug (e.g., Debian or Infineon). The mismanagement of machine identities is evidenced by the ongoing outages that occur when certificates assigned to machines expire.
While traditional centralized identity management systems maintain an inventory of human identities with extensive access controls, most federal agencies lack the same type of control systems for machine identities, leaving them without a comprehensive picture of machine identity concerns such as validation of the certificate authorities (CAs) used in their environments, locations where certificates are deployed, policy control of encryption standards, and human accountability. Without this visibility, when a cryptographic issue is detected, agencies are left scrambling to find the responsible parties for all affected certificates and keys.
Existing National Institute of Standards and Technology (NIST) guidelines can be leveraged to provide parameters for machine identity management and security. NIST includes certificates and keys used by machines as authenticators in SP 800-53 control IA-5, Authenticator Management. In the ITL Bulletin for July 2012, NIST explains the risks of CA compromise and best practices for preparing and responding. Risks and best practices related to SSH keys are detailed in NISTIR 7966.
Machine identities play an increasingly critical role in federal agency operations. As the DoD moves to a publicly trusted public key infrastructure, is your agency ready to minimize the risks posed by poor machine identity management? Contact us to discuss the importance of including machine identities in the overall ICAM/IdAM security strategy and policy development.