Earlier this month, the White House released the new US National Cybersecurity Strategy. In the introduction, President Biden outlines the primary aim of the strategy, “to better secure cyberspace and ensure the US is in the strongest possible position to realize all the benefits and potential of our digital future.” To accomplish the goal of making US cyberspace defensible and resilient, while staying aligned to the nation's core values, this new strategy makes some fairly significant departures from previous approaches: namely getting more proactive in cybersecurity defense tactics and establishing liability for breakdowns in cybersecurity, especially calling out ransomware and supply chain software vulnerabilities.
This new strategy represents another huge step forward in cybersecurity across federal and private sector organizations. “A national cyber strategy is overdue and it’s very welcome to see White House leadership talking about cybersecurity as a fundamental risk to freedom and order in the world this century,” said Kevin Bocek, VP of Security Strategy and Threat Intelligence at Venafi.
Although machine identities are not called out by name in the strategy, there are several key focus areas where machine identity management will play an integral role in helping organizations achieve the strategy’s desired outcomes. Specifically mentioned are items where machine identity management can make a significant impact: ransomware, strong encryption, verifiable digital identities, quantum-resistant cryptography, software supply chains and modernization.
Below, I’ve briefly outlined the areas of the strategy that most specifically relate to machine identity management and where they fit in the five basic pillars of the strategy. And I’ve added some thoughts on how machine identity management can help organizations achieve the strategy’s desired outcomes.
Building a secure foundation for digital identities
Pillar Four: Invest in a Resilient Future looks for ways to incentivize long-term investments to reduce systemic technical vulnerabilities, bolster security resilience, and foster a robust cyber workforce. Secure digital identity is a fundamental cornerstone of digital economies. Without secure digital identity, it is much more difficult to establish trust for conducting sensitive transactions online.
This fundamental security tenet places machine identities—such as TLS certificates, code signing certificates and SSH keys—at the foundation of modern security. Machine identities free the principles of security from a perimeter-based approach and take protection down to the fundamental level of individual connections and communications between machines.
This is especially true in modern infrastructures, which are completely distributed—from the traditional data center to multicloud instances, from physical servers and VMs to microservices-based applications and containerized workloads.
According to Bocek, “building in security, such as securing the identity of customers or machines, is our only path to success and the future.” He continues, “Engineers decide the success of business and are also the ones who can threaten not only their business but others. This change will not happen by just the new directive, but the good news is that leading businesses have recognized this need already."
Today’s identity and access management strategies must include significant protection for machine identities.
Deepen the impact of zero trust architectures
Pillar One: Defend Critical Infrastructure calls out zero trust as a necessary component of modernizing cybersecurity for Federal IT and OT infrastructure. In essence, zero trust shifts the focus of security from the perimeter to each individual connection point, placing the burden of authentication on the machine rather than the network.
The concept of identity is central to the success of zero trust models. Anything that accesses any part of the network has an identity—and this identity must be authenticated and trusted. If an organization lacks the ability to determine whether an identity is legitimate, it has no way of ensuring that zero trust will work.
As an access control system based on identity rather than network location, a zero trust system first needs to give digital identities to the people and devices in the network; at runtime it then combines those identified people and devices to construct the access subjects on which access decisions are made.
Machine identity management helps organizations enforce zero trust at a transactional level, rather than using wider, traditional methods.
Fight back against ransomware attacks
Pillar Two: Disrupt and Dismantle Threat Actors calls out ransomware multiple times, zeroing in on it in Strategic Objective 2.5: Counter Cybercrime, Defeat Ransomware. Naming cybercrime and ransomware as the nation’s main targets, the objective recommends new prevention techniques and promotes instantaneous information sharing about threats and victims among all sectors, national and global.
This objective represents a radical shift from previous approaches in that it recommends going on the offensive to combat cybercrime. For the first time, we have a strategy document that says we aren't just going to defend, we're going to disrupt and dismantle threat actors.
Bocek warns that organizations need to put skin in the game, “We can’t fool ourselves. It’s still the role of businesses to protect themselves and their customers. This can’t be offloaded and ultimately, there is no defense force or police that will save businesses from cyber-attacks. This is a reality that the leaders in government must understand.”
This means that organizations will have to take more initiative to expand their defenses against ransomware. For example, most organizations do very little to protect their internal software against attack. Protecting deeper ransomware vectors, like macros and scripts, is largely ignored in cybersecurity strategies. A Venafi survey found that only 21% restrict macros and 18% restrict PowerShell scripts.
Code signing internal software is an important element of limiting the access of cybercriminals to valuable corporate assets that could be held for ransom.
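As an added example (not code from the original post or from Venafi), the PowerShell audit below checks whether the host actually enforces script signing and lists internal scripts that lack a valid signature from the expected signer; the script root path and the signer subject string are assumed placeholders.

```powershell
# Added example, not from the original post: audit internal PowerShell scripts
# for missing or invalid Authenticode signatures and report whether the
# execution policy enforces signing at all.
param(
    [string]$ScriptRoot = 'C:\InternalScripts',                          # assumed path
    [string]$TrustedSignerPattern = 'CN=Example Internal Code Signing'   # assumed subject
)

# 1. Is signing enforced? AllSigned requires every script to carry a valid
#    signature; RemoteSigned only covers scripts marked as downloaded.
$policy = Get-ExecutionPolicy -Scope LocalMachine
if ($policy -ne 'AllSigned') {
    Write-Warning ("LocalMachine execution policy is '$policy'; unsigned internal scripts will run. " +
                   "To enforce signing: Set-ExecutionPolicy AllSigned -Scope LocalMachine")
}

# 2. Inspect every script and module file under the root.
$findings = Get-ChildItem -Path $ScriptRoot -Recurse -Include *.ps1, *.psm1 -File |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            File          = $_.FullName
            Status        = $sig.Status        # Valid, NotSigned, HashMismatch, ...
            Signer        = $signer
            Expires       = $sig.SignerCertificate.NotAfter
            # A Valid signature from an unexpected issuer still fails internal policy.
            TrustedSigner = ($sig.Status -eq 'Valid') -and ($signer -like "*$TrustedSignerPattern*")
        }
    }

# 3. Report: anything not signed by the expected internal certificate is an
#    uncontrolled script that could be modified or replaced without detection.
$findings | Where-Object { -not $_.TrustedSigner } |
    Sort-Object Status | Format-Table File, Status, Signer, Expires -AutoSize

'{0} of {1} scripts carry a valid signature from the trusted internal signer.' -f `
    @($findings | Where-Object TrustedSigner).Count, @($findings).Count
```

Run it from an elevated session so the LocalMachine execution policy can be read; a HashMismatch status on a previously signed script is the finding that deserves the fastest follow-up.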
Protect the software supply chain or accept liability for lapses
Pillar Three: Shape Market Forces to Drive Security and Resilience highlights the liability of software organizations to take responsibility for the impact of software supply chain attacks. Strategic Objective 3.3: Shift Liability for Insecure Software Products and Services emphasizes the importance of securing supply chains and mitigating their associated security risks.
The strategy commits the government to moving responsibility onto those who supply software rather than those who consume it. The risk of malware cloaked in signed software threatens to swell dramatically as more companies build apps and services for internal use, external customers and stakeholders.
This remains a challenge, given increased attention to open source and cloud-native security, which often results in confusion over whether engineering or IT has responsibility for verifying the authenticity of software or software updates.
Code signing is a critical security control that provides software with a machine identity used to verify its legitimacy. Unfortunately, many organizations lack the technology and processes needed to ensure these keys and certificates are, in fact, secure. A lack of visibility and oversight leaves such organizations exposed to attacks by threat actors, who take advantage of the vulnerabilities of this valuable trust mechanism to slip their malware into software that appears to be legitimate.
Now organizations may be liable for such oversights in security for software supply chains.
Stop treating IoT like a security stepchild
Pillar Three: Shape Market Forces to Drive Security and Resilience also references the need to protect IoT devices. In Strategic Objective 3.5: Drive the Development of Secure IoT Devices, the strategy acknowledges that IoT devices are often not updated or patched.
When you use IoT devices within your IT environment, you open up your systems and data to vulnerability-related risks associated with those devices. Cybercriminals love to exploit these issues to gain access to your data or the network the devices are connected to. Once they get in, they can move laterally across your network, seeking additional vulnerabilities to exploit and data to compromise.
The key to securing the proliferation of IoT devices is being able to identify them. Digital certificates are great for the provisioning of machine identities and for authenticating the distributed IoT ecosystem. Many IoT manufacturers and organizations are already leveraging the benefits of digital certificates for device identity, authentication, and encryption. However, issuing and managing the thousands of digital certificates across the entire corporate IoT ecosystem can be challenging if the solution for certificate management does not allow for automation and scalability.
A machine identity management solution will help organizations secure their IoT ecosystem by provisioning unique, strong identities, defining and enforcing security policies and standards, scaling security, and maintaining robust and effective security without jeopardizing the efficiency and operation of constrained IoT devices.
Preparing to protect against quantum attacks
Pillar Four: Invest in a Resilient Future also recommends developing a solid strategy for preparing for post-quantum cryptography. Quantum-safe security is becoming increasingly important as quantum computers begin a steady – albeit slow – march toward practicality.
One of the initial challenges raised by quantum computing is bridging the gap with the systems we run today, and this applies especially to cryptography. “The goal of post-quantum cryptography (PQC)…is to develop cryptographic systems that are secure against both quantum and classical computers, and can interoperate with existing communications protocols and networks,” according to NIST.
In that sense, resiliency means being able to find everything in your environment that could be vulnerable to a quantum attack and then being able to swap it out immediately. Hybrid certificates enable organizations to migrate to quantum-safe security today to protect connected devices. These certificates support two or more cryptographic algorithms within a single certificate and can carry both classic and quantum-safe public keys and signatures.
So, an important part of your machine identity management solution should be the ability to change out certificates on a dime if a quantum threat appears, while also preparing for the future with built-in support for quantum-ready cryptography.
Conclusion
Machine identity management is one of the many critical functions that the success of the US National Cybersecurity Strategy will rely on. Compromised machine identities can have a significant security impact on organizations. Attackers can misuse machine identities to establish hidden or concealed encrypted communication tunnels on enterprise networks and gain privileged access to data and resources. Forged or stolen machine identities can also allow an attacker’s machine to masquerade as a legitimate machine and be trusted with sensitive data.
To keep up with the volume, velocity and variety of machine identity changes, organizations need to intelligently orchestrate the management of a complex, rapidly changing set of machine identity data. Driven by a set of policies and controls that orchestrate machine identities, machine identity management can improve an organization's cybersecurity, reduce risk and support regulatory, legal and operational requirements.