A January 26, 2022 White House Office of Management and Budget (OMB) memorandum spells out a new zero trust approach to federal cybersecurity, stating that “the foundational tenet of the Zero Trust Model is that no actor, system, network, or service operating outside or within the security perimeter is trusted.” It goes on to say that “it is a dramatic paradigm shift in philosophy” from verifying once at the perimeter to persistent verification of every user, device, application, and transaction.
There is a lot said in the memo about protecting human identities but nothing specific about doing the same for machine identities—even though the number of machines in agencies is dramatically larger than the number of humans. Considering this imbalance, does the White House need to include machine identity as part of its brave new world view on security?
What the White House memorandum says
A more detailed version of the memorandum (PDF) puts forth a “Vision” under “Identity” that includes an action statement:
“Agencies must employ centralized identity management systems for agency users that can be integrated into applications and common platforms.”
Under this, the memorandum goes on to list actions with an emphasis on phishing-resistant multi-factor authentication (MFA) and safer password policies. And though “identity” is mentioned 40 times throughout the memorandum, the emphasis is entirely on human users.
This is in line with a narrow focus on human identities rather than a broader view of all digital identities, says cybersecurity writer Anastasios Arampatzis, a frequent contributor to this blog. He adds that half of all internet traffic is created not by humans but by bots—good ones and bad ones.
The federal government, like other organizations, is dealing with an explosion of systems: mobile devices, applications, cloud instances, containers, microservices, APIs and more, says Diane Garey, Product Marketing Manager at Venafi, adding that “each of these systems needs a machine identity to establish identity and authenticity.”
Think of “identity as code,” says Ivan Wallis, Senior Solution Architect at Venafi.
“When you sign software you are putting your brand on it, and so essentially the identity travels with the software. Zero Trust assumes no trust at all and so there is a need to include that identity in the software,” Wallis says.
Zero trust and machines in the cloud
The memorandum also has a lot to say about the cloud and migrating to a zero trust architecture.
As Venafi has stated often in this forum, moving to the cloud, by its very nature, means data resides outside the enterprise’s perimeter. And as more and more machines “are spun up in the cloud, we need to assign security parameters based on their purpose,” according to Wallis, writing in a Venafi blog.
Wallis poses the questions: What are they doing? Are they crunching numbers? Are they serving up web pages? Or are they enabling some other sort of automated infrastructure?
“In this sense, Zero Trust automatically assumes that a given activity is not allowed on a machine unless it falls within the acceptable security parameters for the user and function,” Wallis says.
Machines as attack vectors
It’s no wonder that Gartner has named machine identity management as a foundational technology for securing organizations and enforcing a Zero Trust strategy. Compromised machine identities are a huge risk for enterprises in 2022 and beyond: a stolen key or certificate lets an adversary invade corporate networks, hide activity inside legitimately authenticated traffic, and evade security controls.
To authenticate and authorize these machines to access corporate resources, organizations use cryptographic keys and digital certificates as machine identities. As the number of machines increases, the number of machine identities that must be issued, tracked and retired grows just as fast.
Will the U.S. government at some point address this head on? It’s not only necessary but seems almost inevitable given the proliferation of machines.
Protect all those identities
You can establish trust by controlling access at the machine identity level: every connection presents a certificate, and the verifying side checks that it chains to a trusted issuer, has not expired and is named for the workload it claims to be. This also gives you visibility into trust across the environment, allowing you to enforce Zero Trust in your cloud and on-premises environments.
Automated management of machine identities is the way to go. Manual management does not scale and often results in siloed practices, which in turn leads to security gaps, leaving an organization without visibility into how many machine identities it has, who owns them, and whether they are still valid.
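The check described above, as an added example that is not Venafi’s code and not part of the original post: an in-memory internal CA issues a short-lived certificate to a workload, and a verifying side performs the per-connection zero trust check (chain to the trusted issuer, not expired, named for the expected workload) plus the inventory signal of days to expiry. It uses only the Go standard library; the CA, the workload name `payments.internal.example` and the 24-hour lifetime are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert signs template with signer's key; when parent == template the result is self-signed.
func mkCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA builds an in-memory internal CA (assumption: the organization runs a private PKI for workloads).
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example internal workload CA"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := mkCert(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// IssueWorkloadCert issues a short-lived identity for one workload, named by a DNS SAN.
// A random 128-bit serial keeps identities distinguishable in an inventory.
func IssueWorkloadCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string, ttl time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	cert, err := mkCert(tmpl, ca, &key.PublicKey, caKey)
	return cert, key, err
}

// VerifyPeer is the per-connection check a zero trust gateway performs on a presented
// certificate: it must chain to the internal CA, be valid at `now`, and carry the expected name.
func VerifyPeer(ca, peer *x509.Certificate, expectedName string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := peer.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     expectedName,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// DaysToExpiry is the inventory signal an automated system tracks per identity.
func DaysToExpiry(c *x509.Certificate, now time.Time) float64 {
	return c.NotAfter.Sub(now).Hours() / 24
}

func main() {
	ca, caKey, err := NewCA()
	if err != nil {
		panic(err)
	}
	wl, _, err := IssueWorkloadCert(ca, caKey, "payments.internal.example", 24*time.Hour)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	fmt.Println("expected name, now:  ", VerifyPeer(ca, wl, "payments.internal.example", now))
	fmt.Println("wrong name:          ", VerifyPeer(ca, wl, "ledger.internal.example", now))
	fmt.Println("48h later (expired): ", VerifyPeer(ca, wl, "payments.internal.example", now.Add(48*time.Hour)))
	fmt.Printf("days to expiry: %.1f\n", DaysToExpiry(wl, now))
}
```

The first verification succeeds; the name mismatch and the expired check both fail, which is the point: a machine identity is only trusted for the workload it names and only while it is valid, and a certificate signed by any other CA is rejected outright. Short lifetimes like the 24 hours used here are only practical when issuance and renewal are automated, which is why manual management breaks down at scale.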
Venafi Trust Protection Platform is a comprehensive solution for managing all TLS, SSH and code signing machine identities. You can protect machine identities across teams and departments in on-premises, cloud, cloud-native, multi-cloud, and hybrid environments.