Businesses over the last two years have become increasingly digitized and interconnected. Remote work and cloud migration have created new norms and business models. Although technology has created new opportunities, new security challenges have emerged.
Organizations are shifting from a perimeter-based security to an identity-based approach. Machine identities and human credentials now work together to protect an organization’s most valuable asset—data. Shouldn’t the credential management and machine identity management solutions work together too?
A fragmented identity management landscape
Before trying to answer the question above, it is essential to understand that both machine identities and human credentials are two important components of the overall Identity and Access Management (IAM) program. In a widely distributed business and computing environment, where identities are now the new perimeter to defend, controlling the access to data is crucial.
Robust access control is also the cornerstone of a Zero Trust security approach—the strategy to trust devices, workloads and people in an untrusted environment. But there isn’t a ‘one-stop-shop’ solution to both machine identities and human credentials. Even though most organizations are investing heavily in protecting human credentials, many security vendors are still providing varying approaches to managing the keys and certificates that comprise machine identities. And despite the relatively larger number of machines, investment in machine identity management lags far behind that of human credential management.
The Thales Access Management Index 2021 report illustrates a highly fragmented landscape at the enterprise level. A third (33%) of respondents said they use three or more authentication access management tools. Coordinating that many systems can, at a minimum, create operational complexity, but it can also increase the risk of errors or misconfigurations creating security gaps.
Managing machine identities is equally as important as managing human credentials
Machine identities validate the authenticity of non-human entities connected to corporate networks. These entities can be tangible, like IoT sensors, mobile devices as well as abstract infrastructures like containers and microservices. The prevalence of machine identities, combined with an overall lack of understanding of how to protect them, have made them a target for cyber criminals, who misuse them as effective attack vectors for infiltrating corporate networks and exfiltrating data.
Research demonstrates that machine identities have become hot commodities on the dark web and a key part of Crime-as-a-Service toolkits, particularly for threat actors who lack the technical skillset of a traditional attacker. They provide threat actors multiple ways of infiltrating networks. For example, cyber criminals can leverage machine identities to evade detection by hiding in encrypted traffic. Impersonating a trusted machine to gain access to sensitive data or to pivot across a network is usually a successful tactic for threat actors. It is, therefore, essential to prevent such attacks via investing in protecting your machine identities.
On the other hand, weak user authentication exposes the credentials for attackers to steal or compromise them. The Verizon Data Breach Investigations Report (DBIR) 2021 indicates that credentials are the most sought-after asset in data breaches. Compromised credentials are then used to launch further attacks, such as privilege abuse and impersonation attacks to exfiltrate personal data.
A holistic identity management program
Organizations need to advance their capabilities to keep up with increasingly sophisticated adversaries. Improving machine identity management and access management are critical elements of organizations’ progress in moving beyond perimeter-based security models and toward a Zero Trust approach.
The following considerations must be well thought through when selecting identity management solutions:
- Provide clear visibility of all identities and credentials
The foundation of every security program is the ability to identify all machine identities and user credentials. With organizations moving away from passwords and relying more and more on digital certificates and keys for machine and human identities, knowing your identity landscape will help you determine the best policies and practices for protecting these credentials.
- Ensure integration
Although you may rely on different vendors for managing your machine identities and user credentials, it is important to ensure the smooth integration of these solutions. Potential functionality gaps may result in painful and complex configuration settings and security holes leaving your organization vulnerable to credential attacks.
- Control and govern the management program
Although cloud service providers have launched native identity and access management solutions, the best practice is to segregate duties and opt for a neutral solution. In the Thales AMI 2021 survey, 59% of respondents agree that organizations should maintain control over their access security.
- Protect cryptographic keys
Machine identities and user credentials are effective only if the associated keys are protected. Use of a FIPS-140-2 accredited Hardware Security Module (HSM) is a best practice. HSMs act as anchors of trust and provide high assurance that the secret keys are protected from the preying eyes of an intruder.
- Automate management
As the number of identities owned by organizations increase, manually managing these credentials is a recipe for disaster. Automation helps minimize effort and reduce errors, while enforcing access policies across the entire enterprise.
Is your machine identity management integrated into your strategy for identity and access management?