In traditional computing and business settings, digital identities—user names and passwords—were used to validate the authenticity of humans. But, as technology evolves and business models adapt to the global shifting environment, a new form of digital identity has emerged: machine identities. As a Venafi research report suggests, machine identities are becoming even more important than human identities for protecting critical corporate resources and data.
What are the use cases of machine identities?
Machine identities are credentials used to validate the authenticity of non-human entities connected to corporate networks. These entities can be tangible, like IoT sensors, APIs, mobile devices as well as abstract infrastructures like containers and microservices. Machine identities protect a wide range of transactions including:
- Web transactions over HTTPS: SSL/TLS digital certificates enable encrypted connections between a web browser and web server.
- Privileged access: SSH is often used to secure administrator-to-machine access for routine tasks. SSH is also used to secure the machine-to-machine automation of critical business functions, such as automatically triggering operations and routine file transfers.
- DevOps: Application development teams are focused on speeding up the delivery of software. To do this, developers use cloud computing and software-defined containers to run individual microservices. These function as separate machines and use SSL/TLS certificates that serve as machine identities for secure authentication and machine-to-machine communication.
- Communications on consumer mobile and IoT devices: Digital certificates are a vital part of mobile security. This is because they provide the foundation for authenticating mobile devices that access enterprise networks. Also, mobile device certificates are increasingly being used to enable access to enterprise Wi-Fi networks, and for remote enterprise access using SSL and IPSEC VPNs. In addition to this, mobile access to Internet of Things (IoT) devices on enterprise networks relies on certificates for authentication.
- Software authenticity: Software is usually signed with a certificate to verify its integrity. Users implicitly trust products when they are signed by a reliable publisher’s code signing certificates.
Risks and challenges of increased machine identities
As a result of the wider scope of these use cases, the attack surface connected with machine identities is expanding much faster than human identities. The number of machines being deployed on enterprise networks is growing exponentially because the types of machines that need identities is expanding beyond traditional physical devices and servers.
Each of these machines requires an identity that must be managed throughout its lifecycle. As the number of machines continues to proliferate, it results in the volume of machine identities increasing. Protecting these machine identities throughout their lifecycle—from issuance to revocation—is becoming more challenging. Moreover, the potential consequences brought about by ineffectively secured machine identities is proving to be extremely damaging to businesses, their customers and partners.
A lucrative target for new criminality ‘business models’
Because of their prevalence, machine identities have become a lucrative target for cyber criminals acting as effective attack vectors for infiltrating corporate networks. Research demonstrated that machine identities have become hot commodities on the dark web. Many of these machine identities are being sold as packages with a range of complementary, intuitive services, including:
- Website design services for fraudulent storefronts.
- Turnkey e-commerce webstores—complete with hosting and domain services and the ability to take fraudulent payments from PayPal, Stripe and other payment providers.
- SSL stripping tools that prevent browsers from using an SSL connection and enable man-in-the-middle attacks.
This is indicative of the emerging ‘business model’ of cyber criminals. Machine identities have become a key part of Crime-as-a-Service toolkits, particularly for threat actors who lack the technical skillset of a traditional attacker. They provide threat actors multiple ways of infiltrating networks. For example, cyber criminals can leverage machine identities to evade detection by hiding in encrypted traffic. Impersonating a trusted machine to gain access to sensitive data or to pivot across a network. Therefore, the return on investment for a single machine identity is huge considering the likelihood of success.
“Hacked human identities from well-known websites can be purchased on the dark web for 0.00003c per username and password. In comparison, machine identities like TLS certificates range in cost from $260 to $160.0”
Is there a disconnect between threats and protection?
Despite the impact that a stolen or fraudulent machine identity can have on business operations, organizations fail to protect machine identities. Instead, they invest more money into the protection of human credentials. There is clearly a disconnect between the actual risk and the proactiveness of businesses. Among the many factors for this disconnect are:
- The rapid changes in IT infrastructure and business models due to accelerated digital transformation and work from anywhere trends. These developments have dramatically increased the volume of machines on enterprise networks that require machine identities to be authenticated.
- The security and operational risks associated with the digital keys and certificates are poorly understood.
- There has been an absence of concrete standards and guidelines. Having this in place would provide organizations with prescriptive advice on how to effectively manage and protect machine identities in a consistent, measurable fashion.
“The Venafi research discovered that 85% of respondents had a company written policy on password length and complexity, but only 54% had a policy detailing key length and randomness.”
To better understand the gap in applying effective security controls for human identities versus ones for machine identities, Venafi commissioned a global study of more than 1,500 IT security professionals from a range of company sizes and verticals. Download the report here, and find out how machine identity protection compares to human identities and what you can do to close the gap.