The coronavirus 2019 (COVID-19) pandemic has changed the way in which organizations and customers interact with one another. Nowadays, employees are providing support remotely from their homes to their consumers. To do so, they’re using a host of new technologies including mobile devices, Internet of Things (IoT) products and containers.
These devices introduce new risks into organizations’ environments, however. Consider the following statistics:
- In Q2 2020, Kaspersky detected 14,204,345 attacks that had targeted mobile devices. That was not significantly fewer than the 15,137,884 attacks spotted in Q2 2019, which shows that the number and rate of mobile attacks didn’t decrease significantly as a result of COVID-19.
- Palo Alto Networks’ Unit 42 research team shared in March 2020 that more than half of IoT devices were susceptible to medium- or high-severity attacks. Researchers also found that 98% of traffic in IoT environments was unencrypted, thereby threatening to expose organizations’ sensitive information.
- Early in 2020, StackRox released a survey in which it found that 94% of respondents had suffered a security incident in their container environments over the past 12 months. The majority (68%) of those security events had involved a misconfiguration.
The problem has to do with how these devices communicate with one another. As noted on Venafi’s website, these machines need to validate their identities to ensure safe machine-to-machine connections and communications. To securely authenticate themselves to other devices, machines use keys and certificates instead of the usernames and passwords that humans use. But while companies spend billions of dollars on developing robust Identity and Access Management (IAM) solutions for credentials used by human employees, they haven’t spent nearly as much on protecting keys and certificates used by machines.
These components are essential for organizations’ data security, however, because they are how devices maintain “machine identities.” Indeed, organizations can use machine identities to govern the flow of data between devices so as to keep their information safe from unauthorized machines.
The changing IAM landscape
A recent press announcement, Venafi Named as a Sample Vendor in the Gartner Hype Cycle for Identity and Access Management Technologies, 2020, highlighted the critical nature of machine identities to an organization’s IAM strategy. Of course, organizations’ IAM roadmaps should include features such as Identity Governance and Administration (IGA), identity proofing and phone-as-a-token authentication. But the story is a bit different for machine identity management.
This was the first analyst report in which machine identity management made an appearance. Not only that, but expectations for what machine identity management could potentially achieve are high, which raises the question: what exactly is machine identity management?
Machines—from physical devices to containers and algorithms—control the flow of sensitive data. They shape innovation and are fundamental to the way all businesses operate. As a result, the way in which they connect and authorize communication makes them a primary security and operational risk for organizations.
Machine identity management helps organizations gauge how much trust they can place in the identity of their machines—particularly as they interact with other machines. To facilitate that goal, machine identity management handles the life cycle of credentials used by machines. These machine identities may include credentials, such as secrets, cryptographic keys, X.509 and code signing certificates, and SSH keys.
Why is machine identity management critical?
The issue here is that the keys and certificates used for machine identities could end up in the wrong hands. If that were to happen, malicious actors could then abuse those machine identities to inject themselves into encrypted communication channels, impersonate trusted services and/or gain access to sensitive data or assets.
When compromised, machine identities become powerful tools for attackers, allowing them to hide malicious activity, evade security controls and steal a wide range of sensitive data. Cybercriminals routinely target machine identities in order to misuse their capabilities because they are often poorly understood and weakly protected.
Machine identity management isn’t getting any easier as organizations continue with their processes of digital transformation, either. Venafi points out elsewhere on its website that mobile, cloud and IoT devices are growing more numerous, for instance. Simultaneously, manufacturers are creating new devices such as sensors, medical technologies and industrial equipment that replace functionality which humans have traditionally performed. All the while organizations are increasingly relying on the fluidity of cloud services such as virtual machines and containers to meet their IT needs. These trends make machine identities all the more susceptible to compromise.
How to approach machine identity management
Some organizations have tried to manage these machine identities manually. But as noted by Gartner, many of these methods don’t scale or operate with modern cloud environments. They succeed only in deepening the silos of departmental processes and tools, thereby further limiting the ability of organizations to maintain visibility of their machine identities throughout their networks.
In light of these limitations, analysts recommend that organizations first use tools to discover their machine identities and inventory their usage/dependency. They should then use a machine identity management solution to audit the number of machine identities deployed in their environments and to identify potential risks. Finally, they should consider investing in a solution to help automate the management of keys and certificates, especially with organizations’ mobile and IoT devices.
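The discover, inventory and audit steps above can be sketched in a few lines. This is an added example, not code from Venafi or Gartner: the inventory rows, host names, fingerprints and the risk rules (expiry window, RSA key size below 2048 bits, missing owner, one credential shared across hosts) are constructed assumptions chosen for illustration.

```python
from datetime import date, timedelta

# Constructed sample inventory (hypothetical hosts and fingerprints), shaped
# like discovery-scan output: one row per place a credential was found.
INVENTORY = [
    {"host": "web-01", "kind": "x509", "fp": "aa11", "algo": "rsa", "bits": 2048,
     "not_after": date(2020, 9, 1), "owner": "web-team"},
    {"host": "web-02", "kind": "x509", "fp": "aa11", "algo": "rsa", "bits": 2048,
     "not_after": date(2020, 9, 1), "owner": "web-team"},
    {"host": "iot-gw", "kind": "x509", "fp": "bb22", "algo": "rsa", "bits": 1024,
     "not_after": date(2020, 6, 30), "owner": None},
    {"host": "build-01", "kind": "ssh", "fp": "cc33", "algo": "ed25519", "bits": 256,
     "not_after": None, "owner": "ci-team"},
]

def build_inventory(rows):
    """Group sightings by fingerprint: one identity, many hosts that depend on it."""
    identities = {}
    for row in rows:
        ident = identities.setdefault(row["fp"], {**row, "hosts": []})
        ident["hosts"].append(row["host"])
    return identities

def audit(rows, today, warn_days=30):
    """Return {fingerprint: sorted list of risk flags} for every unique identity."""
    findings = {}
    for fp, ident in build_inventory(rows).items():
        flags = set()
        expiry = ident["not_after"]
        if expiry is None:
            flags.add("no-expiry")        # plain SSH keys carry no expiry date
        elif expiry < today:
            flags.add("expired")
        elif expiry - today <= timedelta(days=warn_days):
            flags.add("expires-soon")
        if ident["algo"] == "rsa" and ident["bits"] < 2048:
            flags.add("weak-key")
        if not ident["owner"]:
            flags.add("no-owner")         # nobody accountable for rotation
        if len(ident["hosts"]) > 1:
            flags.add("shared-across-hosts")
        findings[fp] = sorted(flags)
    return findings

if __name__ == "__main__":
    for fp, flags in audit(INVENTORY, today=date(2020, 8, 15)).items():
        print(fp, ",".join(flags) or "ok")
```

Grouping by fingerprint before auditing is what separates the count of machine identities from the count of places they are deployed, which is the usage/dependency view the recommendation asks for.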