In an increasingly perilous cyber landscape, traditional perimeter-based security approaches do not work. Identity has emerged as the new frontier to defend. “Identity is the steam engine of the digital economy,” noted Andrew Nash, Managing Vice President, Consumer Identity at Capital One back in 2018.
Move towards an identity-based Zero Trust cybersecurity approach
The importance of identities is reflected in the recent strategy for a Zero Trust cybersecurity, published by the Office of Management and Budget (OMB). In accordance with the memorandum, the strategy “places significant emphasis on stronger enterprise identity and access controls.”
A key principle of a Zero Trust architecture, as defined in NIST SP 800-207, is that no network is implicitly trusted. Hence, all network traffic “must be encrypted and authenticated as soon as practicable.” This includes traffic between devices, containers, APIs and other cloud workloads.
Zero Trust with cert-manager, Istio and Kubernetes
Machine identity is key component of Zero Trust
It is also important to understand that network traffic does not originate only from human interactions. In fact, bot traffic made up 42.3% of all internet activity in 2021, up from 40.8% in 2020. Bad bot traffic is nearly double that of the so-called “good bots” that perform legitimate functions such as indexing and automated responses.
Hence, device-to-device, API-to-API, container-to-container, or, in a word, machine-to-machine communications must be authenticated. To wit, Forbes reported that machine identities are growing twice as fast as human identities on corporate networks. With the increasing number of machines – and their ephemeral and dynamic nature – machine identities play a crucial role in a Zero Trust strategy.
To achieve the goals of Zero Trust cybersecurity, efforts should be based on the following pillars, all of which are closely related with managing machine identities.
- Identity: Leverage centrally managed identities to access cloud based workloads and entities.
- Devices: Have a clear and complete inventory of every device in an enterprise to prevent, detect, and respond to incidents on those devices.
- Networks: Encrypt and authenticate all network traffic within a business environment, while segmenting networks to limit the impact of successful breaches.
- Applications and Workloads: Secure applications, APIs and containers during development and runtime.
- Data: Identify and classify data to monitor and audit access to sensitive data.
The challenges of managing machine identities
According to Paul Fisher, Lead Analyst at KuppingerCole, management complexity is not going away any time soon, rather it is destined to increase. A key reason is heterogeneity will continue to grow. Just think of all the machines we need to protect:
- Servers and VMs in public and private clouds
- Applications and APIs
- Consumer devices, like smartphones and IoT gadgets
- OT systems, like Supervisory Control and Data Acquisition (SCADA) and programmable logic controllers (PLCs)
But all these digital identities must be effectively managed. And this becomes particularly challenging in a multi-cloud business environment. Fisher presented – during the KuppingerCole European Identity and Cloud Conference 2022 – the following as factors contributing to poor or weak machine identity management:
- Complexity: 59%
- Velocity of change: 45%
- Lack of automation: 44%
- Use of multiple IAM tools: 40%
- Scale: 39%
Automate your machine identity management
To implement a Zero Trust strategy, organizations should automate their machine identity management program. In today’s threat economy, it is impossible to achieve zero trust without machine identity management. And efforts should begin with verifying the identity of all devices or machines. Identification is the foundation of securing access to company resources, to include workloads that process data in the cloud.
Therefore, a comprehensive machine identity management policy should allow security teams to:
- Achieve visibility of all deployed machine identities
- Ensure ownership and governance
- Protect associated cryptographic keys
- Automate distribution and rotation of keys
Venafi Trust Protection Platform allows you to manage all TLS, SSH and code signing machine identities for all devices within your ecosystem. Ensure Zero Trust across your IoT by protecting machine identities in on-premises, cloud, cloud-native, multi-cloud, and hybrid environments.
Find out more about how Venafi Machine Identity Management can ensure Zero Trust for devices and improve cyber resilience.
Why Do You Need a Control Plane for Machine Identities?
Related posts