#HowTo: Solve the Machine Identity Crisis


Machine identities are the foundation of our digital world. They’re used worldwide and are required for secure and reliable connections between nearly every device you can think of – from physical, virtual and IoT devices to applications, APIs, clusters and containers. 

As businesses’ appetite for digital transformation grows, the number and variety of machines connected to the corporate network – and correspondingly the number of machine identities – is increasing exponentially. This has been accelerated by COVID-19, which fast-tracked organizations’ digital ambitions, particularly the shift to cloud-native environments, which require many more machine identities. In fact, recent Venafi research shows that the average company already holds over 250,000 machine identities, a number growing by 43% year on year, with almost all respondents saying that digital transformation is driving the increase. At that rate, by 2024 companies can expect to be managing over half a million machine identities.

Yet, despite the massive growth in the number of machine identities and the rising complexity around them, most CIOs and CISOs have not increased their investment in managing them. Instead, they still rely on manual or siloed approaches to managing these critical security assets. 

Digital Transformation and Machine Identity Sprawl

In the wrong hands, a machine identity can allow attackers to move laterally through systems, escalate privileges and create backdoors. Equally, because machine identities authenticate machine-to-machine communication, if an identity expires or is misconfigured, that connection is broken, leading to expensive and disruptive outages. 

We’ve seen several high-profile examples of machine identity management gone wrong in recent years. Take SolarWinds as an example. By inserting their code into the software build pipeline, the attackers ensured that the resulting malicious update was signed with SolarWinds’ legitimate code-signing identity. Every system that installed the update therefore trusted it as genuine vendor software, and thousands of organizations worldwide – including the likes of Microsoft – were compromised as a result.

We’ve also seen global businesses – including LinkedIn and O2 – floundering as expired certificates took them offline, leaving customers without access to vital services. With Gartner estimating the cost of a network outage at close to $6,000 per minute, and O2 offering goodwill payments to 25 million customers for its day-long outage, you start to understand the scale of the damage. Poor certificate management was to blame in both instances.

Why Machine Identity Management is Becoming Harder

When looking at the driving factors that are increasing machine identity mismanagement risk, there are four key issues:

  • Volume. A big driver of the increase in machine identities is cloud adoption. Cloud only works if there is a strong system of identity to underpin it, as everything is done remotely – each machine needs to be sure that the other machine really is what it says it is. Managing that many identities takes more than just a spreadsheet and brainpower.
  • Velocity. Given the importance of strong identity and authentication in the cloud, machine identity lifecycles are shrinking. Where a machine identity might previously have lasted months or even years, close to two-thirds (61%) of organizations now say their cloud environment changes at least once a minute, and nearly a third say it changes at least once per second. This dynamism, combined with the speed at which today’s developers work, means we have identity on steroids, requiring very swift and responsive lifecycle management.
  • Variety. The complexity of IT is growing daily, with multiple layers of abstraction. From micro-services, containers and clusters to virtual networks, algorithms and neural networks, through to platform-as-a-service (PaaS), machines come in a wide variety of forms requiring different identities and specifications. When you add in the myriad of other devices that companies use, you’re faced with a multi-faceted environment that is extremely hard to manage manually. 
  • Vulnerability. Attackers are increasingly targeting machine identities to support their campaigns, as they know they are often poorly protected. At the same time, problems at the certificate authorities (CAs) that issue machine identities introduce risks of their own. Recently, Let’s Encrypt discovered a bug and revoked over two million certificates with just two days’ warning. Events like this leave companies scrambling to swap out their certificates before revocation causes outages, and a certificate that cannot be found and replaced in time leaves the service exposed or down. When dealing with a huge number of machine identities, this process is extremely time-consuming.
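The common thread in the four Vs above, and in the expiry-driven outages described earlier, is that you cannot respond to a two-day revocation window or a silent expiry unless you already know which identities you hold and when each one runs out. As an added example (not part of the original article, and not a Venafi or Let’s Encrypt tool), the Go program below parses a PEM bundle, computes each certificate’s remaining validity and total lifetime, and flags anything expired or inside a warning window. The three certificates are constructed inline for illustration; the `Inventory` and `SampleBundle` names, the 30-day window and the example hostnames are this example’s own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is one row of the inventory report for a single certificate.
type Finding struct {
	Subject  string
	Issuer   string
	NotAfter time.Time
	DaysLeft int           // whole days of validity remaining (negative when expired)
	Expired  bool          // NotAfter is at or before `now`
	Expiring bool          // still valid, but inside the warning window
	Lifetime time.Duration // NotAfter - NotBefore, i.e. how long-lived this identity is
}

// Inventory walks every PEM block in `pems`, skips anything that is not a
// CERTIFICATE, and classifies each certificate against the clock `now` and a
// warning window of `warnDays`. A malformed certificate aborts the run rather
// than being silently dropped, since a missing row is exactly what causes
// surprise outages.
func Inventory(pems []byte, now time.Time, warnDays int) ([]Finding, error) {
	var out []Finding
	window := time.Duration(warnDays) * 24 * time.Hour
	rest := pems
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		left := cert.NotAfter.Sub(now)
		out = append(out, Finding{
			Subject:  cert.Subject.CommonName,
			Issuer:   cert.Issuer.CommonName,
			NotAfter: cert.NotAfter,
			DaysLeft: int(left.Hours() / 24),
			Expired:  left <= 0,
			Expiring: left > 0 && left <= window,
			Lifetime: cert.NotAfter.Sub(cert.NotBefore),
		})
	}
	return out, nil
}

// selfSigned builds a constructed, self-signed test certificate (not a real
// identity) with the given validity period and returns it PEM-encoded.
func selfSigned(cn string, notBefore, notAfter time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleBundle returns a constructed bundle of three certificates positioned
// relative to `now`: one about to expire, one already expired, one healthy.
func SampleBundle(now time.Time) []byte {
	day := 24 * time.Hour
	var b []byte
	b = append(b, selfSigned("api.example.internal", now.Add(-300*day), now.Add(10*day))...)      // expiring soon
	b = append(b, selfSigned("legacy.example.internal", now.Add(-730*day), now.Add(-1*day))...)   // already expired
	b = append(b, selfSigned("svc.example.internal", now.Add(-1*time.Hour), now.Add(90*day))...) // healthy
	return b
}

func main() {
	now := time.Now().Truncate(time.Second) // X.509 times carry second precision
	findings, err := Inventory(SampleBundle(now), now, 30)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		status := "ok"
		switch {
		case f.Expired:
			status = "EXPIRED"
		case f.Expiring:
			status = "EXPIRING"
		}
		fmt.Printf("%-8s %-24s days_left=%4d lifetime=%4dd\n",
			status, f.Subject, f.DaysLeft, int(f.Lifetime.Hours()/24))
	}
}
```

In practice the bundle would be whatever you can export from load balancers, secret stores and cluster CAs, and the loop would run on a schedule: that, rather than a spreadsheet, is the minimum automation the article argues for. With short-lived identities the warning window shrinks from days to hours, and the `Lifetime` column is the quickest way to spot the multi-year certificates that have quietly become single points of failure.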

Automation is Vital

These four Vs create the perfect machine identity storm and demonstrate why automation is absolutely crucial to effective machine identity management. Machine identities are critical to the speed of innovation. Yet, without automated management, digital transformation stalls, as security and reliability issues arise that have the potential to down an entire organization.

With digital transformation marching on relentlessly, automation takes these problems out of overstretched IT and security teams’ hands, allowing them to innovate rapidly. With damaging outages and breaches becoming more common due to the increased complexity of the machine identity environment, companies must act now to prevent potentially disastrous consequences down the line.
