Managing machine identities has never been more critical to an enterprise’s cybersecurity.
Machine identities now outnumber humans in enterprises, according to Nathanael Coffing, co-founder and CSO of Cloudentity. Without thorough visibility and proper management of machine-to-machine communications, all those machines can become a huge security issue.
Gartner’s list of the top security risks and trends for 2021 included machine identity management for the first time. This should come as no surprise. Coffing notes that the recently discovered ThroughTek Kalay vulnerability compromised 83 million IoT devices, which better machine identity management could have prevented.
“This security flaw would have been identified earlier if the organization had full visibility and control over every machine identity connected to their SDK,” Coffing said.
In a conversation with eSecurity Planet, Coffing explained why this area is such a concern and what enterprises can do in response.
Poor Machine Identity Management Introduces Risks
If the past few years of cybercrime trends indicate anything, it’s that companies have a shocking number of vulnerabilities – and cybercriminals are getting better at exploiting them. Machine identities are one of the most prominent risks.
The rise of automation and the IoT have resulted in enterprises unintentionally expanding their attack surface. “While machines provide numerous benefits to organizations, such as the distributed ability to share and collect data, they also introduce new points of attack and added security challenges,” said Coffing.
As the ThroughTrek Kalay incident demonstrates, businesses lack visibility over their vast fleet of devices. Without complete visibility, it’s not always easy to determine what data is going to which device. That uncertainty lets software vulnerabilities and the cybercriminals that exploit them go undetected as they compromise organizations’ information.
Also read: Top Vulnerability Management Tools
Machine Identity Risks Go Overlooked
Another factor that makes machine identities so concerning is that businesses often overlook them. As Coffing points out, the ThroughTrek Kalay breach would not have been as severe had the company had a system to manage its machine identities. Unfortunately, many organizations keep expanding their IoT environments without considering their vulnerabilities.
Even in terms of IoT security, identity management is not always a part of enterprises’ strategies. Regulations like California’s SB-327 strengthen connected device security standards but don’t require identity management schemes. As a result, businesses may feel protected because of their other security steps despite these vulnerabilities remaining.
Organizations may establish an identity and access management (IAM) system that applies only to user identities. With more devices than there are users, though, that strategy stops short of what’s needed. Identity management must also include machines.
How Enterprise Security Can Adapt to Machine Identity Risks
While these risks remain prevalent, enterprise security strategies to cope with them are changing. High-profile cyber attacks have brought more attention to the issue, driving organizations to consider their machine identity management.
For now, only businesses with leading cybersecurity strategies feature thorough, companywide machine identity management. Most still lack sufficient tools in this area, even if they are increasingly aware of the risks. According to one study, 42% of organizations have a limited strategy that applies only to some applications, while 18% have none at all.
Coffing outlined several considerations for enterprises looking to adapt their security strategies for machine identity risks. Here’s how businesses can protect themselves against these emerging threats.
“With the increase in machine identities, security leaders must implement a machine IAM strategy that includes digital secrets,” says Coffing. These secrets typically take the form of a username and password, but security teams must take a different approach to credentials with machine identities. Coffing recommends cryptography and private keys.
Cryptography ensures that sensitive data traveling between devices is unreadable to machines and users that shouldn’t have access to it. Machines must have cryptographic certificates to verify their identity, and only then can they decrypt this data. This key system ensures that only authenticated, authorized devices can access any given data packet.
Coffing also suggests that as part of this strategy, companies use private keys based on open standards. Public key infrastructure (PKI) and Secure Production Identity Framework for Everyone (SPIFFE) provide a roadmap for securing cryptographic communications.
Authorization Governance Automation
One challenge enterprises face in machine IAM is growing workforce and resource shortages. The U.S. cybersecurity market currently needs 350,000 additional workers to meet demand, and many companies also lack sufficient IT budgets. Coffing suggests that cybersecurity teams embrace automation to cover these gaps.
“Without the proper automated software solutions, such as authorization governance, IT teams won’t be able to manage the massive influx of machine identities on their network,” Coffing said.
Authorization governance automation creates risk profiles for each machine identity based on real-time context. That way, businesses can account for the fact that a device can be trustworthy in one situation but not another.
Automation can handle these identity risk evaluations far faster than human workers. It also gives security teams more time to focus on other tasks, accomplishing more without additional staff.
Zero Trust Architecture
Coffing also says zero-trust security is a must for machine identity management. Just as enterprises adopt these policies for their user IAM strategies, they should expand these actions to machine identities. Systems must restrict data access and verify machine identities before authorizing them, regardless of whether or not they appear trustworthy initially.
Businesses must apply these policies to everything, not just behind-the-scenes organizational work. As Coffing said, “zero trust is enforced at every transactional decision point when users sign and request access to apps or devices, or when machines exchange data with partners and customers.”
Any data exchange with customers, partners or other third parties must rely on zero trust architecture. Just as businesses should never assume any user is safe, they shouldn’t trust any device until verifying it and only giving it as little information as necessary. These steps will hinder unauthorized network access and reduce data leakage.
Cybersecurity Strategies Must Include Machine Identities
Much cybersecurity literature today focuses on human threats, and indeed, users are still a prominent security concern. However, enterprises must not overlook the importance of machine identity management in their cybersecurity strategies.
By following these steps, companies can account for machine identity risks in their broader security infrastructure. They can then expand their device fleets with greater safety.
Further reading: How Zero Trust Security Can Protect Against Ransomware