Why Enterprises Face Challenges in Protecting Machine Identities




Most companies do not know how many machine identities they have created or what the security posture of those identities is, which makes protecting them difficult. It is well known among CISOs that tracking workload-based machine identities is difficult and imprecise at best; as a result, up to 40% of machine identities are not tracked today. Adding to the challenge is how overwhelmed IT and cybersecurity teams are: 56% of CISOs say their teams are overstretched supporting digital transformation initiatives and struggling to get cybersecurity work done.

Companies are struggling to keep up

Machine identities now outnumber human identities by a factor of 45; the typical company reported having 250,000 machine identities last year. In addition, a recent study found that only 44% of organizations manage and secure their machine identities, leaving the majority exposed and vulnerable to attack. Another challenge businesses face is automating digital certificate management to reduce the likelihood of company-wide breaches similar to SolarWinds'. Nvidia's stolen code-signing certificates are already being used to sign malware. Table stakes for any zero-trust strategy is an automated, secure approach to managing certificates.

Keyfactor's State of Machine Identity Management Report for 2022 found that 42% of companies still use spreadsheets to manually track digital certificates, and 57% do not have an accurate inventory of SSH keys. The exponential growth of machine identities, coupled with sporadic protection by IAM systems and manual key management, makes for an economic loss from compromised machine identities estimated at between $51.5 billion and $71.9 billion.

CAPTION: Human and machine identities have completely different automation, observability, and ownership requirements, further complicating the challenges of securing device and workload identities.

What it takes to protect machine identities

Identity and access management (IAM) systems need machine-lifecycle management tools designed into their architectures that support applications, custom scripts, containers, virtual machines (VMs), IoT, mobile devices and more. In addition, machine lifecycles must be configurable to support a broad spectrum of devices and workloads. Leading vendors working in IAM for machine identities include Akeyless, Amazon Web Services (AWS), AppViewX, CyberArk, Delinea, Google, HashiCorp, Keyfactor, Microsoft, Venafi and others.

It is also necessary to make identification and authorization of machine identities more intuitive so that keys and certificates are configured correctly. Treating machine identities as another attack surface is critical to protecting the devops process and machine-to-machine communication.

Given how complex managing and securing machine identities is, implementing least-privileged access is a challenge. Organizations have less control at the workload level to limit an attacker's lateral movement or the use of stolen certificates to deliver malware. What is needed is the following:

  • Improved secrets management for each machine identity in a devops toolchain. Privileged access management (PAM) vendors are bolstering their support for machine identities and devops workflows, and are extending least-privileged access down to the workload level.
  • Consolidation of the variety of technologies used to protect machine identities. Machine identities differ significantly between departments, business units and organizations. Their fragmented nature leads to a broader portfolio of technologies that IT and cybersecurity teams must manage and support. Those teams need a more consolidated view of the technologies on which machine identities are built and used, including public key infrastructure (PKI) and other core technologies.
  • A single dashboard for managing machine identities in hybrid and multicloud environments. Vendors are committing to this as companies make clear that it is one of their most important evaluation criteria. In addition, IT and cybersecurity teams want to reduce response times while streamlining reporting.
  • A cross-functional strategy. Teams in IT, devops, security and operations have completely different needs regarding machine identity tools, and the many differences in the tools, techniques and technologies each team needs to secure machine identities make implementing zero trust all the more challenging. There is the basic IAM system every team relies on, as well as the extensions each team needs to secure machine identities as the work gets done. A cross-functional strategy is essential if an organization is to develop a centralized governance approach, and it is also what makes economies of scale for machine identities within IAM achievable.

Knowing the interdependence of machines is key

First, discovery methods and technologies must be used to locate machine identities and then map their interdependencies. It is also a good idea to identify how machine identities vary across hybrid and multicloud environments and to track those variations with discovery tools. Finally, many CISOs are realizing that machine identities in multicloud environments require much more work to reduce the potential of their being used to deliver malware or malicious executable code. Incorporating machine identities into a zero-trust framework should be an iterative process that learns over time as the mix of workloads changes in response to new devops, IT, cybersecurity and broader cross-team needs.
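The discovery step described above, and the SSH key inventory gap noted earlier (57% of organizations lack an accurate inventory of SSH keys), can both be started with a small script. The following is an added example written for this page, not code from VentureBeat or from any vendor named above. It parses authorized_keys-style lines using the SSH public-key wire format (RFC 4253 string and mpint encoding), records each key's type, size and OpenSSH-style SHA256 fingerprint, and flags DSA keys and RSA keys under 2048 bits. The 2048-bit threshold, the sample lines and the synthetic moduli in SAMPLE_LINES are assumptions constructed for the example; the key blobs are not real keys.

```python
"""Inventory SSH public keys from authorized_keys-style lines and flag weak ones.

Added example, not from the original article. Sample key blobs below are
constructed in code with synthetic moduli; they are NOT real keys.
"""
import base64
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

MIN_RSA_BITS = 2048  # assumption: policy threshold chosen for this example
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


@dataclass
class SshKeyRecord:
    key_type: str
    bits: Optional[int]
    fingerprint: str   # OpenSSH style: SHA256:<base64 without padding>
    comment: str
    weak: bool
    reason: str


def _read_string(blob: bytes, off: int):
    """Read one SSH 'string' (uint32 big-endian length + bytes) at offset."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack_from(">I", blob, off)
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + n], off + n


def parse_public_key_line(line: str) -> SshKeyRecord:
    fields = line.split()
    # authorized_keys lines may start with options (e.g. restrict,command="..."),
    # so locate the key-type field rather than assuming it is first.
    idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError(f"no recognised key on line: {line[:40]!r}")
    declared, b64 = fields[idx], fields[idx + 1]
    comment = " ".join(fields[idx + 2:])
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key blob is not valid base64") from exc
    blob_type, off = _read_string(blob, 0)
    if blob_type.decode("ascii", "replace") != declared:
        raise ValueError(f"declared type {declared} != blob type {blob_type!r}")

    if declared == "ssh-rsa":
        _e, off = _read_string(blob, off)   # public exponent, not needed here
        n, off = _read_string(blob, off)    # modulus as mpint
        bits = int.from_bytes(n, "big").bit_length()
    elif declared == "ssh-dss":
        p, off = _read_string(blob, off)    # DSA prime p sets the key size
        bits = int.from_bytes(p, "big").bit_length()
    elif declared == "ssh-ed25519":
        bits = 256
    else:                                   # ecdsa-sha2-nistpNNN
        bits = int(declared.rsplit("nistp", 1)[1])

    weak, reason = False, "ok"
    if declared == "ssh-dss":
        weak, reason = True, "DSA keys are deprecated"
    elif declared == "ssh-rsa" and bits < MIN_RSA_BITS:
        weak, reason = True, f"RSA modulus {bits} bits < {MIN_RSA_BITS}"

    fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return SshKeyRecord(declared, bits, fp, comment, weak, reason)


def inventory(lines):
    """Parse every non-empty, non-comment line; return (records, errors)."""
    records, errors = [], []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            records.append(parse_public_key_line(line))
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    return records, errors


# --- constructed sample data (synthetic moduli, not real keys) ---------------
def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _mpint(n: int) -> bytes:
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw   # leading zero keeps the mpint positive
    return _string(raw)

def _encode(kind: str, *parts: bytes) -> str:
    return base64.b64encode(_string(kind.encode()) + b"".join(parts)).decode()

SAMPLE_LINES = [
    "# constructed authorized_keys content for the example",
    "ssh-rsa " + _encode("ssh-rsa", _mpint(65537), _mpint((1 << 1023) | 1)) + " legacy-backup@db01",
    'restrict,command="/usr/bin/rsync" ssh-rsa '
    + _encode("ssh-rsa", _mpint(65537), _mpint((1 << 3071) | 1)) + " deploy@ci",
    "ssh-ed25519 " + _encode("ssh-ed25519", _string(b"\x11" * 32)) + " ops@bastion",
    "ssh-dss " + _encode("ssh-dss", *(_mpint((1 << 1023) | 1) for _ in range(4))) + " old-cron@mon",
    "ssh-rsa not!base64 broken@host",
]

if __name__ == "__main__":
    recs, errs = inventory(SAMPLE_LINES)
    for r in recs:
        flag = "WEAK" if r.weak else "ok  "
        print(f"{flag} {r.key_type:<22}{r.bits:>5}  {r.fingerprint}  {r.comment}  ({r.reason})")
    for lineno, msg in errs:
        print(f"line {lineno}: {msg}")
```

Pointed at the real files (for example ~/.ssh/authorized_keys for every account on every host, collected by whatever configuration-management or fleet tooling is in use), the same parser yields a fingerprint-keyed inventory that can be diffed over time, which is the baseline the discovery step above needs. Two limitations to know about: options with embedded spaces inside quotes are not handled by the simple split(), and the script reports only what the key looks like, not whether the private key is still in use.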

VentureBeat's mission is to be a digital town square for tech decision-makers to learn about transformative business technology and transact. Learn more about membership.