
The New Network Perimeter: Managing Machine Identities

Expert Insights speaks to Ted Shorter of Keyfactor to discover how organizations can more effectively manage their machine identities to protect their networks against data breaches.

Expert Insights Interview With Ted Shorter Of Keyfactor

Digital certificates, or public key certificates, are electronic credentials that verify the identities of users, devices or servers. A public key infrastructure (PKI) is the set of policies and processes needed to manage digital certificates, including creating and updating them. Organizations use digital certificates to ensure that only trusted devices and users can access their corporate networks, helping to prevent hackers from accessing data via an unauthorized device. They also stop attackers from intercepting communications and stealing sensitive data, by encrypting internal and external communications between entities. For example, a TLS certificate encrypts the data between a web server and browser so that bad actors can’t intercept and steal a website visitor’s data, such as credit card information.

However, with the rise of digital transformation, organizations are not only having to protect sensitive website transactions, but also to secure a mobile workforce when accessing a network that doesn’t have fixed perimeters. The increase in remote work and cloud adoption has made it increasingly difficult for businesses to keep track of their digital certificates and, as a result, to ensure that all machine identities linked to their network are trusted. Rather than managing 5,000 certificates, organizations are having to manage millions of them; according to The Impact of Unsecured Digital Identities report by the Ponemon Institute, 70% of organizations do not know how many digital certificates and keys they have within the business. Failing to properly manage these certificates leaves the door open for attackers masquerading as trusted machines.

To find out more about how organizations can better manage their machine identities to help prevent data breaches, we spoke to Ted Shorter, CTO of Keyfactor. Shorter has spent his entire career in the security space, graduating to work with the US Defence Department for 10 years before shifting to focus on cryptography and public key infrastructure (PKI). He co-founded Keyfactor with now-CSO Kevin von Keyserling.

Originally named Certified Security Solutions, or CSS, Keyfactor was launched as a consulting company that worked with Fortune 500 and Global 2000 enterprises to design and deploy their PKI. During the first few years, with the increase in digital transformation, it became apparent that organizations were struggling to manage huge volumes of machine identities with existing solutions. In response to this, Keyfactor launched a new approach to certificate lifecycle and machine identity management. Their solution helps organizations keep on top of updating and managing their PKI to ensure compliance and prevent identity- and endpoint-related breaches.

User Vs Machine Identities: Why You Need To Manage Both

In recent years, organizations have become increasingly concerned with user identity management, investing in solutions such as multi-factor authentication and privileged access management to prevent fraudulent account access. This trend accelerated over the last 18 months, as the COVID-19 pandemic catalyzed two shifts within the modern workplace: an increase in remote work and the use of personal devices; and increased cloud adoption and use of SaaS applications. This led to security teams investing in solutions to help them manage and verify user identities, so that users can securely access applications, no matter from where they’re working.

However, just as users should be authenticated, so should machines—i.e. anything that isn’t a human, such as a desktop, server, application, website, IoT device, and so on—to ensure the integrity of network communications. Without proper machine identity management in place, attackers can access critical corporate data by impersonating trusted machines and intercepting network communications.

“Machines outnumber their human counterparts by a factor of two in large organizations,” Shorter tells me, “and every one of those devices needs to have a way to authenticate.”

The Challenge: Managing Machine Identities

Ensuring machine authentication presents two main challenges, Shorter says. The first of these is identifying all machines involved in corporate communications.

“In the early 2000s, enterprise organizations were struggling to deal with a newly mobile workforce. Everybody had a laptop then, later, mobile phones and so forth. And you needed to issue a credential to that device, to allow users to authenticate into the Wi-Fi and VPN and such. Now you have application identities and web services, both of which involve a high number of machine identities.

“In the mid to late 2000s, it wasn’t at all uncommon for organizations to have several 100,000 certificates to deal with. Now, that’s increasing by a factor of 10 in the enterprise space, and by a factor of more than 100,000 in the IoT space!”

Because of this huge scale, inventorying each and every machine communicating on a network is a mammoth task for security teams. However, it’s absolutely crucial to any organization’s data security because, as Shorter explains, “it’s not the certificates that you know about that are the problem—it’s the ones that you don’t.”

The second is the cost of ensuring that all digital certificates are up to date so that each machine can securely authenticate.

“If you make organizations pick and choose which certificates they need to pay attention to, you’re going to leave a gap for a potential breach or outage,” explains Shorter. If businesses only update their most critical certificates, they leave any unprotected machines vulnerable to exploitation by cybercriminals. While less critical machines may not have direct access to sensitive corporate data, attackers can use them as a base to carry out lateral attacks that spread throughout the organization, giving them access to more machines and more data.

“An example of this is a casino that was hacked,” Shorter tells me. “Someone was pretending to be a fish tank heater, which was IoT connected. Now, the fish tank heater didn’t have a lot of security sensitivity of itself; it doesn’t hold a lot of personal information or anything. But by pretending to be a fish tank heater, the attacker was able to get into the backend network and access credit card numbers, personal information and so forth.”

To combat the risk of not being able to cover every identity, organizations should pay attention to how their PKI vendor charges for their services. “Our philosophy is not to charge customers on a per-certificate basis, because that forces them to make choices that will cause an outage,” Shorter says.

The Solution: PKI-as-a-Service

“There’s a reason that certificates expire; it’s not just to make people’s lives miserable,” says Shorter. “Algorithms age over time, and they need to be updated. The keys and algorithms that we use today won’t be secure in five or 10 years. We know this because the algorithms we used five or 10 years ago aren’t secure today!

“So, if you’re going to have a device in the field for a long period of time and you don’t have a way to update them, you’re creating a recipe for insecurity.”

Updating and managing the identity of each machine communicating on a network can quickly overwhelm security teams, says Shorter. But it doesn’t have to.

Investing in a third-party solution to help automatically inventory, update and manage machine identities not only takes the pressure off security teams, but also mitigates the risk of human error.

“One of the interesting things about cryptography is that it’s easy to make mistakes, which will leave you with a perfectly functioning system that’s just not secured, which is obviously not a good thing!

“The Keyfactor platform is designed to make it easy to not just issue those credentials at scale, but to make them updateable, and to do so in a secure, scalable, easily managed way. We help organizations answer, ‘What digital identities do I have in my environment? In what state are the algorithms they’re using? Where are they, and when do they expire?’, and then provide easy ways for them to automate replacements and updates.

“Our general philosophy is to make it as easy as possible to do the right thing.”

Achieving A Zero Trust Architecture With PKI

According to NIST, PKI is an essential part of achieving a zero-trust architecture. “Zero trust” is a security philosophy founded on the principle that you shouldn’t automatically trust any user or machine with access to your network, be they internal or external. Because of the philosophical nature of zero trust security, there is no single zero trust technology or solution; organizations should implement a combination of technologies to ensure maximum security and be flexible in their implementations to combat a shifting threat landscape.

“In cloud-first organizations, there’s no network boundary,” says Shorter. But businesses still need a way to establish a trust boundary within the organization, to ensure that only authorized entities are granted access to corporate data. This need has given rise to the concept of identity as being the new network perimeter.

“The credential being issued needs to give you access to something, no matter where you are in the world or in the network.

“And whoever you present that credential to can process it and place trust in the fact that you are who you say you are.”

Authenticating both user and machine identities enables organizations to monitor, grant and disallow access to information within their networks, thus establishing a component of zero trust.

Preparing For A Hybrid Future

As the world begins to see the light at the end of the COVID-19 tunnel, organizations are beginning to embrace a hybrid return to the office, with some employees continuing to work remotely full- or part-time, and others based on-premises.

“The hybrid return to work is a consequence of the full remote working model we all adopted early last year,” Shorter says. “And a lot of organizations who have implemented a zero-trust model will now benefit from the steps they took at the beginning of the pandemic, in terms of being able to authenticate users and machines regardless of where they’re coming from, whether they’re outside or inside the network.

“So, I expect the hybrid return to work to be a lot less disruptive than the shift to full remote working, but the number of credentials to manage will continue to rise over time.

“You need to be prepared to scale and to update those identities regardless of where they are, and you need to have a plan to deal with future migrations. Implementing automation will help that next migration run much more smoothly, because the algorithms we’re using today won’t be secure in the future.

“The best way to deal with this is to look for solutions that will partner with your organization to provide as complete an inventory of your shifting identities as possible—you can’t solve problems that you can’t see.”

Thank you to Ted Shorter for taking part in this interview. You can find out more about Keyfactor and their machine identity security and PKI management services at their website and via their LinkedIn profile.