What Is Machine Identity Management?
What is machine identity management (MIM)? Why should organizations be thinking about the security of their machine identities? What can be done to reduce risk?
Identity management is a familiar term to anyone in the cyber security space, and for good reason. Breaches often occur as a result of poorly managed human identities, which is why organizations today spend considerable time, money and energy on securing identities used by individuals and groups within their environments. These efforts are important, but it is also important to consider another set of identities, which are often highly privileged and could also be targeted by cyber criminals – these are machine identities.
According to McKinsey & Company the pandemic has accelerated digital transformation by an average of seven years. As digital transformation continues to develop and progress, we can expect to see an upward trend in the number of nonhuman entities which make up modern applications. This growth must be met with an equivalent effort to manage machine identities and should be considered an integral part of security operations.
What Are Machine Identities?
In the context of computing, the term “machine” can refer to any non-human entity. These nonhuman entities which we interact with daily – including applications, IoT devices, algorithms, APIs, microservices, containers, virtual machines etc. – have grown in number, and, therefore, grown in risk too. When combined with the current lack of focus on securing these identities, this risk is a cause for concern.
Like usernames and passwords that grant human identities access to the various devices and apps we utilize in our personal and professional lives daily, machines use their own credentials (in the form of digital certificates and cryptographic keys) to authenticate themselves and practice secure communication. With the rise in digitization, however, comes an increase in the number of these credentials, which leads to serious issues with machine identity management.
Think about all of the personal devices in your life. Just within arm’s reach there may be a laptop, a phone, and a tablet, or if you are at work look around and you may see dozens of devices used by coworkers to complete their daily tasks. What about home devices like a smart thermostat? Or a smart fridge? The number of connected machines in our lives will only increase with the digital revolution, so when we consider the amount of data they collect, store, and share we must also consider how to effectively secure it.
To read this article, you must have gained access to one of your devices (say a desktop or mobile phone) by logging in with a username, password, passcode, facial scan etc. This is how we as users authenticate ourselves. For machines, however, the process is different. As a machine cannot enter a password, it will use a set of credentials more appropriate for the highly automated and connected environments they operate in. Some of these credentials include:
- Code Signing Certificates
- SSH Keys
- Cryptographic Keys
- SSL/TLS Server Certificates
- SSL/TLS Client Certificates
What Are The Risks To Machine Identities?
Machines are everywhere, in all facets of the IT environment. If they are left unidentified or unprotected, they can be vulnerable targets and act as an open door for attackers and malicious insiders. If a machine is compromised, attackers are then able to create encrypted communication tunnels on enterprise networks and gain privileged access to confidential data. Attackers can pose as a legitimate machine to remain undetected by the conventional cybersecurity safeguards that are already in place.
To keep on top of the fast-growing number of machines and their associated identities, organizations will need to automate the management of a fast changing, complex set of machine identity data with the appropriate software tools. These tools can help by setting policies and facilitating controls that work to orchestrate machine identities to boost organization-wide security posture, minimize risk, and ensure legal, operational, and regulatory requirements are met.
As with privileged user identities, privileged machine identities benefit from a layered approach to security. By adopting a zero-trust model and not relying on a single control point, you can strength your ability to prevent unauthorized access.
What Can We Do To Improve Machine Identity Security?
Machine identity management is an increasingly critical component of a strong cybersecurity program. However, machine identity lifecycles are not easy to manage due to the exponential growth in the number – and variety – of machines at our disposal.
We’ve listed some of the core security fundamentals for strengthening and protecting machine credentials and identities, which include:
The first, and perhaps most important, cybersecurity control to consider when looking to better protect machine accounts and identities is to employ an effective vulnerability management system. The X-Force Threat Intelligence Index 2022 reveals a notable rise in the number of security incidents caused by vulnerability exploitation with a 33% increase from 2020 to 2021, and also notes that four of the top five vulnerabilities exploited in 2021 were new vulnerabilities. For this reason, most organizations already run a vulnerability management system.
Some of the most valuable information you can receive from a vulnerability management system is the number of “known exploits” for each vulnerability. By “known exploits” we refer to the documented attacks that can be launched against the vulnerability, which are often included in attack “kits” which makes them easy to implement.
It is important to remediate these known “exploits” before they can be exploited to gain access to an important application or computer system. An “exploit” is not malware itself, but can be leveraged by cybercriminals to deliver malware and wreak havoc.
Manage Endpoint Privileges
Endpoint Privilege Management is a core Privileged Access Management (PAM) solution area – one of three we’ll cover in this section – which can either be deployed independently or as part of a combined solution.
A good way of explaining this topic is to picture a building that is secured and locked up, but several people have keys to the building. Some of those people have additional keys to rooms within the building, and some of those people also have codes to access safes and locked filing cabinets. If a burglar can find one of these people (ideally with the most extensive access) they won’t need to break windows or scale walls to gain access and steal the valuables. Similarly, if a cyber attacker can find a user with direct privileged access, they can gain access without having to find a security vulnerability to exploit.
When we are looking to secure machine identities, removing direct privileged access from users is an important step. Endpoint Privilege Management tools help to achieve this by offering users the ability to elevate privilege for certain applications and processes at run-time through tight, specific policies. By doing this you ensure that any privileges offered are tied not to the users, but to the processes. This keeps your accounts safe by granting the least level of privilege in order to accomplish the task. This helps to avoid introducing more risk to the environment than is necessary.
Attackers who manage to take over a regular users account on a network will often attempt ‘vertical privilege escalation’ to gain higher privileges for more extensive access. The implementation of multi-factor authentication makes it more difficult for privilege misuse to occur, without overburdening the user and creating too much friction. By limiting an attacker to being an unprivileged user, you can limit their ability to gain access and threaten your network.
Manage Privileged Passwords
If an attacker fails to access more privileged accounts in the network, standard accounts and shared privileged accounts will be their next target. These typically include the accounts of support team members, and default super-user accounts.
A standard user who has an occasional need to log into a remote system, using a privileged account, makes an excellent target for an attacker who is looking to harvest those credentials. They will then try to gain access to an account containing critical data or a critical machine account that can be further exploited. With a Privileged Password Management (PPM) solution in place, organizations are able to take control of privileged accounts for both humans and non-humans/machine automatically, securing them in a system which controls the user’s access to them.
All embedded (or hard-coded) credentials should be replaced with code that uses API calls to the PPM solution. Embedded credentials—also referred to as hardcode credentials—are plain text credentials in source code. The practice of embedding plain text (non-encrypted) credentials (including SSH Keys, account passwords, DevOps secrets etc.) into source code is called password/credential hardcoding, and it typically discouraged as it creates security risks which malware and hackers can exploit. Hackers can inert these hardcoded credentials to form a backdoor, granting themselves access to a systems, application, or device they should not have access to. PPM solutions will periodically update password associated with various privileged accounts, sometimes even updating the credentials on highly sensitive accounts after every use. These kinds of password management processes mitigate the risk of password reuse and brute-force attacks by disincentivizing attackers.
Secure Remote Access
When we secure remote access we enable secure connections to networks, data, or applications, even when users are out of office and accessing these things from remote locations. Today, remote and hybrid working is commonplace, so the subject of securing remote access has never been more relevant. Organizations open themselves up to significant unnecessary risk by failing to ensure remote access is secured by the appropriate solutions.
Organizations need to consider users outside of the network. These are individuals working for third-party companies, who can connect to the network directly in order to support elements of the environment using privileged accounts. Putting appropriate solutions in place to eliminate their direct access to privileged accounts, and negate direct network into the environments, ensure they do not face unnecessary risk. With no direct routes left open from the attackers to the target systems, they remain secured.
When it comes to securing machine identities, keep it simple. Many of your machine identities will be effectively secured with the controls mentioned above. Storing privileged credentials, secrets and keys separately from machines will lead to a reduction in the risk associated with the machines themselves – both physical and virtual.
Taking control and sufficiently managing machine identities helps organizations to take a proactive – not reactive – approach to cybersecurity. When it comes to data security, it is better to prevent breaches by responding to any concerning incidents, rather than dealing with the fallout of a successful breach if one occurs.