Why enterprises face challenges in protecting machine identities


Most enterprises do not know how many machine identities they've created or what the level of security is for each of them, which makes protecting them a challenge. It is common knowledge among CISOs that tracking workload-based machine identities is difficult and imprecise at best. As a result, up to 40% of machine identities aren't being tracked today. Adding to the challenge is how overwhelmed IT and cybersecurity teams are: 56% of CISOs say their teams are overextended in supporting digital transformation initiatives and struggle to get cybersecurity work done.

Enterprises are having trouble keeping up

Machine identities now outnumber human identities by a factor of 45; the typical enterprise reported having 250,000 machine identities last year. Additionally, a recent survey from Delinea found that just 44% of organizations manage and secure machine identities, leaving the majority exposed and vulnerable to attack. Another challenge companies face is automating digital certificate management to reduce the potential for enterprise-wide breaches comparable to SolarWinds, or to Nvidia's stolen code-signing certificates being used to sign malware. Table stakes for any zero-trust strategy is an automated, secure approach to managing certificates.

Keyfactor's 2022 State of Machine Identity Management Report found that 42% of enterprises still use spreadsheets to track digital certificates manually, and 57% don't have an accurate inventory of SSH keys. The exponential growth of machine identities, combined with sporadic protection from IAM systems and manual key management, is driving an economic loss from compromised machine identities estimated at between $51.5 billion and $71.9 billion.

Human and machine identities have completely different automation, observability and ownership requirements, further complicating the challenge of securing device and workload identities.

What's needed to protect machine identities

Identity and access management (IAM) systems need machine-lifecycle management tools designed into their architectures that support applications, custom scripts, containers, virtual machines (VMs), IoT, mobile devices and more. In addition, machine lifecycles must be configurable to support a broad spectrum of devices and workloads. Leading vendors working in IAM for machine identities include Akeyless, Amazon Web Services (AWS), AppViewX, CyberArk, Delinea, Google, HashiCorp, Keyfactor, Microsoft, Venafi and others.

Making identification and authorization of machine identities more intuitive, so that keys and certificates are configured correctly, is also needed. Securing machine identities as another threat surface is critical for protecting the devops process and machine-to-machine communications.

Given how complex machine identities are to manage and secure, implementing least-privileged access is challenging. There's less control over workloads to limit the lateral movement of an attacker or the use of stolen certificates to launch malware attacks. What's needed is the following:

  • Improved secrets management for every machine identity in a devops tool chain. Privileged access management (PAM) vendors are strengthening their support for machine identities and devops workflows, providing least-privileged access support down to the workload level.
  • Consolidating the variety of technologies used to protect machine identities. Most machine identities differ significantly across departments, organizations and divisions of companies. Their fragmented nature leads to a widening portfolio of technologies that IT and cybersecurity teams need to manage and support. Those teams need a more consolidated view of the technologies that machine identities are built on and use, including public key infrastructure (PKI) and other core technologies.
  • Managing machine identities in hybrid and multicloud environments from a single dashboard. Vendors are committing to providing this, as enterprises make clear that it is one of their most crucial evaluation criteria. In addition, IT and cybersecurity teams are looking to reduce response times while streamlining reporting at the same time.
  • Accommodating the different needs of IT, devops, security and operations teams regarding machine identity tools. The many differences in the tools, techniques and technologies each team requires for securing machine identities make implementing zero trust all the more challenging. There's the baseline IAM system that every team relies on, and also the extensions each team needs to secure machine identities as work gets done. A cross-functional strategy is essential if an organization is to develop a centralized governance approach, and that approach is in turn essential for achieving scale with IAM for machine identities.

Knowing machine interdependence is key

Using discovery methods and tools to locate machine identities, and then to map their interdependencies, must happen first. It's a good idea to identify how machine identities vary across hybrid and multicloud environments and to track those variations with the same discovery tools. Finally, many CISOs realize that machine identities in multicloud environments need much more work to reduce the potential for their being used to deliver malware or malicious executable code. Incorporating machine identities into a zero-trust framework needs to be an iterative process that can learn over time as the variety of workloads changes in response to new devops, IT, cybersecurity and broader cross-functional team needs.
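The SSH key inventory the article says 57% of enterprises lack, and the interdependency mapping this section calls for, can start with something far simpler than a spreadsheet. The following is an added example, not code from the article or from any vendor it names: a stdlib-only Python script that parses authorized_keys lines collected from several hosts, fingerprints each key the way OpenSSH does, and flags keys trusted on more than one host (a lateral-movement path to review) or below a chosen strength. The hostnames, key blobs and the 2048-bit RSA threshold are constructed assumptions.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256")

def read_string(blob, off):
    """Parse one SSH wire-format string: uint32 big-endian length, then bytes."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def make_blob(key_type, *fields):
    """Encode wire-format strings as a base64 blob; used only to build constructed samples."""
    raw = b"".join(struct.pack(">I", len(f)) + f for f in (key_type.encode(), *fields))
    return base64.b64encode(raw).decode()

def parse_key(line):
    """Return a record for one authorized_keys line (an options prefix is tolerated)."""
    tokens = line.split()
    i = next(i for i, t in enumerate(tokens) if t in KEY_TYPES)
    key_type, blob = tokens[i], base64.b64decode(tokens[i + 1])
    comment = " ".join(tokens[i + 2:])
    wire_type, off = read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type prefix does not match blob")
    bits = None
    if key_type == "ssh-rsa":  # mpint e, then mpint n; the modulus length is the key size
        _e, off = read_string(blob, off)
        n, _ = read_string(blob, off)
        bits = int.from_bytes(n, "big").bit_length()
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": key_type, "bits": bits, "fingerprint": fp, "comment": comment}

def build_inventory(hosts):
    """hosts: {hostname: [lines]} -> {fingerprint: record plus the set of hosts trusting it}."""
    inventory = {}
    for host, lines in hosts.items():
        for line in lines:
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            rec = parse_key(line)
            inventory.setdefault(rec["fingerprint"], {**rec, "hosts": set()})["hosts"].add(host)
    return inventory

def findings(inventory):
    """Keys trusted on more than one host, and keys that are DSA or RSA under 2048 bits."""
    shared = sorted(fp for fp, e in inventory.items() if len(e["hosts"]) > 1)
    weak = sorted(fp for fp, e in inventory.items()
                  if e["type"] == "ssh-dss" or (e["type"] == "ssh-rsa" and e["bits"] < 2048))
    return shared, weak

# Constructed sample data: three hosts, one key reused on two of them, one 1024-bit RSA key.
DEPLOY = make_blob("ssh-ed25519", bytes(range(32)))
LEGACY = make_blob("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xff" * 128)
SAMPLE_HOSTS = {
    "web-01": [f"ssh-ed25519 {DEPLOY} deploy@ci", "# comment line"],
    "web-02": [f'command="/usr/bin/rsync" ssh-ed25519 {DEPLOY} deploy@ci'],
    "db-01": [f"ssh-rsa {LEGACY} backup@legacy"],
}
```

On real hosts the input would be the concatenated authorized_keys files gathered by whatever discovery tooling is in use; the fingerprints match what `ssh-keygen -lf` prints, so findings can be cross-checked directly.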
