Most enterprises do not know how many machine identities they've created or how well those identities are secured, which makes protecting them a challenge. It is common knowledge among CISOs that tracking workload-based machine identities is difficult and imprecise at best. As a result, up to 40% of machine identities aren't being tracked today. Adding to the challenge is how overwhelmed IT and cybersecurity teams are: 56% of CISOs say their teams are overextended in supporting digital transformation initiatives and struggle to get cybersecurity work done.
Enterprises are having trouble keeping up
Machine identities now outnumber human identities by a factor of 45, and the typical enterprise reported having 250,000 machine identities last year. Additionally, a recent survey from Delinea found that just 44% of organizations manage and secure machine identities, leaving the majority exposed and vulnerable to attack. Another challenge companies face is automating digital certificate management, which would reduce the potential for enterprise-wide breaches comparable to the SolarWinds compromise and the theft of Nvidia's code-signing certificates, which were then used to sign malware. Table stakes for any zero-trust strategy are an automated, secure approach to managing certificates.
Keyfactor's 2022 State of Machine Identity Management Report found that 42% of enterprises still use spreadsheets to track digital certificates manually, and 57% don't have an accurate inventory of SSH keys. The exponential growth of machine identities, combined with sporadic protection from IAM systems and manual key management, is driving an economic loss from compromised machine identities estimated at between $51.5 billion and $71.9 billion.

What's needed to protect machine identities
Identity and access management (IAM) systems need tools for managing machine identity lifecycles designed into their architectures, supporting applications, customized scripts, containers, virtual machines (VMs), IoT, mobile devices, and more. In addition, machine lifecycles must be configurable to support a broad spectrum of devices and workloads. Leading vendors working in IAM for machine identities include Akeyless, Amazon Web Services (AWS), AppViewX, CyberArk, Delinea, Google, HashiCorp, Keyfactor, Microsoft, Venafi and others.
Identification and authorization of machine identities also need to be made more intuitive so that keys and certificates are configured correctly. Securing machine identities as another threat surface is critical for protecting the devops process and machine-to-machine communications.
Given how complex machine identities are to manage and secure, implementing least-privilege access is challenging. There's less control over workloads to limit an attacker's lateral movement or the use of stolen certificates to launch malware attacks. What's needed is the following:
Knowing machine interdependence is key
Discovery methods and technologies must be used first to locate machine identities and then to map their interdependencies. It's also a good idea to identify how machine identities vary across hybrid and multicloud environments and to track those with discovery tools as well. Finally, many CISOs realize that machine identities in multicloud environments need much more work to reduce the potential of their being used to deliver malware or malicious executable code. Incorporating machine identities into a zero-trust framework needs to be an iterative process that can learn over time as the variety of workloads changes in response to new devops, IT, cybersecurity and broader cross-functional team needs.
