The hybridization of the workforce and subsequent challenges within the IAM world has resulted in many organizations beginning (or reimagining) their journey toward building a mature identity program. As mentioned in our previous posts, Emerging Trends in IAM: Simplified Engineering and Using the Sunlit Approach to Simplify RBAC, Protiviti has observed several new trends in the IAM space. This series evaluates those key trends that organizations will focus on over the next few years. This post highlights why and how organizations can incorporate a machine identity management strategy to battle serious risks that have emerged alongside a hybrid work environment.
Over the last few years, the concept of digital identities has been a hot topic for cybersecurity professionals. Users are increasingly working from decentralized locations, driving the need for a new approach to secure company networks. Gone are the days when security professionals simply built a fence around their networks and guarded the resources inside. Now, organizations expect hackers to gain access to their environments and have developed the concept of identities to deal with this. Trust is no longer given to identities just for being on a network as access to assets must now be routinely verified for users on the network.
To deliver security capabilities in this new environment, security professionals began focusing heavily on user identities that authenticate to networks using the traditional username and password. Large investments were made to secure these identities as cyberattacks often targeted users through schemes such as phishing to gain access to the organization’s environment. However, in addition to the user identities that exist on every company network, there is another category of network identities that is often overlooked: machine identities.
Implementing effective machine identity management
Machines, like users, are consistently authenticating and communicating with each other on a network. Microservices, applications, servers, containers, traditional devices and virtual machines all communicate with each other and require the same establishment of trust to perform the tasks they need to support business operations. While the total number of user identities on company networks has remained largely static, the number of machine identities on the same networks has grown exponentially, providing a new, growing attack surface that hackers can exploit to gain access to company systems. Due to this emerging risk, there is a growing need for organizations to implement effective machine identity management (MIM) practices to govern the lifecycle of machine identities, the permissions granted to these identities, and the secrets, keys and certificates these machines use to authenticate.
Key MIM considerations include:
- Management of human and machine identities should be approached differently as each identity type presents a different set of challenges for identification, overall lifecycle management, automation and monitoring.
- At most organizations, the total number of user identities has remained relatively constant while the total number of machine identities has increased exponentially. This trend is expected to continue.
- MIM introduces an added area of complexity as machine lifecycles can be extremely short compared to user identities. The total lifecycle of some containers or virtual machines can be measured in hours instead of weeks or months.
- The autonomous nature of these machine identities, coupled with the often-elevated level of access to grant them, increases the overall risk posture associated with this growing identity population.
How organizations should approach machine identity management
- Assess the organization’s overall approach to identity to see how MIM is currently being delivered.
- Clearly define machine identities within the environment in order to easily identify and tell them apart from normal user identities.
- Ensure ownership for machine identities is clearly defined and communicated for all the identities within the environment.
- Make sure all identities within an environment are in line with a pre-defined framework which outlines ownership requirements for individual machine types (VMs, servers, containers, etc.).
- Machine secrets, such as certificates and key pairs, used for machine authentication must be securely managed.
Taking steps to ensure an effective MIM strategy will help organizations be prepared for the growing risks that have emerged out of a more hybrid workforce.
Read the results of our 2023 Global IT Executive Survey: The Innovation vs. Technical Debt Tug-of-War.