Machine Identity part 1

by | Oct 15, 2019 | BLOG

Until a few years ago, organizations had few technology resources for their employees to do their jobs, with only the bare minimum to communicate internally and automate some processes. Today, the scenario has changed. Companies are increasingly leveraging their technological infrastructure, and these resources now equal or even exceed the number of employees.

Robotic process automation, IoT, cloud infrastructures, machine learning, and many other technologies that have become part of an organization’s daily tasks have created the need not only for humans to communicate with machines, but also for machines to communicate with each other.

Humans use usernames and passwords to authenticate their access to resources, but machines and devices use keys and certificates to access the resources they need inside or outside the network. Keys and certificates are therefore the identities machines use to prove that their access and privileges are authentic.

Machine-machine communication is as important as human-machine communication. It is estimated that this year companies will spend more than $10 billion to protect and manage passwords, but they have spent virtually nothing to protect and manage machine identities.

Machine identity is an important component of Identity & Access Management (IAM), which enables one to manage identities and their access to organizational resources. Typically, though, when people think about identity management, machine identities are neglected. This increases the risk of unauthorized access, because these machines do not have their access and privileges controlled and become susceptible to exploitation.

Exploitation of Identities

Managing and securing these machine identities is sometimes more complex because machines cannot identify whether or not requests from another machine are appropriate. Unlike humans, who have the critical sense to identify suspicious situations, machines simply accept the requests they receive.

According to a Forrester study on Machine Identities from 2018, 70% of companies are tracking less than half of their potential machine identities, leaving them vulnerable to many risks. These identities include: 

  • cloud platform;
  • containers;
  • identity codes and algorithms in mobile applications;
  • identity codes and algorithms in desktop applications; 
  • identity of physical servers; 
  • SSH keys and others. 

Without proper management and protection of their identities, machines grant access to any other machine that seems valid, even if it is malicious.

The first point to note is how many machine identities are in use and for what purposes. The absence of this type of information can cause blackouts: machine communication failures due to an expired certificate or key, which stop a procedure and result in service unavailability. These blackouts happen because identity expiration dates are not tracked, so when the deadline comes, the communication between the machines is interrupted and, consequently, the service as well. It is estimated that a blackout on a critical infrastructure could cause a loss of $5,000 per minute, or more than $300,000 per hour.

Lack of control can also allow attackers to obtain these identities or communicate with network machines through false identities.  This can happen because many security controls are based on communications authenticated by machine identities. 

Another point of risk is direct access to keys and certificates. Organizations are concerned with disabling former employee credentials, but they forget to disable or change machine identities managed by these people, which gives them access to the system even after leaving the company.

Identity Blackout

In addition to exploits, these mismanaged identities can have a big impact when not updated. Because of the large number of certificates, some may be forgotten and reach their expiration dates without the knowledge of the responsible manager, causing the breakdown of some important communication. Microsoft went through something similar in 2013, when Windows Azure Storage stopped working globally, impacting HTTPS traffic due to an expired SSL certificate, which affected thousands of users around the world.

Another example is Equifax, which could have prevented a data leak if the certificate on its traffic analysis device had not expired 10 months before the invasion of its systems. No one at the company noticed for 10 months that the certificate had expired, leading to a cost of $700 million to the company.

How to protect these identities?

In its study, Forrester identifies some necessary skills that companies must develop to protect communication on their devices:

  1. Visibility of the identities of all machines on the network, thus controlling the expiration dates of keys and certificates as well as unauthorized access and abuse of privileges. 
  2. Understanding the full life cycle of machine identities (certificate generation, installation, deployment, rotation, removal, and expiration) in order to protect machine-to-machine communication.
  3. Development of self-training to reduce the need for highly trained personnel to handle daily security operations.

The study also revealed that companies’ biggest concern lies in the integration of machine identities across the whole infrastructure, and in the control and prioritization of related risks.

This is because many companies leave certificates and keys under the responsibility of those who generate and use the identities. Each individual has a different mindset on how to protect identities, and many do not understand how important they are for many processes to work, which results in insecure, unregistered and unmonitored certificates and keys.

It is possible, and recommended, to protect these identities through automation and integration with other available technological resources. Automation makes it possible to keep track of all the changes that machine identities undergo (key and certificate generation, sending of information to the certifying authority, installation, configuration, etc.).

In short, a good approach to protecting identities includes:

  • Mapping identities, listing who is responsible for them, individually, and what they are used for. 
  • Automating the life cycle of identities. 
  • Enabling alerts and notifications to find certificates and keys that are approaching their expiration dates, to prevent blackouts.
  • Validating identities, including their installation and configuration to ensure their correct operation. 
  • Including controls for these identities in security policies and in the system. 
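
As an added illustration (not part of the original post or of any product), the Python sketch below triages a small identity inventory along the lines of the list above: it flags expired and soon-to-expire certificates, identities with no recorded expiry, and identities whose owner is missing or has left the company. The inventory, owner names and the 30-day warning window are constructed assumptions; the date strings use the format printed by `openssl x509 -noout -enddate`.

```python
import ssl
from datetime import datetime, timezone

# Constructed inventory. "not_after" uses the format printed by
# `openssl x509 -noout -enddate`; None means no expiry was ever recorded.
INVENTORY = [
    {"id": "payments-api client cert", "owner": "bob", "purpose": "mTLS",
     "not_after": "Jun  1 00:00:00 2020 GMT"},
    {"id": "build-agent SSH key", "owner": None, "purpose": "deploy",
     "not_after": None},
    {"id": "storage-frontend TLS cert", "owner": "alice", "purpose": "HTTPS",
     "not_after": "Oct 25 12:00:00 2019 GMT"},
    {"id": "traffic-inspection TLS cert", "owner": "carol",
     "purpose": "TLS inspection", "not_after": "Dec 15 00:00:00 2018 GMT"},
]
ACTIVE_STAFF = {"alice", "bob"}  # constructed; carol has left the company


def triage(inventory, active_staff, now, warn_days=30):
    """Return (id, days_left, issues) for every identity needing attention,
    most urgent first. days_left is None when no expiry is recorded."""
    findings = []
    for item in inventory:
        issues, days_left = [], None
        if item.get("not_after"):
            expires = datetime.fromtimestamp(
                ssl.cert_time_to_seconds(item["not_after"]), tz=timezone.utc)
            days_left = (expires - now).days
            if expires <= now:
                issues.append("expired")
            elif days_left < warn_days:
                issues.append("expiring-soon")
        else:
            issues.append("expiry-not-tracked")
        owner = item.get("owner")
        if not owner:
            issues.append("no-owner")
        elif owner not in active_staff:
            issues.append("owner-departed")
        if not item.get("purpose"):
            issues.append("no-purpose")
        if issues:
            findings.append((item["id"], days_left, issues))
    # Untracked expiry sorts last; among dated items, the earliest expiry first.
    return sorted(findings, key=lambda f: float("inf") if f[1] is None else f[1])


if __name__ == "__main__":
    for ident, days, issues in triage(
            INVENTORY, ACTIVE_STAFF, datetime(2019, 10, 15, tzinfo=timezone.utc)):
        print(f"{ident:30} days_left={days!s:>5} {', '.join(issues)}")
```

In practice the inventory would be fed from discovery scans and the staff list from the HR or directory system, so that offboarding an employee immediately surfaces the machine identities they managed.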

Many organizations understand the importance of machine identities, but they do not understand how to protect and use them correctly, complicated and challenging as that may be.

With the rapid and inevitable increase in the number of machines within organizations’ systems, and in the number of vulnerabilities to which they may be exposed by not managing and protecting their identities, it is about time for organizations to devote as much effort to protecting machine identities as they do to protecting the credentials of their employees.

REFERENCES

CERTIFICATE-RELATED OUTAGES impact the reputation of financial services organizations. Jul. 18, 2019. Available at: https://www.helpnetsecurity.com/2019/07/18/financial-services-certificate-related-outages/. Accessed on Oct. 2018.

FORRESTER. Securing the enterprise with machine identity protection. 2018. Available at: https://consulting.forrester.com/#/assets/8/1449/TLP00005/tlp. Accessed on Oct. 2018.

MARTIN, Steve. Windows Azure Service Disruption from Expired Certificate. Feb. 24, 2013. Available at: https://azure.microsoft.com/en-ca/blog/windows-azure-service-disruption-from-expired-certificate/ 

THE EQUIFAX DATA BREACH went undetected for 76 days because of an expired certificate. Sep. 14, 2018. Available at: https://www.thesslstore.com/blog/the-equifax-data-breach-went-undetected-for-76-days-because-of-an-expired-certificate/. Accessed on Oct. 2018.
