Machine Identity part 1
Until a few years ago, organizations had little technology resources for their employees to do their jobs, had the bare minimum to communicate internally and automate some processes. Today, the scenario has changed. Companies are increasingly leveraging their technological infrastructure, and resources are equal or even exceed the number of employees.
Robotic automation processes, IoT, cloud infrastructures, machine learning, and many other technologies that have become part of an organization’s daily tasks have encouraged the need for not only humans to communicate with machines, but also machines to communicate with each other.
Humans use usernames and passwords to authenticate their access to resources, but machines and devices use keys and certificates to access the resources they need inside or outside the network, which means keys and certificates are the identification of machines to prove that their access and privileges are authentic.
Machine-machine communication is as important as human-machine communication. It is estimated that this year, companies will spend more than $ 10 billion to protect and manage passwords, but have spent virtually nothing to protect and manage machine identities.
Machine Identity is an important component for Identity & Access Management (IAM) – which enables one to manage identities and their access to organizational resources, as, typically, when you think about identity management, machines’ identities are neglected and end up increasing the risk of unauthorized access, because these machines do not have their access and privileges controlled and become susceptible to exploitation.
Exploration of Identities
Managing and securing these machine identities is sometimes more complex because machines cannot identify whether or not requests from another machine are appropriate. Unlike humans, who have the critical sense to identify suspicious situations, machines simply accept the requests they are ordered.
According to a Forrester study on Machine Identities from 2018, 70% of companies are tracking less than half of their potential machine identities, leaving them vulnerable to many risks. These identities include:
- cloud platform;
- identity codes and algorithms in mobile applications;
- identity codes and algorithms in desktop applications;
- identity of physical servers;
- SSH keys and others.
Without proper management and protection of their identities, machines grant access to any other that seems valid even if it is malicious.
The first point to note is how much machine identity is being used and for what purposes. The absence of this type of information can cause blackouts – machine communication failure due to an expired certificate or key, causing a procedure to stop that results in service unavailability. These blackouts happen because the control of identity expiration dates is not performed, so, when the deadline comes, the communication between the machines is interrupted and, consequently, the service as well. It is estimated that a blackout on a critical infrastructure could cause a loss of $ 5,000 per minute or more than $ 300,000 per hour.
Lack of control can also allow attackers to obtain these identities or communicate with network machines through false identities. This can happen because many security controls are based on communications authenticated by machine identities.
Another point of risk is direct access to keys and certificates. Organizations are concerned with disabling former employee credentials, but they forget to disable or change machine identities managed by these people, which gives them access to the system even after leaving the company.
In addition to exploits, these mismanaged identities can have a big impact when not updated. Due to a large number of certificates, some may be forgotten, and their expiration dates are reached without the knowledge of the responsible manager, causing some important communication breakdown. Microsoft went through something similar in 2013, when Windows Azure Storage stopped working globally, impacting HTTPS traffic due to an expired SSL certificate, which affected thousands of users on the planet.
Another example is the company Equifax, which could have prevented a data leakage if its traffic analysis device hadn’t had its certificate expired 10 months before the invasion of their systems. No one from the company noticed for 10 months that a certificate was expired, leading to a $ 700 million cost to the company.
How to protect these identities?
In its study, Forrester determines some necessary skills that companies must develop to protect communication on their devices:
- Visibility of the identities of all machines on the network, thus controlling the expiration dates of keys and certificates as well as unauthorized access and abuse of privileges.
- Understanding the full life cycle of machine identities: certificate generation, installation, deployment, rotation, removal to protect, expiration, and machine-to-machine communication.
- Development of self-training to reduce the need for highly trained personnel to handle daily security operations.
The study also revealed that companies’ biggest concern relies on the integration of machine identities across the whole infrastructure, and the control and prioritization of related risks.
This is because many companies leave certificates and keys under the responsibility of those who generate and use the identities, but each individual has a different mindset on how to protect identities, and do not understand their importance for many processes to work, which results on insecure, unregistered and unmonitored certificates and keys.
Protection of these identities can and is recommended to be done through automation and integration with other available technological resources. Automation will allow one to keep track of all changes that machine identities undergo (key and certificate generation, sending of information to the certifying authority, installation, configuration, etc.).
In short, a good approach to protecting identities includes:
- Mapping identities, listing who is responsible for them, individually, and what they are used for.
- Automating the life cycle of identities.
- Enabling alerts and notifications to find certificates and keys with close expiration dates to prevent blackouts.
- Validating identities, including their installation and configuration to ensure their correct operation.
- Including controls for these identities in security policies and in the system.
Many organizations understand the importance of machine identities, but they do not understand how they can protect and use them correctly, however complicated and challenging it may be.
With the rapid and inevitable increase in the number of machines within the organizations’ system, and in the number of vulnerabilities to which they may be exposed by not managing and protecting their identities, it is about time for organizations to devote their protection efforts to the extent they strive to protect the credentials of their employees.
CERTIFICATE-RELATED OUTAGES impact the reputation of financial services organizations. Jul. 18, 2019. Available at: https://www.helpnetsecurity.com/2019/07/18/financial-services-certificate-related-outages/. Accessed on Oct.2018.
FORRESTER. Security the enterprise with machine identity protection. 2018. Available at: https://consulting.forrester.com/#/assets/8/1449/TLP00005/tlp. Accessed on: oct.2018.
https://www.thesslstore.com/blog/the-equifax-data-breach-went-undetected-for-76-days-because-of-an-expired-certificate/. Accessed on Oct. 2018.
MARTIN, Steve. Windows Azure Service Disruption from Expired Certificate. Feb. 24, 2013. Available at: https://azure.microsoft.com/en-ca/blog/windows-azure-service-disruption-from-expired-certificate/
THE EQUIFAX DATA BREACH went undetected for 76 days because of an expired certificate. Sep. 14, 2018. Available at: https://www.thesslstore.com/blog/the-equifax-data-breach-went-undetected-for-76-days-because-of-an-expired-certificate/. Accessed on Oct. 2018.