Facing up to the machine identity crisis: a Q&A with Venafi

I’ve been working in cryptography for my entire career, but I landed in cyber security entirely by accident. At my first job after leaving university, we were having issues getting an Oracle database to talk to another one located on the other side of the city. I managed to figure out that the cause was that there were no valid digital certificates being used from one Oracle node to the next – I’ve been working with certificates ever since. This took me to a variety of roles at startups in Germany, and later the UK, before landing at Venafi in 2012.

What are machine identities and what are they used for?

Machine identities govern the privacy, authentication, and integrity of communications between machines. To assure their unique identities, machines – that is, every single application, website, device, cloud instance, microservice, even algorithm – use keys and certificates, much like people use a system of usernames and passwords to authenticate themselves online. Common machine identities include TLS, SSH, and code signing keys and certificates.

Compromised machine identities can have a significant security impact on organizations. Attackers can misuse machine identities to establish hidden or concealed encrypted communication tunnels on enterprise networks and gain privileged access to data and resources. Forged or stolen machine identities can also allow an attacker’s machine to masquerade as a legitimate machine, and be trusted with sensitive data.

We’ve all probably experienced machine identity failures at one point or another. Ever come across a website marked with a “cannot be trusted” warning? Or found that you just can’t connect to a website? It’s likely a machine identity has expired and has essentially been banished from the Internet as untrustworthy. When machines can’t be trusted by other machines, the services they provide simply cease to function, and we’ve seen plenty of examples of machine identity expiries causing costly outages, from O2 to Spotify. Since there are thousands, possibly even millions, of machine identities in use by a single business, it’s no wonder these failures, let alone attacks, happen so often.

Now, consider the extent to which machines drive our world. From cloud services, microservices, virtualized applications, edge computing, to IoT, digital transformation is accelerating. Machine-to-machine connections are increasing rapidly and are forecast to reach 14.6 billion by 2022, all of them underpinned by machine identities that validate the communication as trustworthy and secure. In other words, machine identities form the bedrock of trust for our entire digital world.

What impact, if any, has the COVID-19 crisis had on usage of machine identities?

COVID-19 has led to many organizations accelerating their digital initiatives, which has resulted in more and more machine identities being used. There’s more use of cloud, more Kubernetes, more APIs, more web services – all of which means more machine identities. Organizations know they must innovate quickly, taking advantage of digital tools to weather the current storm and emerge from it in a better shape than their competitors.

As a result, many have turned to DevOps to enable them to meet their digital goals faster. However, this is introducing new security risks. In many cases as the speed of development has gone up, DevOps teams are creating more new machine identities than IT security teams are able to properly manage, increasing the risk of identities being stolen and exploited by cybercriminals. For many organizations, this is driving what’s known as the ‘machine identity crisis’.

Can you explain why machine identities are valuable to cybercriminals?

Armed with machine identities and their powers, cybercriminals can slip past an organization’s security defenses undetected by creating hidden encrypted TLS tunnels into the organization’s network. They can move on to gain SSH privileged access to systems and to exfiltrate data. Stolen code signing certificates can also enable hackers to hit their targets with malware that evades next-gen AV. Ultimately, stolen or forged machine identities enable cybercriminals to move around without being spotted, as these identities give them legitimacy and trust.

Beyond this, machine identities can also be used to impersonate or spoof websites, making them appear genuine and secure to fool unwitting victims – the padlock in the browser’s URL bar doesn’t necessarily mean that the website is safe. Importantly, machine identities can also be used to sign malware, making it appear to come from legitimate sources such as Apple or Microsoft. Using machine identities in this way can hugely speed up the rate at which malware is distributed, because if it is signed with an identity from a trusted source it’s far more likely to be accepted by machines around the world. And as we use containers for cloud-based microservices, the opportunity to run untrusted software is accelerating.

You mentioned the risk of a ‘machine identity crisis’ – what does this mean?

The machine identity crisis is the situation where organizations find themselves with more machine identities than they’re able to protect, raising the risk that cybercriminals will be able to take advantage. Our increasing dependence on machines has caused the number of machine identities organizations must look after to skyrocket. Organizations that once had thousands of them to secure now find themselves with hundreds of thousands, even millions – and the number keeps rising as digital transformation gathers pace. Every one of these unprotected machine identities poses a new cybersecurity threat.

Complicating matters further, machine identities expire after a certain period in order to reduce the window in which compromised or fake certificates can be exploited by cybercriminals. As soon as a certificate expires, the digital processes it supports cease to function since they can’t be validated by other machines. As such, proper management of machine identities goes beyond looking for signs of misuse by cybercriminals; it extends to replacing certificates before they expire and cause an outage.

All it takes is for one certificate to expire, or one certificate to fall into the wrong hands, and organizations can find themselves in hot water. Given the exponential growth of machines and their transient nature, machine identity management is already overwhelming IT and security teams.

Why do organizations risk overlooking the importance of protecting their machine identities?

Organizations typically prioritize protecting human identities – usernames and passwords – at the expense of machine identity protection. Organizations spend billions securing the former, yet only a fraction of this on the latter. This may partly be because machine identities are a relatively new point of attack, and are seen as less of a tangible risk than human identities. Yet while the number of human users on a network remains relatively flat, the number of machines in use has exploded.

Despite this, many organizations still rely on managing machine identities using manual methods such as spreadsheets. This approach leaves those responsible for managing them struggling to keep up with the sheer volume of new machine identities being created, raising the risk of machine identities falling through the cracks into the hands of cybercriminals, or expiring and causing an outage. This risk carries a heavy financial cost: according to a report from AIR Worldwide and Venafi, improper management of machine identities has led to between $51 billion and $72 billion in losses to the global economy.

The only way organizations can solve these problems is with intelligent automation. Organizations must have complete visibility into every machine identity that touches their business from data centers to every cloud, be able to monitor these identities in real-time to detect misuse or upcoming expiries, and be able to automatically remediate any vulnerabilities discovered at machine speed and scale.
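To make the expiry failure mode and the monitoring task discussed in the answers above concrete, here is an added worked example; it is illustrative code written for this article, not Venafi tooling or anything Kevin Bocek described. It builds a small constructed inventory of self-signed TLS server certificates (the hostnames, the 30-day renewal window and the lifetimes are assumptions for the sample), classifies each against the warning window, and then runs the same chain validation a TLS client would perform, showing that the expired certificate is rejected even though nothing else about it has changed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ExpiryStatus classifies a certificate relative to a reference time.
type ExpiryStatus int

const (
	StatusOK ExpiryStatus = iota
	StatusExpiringSoon
	StatusExpired
	StatusNotYetValid
)

// CertRecord is one row of a machine identity inventory: where the
// certificate is deployed and the parsed certificate itself.
type CertRecord struct {
	Host string
	Cert *x509.Certificate
}

// newSelfSigned mints a self-signed TLS server certificate for host, valid
// from notBefore for validFor. It exists only to construct sample data.
func newSelfSigned(host string, notBefore time.Time, validFor time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(validFor),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildInventory constructs three sample identities relative to now (assumed
// hostnames and lifetimes): one healthy, one inside the renewal warning
// window, and one that expired 35 days ago.
func BuildInventory(now time.Time) ([]CertRecord, error) {
	day := 24 * time.Hour
	specs := []struct {
		host      string
		notBefore time.Time
		validFor  time.Duration
	}{
		{"api.example.test", now.Add(-30 * day), 365 * day},     // 335 days left
		{"billing.example.test", now.Add(-80 * day), 90 * day},  // 10 days left
		{"legacy.example.test", now.Add(-400 * day), 365 * day}, // expired
	}
	var inv []CertRecord
	for _, s := range specs {
		c, err := newSelfSigned(s.host, s.notBefore, s.validFor)
		if err != nil {
			return nil, err
		}
		inv = append(inv, CertRecord{Host: s.host, Cert: c})
	}
	return inv, nil
}

// Classify reports where a certificate sits relative to now, flagging anything
// that expires within the warn window so it can be renewed before an outage.
func Classify(c *x509.Certificate, now time.Time, warn time.Duration) ExpiryStatus {
	switch {
	case now.Before(c.NotBefore):
		return StatusNotYetValid
	case now.After(c.NotAfter):
		return StatusExpired
	case now.Add(warn).After(c.NotAfter):
		return StatusExpiringSoon
	default:
		return StatusOK
	}
}

// VerifyAt does what a TLS client that trusts this certificate would do at the
// given time: build and validate a chain for host. Expiry alone makes it fail.
func VerifyAt(c *x509.Certificate, now time.Time, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(c)
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err
}

// IsExpiredError is true when err is the standard library's expiry failure.
func IsExpiredError(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.Expired
}

func main() {
	now := time.Now()
	inv, err := BuildInventory(now)
	if err != nil {
		panic(err)
	}
	for _, r := range inv {
		fmt.Printf("%-22s status=%d verify=%v\n", r.Host, Classify(r.Cert, now, 30*24*time.Hour), VerifyAt(r.Cert, now, r.Host))
	}
}
```

In a real deployment the inventory would be populated by scanning endpoints, key stores and CI secrets rather than minted in code; the part worth keeping is the split between the warning window, which drives renewal before anything breaks, and the hard validation failure, which is what an expired identity looks like to every client the moment NotAfter passes.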

  • Kevin Bocek, VP security strategy and threat intelligence, Venafi.

Kevin Bocek is Vice President, Security Strategy and Threat Intelligence at Venafi. He has over 16 years of experience in the IT security industry and is recognized as a subject matter expert in threat detection, encryption, digital signatures, and key management. He also has experience managing technical sales and professional services organizations.