We asked our champions for their best advice on The Growing Importance of Protecting Machine Identities. See below for their responses and we’d love to hear your perspective, too! Share your response on Twitter and join us in raising awareness of the importance of identity management and securing digital identities by sharing all of your best practices and advice on Twitter or LinkedIn using #BeIdentitySmart.
#BeIdentitySmart Week aims to spotlight the importance of identity security as part of Cybersecurity Awareness Month. Each day during the week we will focus on a specific aspect of identity security, posting blogs from the IDSA and the identity and security community, as well as crowdsourced advice from our Identity Management Champions.
“With machine identities now outnumbering human identities at many organizations, ensuring that steps are in place to first authorize and authenticate machine identities in feasible ways is critical in establishing trust. After trust has been established, processes and tools must be implemented to establish a baseline for ‘normal behavior’ for these machine identities and be able to act if anomalies and/or malicious behavior is detected. Finally, having a way to audit and log activities and access for machine identities is critical, particularly technical identities, service accounts and machines that require access to critical business tasks.”
–Rod Simmons, vice president of product strategy, Omada
“We’ve seen an impressive increase in stronger user authentication in the last year, but authentication for machines and devices still seems to be an afterthought. If IT leaders are building a Zero Trust architecture, they need to secure every identity on their network, including these machines and devices. This can initially seem overwhelming, especially since the most common way to authenticate machines is to use PKI. PKI, while secure, can be complex for IT teams to manage on-premises
– Jerome Becquart, COO, Axiad
“The shift to the cloud has fundamentally changed the way we approach security. The security paradigm has changed and it’s critical for companies to update their strategies accordingly. An organization not only needs to inventory its person and non-person identities, as well as what they can and are doing, but needs to continuously monitor them. The once a quarter reviews are dead. Along with this, it is critical for a company to know at all times where their data is, who has access to it and what an identity does with the data. No longer is it about getting to least privilege and least access, it is about continuously staying there and getting notified whenever something changes. Companies that fail to mature their security with this paradigm shift will be left picking up the pieces after a breach”
–Eric Kedrosky, CISO and Director of Cloud Security at Sonrai Security
“Organizations are moving to the public cloud in record-setting numbers, but with this growth comes unprecedented security challenges with user identity management and the explosion of machine identities such as applications, databases, and data stores. Gartner, Inc. estimates, ‘by 2023, 75% of security failures will result from inadequate management of identities, access, and privileges, up from 50% in 2020.’ Unfortunately, traditional security tools are ill-equipped to handle this explosion of resource management and, as a result, over-provision access and exasperate security risks.
The rapid adoption of cloud computing has exposed a hidden threat of ‘permission sprawl.’ This challenge is driving the need for solutions that prioritize visibility and reduce the attack surface for identities and entitlements in the cloud.”
-Carolyn Crandall, chief security advocate, Attivo Networks
“Machine and service identities outnumber human identities 10:1 in business environments and require a complete re-think of the scale, security and automation of IAM strategies. Automation and scale are key constructs for managing today’s thousands if not millions of ephemeral machine identities. Automation must discover machines and services, provide an Identity assignment and fit into the DevSecOps pipeline. Authentication and authorization are then layered on top to control how data flows, what’s been consented to, and if it data can be shared. Automated authorization governance provides developer guardrails and base authorization policies to securely accelerate this approach.”
–Nathanael Coffing, co-founder and CSO of Cloudentity
“Machine identities are a vehicle to represent the characteristics of humans accessing different resources. They have entitlements, privileges, permissions, and rights just like a human would if they could interact at a complex electronic level. As we continue to expand our electronic footprint, implement digital transformation initiatives, and embrace automation, machine identities provide the mechanisms to ensure that these electronic counterparts have the authority to perform tasks and that the tasks being performed are meaningful. As the importance of machine identities grows, so too does the risk of them being abused by threat actors or misused due to human mistakes.”
– Morey Haber, CISO, BeyondTrust
“Organizations must develop a strategy around machine identities and the types of machine identities in their IT ecosystem. You can’t manage and govern what you can’t see, so it’s essential to discover the machine identities and develop a specific approach for each type (workload, IoT devices, and Bots).”
–Yash Prakash, Chief Strategy Officer, Saviynt
