Today’s economic climate exacerbates these cyber risks and the impact of the COVID-19 epidemic has led to an acceleration in digital transformation and technical change that will further stress-test organizations’ identity and access management practices. This creates new challenges in minimizing access-related risks across traditional datacenters, cloud, and DevOps environments.
Companies that have adopted an identity-centric approach to security are typically focusing on human users – customers, employees, IT administrators, consultants, or business partners. While focusing on human users is essential, it may not be sufficient. The reality is that today, identities include not just people but workloads, microservices, and applications.
In fact, non-person entities (also called machine or non-human identities) represent the majority of “users” in many organizations. Machine identities are often associated with privileged accounts, and typically have a much larger footprint than traditional human privileged accounts within modern IT infrastructures. This is especially true in DevOps and cloud environments, where task automation plays a dominant role.
For example, cloud services and the need to automate the management of these environments led to increased numbers of machine identities that not only are more difficult to manage – there is no HR record for them. In addition, they are also more prone to being ignored when it comes to the risks associated with these accounts being compromised and exploited by malicious actors.
Without knowing if and where these accounts exist, organizations face increased cyber risks exposure and an expanded attack surface. Mainstream use of APIs further accelerated the number of machine identities being used for client-to-client computing processes and applications development. The advent of microservices as well as widespread use of mobile technology and applications, along with Internet of Things (IoT) and Operational Technology (OT), compounded the matter.
Ultimately, these new types of machine identities and modern cloud-native application architectures are driving organizations to rethink their identity and access management strategies, as otherwise they would be exposed to a blind spot that their cyber adversaries can easily exploit. In a recent Gartner report, titled “Managing Machine Identities, Secrets, Keys, and Certificates” the author confirmed the uneasy feeling about lack of control and accountability, associated with machine identities. The article mentions the existence of shadow IAM deployments that issue, manage, and control keys, secrets, and certificates; the occurrence of ghost Secure Shell (SSH) keys across the organization’s different devices and workloads; and the lack of good guidance around the usage of machine identities as a few examples of how companies are struggling to deal with machine identities.
Besides underestimating the relevance of non-person identities in the context of a data breach, many organizations are quickly realizing that the traditional static password concept, which often requires manual and time-consuming configurations, is not suitable in fast-moving multi-cloud and hybrid environment where access needs are often temporary, and changes are constant. So, what does this mean for the future of passwords and how organizations approach controlling access to their sensitive resources?
Start with the Basics
From an identity-centric perspective, some of the best practices and processes that apply to human identities do not apply to machine identities:
Applying preventive measures and implementing mitigating factors like multi-factor and step-up authentication, privilege elevation, and account disable/deletion can easily be accomplished for human identities. However, establishing comparable security controls for machine identities is not trivial.
To get started, the Zero Trust Technical Working Group of the Identity Defined Security Alliance recommends the following basic measures to help alleviate risks and manage these accounts:
- Inventory and document machine identities and their use.
- Ensure naming conventions are implemented to ease monitoring and expedite audit.
- Manage those privileged non-person entities in a similar fashion as you would for human users – implement privileged access security methods.
- Secure the certificates and vault the accounts.
Advancing Your Authentication Model
Once organizations implement those basic steps, they have to relinquish their reliance on a static password model, and instead move to a dynamic password approach. These ephemeral, certificate-based access credentials address the major security issues that plague static passwords without impacting usability and agility in highly digitalized IT environments.
When implementing ephemeral certificate-based authorization, the target systems are accessed without the need for permanent access credentials, establishing a “zero standing privilege” stance based on Zero Trust principles that ensures all access to services must be authenticated, authorized, and encrypted. For each session (be it for a human or machine), the ephemeral certificate is issued from the Certificate Authority (CA), which serves as the trusted third-party and is based on industry-standards such as the temporary X.509 certificate. It encodes the user identity for security purposes and has a short lifetime, avoiding the risk of man-in-the-middle attacks.
Ultimately, the CA controls access to the target system based on user roles (including roles assigned to workloads, services, and machines), which are created based on rules. The rules for particular roles are generated according to security policies and access requirements. The CA then obtains the rules for each role from the traditional enterprise directory (e.g., Microsoft Active Directory) and uses them to determine proper authentication. This approach alleviates setting up access for each individual user/machine and enables streamlined updates to groups of users/machines.
The integration of identity with security is still work in progress, with less than half of businesses having fully implemented key identity-related access controls according to the IDSA research study. Key to starting that path is acknowledgement that an identity-centric approach to security based on Zero Trust principles doesn’t only apply to humans, but also to machines.
About the Author: The Zero Trust Technical Working Group subcommittee was formed in July 2020. The team, led by Stefan Lesaru, includes Torsten George, Jay Kelley, Robbie Jones, Ben Goodman, Stephen Lee, Matt Egan, Doris Yang, Martin Kniffin, Don Coltrain, Kayslip Merchant and Allen Moffett.