10 Things Your Machine Identity Risk Assessment Should Cover

February 14, 2022 | Anastasios Arampatzis

Small businesses get targeted at nearly the same rate as large corporations when it comes to cyber-attacks, says Verizon’s 2021 Data Breach Investigations Report (DBIR). Why does this matter? Because there are key elements of data security that both big and small businesses are missing, and attackers seem to know and exploit them. And with the proliferation of all types of machines across the company, the point of entry is typically a machine identity, be it an expired certificate, a stolen login or a cracked credential.

The following recommendations will help you uncover the weak areas that leave your machine identities exposed, and help you fix them before attackers can take advantage of them. In today’s threat landscape, an attack is not so much a matter of if but of when.

  1. Visibility
    Gain complete visibility over all certificates and other machine identities within your organization. To do this, run a scan and see whether any certificates were missed by your PKI admins. Remember, the persistent creep of Shadow IT (more about this later) could mean some certificates are languishing, expired or simply hiding in various departments, so find a certificate management platform that can scan the entirety of your network. Avoid tracking expiration dates, certificate keys and passwords on archaic spreadsheets, sticky pads or in your admins’ notepads.
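As an added example (not code from the original post or from Venafi), the following Python scanner pulls the leaf certificate from each host and port you give it and reports days until expiry, so expired and soon-to-expire certificates surface in one report rather than on a spreadsheet. The target list, the 30-day warning threshold and the replayable `now` parameter are assumptions.

```python
"""Minimal TLS certificate inventory scanner (added example, not Venafi code)."""
import socket
import ssl
from datetime import datetime, timezone

# Date format ssl.SSLSocket.getpeercert() uses for notBefore / notAfter.
_CERT_DATE_FMT = "%b %d %H:%M:%S %Y %Z"


def days_until_expiry(not_after, now=None):
    """Parse a getpeercert() 'notAfter' string and return whole days left.

    `now` may be None (current UTC time), a datetime, or an ISO-8601 string
    so a scan can be replayed against a fixed date. Negative means expired.
    """
    expires = datetime.strptime(not_after, _CERT_DATE_FMT).replace(tzinfo=timezone.utc)
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    return (expires - now).days


def classify(days_left, warn_days=30):
    """Bucket a certificate for the risk report (warn_days is an assumption)."""
    if days_left < 0:
        return "EXPIRED"
    if days_left <= warn_days:
        return "EXPIRING"
    return "OK"


def fetch_leaf_cert(host, port=443, timeout=5.0):
    """Open a verified TLS connection and return the decoded peer certificate."""
    ctx = ssl.create_default_context()          # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def scan(targets, warn_days=30):
    """Yield (host, port, common name, status, days_left) for each target."""
    for host, port in targets:
        cert = fetch_leaf_cert(host, port)
        cn = dict(rdn[0] for rdn in cert["subject"]).get("commonName", "?")
        days_left = days_until_expiry(cert["notAfter"])
        yield host, port, cn, classify(days_left, warn_days), days_left


if __name__ == "__main__":
    # Constructed target list; replace with your own inventory.
    for row in scan([("example.com", 443)]):
        print("%s:%d  %-30s %-8s %d days" % row)
```

Feed `scan()` the output of your asset inventory, and treat any `EXPIRED` row as a certificate the organization has lost track of.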

  2. Network Segmentation
    Throw hackers off by segmenting your network. A security-by-design feature, segmentation takes your single network and makes it look like multiple networks to the outside. This makes it difficult to breach your network as a whole, because each part must be breached separately. It also adds visibility, since you can manage each piece on its own; decreases the attack surface, since each segment has its own hardware; and increases incident response efficiency. To save capacity on your own servers, look into private cloud options with dedicated servers to host the segmented parts of your network.

  3. Data in Transit Encryption
    Encrypt your data in transit using TLS 1.2 at a minimum, ideally TLS 1.3. This protects the data should an attacker gain entry to your infrastructure or to the infrastructure between the sender and the receiver. This applies to web-based services such as forms, login screens and upload/download capabilities. A WAN service, a TLS or IPsec VPN gateway or a bonded fiber optic connection can also be utilized, given proper configuration and consideration.

  4. Authentication
    Properly authenticate all machine-to-machine (M2M) communications. Usernames and logins authenticate users; use appropriate authentication protocols to authenticate machines. You can run a private PKI, be your own Certificate Authority, and use mutual authentication based on public/private key pairs for SSL/TLS.
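Items 3 and 4 together describe one TLS policy for machine-to-machine links: a TLS 1.2 floor and mutual authentication against your own CA. As an added example (not Venafi code), the Python below builds that policy with the standard `ssl` module for either side of the connection; the `cafile`, `certfile` and `keyfile` paths are assumptions you replace with your private PKI's files.

```python
"""TLS policy builder for M2M links (added example, not Venafi code)."""
import ssl


def m2m_context(server_side, cafile=None, certfile=None, keyfile=None):
    """Return an SSLContext that requires the peer to present a cert from our CA.

    cafile is the private root (or intermediate) bundle; certfile/keyfile are
    this machine's own identity. All three are assumed paths. Omitting them
    still yields the policy (handy for inspection) but a real handshake needs
    them.
    """
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose, cafile=cafile)
    # Weak default: a server context negotiates TLS 1.0/1.1 if the client asks
    # and sets verify_mode to CERT_NONE, so any client may connect.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse TLS 1.0 / 1.1
    ctx.verify_mode = ssl.CERT_REQUIRED            # mutual TLS: peer cert mandatory
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)     # our own machine identity
    return ctx


def policy_summary(ctx):
    """Plain-string view of the settings a risk assessment should check."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "tls13_available": ssl.HAS_TLSv1_3,   # TLS 1.3 is used when both sides support it
    }


if __name__ == "__main__":
    print("server:", policy_summary(m2m_context(server_side=True)))
    print("client:", policy_summary(m2m_context(server_side=False)))
```

Note that the client side keeps `check_hostname` on, so each machine's certificate must carry the name its peers connect to.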

  5. Access Control Policies
    Establish access control policies that determine who can access what. NIST defines access control policies as “high-level requirements that specify how access is managed and who may access information under what circumstances.” According to Verizon’s 2021 Data Breach Investigations Report, privilege abuse is the primary cause of data breaches. Just-in-time access is one way of minimizing standing access permissions to improve data security. Ultimately, “a state of access control is said to be safe if no permission can be leaked to an unauthorized, or uninvited principal.” NISTIR 7316, Assessment of Access Control Systems, explains some common access control policies and the mechanisms available.

  6. Shadow IT
    Establish strong policies to mitigate Shadow IT. Well-intentioned employees in departments outside IT spin up certificates and purchase and deploy SaaS solutions, but they aren’t trained to know when or how to renew or manage them. As a result, many unaccounted-for certificates and digital identities lie around as liabilities: they could expire and serve as an attack vector into the organization. Scans and visibility are therefore key to keeping ahead of the spread of Shadow IT.

  7. Incident Response
    Have an incident response plan ready in case your organization is breached. Whether your organization is on the receiving end of a phishing scam or a nation-state attack, be ready with the proper protocols. NIST SP 800-61 outlines incident response as preparation, detection, containment, investigation, remediation and recovery, with the CISO or Privacy Officer as owner.

  8. Monitoring
    It’s critical that you continuously monitor your cybersecurity posture, including machine identities. Traditional monitoring tools take a point-in-time snapshot, which can be outdated before the next one is taken. Elements of a continuous monitoring strategy include threat prioritization, monitoring tools with SIEM and GRC capabilities, a patching schedule and a culture of cyber awareness. Current tools also use AI to find trends in suspicious activity.

  9. Automation
    Automate your solutions wherever possible. Forrester notes that “orchestrating the creation, provisioning, rotation, renewal, and replacement of machine identities tasks manually is nearly impossible, given the rapid increase in volume of machine identities and the velocity of changes affecting them.” Automating as a rule, not as an exception, is the state of the industry and best practice. To that end, Venafi’s solution provides visibility, monitoring and automation for your company’s machine identity management.

  10. Culture
    Foster a culture of cyber awareness among your workforce. Employees are more likely to stay vigilant if they know what they’re looking for, and why it’s important. Building a cyber-open workplace and culture of quick remediation can set the standard for high data safety and a zero-trust environment.

Final thoughts

If you can’t account for all your machine identities, a criminal would be happy to do the double-checking for you. This list, while not exhaustive, should give you a good start on your road to machine identity risk mitigation. As Jeff Hudson, Venafi CEO, states, “We spend billions of dollars protecting usernames and passwords, but almost nothing protecting the keys and certificates that machines use to identify and authenticate themselves. The number of machines on enterprise networks is skyrocketing and most organizations haven’t invested in the intelligence or automation necessary to successfully manage these critical security assets.” With these solutions in place, chances are a cyber attacker will move on to greener pastures.

To ensure your company has a smooth digital transformation, investing in cybersecurity solutions such as the Venafi Trust Protection Platform, which fully automates machine identity management, is highly recommended.

About the author

Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.
