The concept of managing and securing machine identities is one that major cybersecurity leaders are finally taking seriously, especially with Gartner naming machine identity management a top security trend for 2021. Once you have gained a comfortable understanding around what machine identities are and how they’re used, it’s time to start formulating a strategy to manage and protect the digital certificates and machine identities on your network!
Why is this so important? Machine identities are the foundation of your entire cybersecurity landscape, and weak protection of your keys and certificates can lead to a whole host of problems that result in devastating financial, operational, and reputational damage. Understanding these five machine identity risks will help you better determine if your organization is vulnerable!
All issued certificates come with an expiration date. Certificates used to enjoy generous validity periods of 2 years, but recently certificate lifespans have been reduced to 13 months! A certificate that is not renewed or reissued before it expires will trigger a certificate-related outage on the system it supports. That unplanned outage and the associated downtime will continue until a new certificate is issued and installed. High-profile examples include outages experienced by Google and Microsoft.
The only solution is to embrace automated certificate management, providing full visibility of your entire network and guaranteed management of your digital certificates. Want to learn more about how Venafi can eliminate certificate-related outages? Check this out!
Most security controls trust digital communications that are authenticated using machine identities. But when the private keys and certificates that serve as machine identities are compromised or forged, cybercriminals can use them to appear legitimate, allowing them to circumvent security controls. Cybercriminals also use stolen machine identities to gain privileged access to critical systems so they can move deeper into your network and stay hidden for extended periods of time.
Some examples of this phenomenon are the use of shadow certificates and rogue certificates. Remaining vigilant against these types of data breaches has never been more important. Zscaler has recently reported a 260% increase in machine identity attacks!
The longer a security threat, outage, or breach continues unresolved, the greater the potential for serious damage. If one of your Certificate Authorities (CAs) is compromised, for example, is your team prepared to replace all the certificates from that CA quickly?
Other large-scale cybersecurity events that require a timely response include the discovery of a machine identity using a vulnerable algorithm like SHA-256, the exploit of a cryptographic library bug like Heartbleed, or when a leading browser decides it will no longer trust certificates issued by one of your CAs. When you need to respond to any type of event that affects machine identities, time is everything.
One factor in how quickly you can respond to an issue is whether you and your teams know where all of your digital certificates are located, who is using them, and for what purpose. This may seem like standard data to have on hand, but more than 50% of organizations recognize that they don’t always have all that information. Most of the cybersecurity events listed are notoriously difficult to diagnose when you don’t have full network visibility of all keys and certificates.
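As an added illustration (not code from the original post or from Venafi), here is the kind of check a team can run over exported certificate records to answer the questions above: which certificates are expired or about to expire, which exceed the 13-month lifetime (assumed here as 398 days), and how many hosts would need new certificates if a given issuing CA were compromised or distrusted. The inventory rows, hostnames and CA names are constructed sample data.

```python
from datetime import datetime, timezone
from collections import Counter

MAX_LIFETIME_DAYS = 398   # 13-month lifetime limit from the text, assumed as 398 days
WARN_DAYS = 30            # renewal lead time; an assumed policy value
AS_OF = datetime(2025, 1, 15, tzinfo=timezone.utc)   # fixed clock for reproducible results
# Constructed sample records (not real certificates or hosts), shaped like the export
# of an automated discovery job: one row per certificate found on the network.
INVENTORY = [
    {"host": "api.example.test",      "issuer": "Corp Issuing CA 1",
     "not_before": "2024-01-10T00:00:00Z", "not_after": "2025-02-09T23:59:59Z"},
    {"host": "legacy.example.test",   "issuer": "Corp Issuing CA 1",
     "not_before": "2022-06-01T00:00:00Z", "not_after": "2024-05-31T23:59:59Z"},
    {"host": "vpn.example.test",      "issuer": "Public CA X",
     "not_before": "2024-09-01T00:00:00Z", "not_after": "2025-09-01T23:59:59Z"},
    {"host": "intranet.example.test", "issuer": "Corp Issuing CA 2",
     "not_before": "2023-03-01T00:00:00Z", "not_after": "2026-02-28T23:59:59Z"},
]

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def assess(inventory, now):
    """One finding per certificate: expiry status plus a lifetime-policy result."""
    findings = []
    for cert in inventory:
        nb, na = parse_ts(cert["not_before"]), parse_ts(cert["not_after"])
        remaining = (na - now).days          # negative once the certificate has expired
        lifetime = (na - nb).days            # full validity window as issued
        status = "expired" if remaining < 0 else "expiring" if remaining <= WARN_DAYS else "ok"
        findings.append({"host": cert["host"], "issuer": cert["issuer"],
                         "days_remaining": remaining, "status": status,
                         "over_max_lifetime": lifetime > MAX_LIFETIME_DAYS})
    return findings

def summarize(findings):
    """Counts a team would put on a dashboard or into an audit response."""
    by_status = Counter(f["status"] for f in findings)
    return {"expired": by_status["expired"], "expiring": by_status["expiring"],
            "ok": by_status["ok"], "over_max_lifetime": sum(f["over_max_lifetime"] for f in findings)}

def blast_radius(findings, issuer):
    """Hosts needing new certificates if this CA were compromised or distrusted by a browser."""
    return sorted(f["host"] for f in findings if f["issuer"] == issuer)

if __name__ == "__main__":
    results = assess(INVENTORY, AS_OF)
    print(summarize(results))
    print(blast_radius(results, "Corp Issuing CA 1"))
```

Note that intranet.example.test reports "ok" on expiry yet still fails the lifetime policy, which is why both checks belong in the same report.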
Organizations spend way too much time per year on manual certificate management, physically tracking and handling each individual digital certificate that serves as a machine identity. But are they even tracking everything? Considering that 71% of organizations don’t actually know how many certificates and keys they have, most likely not!
So right off the bat we know that not all digital certificates are being managed under a manual approach, but let’s look more closely at the certificates that are manually accounted for. Organizations can have hundreds, thousands, or even hundreds of thousands of machine identities! It’s not hard to imagine how quickly the overhead of manually tracking that many issue and expiration dates adds up. Not only is this a massive waste of time, but human error is always a major factor at play that can have dire consequences.
Administration of machine identities can also be complicated by administrators who are unfamiliar with certificates or trust stores. If your machine identity operations aren’t running smoothly, as is often the case, the time required can escalate fast, especially when there’s an outage or breach.
Machine identities are increasingly subject to corporate, government, and industry policies and regulations, including several standards that focus specifically on cryptographic key and certificate management and security. Because most organizations don’t have a strong machine identity protection program, it’s not unusual for auditors to discover that an organization is unable to monitor machine identities, enforce policies, or maintain effective management, all of which create significant security and reliability risks. If you’re tasked with addressing negative compliance findings and you don’t have a machine identity protection program in place, you face a lengthy, manual project.
From service outages to security breaches, weak machine identities will wreak havoc with your business. When a machine identity is compromised and used in a cyberattack or causes an outage, the negative consequences can be significant. You may suffer from a damaged reputation, loss of revenue, costly remediation, and higher management costs.
The good news is with Venafi, you don’t have to worry about any of that! Protect keys and certificates, SSH machine identities, code signing keys, and users across your entire enterprise with the Venafi Trust Protection Platform!