Whether your organization is trying to prevent machine identity attacks or stop outages, there’s a lot riding on the effectiveness of your machine identity protection program. But to create an effective program, you need in-depth insight into the strengths and weaknesses of each of your machine identities. Some of that you can learn from the certificate itself. But much of the intelligence you need just isn’t part of the certificate. It’s situational.
To gain the intelligence you need to enforce policies and detect machine identity anomalies and vulnerabilities, you need to be able to discover and collect information on the critical attributes of each of your machine identities. To do that successfully, you’ll need access to additional intelligence beyond what you can retrieve from the keys and certificates themselves.
Here are six things that you can’t learn from keys and certificates:
Where it’s located
You need up-to-date information about every machine where a key or certificate is installed to effectively manage machine identities and incident response. Without location information, machine identity problems can be extremely difficult to diagnose and even harder to fix. Location information should include the machine address, file location, Hardware Security Module (HSM), if applicable, and account (in the case of SSH keys).
Who owns it
Any number of users can request machine identities across countless systems and different groups. Central Public Key Infrastructure (PKI) and security teams rarely have the permissions necessary to manage these systems directly, and updates to machine identities often have to be performed locally. So, when a security vulnerability is detected, such as a weak algorithm, operational risk, or impending expiration, your PKI or security team needs to be able to rapidly contact the appropriate owner to solve the problem.
Is it using strong ciphers
Each machine that uses a machine identity is configured to use certain ciphers, such as the Advanced Encryption Standard (AES). As technology advances, the strength or weakness of a cipher is often relative: it depends on factors such as client compatibility, key size, faulty random number generators, and cipher vulnerabilities, including side channel attacks. Weak ciphers undermine the strength of encryption and can facilitate compromises by cybercriminals.
Which protocol version it’s using
New vulnerabilities are regularly found in protocols like SSH and TLS. To reduce the chance of compromise, ensure that you’re using only approved protocol versions. For example, a critical vulnerability was found in the TLS heartbeat extension of the popular cryptography library OpenSSL. Dubbed Heartbleed, this vulnerability required all affected certificates to be replaced with ones using an updated protocol.
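The two checks above (approved protocol versions and strong ciphers) can be expressed as a small audit over a TLS configuration. The following is an added example, not code from the original article or from any product it describes; the approved-version list, the weak-cipher markers and the 128-bit floor are policy assumptions for this example, and the audit uses only the Python standard library `ssl` module.

```python
import ssl

# Policy values are assumptions for this example: which versions an
# organization approves and which cipher-name markers it treats as weak
# are its own decision.
APPROVED_TLS_VERSIONS = frozenset({ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3})
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH")
MIN_STRENGTH_BITS = 128


def weak_ciphers(suites):
    """Return the names of cipher suites (dicts as produced by
    SSLContext.get_ciphers()) that fall below the minimum strength or
    carry a weak-cipher marker in their name."""
    flagged = []
    for suite in suites:
        name = suite["name"]
        bits = suite.get("strength_bits", 0)
        if bits < MIN_STRENGTH_BITS or any(marker in name for marker in WEAK_CIPHER_MARKERS):
            flagged.append(name)
    return flagged


def version_approved(version):
    """True if a TLS version is on the approved list."""
    return version in APPROVED_TLS_VERSIONS


def hardened_server_context():
    """Server context pinned to approved versions and forward-secret AEAD suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2 suite selection; TLS 1.3 suites are all AEAD and are managed
    # separately by OpenSSL, so they stay enabled.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def audit_context(ctx):
    """Summarize a context's protocol floor and any weak suites for a report."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "version_approved": version_approved(ctx.minimum_version),
        "weak_ciphers": weak_ciphers(ctx.get_ciphers()),
    }


if __name__ == "__main__":
    print(audit_context(hardened_server_context()))
```

The same `weak_ciphers` check can be run over the output of any tool that reports negotiated suites with their bit strength; the context-based form is useful for verifying your own server configuration before it is deployed.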
How is it configured
Misconfigured servers, applications, or keystores may leave otherwise secure keys and certificates open to compromise. For SSH, configuration information can include source restrictions, force commands, whether port forwarding is allowed, and other security-critical requirements.
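For SSH, the configuration attributes named above (source restrictions, forced commands, port forwarding) live in the options prefix of each `authorized_keys` line. The following is an added example, not code from the original article: a parser for that prefix plus an audit that reports which keys lack a `from=` restriction, lack a `command=`, or still allow port or agent forwarding (taking the `restrict` option into account). The sample file and its key blobs are constructed placeholders.

```python
import re

# Key types recognized in authorized_keys lines (the common OpenSSH ones).
_KEY_TYPE_RE = re.compile(
    r"(?:^|\s)(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(?:256|384|521)|"
    r"sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com)\s+(\S+)(?:\s+(.*))?$"
)


def _split_options(prefix):
    """Split the option list on commas, honoring double quotes and backslash
    escapes, so that command="a, b" stays one option."""
    parts, current, quoted, i = [], [], False, 0
    while i < len(prefix):
        ch = prefix[i]
        if quoted and ch == "\\" and i + 1 < len(prefix):
            current.append(prefix[i + 1])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(current))
            current = []
            i += 1
            continue
        current.append(ch)
        i += 1
    if current:
        parts.append("".join(current))
    return parts


def parse_options(prefix):
    """Turn 'from="10.0.0.0/8",no-pty' into {"from": "10.0.0.0/8", "no-pty": True}."""
    options = {}
    for part in _split_options(prefix.strip()):
        name, sep, value = part.partition("=")
        if sep and len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        options[name.strip().lower()] = value if sep else True
    return options


def parse_authorized_keys(text):
    """Yield (line_no, options, key_type, comment) for each key line."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = _KEY_TYPE_RE.search(stripped)
        if not match:
            continue  # not a key line this parser understands
        options = parse_options(stripped[: match.start()])
        yield line_no, options, match.group(1), match.group(3) or ""


def audit_key(options):
    """Return the configuration findings for one key's options."""
    findings = []
    if "from" not in options:
        findings.append("no source restriction (from=)")
    if "command" not in options:
        findings.append("no forced command (command=)")
    restricted = "restrict" in options
    # 'restrict' turns every forwarding off unless it is re-enabled explicitly.
    port_forwarding = "port-forwarding" in options if restricted else "no-port-forwarding" not in options
    agent_forwarding = "agent-forwarding" in options if restricted else "no-agent-forwarding" not in options
    if port_forwarding:
        findings.append("port forwarding allowed")
    if agent_forwarding:
        findings.append("agent forwarding allowed")
    return findings


def audit_authorized_keys(text):
    """Return (line_no, comment, findings) for every key in the file text."""
    return [(line_no, comment, audit_key(options))
            for line_no, options, _, comment in parse_authorized_keys(text)]


# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# backup automation: pinned to one subnet and one command, nothing else
from="10.20.0.0/16",command="/usr/local/bin/backup.sh --incremental",no-port-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER1 backup@bastion
restrict,port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER2 tunnel@jump
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER3 deploy@ci-runner
"""

if __name__ == "__main__":
    for line_no, comment, findings in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {line_no} ({comment}): {findings or 'OK'}")
```

Running this over the sample reports the backup key as clean, the `tunnel@jump` key as re-enabling port forwarding behind `restrict`, and the bare `deploy@ci-runner` key as missing every restriction. Collecting these findings per account, alongside the location and owner data discussed above, is what makes the "how is it configured" question answerable at scale.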
Is it being misused
The relative security of machine identities relies on multiple variables, and because there are so many rapid changes to machine identities, assessing risks quickly can be difficult. Reputation scores combine multiple machine identity attributes into a single numeric value that quickly indicates the risk associated with a specific certificate.
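A reputation score of the kind described here is just a weighted combination of the attributes gathered in the earlier sections: key size, signature hash, expiry, protocol floor, cipher findings, and whether an owner and a location are known. The following is an added example, not code from the original article or from any product it describes; the weights, thresholds and the sample inventory are constructed assumptions for illustration, and a real program would tune them to its own policy.

```python
from dataclasses import dataclass
from typing import Optional

# Weights and thresholds below are illustrative assumptions for this example.
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


@dataclass(frozen=True)
class MachineIdentity:
    name: str                 # hostname or service the certificate identifies
    key_algorithm: str        # "RSA" or "EC"
    key_bits: int
    signature_hash: str       # hash used in the certificate signature, e.g. "sha256"
    days_to_expiry: int       # negative means already expired
    min_protocol: str         # oldest protocol version the endpoint still accepts
    weak_cipher_count: int    # suites flagged by a cipher audit
    owner: Optional[str]      # contactable owner, None if unknown
    location: Optional[str]   # host:path or HSM slot where the key lives, None if unknown


def risk_score(identity):
    """Combine discovered attributes into a 0-100 risk score plus the reasons.
    Higher is riskier; each rule adds points and the total is capped at 100."""
    reasons = []

    def hit(points, reason):
        reasons.append((points, reason))

    if identity.key_algorithm == "RSA" and identity.key_bits < 2048:
        hit(30, "RSA key shorter than 2048 bits")
    if identity.signature_hash.lower() in {"md5", "sha1"}:
        hit(25, f"weak signature hash {identity.signature_hash}")
    if identity.days_to_expiry < 0:
        hit(30, "certificate already expired")
    elif identity.days_to_expiry < 30:
        hit(15, f"expires in {identity.days_to_expiry} days")
    if identity.min_protocol in LEGACY_PROTOCOLS:
        hit(20, f"accepts legacy protocol {identity.min_protocol}")
    if identity.weak_cipher_count > 0:
        hit(10, f"{identity.weak_cipher_count} weak cipher suite(s) enabled")
    if identity.owner is None:
        hit(15, "no known owner to contact")
    if identity.location is None:
        hit(15, "install location unknown")

    score = min(100, sum(points for points, _ in reasons))
    return score, [reason for _, reason in reasons]


def rank_by_risk(identities):
    """Return (name, score, reasons) for each identity, riskiest first."""
    ranked = [(mi.name, *risk_score(mi)) for mi in identities]
    return sorted(ranked, key=lambda row: row[1], reverse=True)


# Constructed inventory; names and values are sample data, not real systems.
SAMPLE_INVENTORY = [
    MachineIdentity("api.example.test", "RSA", 2048, "sha256", 200, "TLSv1.2", 0,
                    "platform-team", "web01:/etc/ssl/api.pem"),
    MachineIdentity("legacy-erp.example.test", "RSA", 1024, "sha1", 12, "TLSv1", 3,
                    None, "erp01:/opt/erp/keystore.jks"),
    MachineIdentity("payments.example.test", "EC", 256, "sha256", 400, "TLSv1.2", 0,
                    "payments-team", None),
]

if __name__ == "__main__":
    for name, score, reasons in rank_by_risk(SAMPLE_INVENTORY):
        print(f"{score:3d}  {name}  {'; '.join(reasons) or 'no findings'}")
```

Keeping the reasons next to the number matters in practice: the score lets a team triage quickly, but the owner who has to fix the identity needs the specific findings, and an unknown owner or location is itself scored because it blocks remediation.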
After you’ve gathered intelligence for all machine identities inside and outside your enterprise, you can use this information to identify machine identity vulnerabilities, anomalies, risks, and trends. This is important because each of your business groups needs in-depth intelligence on the relative strength of the machine identities for the systems it controls. Otherwise, they won’t be able to follow the best practices required to protect machine identities or take rapid remedial action when needed.