Without identity, there is no security. And there is no trust without secured identity. For many years the public sector has worked to manage the identities of the many humans that constantly shift on and off of federal networks. However, gaining control of human identity management is just the tip of the identity iceberg—especially when we turn our attention to modernization and secure encryption policies that now inherently focus on identity validation of each different type of machine connection.
The Department of Defense (DoD), for example, has recently been forced to transition away from a private trust model for machine identities: all DoD agencies have been directed to move to a public trust model that has a much wider reach. This is a giant step towards elevating the importance of machine identities to levels that are much closer to the emphasis that we give to protecting human identities.
But Federal machine identities have not always had this level of priority. To tell friend from foe, identity models throughout the public sector continue to focus on advancing and improving person-centric identity. But people are not the only actors on the networks. We also have non-person entities (NPE) or what we’ll refer to here as simply machines—cloud workloads, virtualization, Fast IT & containerization, mobility, IoT and more. These machines all have identities—machine identities that need to be protected.
This becomes complicated as the number of machines has significantly outpaced the number of people on networks. To employ an all-encompassing approach to identity, we must work across the full spectrum of identity, covering both person-centric and machine-centric identity protection strategies.
On every network, human interactions are intertwined with automated machine-to-machine functions. Person-centric identity models include personal identity verification (PIV), usernames, passwords, smart cards and biometrics to unequivocally establish identity through the simplest mechanisms possible. But how do NPEs know which other machines to trust or not to trust? They use cryptographic keys and digital certificates to serve as machine identities and establish trust for machine-to-machine connections and communications.
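To make the trust mechanism described above concrete, here is an added Go example (not code from the original post, and not any agency's PKI): a constructed in-memory CA issues a certificate to a workload, and a verifying peer accepts that machine identity only when it chains to a trusted root, is within its validity window, is permitted for client authentication, and carries the name the peer expects. A certificate from an unrelated CA, an expired certificate and a certificate presented under the wrong name are all rejected. Every name in it (the CA names, `workload-a.example.internal`) is constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates a fresh P-256 key and signs a certificate for it. When parent
// is nil the certificate is self-signed, which is how the constructed CAs are made.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate describes an issuing CA (constructed sample, not a real agency PKI).
func caTemplate(name string, serial int64, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// machineTemplate describes a workload's identity: its DNS name and validity window.
func machineTemplate(dns string, serial int64, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: dns},
		DNSNames:     []string{dns},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
}

// VerifyMachineIdentity is the trust decision one machine makes about another:
// the peer's certificate must chain to a trusted root, be valid at this moment,
// be usable for client authentication, and carry the name we expect to talk to.
func VerifyMachineIdentity(peer *x509.Certificate, roots *x509.CertPool, expected string, now time.Time) error {
	_, err := peer.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     expected,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// Results holds the outcome of each check; a nil error means the peer was accepted.
type Results struct {
	Trusted, UntrustedIssuer, Expired, WrongName error
}

// RunScenario builds a constructed PKI in memory and exercises the four cases.
func RunScenario() (Results, error) {
	now := time.Now()
	const peer = "workload-a.example.internal" // constructed workload name
	var firstErr error
	mk := func(t, parent *x509.Certificate, k *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
		c, key, err := issue(t, parent, k)
		if err != nil && firstErr == nil {
			firstErr = err
		}
		return c, key
	}
	agencyCA, agencyKey := mk(caTemplate("Agency Machine CA (constructed)", 1, now), nil, nil)
	otherCA, otherKey := mk(caTemplate("Unrelated CA (constructed)", 2, now), nil, nil)
	good, _ := mk(machineTemplate(peer, 10, now.Add(-time.Hour), now.Add(time.Hour)), agencyCA, agencyKey)
	rogue, _ := mk(machineTemplate(peer, 11, now.Add(-time.Hour), now.Add(time.Hour)), otherCA, otherKey)
	expired, _ := mk(machineTemplate(peer, 12, now.Add(-48*time.Hour), now.Add(-time.Hour)), agencyCA, agencyKey)
	if firstErr != nil {
		return Results{}, firstErr
	}
	roots := x509.NewCertPool()
	roots.AddCert(agencyCA) // only the agency CA is trusted; otherCA is not
	return Results{
		Trusted:         VerifyMachineIdentity(good, roots, peer, now),
		UntrustedIssuer: VerifyMachineIdentity(rogue, roots, peer, now),
		Expired:         VerifyMachineIdentity(expired, roots, peer, now),
		WrongName:       VerifyMachineIdentity(good, roots, "workload-b.example.internal", now),
	}, nil
}
```

Calling `RunScenario()` returns a nil error for the trusted case and a non-nil error for the other three. The point for an inventory program is that all four decisions depend on state that has to be tracked per machine: which roots a workload trusts, when each certificate expires, and which names each one is allowed to assert.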
Leaving machine identities unsecured creates significant vulnerabilities. We spend billions of dollars each year protecting human identities, but almost nothing protecting machine identities. Bad actors from nation-states to insiders know this and now devote more time and resources to stealing machine identities. Even though any type of identity data still proves to be a valuable target, recent research shows NPE data is more valuable by a factor of up to 100.
Compromised machine identities allow cyber criminals—whether hackers, organized crime or nation states—to leverage keys and certificates in their attacks. They hijack the trust established by keys and certificates to bypass security controls and obscure their activities. This includes mis-issuing certificates, breaking weak certificates, code-signing malware, legitimizing spoofed websites, creating fraudulent HTTPS connections, conducting man-in-the-middle attacks, eavesdropping on communications, and misusing SSH keys to pivot undetected throughout networks.
When looking at the current and future state of identity management and security, a lack of machine identity protection has the same kinds of impact as weak person-centric identity: threats to national security and public safety, and fraud.
Right now, there’s a big focus on the importance of properly implementing and protecting HTTPS communications across Civilian and DoD agencies. Modernization efforts and cloud migration add exponential complexity to this. But when the dust settles, your agency will have thousands of machine identities to manage and safeguard. At that point, how do you think the protection will vary from person-centric identity to machine identity in your agency?
Contact us to discuss why machine identity protection should be part of an all-encompassing approach to identity, going beyond a person-centric approach.