Federal PKI Security Challenges: Is Your IAM Too Person-centric to Protect Machine Identities?

PKI, public key infrastructure, NPE
June 11, 2019 | Lindsy Drake

Without identity, there is no security, and there is no trust without secured identity. For many years the public sector has worked to manage the identities of the many humans who constantly move on and off federal networks. However, gaining control of human identity management is just the tip of the identity iceberg—especially when we turn our attention to modernization and secure encryption policies that now inherently depend on validating the identity of each type of machine connection.

The Department of Defense (DoD), for example, has recently been required to transition away from a private trust model for machine identities: all DoD agencies have been directed to move to a public trust model that has a much wider reach. This is a giant step towards elevating the importance of machine identities to a level much closer to the emphasis we place on protecting human identities.

But federal machine identities have not always had this level of priority. To tell friend from foe, identity models throughout the public sector continue to focus on advancing and improving person-centric identity. But people are not the only actors on the network. We also have non-person entities (NPEs), or what we will refer to here simply as machines: cloud workloads, virtual machines, Fast IT and containers, mobile devices, IoT and more. These machines all have identities—machine identities that need to be protected.

This becomes complicated because the number of machines has significantly outpaced the number of people on networks. To employ an all-encompassing approach to identity, we must work across the full spectrum of identity and include both person-centric and machine-centric identity protection strategies.

On every network, human interactions are intertwined with automated machine-to-machine functions. Person-centric identity models rely on personal identity verification (PIV) cards, usernames, passwords, smart cards and biometrics to unequivocally establish identity through the simplest mechanisms possible. But how do NPEs know which other machines to trust and which not to trust? They use cryptographic keys and digital certificates as machine identities, and those keys and certificates establish trust for machine-to-machine connections and communications.

Leaving machine identities unsecured creates significant vulnerabilities. We spend billions of dollars each year protecting human identities, but almost nothing protecting machine identities. Bad actors from nation-states to insiders know this and now devote more time and resources to stealing machine identities. Even though any type of identity data still proves to be a valuable target, recent research shows NPE data is more valuable by a factor of up to 100.

Compromised machine identities allow cyber criminals—whether hackers, organized crime or nation states—to leverage keys and certificates in their attacks. They hijack the trust established by keys and certificates to bypass security controls and obscure their activities. This includes mis-issuing certificates, breaking weak certificates, code-signing malware, legitimizing spoofed websites, creating fake HTTPS, conducting man-in-the-middle attacks, eavesdropping on communications, and misusing SSH keys to pivot undetected throughout networks.

Looking at the current and future state of identity management and security, a lack of machine identity protection has the same impacts as weak person-centric identity, including threats to national security and public safety, and fraud.

Right now, there is a big focus on the importance of properly implementing and protecting HTTPS communications across civilian and DoD agencies. Modernization efforts and cloud migration add exponential complexity to this task. But when the dust settles, your agency will have thousands of machine identities to manage and safeguard. At that point, how do you think the protection of machine identities in your agency will compare with the protection of person-centric identities?

Contact us to discuss why machine identity protection should be part of an all-encompassing approach to identity, going beyond a person-centric approach.
About the author

Lindsy Drake
Lindsy Drake writes for Venafi's blog and is an expert in machine identity protection.