
Federal PKI Security Challenges: Is Your IAM Too Person-centric to Effectively Manage Machine Identities?

PKI, public key infrastructure, NPE
June 11, 2019 | Lindsy Drake

Without identity there is no security, and without secured identity there is no trust. For many years the public sector has worked to manage the identities of the many people who constantly move on and off federal networks. But getting human identity management under control is only the tip of the identity iceberg, especially once modernization and encryption policies require validating the identity behind every kind of machine connection.

The Department of Defense (DoD), for example, has recently been directed to move its machine identities from a private trust model to a public trust model with a much wider reach. This is a big step toward giving machine identities an importance much closer to the emphasis placed on protecting human identities.

But federal machine identities have not always had this priority. To tell friend from foe, identity models throughout the public sector still concentrate on advancing person-centric identity. People, however, are not the only actors on these networks. There are also non-person entities (NPEs), which we will simply call machines here: cloud workloads, virtual machines, Fast IT and containers, mobile devices, IoT and more. Each of these machines has an identity, a machine identity that needs to be protected.

This becomes complicated because the number of machines on networks now far outstrips the number of people. An all-encompassing approach to identity must therefore cover the full spectrum, with protection strategies for both person-centric and machine-centric identity.



On every network, human interactions are intertwined with automated machine-to-machine functions. Person-centric identity models rely on personal identity verification (PIV) cards, usernames and passwords, smart cards and biometrics to establish identity unequivocally through the simplest mechanisms possible. But how does an NPE know which other machines to trust? Machines use cryptographic keys and digital certificates as their identities: a certificate binds a machine's name to its public key under the signature of a certificate authority, and a peer that trusts that authority can verify the binding and establish a trusted machine-to-machine connection.
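As an added example (not code from the original post or from Venafi), the Go program below uses only the standard library to build a constructed miniature PKI and shows what a relying machine actually does when it decides whether to trust a peer: it verifies the presented certificate against its own trust store, the name it meant to reach, and the validity window. The names (Agency Root CA, Rogue CA, api.agency.example) are hypothetical. A certificate for the right name issued by a root that is not in the trust store, which is what a mis-issued or rogue certificate used to spoof a site amounts to, is rejected, as are a name mismatch and an expired certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a fresh P-256 key and a certificate for tmpl. When parent is
// nil the certificate is self-signed (a root CA); otherwise it is signed by
// parentKey, which must belong to parent.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewRootCA issues a self-signed CA certificate named cn, valid for one year.
func NewRootCA(cn string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
}

// NewServerCert issues a 90-day TLS server certificate for dnsName under ca.
func NewServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string, now time.Time) (*x509.Certificate, error) {
	cert, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return cert, err
}

// Trusted is the relying machine's decision: build a chain from the presented
// leaf to a root in its trust store, check the name it intended to reach, and
// check the validity window at time at. A nil result means "trust this peer".
func Trusted(leaf *x509.Certificate, roots *x509.CertPool, dnsName string, at time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     dnsName,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Outcome holds the verification result for four constructed peers.
type Outcome struct {
	Legit, Rogue, WrongName, Expired error
}

// RunScenario builds the constructed PKI: an agency root, a server certificate
// it issued, and a rogue root that issued a certificate for the same name.
// Only the agency root goes into the trust store.
func RunScenario(now time.Time) (Outcome, error) {
	const host = "api.agency.example" // hypothetical service name
	agencyCA, agencyKey, err := NewRootCA("Agency Root CA", now)
	if err != nil {
		return Outcome{}, err
	}
	legit, err := NewServerCert(agencyCA, agencyKey, host, now)
	if err != nil {
		return Outcome{}, err
	}
	rogueCA, rogueKey, err := NewRootCA("Rogue CA", now)
	if err != nil {
		return Outcome{}, err
	}
	rogue, err := NewServerCert(rogueCA, rogueKey, host, now)
	if err != nil {
		return Outcome{}, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(agencyCA)
	return Outcome{
		Legit:     Trusted(legit, roots, host, now),                           // passes
		Rogue:     Trusted(rogue, roots, host, now),                           // unknown authority
		WrongName: Trusted(legit, roots, "other.agency.example", now),         // name mismatch
		Expired:   Trusted(legit, roots, host, now.Add(120*24*time.Hour)),     // past NotAfter
	}, nil
}

func main() {
	out, err := RunScenario(time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println("legit:     ", out.Legit)
	fmt.Println("rogue CA:  ", out.Rogue)
	fmt.Println("wrong name:", out.WrongName)
	fmt.Println("expired:   ", out.Expired)
}
```

Run it with `go run`. Note that the rogue certificate is rejected only because its root is absent from the trust store: if an attacker can add a root to a machine's trust store, or steal the agency CA's signing key, the same check passes. That is why the private keys behind machine identities need the same protection as the credentials behind human ones.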

Leaving machine identities unsecured creates significant vulnerabilities. Organizations spend billions of dollars each year protecting human identities but almost nothing protecting machine identities. Bad actors, from nation-states to insiders, know this and now devote more time and resources to stealing machine identities. Identity data of any kind is a valuable target, but recent research shows NPE data can be more valuable by a factor of up to 100.

Compromised machine identities let cyber criminals, whether hackers, organized crime or nation states, turn keys and certificates into attack tools. They hijack the trust that keys and certificates establish to bypass security controls and hide their activity: mis-issuing certificates, breaking weak certificates, code-signing malware, legitimizing spoofed websites, creating fake HTTPS, conducting man-in-the-middle attacks, eavesdropping on communications, and misusing SSH keys to pivot undetected through networks.

Looking at the current and future state of identity management and security, a lack of machine identity management carries the same impacts as weak person-centric identity: threats to national security and public safety, and fraud.

Right now there is a strong focus on properly implementing and protecting HTTPS communications across civilian and DoD agencies. Modernization efforts and cloud migration add exponential complexity to this. But when the dust settles, your agency will have thousands of machine identities to manage and safeguard. At that point, how will the protection your agency gives machine identities compare with the protection it gives person-centric identities?

Contact us to discuss why machine identity management should be part of an all-encompassing approach to identity, going beyond a person-centric approach.


About the author

Lindsy Drake

Lindsy Drake writes for Venafi's blog and is an expert in machine identity protection.
