People rely on usernames and passwords to identify themselves to machines so they can gain access to data and services. Machines also need to authenticate themselves to each other so they can communicate securely. To do so, they rely on cryptographic keys and digital certificates, which serve as machine identities.
Organizations will spend over $10 billion protecting human identities this year, but they are just getting started with machine identity protection. When you look at the growth numbers, however, you see a striking disparity in the priority of investement. The number of humans on enterprise networks will remain relatively flat over the next few years, while the number of machines that need identities—including virtual machines, applications, algorithms, APIs and containers—is growing exponentially. Because cybercriminals understand the power of machine identities, they are quick to exploit those that are underprotected.
But, just how many organizations are taking necessary steps to protect their machine identities, especially when compared to human identities? To better understand the gap between implementation of security controls for human identities and those for machine identities, Venafi sponsored a survey that evaluated similar security controls for each type of identity.
Unfortunately, our survey revealed that enterprises aren’t effectively protecting their machine identities. For example, just half (54%) of organizations have a written policy on key length and randomness for machine identities, but 85% have a policy that governs password length for human identities.
“Identities are widely recognized as a key element in the threat landscape,” says Kevin Bocek, vice president of security strategy and threat intelligence for Venafi. “Machine identities are a relatively new, and very effective, point of attack, but there is a huge gap between the security controls applied to human identities and those applied to machine identities. This is a problem because the future of digital business relies heavily on machines.”
Additional findings from the study include:
“Enterprises are seeing dramatic growth in container usage, artificial intelligence, microservices and IoT devices, as well as machines in cloud and virtualized environments,” concludes Bocek. “Everyone—from CISOs to security architects and security practitioners—must prioritize the protection of machine identities for their organizations’ digital
transformation to be successful.”
Are making sure your machine identities are protected?