In traditional computing and business settings, digital identities—user names and passwords—were used to validate the authenticity of humans. But as technology evolves and business models adapt to the shifting global environment, a new form of digital identity has emerged: machine identities. As a Venafi research report suggests, machine identities are becoming even more important than human identities for protecting critical corporate resources and data.
Machine identities are credentials used to validate the authenticity of non-human entities connected to corporate networks. These entities can be tangible, like IoT sensors, APIs and mobile devices, or abstract infrastructure like containers and microservices. Machine identities protect a wide range of transactions including:
As a result of the wider scope of these use cases, the attack surface connected with machine identities is expanding much faster than that of human identities. The number of machines being deployed on enterprise networks is growing exponentially because the types of machines that need identities are expanding beyond traditional physical devices and servers.
Each of these machines requires an identity that must be managed throughout its lifecycle. As the number of machines continues to proliferate, the volume of machine identities increases with it. Protecting these machine identities throughout their lifecycle—from issuance to revocation—is becoming more challenging. Moreover, the potential consequences of ineffectively secured machine identities are proving to be extremely damaging to businesses, their customers and partners.
Because of their prevalence, machine identities have become a lucrative target for cyber criminals, serving as effective attack vectors for infiltrating corporate networks. Research has demonstrated that machine identities have become hot commodities on the dark web. Many of these machine identities are being sold as packages with a range of complementary, intuitive services, including:
This is indicative of the emerging ‘business model’ of cyber criminals. Machine identities have become a key part of Crime-as-a-Service toolkits, particularly for threat actors who lack the technical skillset of a traditional attacker. They provide threat actors with multiple ways of infiltrating networks. For example, cyber criminals can leverage machine identities to evade detection by hiding in encrypted traffic, or impersonate a trusted machine to gain access to sensitive data or to pivot across a network. Therefore, the return on investment for a single machine identity is huge considering the likelihood of success.
“Hacked human identities from well-known websites can be purchased on the dark web for 0.00003c per username and password. In comparison, machine identities like TLS certificates range in cost from $260 to $160.0”
Despite the impact that a stolen or fraudulent machine identity can have on business operations, organizations fail to protect machine identities. Instead, they invest more money into the protection of human credentials. There is clearly a disconnect between the actual risk and the proactiveness of businesses. Among the many factors for this disconnect are:
“The Venafi research discovered that 85% of respondents had a company written policy on password length and complexity, but only 54% had a policy detailing key length and randomness.”
To better understand the gap in applying effective security controls for human identities versus ones for machine identities, Venafi commissioned a global study of more than 1,500 IT security professionals from a range of company sizes and verticals.