Skip to main content
banner image
venafi logo

Why You Can’t Achieve Zero Trust without Machine Identity Management

Why You Can’t Achieve Zero Trust without Machine Identity Management

no-zero-trust-pki-without-machine-identity-management
September 20, 2021 | Anastasios Arampatzis

According to the Verizon 2021 Data Breach Investigations Report (DBIR), privilege abuse was the biggest cause of data breaches. Lack of or poor implementation of controls to effectively manage human credentials as well as machine identities are a key reason for privilege abuse.

Commenting on the seriousness of the problem, David Smith and Bernard Wilson, US Secret Service agents, wrote in the report appendix: “The zero-trust model for access quickly became a fundamental security requirement rather than a future ideal. Prevention of lateral movement, least privilege, and “never trust, always verify” have proven to be strong indicators of an organization’s ability to prevent or recover from unauthorized presence in its network environment.” Robust machine identity management and access controls are key ingredients of Zero Trust security. But first things first—what is Zero Trust security?

Learn more about machine identity management. Read our Dummies Guide.
What is Zero Trust security?

Let us be clear; Zero Trust is not just, “another technology”. Zero Trust is a strategic approach to securing access to your resources, whether they are data, IoT devices, or cloud workloads. Coined by John Kindervag back in 2010, this breakthrough security approach is based on the mantra “Never trust, always verify.”

Zero Trust assumes that all network traffic is unsecure and considers trust to be a vulnerability rather than a security trait. The model requires that all access requests are authenticated and authorized, no matter if they originate from an internal source or from an external requestor.

Zero Trust differentiates greatly from traditional security approaches where requests originating from within the corporate network were considered as trusted. However, this notion of trust created several security gaps that attackers were more than happy to exploit. Once gaining access on the network, attackers—including external threat actors and malicious insiders—are free to move laterally undetected and exfiltrate sensitive data and intellectual property.

According to NIST, the objective of Zero Trust is “to prevent unauthorized access to data and services coupled with making the access control enforcement as granular as possible.” This means employing authentication, authorization, and minimizing implicit trust zones. The access rules are made as granular as possible to enforce least privilege.

NIST’s blueprint for a Zero Trust Architecture, NIST SP 800-207, defines two approaches to Zero Trust: identity-centric and network-centric.

The key component of the identity-centric approach is the identity of users, machines, and services requesting access to corporate resources. Humans authenticate themselves with some form of authentication, increasingly relying on multi-factor and passwordless authentication. Machine identities on the other hand, depend on cryptographic keys and digital certificates.

A network-centric approach relies on micro-segmentation implemented through Next-Generation Firewalls (NGFW) or Software Defined Networks (SDN). However, for this approach to be effective and efficient, a robust identity management regime is required to authenticate users and machines before being authorized to access resources.

Why is machine identity management important for Zero Trust security?

The acceleration of enterprises migrating to the cloud, and the proliferation of IoT devices, containers and microservices have exploded the number of machines owned by every corporation. As David Bisson notes in a blog, “Machines control the flow of sensitive data. They shape innovation and are fundamental to the way all businesses operate. As a result, the way in which they connect and authorize communication makes them a primary security and operational risk for organizations.”

To authenticate and authorize these machines to access corporate resources, organizations leverage cryptographic keys and digital certificates to serve as machine identities. As the number of machines increases, machine identities are skyrocketing, making their management both essential and difficult.

“Machine identity management helps organizations gauge how much trust they can place in the identity of their machines—particularly as they interact with other machines. To facilitate that goal, machine identity management handles the life cycle of credentials used by machines. These machine identities may include credentials, such as secrets, cryptographic keys, X.509 and code signing certificates, and SSH keys,” explains David Bisson.

Compromised machine identities pose severe risks for businesses. They can become attack vectors for adversaries to invade corporate networks, hide their activity and escape security controls to gain access to data and systems. Hence, it is no wonder that Gartner has named machine identity management a foundational technology for securing organizations and enforcing a Zero Trust strategy.

How to protect machine identities

Many organizations have tried in vain to manually manage the rising number of machine identities. These methods are not suitable for modern enterprises and certainly do not scale. On the contrary, manual management techniques often foster siloed procedures, errors and security gaps, leaving the organization without visibility into the number and status of machine identity ownership.

A solid machine identity management policy should invest in a solution that allows the organization and the security teams to:

  • Gain clear visibility of all deployed machine identities
  • Ensure ownership and governance
  • Protect associated cryptographic keys
  • Automate distribution and rotation

Venafi Trust Protection Platform is a comprehensive solution for managing all TLS, SSH and code signing machine identities. You can protect machine identities across teams and departments in on-premises, cloud, cloud-native, multi-cloud, and hybrid environments.

Do you have any zero trust gaps in your machine identity management strategy?


Related Posts

 

Like this blog? We think you will love this.
 Bild eines verärgerten jungen Mannes, der mit dem Kopf in der Hand auf seinen Computerbildschirm starrt
Featured Blog

Erneuerung, Neuausstellung, Widerruf – so vereinfachen Sie das Zertifikatsmanagement

Nachfolgend finden Sie einige Informationen zu jedem dieser Verfahren.  

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies
eBook

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Anastasios Arampatzis
Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more