Long before the invention and adoption of the cloud, the importance of protecting user identities, the identities of people, was obvious. File systems and operating systems going as far back as the 1970s, if not earlier, have had user access controls built in. People are assigned usernames and passwords, and files and folders are configured to be accessible only to certain users or user groups.
There are many different methods of authentication, but passwords are one of the oldest and most frequently implemented. If I want to install a new package on my Linux desktop, I’d better know my root password! A cyber attacker’s attempt to escalate privileges within my operating system may entail trying to crack my root password. This is why organizations spend lots of money and resources to make sure that only authorized users have access to their authentication credentials. These user identities can apply to individual devices, local networks, wide area networks, online services, and cloud networks of all kinds.
Users have identities, but so do machines, including those in the cloud. A classic type of machine identity is a TLS certificate for an HTTPS website, or for any other sort of TLS/SSL encrypted internet service. Code-signing certificates are machine identities that help to verify that software is authentic and legitimate. Machine identities such as SSH keys can also help ensure that only authorized clients can securely gain remote access to sensitive computer systems via the SSH protocol. But what I’d most like to talk about today is how TLS certificates can be used as machine identities for microservices and containers within cloud networks.
If a cyber attacker acquires my user identity, they can pretend to be me on my social networking, gain access to my email, to my local operating system or even my online banking activities. That sort of access could be very harmful to me.
The stakes are higher when it comes to machine identities in the cloud. Unlike user identities, machine identities can be used to impersonate entire servers and huge computing resources used by thousands of people. Instead of spoofing just one user, systems that impact large numbers of people can be spoofed.
Imagine what could happen when these different types of machine identities fall into the wrong hands! This is especially true in the cloud, where most businesses or teams don’t have good machine identity visibility: it’s often out of sight, out of mind.
If machine identities are acquired by cyber attackers, the consequences could be extensive. A cyber attacker could pretend to be an authorized computer or network resource within a cloud network and wreak havoc upon systems that store or process sensitive data, such as medical or financial data, or proprietary information. They could draw authenticated users to their maliciously deployed machines, or to machines they have hijacked. There are many other terrible possibilities.
Most organizations are not as familiar with securing machine identities as they are with securing user identities. According to Forrester’s paper, Securing The Enterprise With Machine Identity Protection, commissioned by Venafi, while 96% of companies agree that securing both user and machine identities is essential to their long-term security and viability, 80% experience difficulty with the delivery of important machine identity protection capabilities. 70% reported tracking less than half of all their machine identities. Ouch!
Given its dynamic nature, the cloud is one of the areas where tracking machine identities is particularly significant. If organizations could get a better handle on securing their machine identities, it would benefit the functionality of their cloud networks greatly. Here’s how.
Proper cloud network functionality requires effective load balancing. Cloud networks can also make load balancing possible in the first place. One of the major benefits of cloud networking to smaller organizations is that it lets them deploy effective load balancing without requiring the sort of on-premises infrastructure that only larger organizations can maintain. Traditional, hardware-based load balancing can require a lot of redundant servers and network devices. Network traffic and activity can be evenly distributed amongst many servers, but to cope with demand greater than usual, hardware and infrastructure that sits mostly idle the rest of the time is absolutely necessary, so that no particular machine has to deal with more than it has the capacity for.
A cloud network makes it possible for an organization to use infrastructure that’s shared with other organizations. So, software-based load balancing becomes a possibility. Networks can have extra capacity when needed without an organization having to directly maintain the additional infrastructure that’s required. And virtualization makes a lot more functionality possible!
Think of all of the possible machine entities in a cloud network that each have their own machine identities. If human error results in some of those machine identities being improperly configured, that could result in bottlenecks at the authentication vectors. Figurative traffic jams can have a domino effect on the data flow of entire cloud networks!
Here’s another waste: authentication at load balancers spent trying to identify machine identities which have been hijacked by cyber attackers is a real waste of effort. When machine identities are properly secured and deployed, a load balancer’s authentication capacity can be dedicated to legitimate entities.
Think of your cloud network’s public key infrastructure (PKI). That system manages a lot of your cloud network’s machine identities. Cloud entities often only have a lifespan of a few weeks. Considering how each machine entity requires identifiers like cryptographic certificates, improperly managed certificates can linger. Specific certificates can continue to exist for much longer than they’re needed, and they become at risk of being maliciously or mistakenly acquired by unauthorized parties. It’s similar to how SSL certificates for HTTPS are tied to domains, and those certificates can erroneously end up assigned to other entities when ownership of a domain is transferred. A lean and efficient PKI makes sure that machine identifiers expire when their associated entities no longer exist.
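To make the lifecycle point above concrete, here is an added inventory check (example code, not from the original post or from Venafi): it compares a constructed certificate inventory against the set of workloads an orchestrator currently reports as running, and flags certificates that have outlived their entity, exceed a 30-day lifetime policy, or are already expired. The record layout, workload ids and the 30-day policy are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy: workloads in this environment live a few weeks, so a
# certificate valid for longer than this outlives the entity it identifies.
MAX_CERT_LIFETIME = timedelta(days=30)

@dataclass(frozen=True)
class CertRecord:
    subject: str        # CN of the certificate
    workload_id: str    # the cloud entity the certificate was issued for
    not_before: datetime
    not_after: datetime

# Constructed sample inventory (not real data), as a PKI export might look.
NOW = datetime(2018, 12, 1, tzinfo=timezone.utc)
INVENTORY = [
    CertRecord("api.internal", "wl-101", NOW - timedelta(days=5), NOW + timedelta(days=25)),
    CertRecord("cache.internal", "wl-102", NOW - timedelta(days=40), NOW + timedelta(days=325)),
    CertRecord("batch.internal", "wl-103", NOW - timedelta(days=20), NOW + timedelta(days=10)),
    CertRecord("old.internal", "wl-104", NOW - timedelta(days=90), NOW - timedelta(days=60)),
]
# Workloads the orchestrator currently reports as running (constructed).
LIVE_WORKLOADS = {"wl-101", "wl-102"}

def audit(inventory, live_workloads, now=NOW, max_lifetime=MAX_CERT_LIFETIME):
    """Return (subject, finding) pairs for certificates that need attention."""
    findings = []
    for c in inventory:
        if c.not_after <= now:
            # Expired identities should already have been removed from the inventory.
            findings.append((c.subject, "expired-but-still-inventoried"))
            continue
        if c.workload_id not in live_workloads:
            # The entity is gone but its identity is still valid: a lingering certificate.
            findings.append((c.subject, "orphaned"))
        if c.not_after - c.not_before > max_lifetime:
            # Validity window is longer than any workload is expected to exist.
            findings.append((c.subject, "lifetime-exceeds-policy"))
    return findings

if __name__ == "__main__":
    for subject, finding in audit(INVENTORY, LIVE_WORKLOADS):
        print(f"{subject}: {finding}")
```

Feeding this the real PKI export and the orchestrator's live workload list turns the "lean PKI" goal into a check that can run on a schedule, with orphaned entries as the revocation queue.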
There are all kinds of other possible cloud functions, each with its own machine identity management system. From Oracle/SAP implementation to integration with on-premises infrastructure as part of a hybrid cloud network, secure and authentic machine identities help keep everything running smoothly. What benefits your network’s overall security also makes everything else work better. Machine identities are often neglected, and that absolutely must change.
Don't let your machine identities be deployed without proper protection! To learn more, join us for #VenafiLive on December 13, a livestream event you can attend from anywhere to discover how Machine Identity Protection can help your organization. You can register here.