Thursday is World Password Day. This event reminds consumers to “layer up” their logins by enabling multifactor authentication on their devices and online accounts.
World Password Day is a collaborative effort supported by dozens of companies, non-profits and cybersecurity organizations to raise awareness about the importance of improving password security. Through the efforts of World Password Day, millions of internet users across 251 countries have pledged to use better password habits – a good step toward addressing the threat of cybercrime.
However, is this important day missing a crucial element of identity protection? After all, businesses still need to address another growing identity and access management (IAM) concern: protecting their machine identities.
There are two actors on every network: people and machines. People rely on usernames and passwords to identify themselves to machines so they can gain access to data and services. Machines authenticate themselves and communicate with one another through the use of digital keys and certificates, which serve as machine identities.
Every year businesses spend billions of dollars protecting user identities. Indeed, the industry invests in many password security awareness events like World Password Day, but it spends very little on machine identity protection. Cybercriminals see this vulnerability and target the much more powerful and valuable machine identities for the access they grant across corporate networks.
“I think we need to expand events like World Password Day to include machine identities so that we can educate and encourage businesses to improve their machine identity protection practices and avoid unnecessary security risks,” says Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “As the number of machines in businesses continues to grow, protecting machine identities becomes even more critical.”
A good first step for many organizations is to learn how they use machine identities on networks.
In the blog, Carter outlines five ways in which organizations use machine identities to protect sensitive machine-to-machine communication:
Securing web transactions. SSL/TLS certificates are critical to the security of web transactions, such as online banking and e-commerce. These certificates create an encrypted connection between a web browser and web server. If cybercriminals gain access to these critical machine identities, they can eavesdrop on encrypted traffic or impersonate a trusted system in a phishing attack.
Securing privileged access. Most organizations use SSH to secure system-administrator-to-machine access for routine tasks. SSH is also used to secure the machine-to-machine automation of critical business functions. SSH keys ensure that only trusted users and machines have access to sensitive network systems and data. However, if cybercriminals gain access to an organization’s SSH keys, they can use them to bypass security controls and gain privileged access to internal network resources and data.
Securing DevOps. DevOps teams use cloud-based, self-contained runtime environments, known as containers or clusters, to run individual modules called microservices. Each microservice and container should have a certificate to identify and authenticate it and to support encryption. These certificates serve as machine identities that allow containers to communicate securely with other containers, microservices, the cloud and the internet. Because DevOps teams are optimized for speed and have tight deadlines, developers may skimp on key and certificate security, thereby exposing their organizations to unnecessary security risks.
Securing communication on consumer devices. Digital certificates provide the foundation for authenticating mobile devices that access enterprise networks. They can also enable access to enterprise Wi-Fi networks and remote enterprise access using SSL and IPsec VPNs. However, without central machine identity oversight, it’s difficult to protect these functions on mobile devices. If certificates are duplicated on multiple devices or past employees continue to use unrevoked certificates, an organization’s security risk increases.
Authenticating software code. Software is often signed with a certificate to verify the integrity of the publisher. When used properly, these certificates authenticate the code, which lets users and machines know it’s a trusted source. However, if cybercriminals steal code-signing certificates from legitimate companies, they can use them to sign malicious code or tamper with legitimate code. Because the malicious code is signed with a legitimate certificate, it doesn’t trigger any warnings, and unsuspecting users will trust that it is safe to install and use.
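The privileged-access and consumer-device items above both come down to knowing which machine identities are authorized where. As an added example (not from the original article or any Venafi tool), the following Python inventories SSH authorized_keys content collected from several hosts and flags the conditions those items describe: keys still held by departed users, the same key authorized on multiple systems, and keys granted without any from= or restrict option. Host names, user names and key material are constructed sample data.

```python
import base64
import hashlib
from collections import defaultdict

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss"} | {f"ecdsa-sha2-nistp{n}" for n in (256, 384, 521)}

def make_key(kind: str, pub: bytes) -> str:
    """Base64 blob in OpenSSH wire format (length-prefixed type, then key bytes); sample data only."""
    enc = kind.encode()
    return base64.b64encode(len(enc).to_bytes(4, "big") + enc + len(pub).to_bytes(4, "big") + pub).decode()

def parse_authorized_keys(text: str):
    """Yield (options, OpenSSH-style SHA256 fingerprint, comment) for each valid key line."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        idx = next((i for i, p in enumerate(parts) if p in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(parts):
            continue                                   # malformed line: no key type or no blob
        options, kind, comment = " ".join(parts[:idx]), parts[idx], " ".join(parts[idx + 2:])
        try:
            blob = base64.b64decode(parts[idx + 1], validate=True)
        except ValueError:
            continue                                   # not valid base64
        if len(blob) < 4 or blob[4:4 + int.from_bytes(blob[:4], "big")] != kind.encode():
            continue                                   # type inside the blob must match the declared type
        yield options, "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("="), comment

def audit(hosts: dict, departed: set) -> list:
    """Findings: keys of departed users, keys without from=/restrict, keys shared across hosts."""
    seen, findings = defaultdict(set), []
    for host, text in hosts.items():
        for options, fp, comment in parse_authorized_keys(text):
            seen[fp].add(host)
            if comment.split("@")[0] in departed:
                findings.append(f"{host}: {fp} belongs to departed user {comment}")
            if "from=" not in options and "restrict" not in options:
                findings.append(f"{host}: {fp} ({comment}) has no from= or restrict option")
    for fp, on in seen.items():
        if len(on) > 1:
            findings.append(f"{fp} is authorized on {len(on)} hosts: {sorted(on)}")
    return findings

DEPLOY, JDOE = make_key("ssh-ed25519", b"\x01" * 32), make_key("ssh-ed25519", b"\x02" * 32)  # constructed, not real keys
SAMPLE_HOSTS = {  # constructed authorized_keys files for two hypothetical hosts
    "web01": f'from="10.0.0.5",restrict ssh-ed25519 {DEPLOY} deploy@ci\nssh-ed25519 {JDOE} jdoe@laptop\n',
    "db01": f'ssh-ed25519 {DEPLOY} deploy@ci\n# legacy entry\nssh-ed25519 {JDOE} jdoe@laptop\n',
}
```

Running `audit(SAMPLE_HOSTS, {"jdoe"})` reports the departed user's key on both hosts, the three unrestricted entries, and the two keys shared between web01 and db01; the fingerprints match what `ssh-keygen -lf` prints, so findings can be cross-checked against a key inventory.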
Bocek concludes: “Cyber criminals are becoming bored primarily targeting people, so they are now exploiting the power of machine identities. Unfortunately, because many organizations don’t understand the risk, they haven’t invested in the intelligence or automation necessary to protect their machine identities.”