We’re just over two months into the new year. And hopefully, you’ve already started checking off some of your cyber security new year’s resolutions. But while your plan undoubtedly includes several key cyber security improvements, you may have overlooked one critical element—protecting machine identities.
Machine identities are one of the most poorly understood and weakly protected components of your network infrastructure. What are machine identities? In short, everything digital: applications, devices, servers, load balancers and more. Most organizations focus all their attention on protecting the user names and passwords that control human identities (the industry spends about US$8 billion a year on this). But if you're like most organizations, you probably don't spend anything protecting the cryptographic keys and digital certificates that serve as machine identities.
And that’s a critical security issue. When cyber criminals steal, forge or compromise a certificate on your network, they’ll appear to be trusted and they may gain privileged access to critical data and services. Your security solutions can’t detect this kind of malicious activity, so attackers can easily pivot across your network, locate valuable data and exfiltrate it through encrypted tunnels. And all of this happens without being detected, unless you take steps to protect yourself.
Here are five things you can do this year to make sure that your machine identities stay secure:
Commit to zero certificate outages this year
If you are experiencing certificate-related outages, it means that you don't have visibility into your entire machine identity lifecycle, and you're not able to proactively manage certificate expiration. Start by putting together a list of all your machine identities, including where each is installed, who owns it, and how it is being used. Once you have this information you will be able to automate the entire machine identity lifecycle, including the management of certificate requests, issuance, installation, renewals, and replacements, and completely eliminate certificate-related outages.
Protect your encrypted tunnels
Because the number and type of machines on your network is constantly changing, you need an ongoing program that continually updates your machine identity intelligence. After you’ve established a baseline of normal machine identity usage, you can start monitoring machine identities and flagging anomalous use that can indicate a machine identity compromise. As part of this program be sure you have automated alerts and notifications in place to inform you of unauthorized changes or impending actions that need to be taken.
Take two steps closer to crypto agility
In the event of a Certificate Authority compromise or error, you need to be prepared to quickly replace all of the impacted certificates. (Google’s distrust of Symantec is another great example of why you need this type of agility). Automating the entire lifecycle of machine identities will allow you to quickly respond to any security incident that requires bulk remediation across multiple certificates. Once you’ve replaced the impacted certificates, you need to be able to validate that each machine identity that has been changed has also been installed properly and is working correctly. Automated validation is a critical management capability that helps you with ongoing management and security and shows the progress of large-scale replacement events and demonstrates compliance.
Set up and enforce certificate security policies
To keep your machine identities safe, you need to set up machine identity security policies and workflows. This helps you govern every aspect of machine identities: issuance, configuration, use, ownership, management, security, and decommissioning. Enforcing policies also ensures that every machine identity your organization uses complies with relevant industry and government regulations. Automating the enforcement of machine identity policies ensures that you're maximizing the security of every machine identity that your organization uses and that you can produce audit-ready evidence whenever you need it.
Look for ways to optimize operational efficiencies
Providing end-users with an easy way to request machine identities allows you to quickly deliver secure machine identities to any business unit. Plus, integrating self-service solutions with DevOps and cloud platforms allows your developers to seamlessly request and install certificates that meet your security requirements without incurring any delays. You can also improve the effectiveness of your overall network and security systems by making sure they have easy access to current keys and certificates.
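As an added illustration of the inventory, crypto-agility and policy steps above (steps 1, 3 and 4), here is a small Python script that is not part of the original post: it runs expiry, distrusted-CA, policy and post-replacement validation checks over a constructed certificate inventory. The inventory records, fingerprints, policy thresholds and hostnames are all made up for the example; in practice the observed fingerprints would come from the live endpoints.

```python
"""Machine-identity inventory checks: expiry, distrusted-CA replacement, policy, validation."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class CertRecord:
    host: str            # where the certificate is installed
    owner: str           # team responsible for renewing it
    issuer: str          # issuing CA, as recorded in the inventory
    not_after: datetime  # expiry time (UTC)
    key_bits: int        # public key size
    sig_alg: str         # signature algorithm
    fingerprint: str     # SHA-256 fingerprint recorded at issuance (constructed value)


# Constructed sample inventory; hostnames, issuers and fingerprints are illustrative only.
NOW = datetime(2018, 3, 5, tzinfo=timezone.utc)
INVENTORY = [
    CertRecord("api.example.internal", "platform", "Example Internal CA G2", NOW + timedelta(days=12), 2048, "sha256WithRSAEncryption", "aa11"),
    CertRecord("lb1.example.internal", "netops", "Symantec Class 3 Secure Server CA", NOW + timedelta(days=400), 2048, "sha256WithRSAEncryption", "bb22"),
    CertRecord("legacy.example.internal", "appteam", "Example Internal CA G1", NOW + timedelta(days=90), 1024, "sha1WithRSAEncryption", "cc33"),
]

# Hypothetical organisational issuance policy.
POLICY = {"min_key_bits": 2048, "allowed_sig_algs": {"sha256WithRSAEncryption", "ecdsa-with-SHA256"}}


def expiring(inv, now, within_days=30):
    """Hosts whose certificate expires inside the window: renew these before they cause an outage."""
    return [c.host for c in inv if c.not_after - now <= timedelta(days=within_days)]


def needs_replacement(inv, distrusted):
    """Hosts whose certificate chains to a CA that has been distrusted or compromised (bulk-replace these)."""
    return [c.host for c in inv if any(d.lower() in c.issuer.lower() for d in distrusted)]


def policy_violations(inv, policy):
    """(host, reason) pairs for certificates that break the issuance policy."""
    out = []
    for c in inv:
        if c.key_bits < policy["min_key_bits"]:
            out.append((c.host, f"key {c.key_bits} bits < {policy['min_key_bits']}"))
        if c.sig_alg not in policy["allowed_sig_algs"]:
            out.append((c.host, f"signature algorithm {c.sig_alg} not allowed"))
    return out


def validate_installed(inv, observed):
    """Post-replacement check: the fingerprint observed on each host must match the inventory."""
    return [c.host for c in inv if observed.get(c.host) != c.fingerprint]
```

Each function returns the hosts that need action, so the same checks can feed the automated alerts the post recommends.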
It’s important to remember that protecting machine identities is just as important to your identity and access management program as protecting human identities. Follow these five steps and you won’t have to worry about compromised machine identities being used against you.
Are you ready to start protecting your machine identities?