Of course, machine identity risks are not always critical. But it’s still important to understand how much they affect your organization’s security posture. To make it easier for you to review, I’ve put together a list of the most common problems that result from weak protection of the keys and certificates that control machine identities. Read on to see if your organization is at risk of any of the following five consequences.
Certificate-Related Outages
When certificates are issued, they’re assigned an expiration date. If a certificate isn’t replaced before it expires, it can trigger a certificate-related outage on the system that it supports. That unplanned outage and the associated downtime will continue until a new certificate is issued and installed. Without the correct intelligence, such as knowing exactly where a certificate is installed and who owns that system, certificate-related outages are notoriously difficult to diagnose.
Security Breaches
Most security controls trust digital communications that are authenticated using machine identities. But when the private keys and certificates that serve as machine identities are compromised or forged, cybercriminals can use them to appear legitimate, allowing them to circumvent security controls. Cybercriminals also use stolen machine identities to gain privileged access to critical systems so they can move deeper into your network and remain hidden for extended periods.
Slow Incident Response
The longer a security threat, outage, or breach continues, the greater the potential for serious damage. For example, if one of your Certificate Authorities (CAs) was compromised, could you replace all the certificates from that CA quickly? Other large-scale security events that require a timely response include the discovery of a machine identity using a weak algorithm like SHA-1, the exploitation of a cryptographic library bug like Heartbleed, or a leading browser’s decision to stop trusting certificates issued by one of your CAs. When you need to respond to any type of event that affects machine identities, time is critical.
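The expiry, weak-algorithm and distrusted-CA conditions described above are the kind of thing a certificate inventory should flag automatically. The following Go program is an added example, not code from the original post; it audits certificate records with Go's standard crypto/x509 package. The certificate subjects, issuer names and dates are constructed for the demo, and the records are built as structs (in practice they would come from x509.ParseCertificate over a trust store or a server's chain).

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"time"
)

type Finding struct{ Subject, Reason string } // one risk condition on one certificate

// AuditCert flags the conditions the post lists: already expired or expiring
// within window, signed with SHA-1, or issued by a CA the organization has
// decided to distrust (distrusted is keyed by issuer Common Name).
func AuditCert(c *x509.Certificate, now time.Time, window time.Duration, distrusted map[string]bool) []Finding {
	cn := c.Subject.CommonName
	var out []Finding
	switch {
	case !now.Before(c.NotAfter):
		out = append(out, Finding{cn, "expired"})
	case c.NotAfter.Sub(now) <= window:
		out = append(out, Finding{cn, fmt.Sprintf("expires in %d days", int(c.NotAfter.Sub(now).Hours()/24))})
	}
	switch c.SignatureAlgorithm {
	case x509.SHA1WithRSA, x509.ECDSAWithSHA1, x509.DSAWithSHA1:
		out = append(out, Finding{cn, "signed with SHA-1"})
	}
	if distrusted[c.Issuer.CommonName] {
		out = append(out, Finding{cn, "issued by distrusted CA " + c.Issuer.CommonName})
	}
	return out
}

// sample is a constructed certificate record (identity fields only, no key or
// signature) so the example runs offline; real input comes from x509.ParseCertificate.
func sample(cn, issuer string, notAfter time.Time, alg x509.SignatureAlgorithm) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, Issuer: pkix.Name{CommonName: issuer},
		NotAfter: notAfter, SignatureAlgorithm: alg}
}
func main() {
	now := time.Date(2024, 3, 1, 0, 0, 0, 0, time.UTC)
	distrusted := map[string]bool{"Old Corp Issuing CA": true} // constructed CA name
	for _, c := range []*x509.Certificate{
		sample("api.example.internal", "Corp Issuing CA", now.Add(10*24*time.Hour), x509.ECDSAWithSHA256),
		sample("legacy.example.internal", "Old Corp Issuing CA", now.Add(400*24*time.Hour), x509.SHA1WithRSA),
	} {
		for _, f := range AuditCert(c, now, 30*24*time.Hour, distrusted) {
			fmt.Printf("%s: %s\n", f.Subject, f.Reason)
		}
	}
}
```

Run against a real inventory, the output is the list of certificates that need action before they cause an outage or fail an audit, with the reason attached so the owning team knows what to fix.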
Higher Management Costs
Organizations typically spend an average of four hours per year managing each digital certificate that serves as a machine identity. With thousands, or even hundreds of thousands, of machine identities, the resulting overhead can add up quickly. Administration of machine identities can be complicated by other factors, such as administrators who are unfamiliar with certificates or trust stores. And if your machine identity operations aren’t running smoothly (which is the case in most organizations), the time required can escalate fast, especially when there’s an outage or breach.
Negative Audit Findings
Machine identities are increasingly subject to corporate, government, and industry policies and regulations, including several standards that focus specifically on cryptographic key and certificate management and security. Because most organizations don’t have a strong machine identity protection program, it’s not unusual for auditors to discover that an organization is unable to monitor machine identities, enforce policies, or maintain effective management, all of which create significant security and reliability risks. If you’re tasked with addressing negative compliance findings and you don’t have a machine identity protection program in place, you face a lengthy, manual project.
From service outages to security breaches, weak machine identities can wreak havoc on your business. When a machine identity is compromised and used in a cyberattack, or causes an outage, the negative consequences can be significant. You may suffer from a damaged reputation, loss of revenue, costly remediation and higher management costs. But you can avoid all of that grief if you put an effective machine identity protection program in place.