Venafi: Five Ways Organizations Use Machine Identities
May 2, 2019
Organizations spend billions protecting usernames and passwords, but machine identities are often ignored
SALT LAKE CITY – May 2, 2019 – On May 2, World Password Day reminds consumers to “layer up” their logins by enabling multifactor authentication on their devices and online accounts. Held annually on the first Thursday of May, World Password Day is a collaborative effort supported by dozens of companies, nonprofits and cybersecurity organizations to raise awareness about the importance of improving password security. Through the efforts of World Password Day, millions of internet users across 251 countries have pledged to use better password habits – a good step toward addressing the threat of cybercrime.
According to Kevin Bocek, vice president of security strategy and threat intelligence for cybersecurity market leader Venafi, businesses still need to address another growing security concern. “There are two actors on every network: people and machines,” said Bocek. “People rely on usernames and passwords to identify themselves to machines so they can gain access to data and services. Machines authenticate themselves and communicate with one another using digital keys and certificates, which serve as machine identities.”
Every year businesses spend billions of dollars protecting user identities. While the industry invests in many password security awareness events like World Password Day, it spends very little on machine identity protection. Cybercriminals see this vulnerability and target machine identities because they are much more powerful and valuable than human identities.
Machine identities are used to protect many types of sensitive machine-to-machine communication; Bocek outlines five ways in which organizations use them:
Securing web transactions. SSL/TLS certificates are critical to the security of web transactions, such as online banking and e-commerce. These certificates create an encrypted connection between a web browser and web server. If cybercriminals gain access to these critical machine identities, they can eavesdrop on encrypted traffic or impersonate a trusted system in a phishing attack.
Securing privileged access. Most organizations use SSH to secure system-administrator-to-machine access for routine tasks. SSH is also used to secure the machine-to-machine automation of critical business functions. SSH keys ensure that only trusted users and machines have access to sensitive network systems and data. However, if cybercriminals gain access to an organization’s SSH keys, they can use them to bypass security controls and gain privileged access to internal network resources and data.
Securing DevOps. Developers use cloud-based, self-contained runtime environments, known as containers or clusters, to run individual modules called microservices. Each microservice and container should have a certificate to identify and authenticate it and to support encryption. These certificates serve as machine identities that allow containers to communicate securely with other containers, microservices, the cloud and the internet. Because DevOps teams are optimized for speed and have tight deadlines, developers may skimp on key and certificate security, thereby exposing their organizations to unnecessary security risks.
Securing communication on consumer devices. Digital certificates provide the foundation for authenticating mobile devices that access enterprise networks. They can also enable access to enterprise Wi-Fi networks and remote enterprise access using SSL and IPsec VPNs. However, without central machine identity oversight, it’s difficult to protect these functions on mobile devices. If certificates are duplicated on multiple devices, or past employees continue to use certificates that were never revoked, an organization’s security risk increases.
Authenticating software code. Software is often signed with a certificate to verify the integrity of the publisher. When used properly, these certificates authenticate the code, which lets users and machines know it’s published by a trusted source. However, if cybercriminals steal code-signing certificates from legitimate companies, they can use them to sign malicious code or tamper with legitimate code. Because the malicious code is signed with a legitimate certificate, it doesn’t trigger any warnings, and unsuspecting users will trust that it is safe to install and use.
“We need to expand events like World Password Day to include machine identities so that we can educate and encourage businesses to improve their machine identity protection practices and avoid unnecessary security risks,” said Bocek. “As the number of machines in businesses continues to grow, protecting machine identities is critical. Cybercriminals are becoming bored primarily targeting people, so they are now exploiting the power of machine identities. Unfortunately, because many organizations don’t understand these risks, they haven’t invested in the intelligence or automation necessary to protect their machine identities.”