COMMENTARY: In a world where machines are becoming increasingly autonomous and interconnected, managing machine identities has become more critical than ever. The number of machine identities now far surpasses that of humans. Gartner estimates that machine identities outnumber human identities by 45 to 1.
Machine or non-human identities (NHIs) such as application programming interfaces (APIs), service accounts and bots or robotic process automation (RPAs), perform important jobs across the enterprise. They connect services across the cloud ecosystem and manage repetitive administrative tasks. Just like human identities, NHIs require authentication to access critical resources. These identities are typically secured through secrets such as API keys, certificates and open authorization (OAuth) tokens.
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]
Managing machine identities is complex, and if not handled with precision, can introduce serious vulnerabilities into an enterprise. Their unique challenges include:
- Widespread development of secrets: Secrets are often generated by a member of the DevOps team or a business user who lack the security training and awareness of traditional IT administrators. These secrets are often stored in scripts or configuration files in clear text, which are easily accessed by multiple users across various environments.
- Secrets lifecycle management: Proper management of secrets involves overseeing their entire lifecycle, including regular rotation to prevent compromise. Many organizations struggle to automate and enforce this process. As organizations grow and diversify their technology stacks, the resulting complexity leads to significant gaps in visibility and governance over the lifecycle of machine identities, leaving many of them unmonitored or dormant.
- Elevated privileges: Like many users, machines frequently require elevated privileges to function, making them prime targets for exploitation. An attacker who gains control of a machine identity can move stealthily within a network and execute malicious actions with significant impact. To combat these risks, it’s essential to maintain visibility over all machine identities. Adopting best practices like routine credential rotation, setting alerts for suspicious activity, and swift action when threats are detected can help contain these risks.
Best practices for managing NHIs
The lack of attention to machine identity management represents a real and risky blind spot for identity security. CISOs and identity access management leaders should adopt the following best practices to reduce security gaps and minimize risk:
- Prioritize the discovery and removal of dormant or unused NHIs across cloud, SaaS, and business apps: Ensure each machine identity has a clear purpose and a defined owner to reduce risk. Put governance around each identity and be able to track it. Once set, NHIs often stay in place longer than employees. Organizations must align users to individual machine identities or families/groups of machine identities, so they have a human user tied back to the activities. They need to create succession policies in case the responsible party leaves the company or moves to another role.
- Manage privileged access: NHIs behave as privileged users. Organizations should elevate privilege on a just-in-time basis and deactivate the privilege when the machine identity is not active. They need to review what access these identities have and what resources they access to ensure they have the least privilege necessary. They need visibility into whether the access gets revoked or otherwise changed to ensure compliance with internal policies.
- Follow best practices for secrets management: Robust practices include secret vaulting and enforcing regular secret rotations to reduce exposure and mitigate the risk of static credentials being exploited. Anecdotal evidence shows that in some organizations, as high as 75% of secrets remain static, significantly increasing the risk of exploitation.
- Adopt secretless authentication methods whenever possible: This approach is akin to adopting passwordless authentication to secure human identities. Secretless authentication gets supported by cloud platforms like AWS, Azure and Google Cloud Platform (GCP) and it works like this: When a new virtual machine (VM) is launched on AWS for example, it’s automatically assigned a pre-configured role that grants access to other AWS resources without requiring explicit authentication through secrets. This role-based access is seamlessly managed by AWS, eliminating the need for storing and handling secrets within the instance itself. This approach simplifies security, and also aligns with zero trust principles and security by design.
- Apply automation, establish governance: Automation reduces human error and ensures that best practices such as secret rotation and secure storage are applied consistently across all environments. Effective governance has become crucial for maintaining oversight of machine identity management, including the enforcement of policies regarding who has the authority to create, access, and control machine identity secrets.
NHIs are a relatively new and growing exploited attack surface. As they multiply, the security risks will only continue to grow. Enterprises must adapt by eliminating this blind spot and making machine identity management an important part of their identity security strategy. By establishing a set of best practices around secrets management and NHI governance, organizations can reduce the risk of cyberattacks and establish identity security as a fundamental business enabler.
Ehud Amiri, senior vice president, product management, Saviynt
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
