There’s no such thing as a bad machine, only bad machine behavior. Like when they give up digital secrets that lead to catastrophic data breaches.
Setting aside a future with near-sentient robots, machines already surround us and make life better. They let us pay and shop, socialize and learn, and even read this article. And with the rapid advances of ChatGPT and AI, the benefits from machines will develop even faster.
Yet while everyone understands and values protecting human identities, the opposite side of that coin—protecting non-human identities—has just started to get the attention it deserves. As it must.
Simply put, a non-human identity is the digital identification of a device, from PCs, servers and mobile phones to MRI machines and power grids. Machines underpin all of our lives, and their non-human identities allow them to make high-speed connections with each other and securely exchange secrets to do their jobs. In fact, machine identities are now estimated to outnumber human identities by 40 to 1 and growing.
Keeping these machines, and the services they deliver, safe depends on the digital secrets that protect their non-human identities. Much as with human identities, securing the digital identities of machines, applications, APIs, virtual machines, IoT devices, bots and other automated entities against unauthorized access by those who wish to do harm presents a real challenge.
When a non-human identity secret is leaked or inappropriately accessed, the results can be catastrophic. Managing these secrets has become a major challenge for security teams today.
“Secrets sprawl” is part of the problem. When secrets and tokens are scattered everywhere — across clouds, services, and tools — they grow unchecked until there are too many of them to track.
Keeping track of them all, and knowing the status of each, are further issues. Secrets each have their own lifecycle, starting off in code repositories, moving through CI/CD pipelines and ending up in running apps and services. At every step, there's a risk of slipping up and letting a secret out. In development, it's easy for secrets to get embedded in source code or configuration files and forgotten. When pushing code through integration and deployment, secrets pass through various hands and systems, upping the chances of exposure. And once in production, the fast-paced and scattered nature of cloud services makes keeping tabs on all the secrets a real challenge.
The result: today's practices put organizations at risk through vulnerabilities introduced by compromised machine identities.
Breaking this cycle requires implementing a non-human identities and secrets management approach that's capable of keeping up with the variety and volume of secrets across their entire lifecycle. The solution isn't just about plugging in a new tool and calling it a day. Here's a breakdown of the important implementation considerations to ensure secrets are locked down tight:
- Visibility: Security teams cannot protect what they cannot see, and they often do not know where all their secrets are. Secrets are spread across vaults, such as AWS secrets storage, Azure KV, and GitHub secrets, as well as software supply chain code repositories, CI/CD, cloud services and collaboration apps. The problem is that these scattered, unprotected secrets create significant, hard-to-find security risks. Closing this gap requires new, secrets-specific tools that find where secrets hide without protection. Analysts require complete visibility and a comprehensive inventory of all secrets, identifying what and where they are across all these environments, to eliminate the blind spots that are pervasive in today's IT infrastructures.
- Context: Once secrets are identified, the problem becomes understanding the context around, and the status of, each secret. Without that information, teams cannot determine the level of risk or the necessary remediation. Today, security teams lack tools that deliver this level of actionable context for each secret. An effective tool must offer a detailed map showing the relationships between applications, secrets and cloud services. It must also carry status data for each secret that shows its potential vulnerability, such as creation date, security capabilities, last rotation time and whether or not it sits in a protected vault.
- Monitor and automate responses with AI: Real-time monitoring of all secrets for abnormal behavior has become a real challenge. It is especially critical for non-human identities, which communicate at light speed and in huge volumes. If a secret gets accessed from an unusual location, that's an important signal of a potential threat. Failure to identify that behavior in near real time can mean disaster. Non-human-identity (NHI)-aware organizations need to ensure these threats trigger an alert to security and are also remediated immediately by automated processes. An emerging approach that holds great promise is using AI to streamline and improve how organizations handle security threats. Properly used, AI can automatically analyze all collected data associated with a security incident, providing a comprehensive summary for security analysts. It can potentially uncover hidden, complex, coordinated attacks that might otherwise go unnoticed by intelligently linking seemingly isolated incidents. Using AI can also help eliminate alert fatigue for security analysts numb from notification overload by filtering the noise and identifying the real threats.
- Protect existing workflows: The CI/CD highway that speeds code to production unfortunately also offers an on-ramp to hackers. While injecting secrets directly into this pipeline automates their deployment, it also creates risks that spread like wildfire if they are compromised, as some of the blockbuster supply chain attacks in recent years demonstrated. Countering this threat requires ensuring that CI/CD secrets are securely handled and correctly implemented in every release. This can only be accomplished with automated processes that put guardrails on developers to streamline the process, reduce manual errors and maintain a tight security posture within deployment workflows. But this vigilance doesn’t end with CI/CD. Every aspect of the IT infrastructure — communication platforms, collaboration tools, code environments, secure vaults, cloud infrastructures and beyond — demands the same level of scrutiny and integration of secrets management practices. Best practices require that secrets are not only securely deployed, but also consistently protected across all their creation, storage and exposure points.
- Continuous real-time monitoring: Last but not least, analysts need to keep an eye on the entire environment. Setting up continuous monitoring across machines that communicate often and at very fast speeds means deploying systems that watch over non-human identities and secrets like hawks, 24/7 in near real time. The system must generate alerts on any unusual activity, such as access patterns that don't match the norm, unexpected changes or anomalies that could suggest a breach. This real-time detection is critical for swift response, allowing teams to address potential threats before they escalate into a full-blown crisis.
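The status data the Context item above calls for (creation date, last rotation time, whether the secret sits in a vault, and which applications depend on it) only becomes actionable once it is turned into a risk rating. The following is an added example, not code from this article or from Entro Security; the secret names, storage locations, dates, the 90-day rotation threshold and the consumer-count threshold are all assumed:

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_ROTATION_AGE_DAYS = 90   # assumed policy threshold (not from the article)
MAX_CONSUMERS = 3            # assumed blast-radius threshold (not from the article)

@dataclass
class SecretRecord:
    """One inventory entry carrying the status data the article calls for."""
    name: str
    location: str                  # vault, CI/CD variable store, repo, chat tool...
    created: date
    last_rotated: Optional[date]   # None means never rotated since creation
    in_vault: bool
    consumers: tuple               # applications/services that use the secret

def assess(rec, today):
    """Return (risk_level, reasons). High: outside a vault or never rotated;
    medium: rotation overdue or wide blast radius; low: nothing flagged."""
    high, medium = [], []
    if not rec.in_vault:
        high.append(f"stored outside a vault in {rec.location}")
    if rec.last_rotated is None:
        high.append(f"never rotated in {(today - rec.created).days} days")
    elif (today - rec.last_rotated).days > MAX_ROTATION_AGE_DAYS:
        medium.append(f"rotation overdue, last rotated {(today - rec.last_rotated).days} days ago")
    if len(rec.consumers) > MAX_CONSUMERS:
        medium.append(f"shared by {len(rec.consumers)} consumers")
    if high:
        return "high", high + medium
    return ("medium", medium) if medium else ("low", [])

def inventory_report(records, today):
    """Map each secret to (risk_level, reasons), ordered worst first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    assessed = {r.name: assess(r, today) for r in records}
    return dict(sorted(assessed.items(), key=lambda kv: rank[kv[1][0]]))

# Constructed sample inventory (hypothetical names, locations and dates).
INVENTORY = [
    SecretRecord("db-password", "aws-secrets-manager", date(2023, 1, 10), date(2024, 5, 1), True, ("billing-api",)),
    SecretRecord("ci-deploy-token", "github-actions-secrets", date(2022, 6, 1), None, False, ("build", "deploy")),
    SecretRecord("payments-api-key", "azure-key-vault", date(2023, 3, 3), date(2023, 11, 1), True, ("web", "mobile", "batch", "support")),
]

if __name__ == "__main__":
    for name, (risk, why) in inventory_report(INVENTORY, date(2024, 6, 1)).items():
        print(f"{risk:6} {name}: {'; '.join(why) or 'no findings'}")
```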
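The Monitor and Continuous real-time monitoring items above both come down to spotting access that does not match a secret's norm, such as an access from an unusual location or a sudden flood of attempts. The following added example (not the article's or Entro Security's code) learns a per-secret baseline of which principal uses it from which region during a known-good window, then flags live events outside that baseline and bursts of attempts; the log format, names, addresses and thresholds are all constructed for illustration:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (hypothetical): one secret-access event per line.
LINE = re.compile(r"^(\S+) secret=(\S+) principal=(\S+) src=(\S+) region=(\S+) result=(\S+)$")

def parse(lines):
    """Parse matching lines into event dicts; non-matching lines are skipped."""
    out = []
    for m in filter(None, map(LINE.match, (l.strip() for l in lines))):
        ts, secret, principal, src, region, result = m.groups()
        out.append(dict(ts=datetime.fromisoformat(ts), secret=secret, principal=principal,
                        src=src, region=region, result=result))
    return out

def build_baseline(events):
    """Per secret, the (principal, region) pairs seen during a known-good learning window."""
    baseline = defaultdict(set)
    for e in events:
        if e["result"] == "allowed":
            baseline[e["secret"]].add((e["principal"], e["region"]))
    return baseline

def detect(events, baseline, burst_n=3, burst_window=timedelta(seconds=60)):
    """Alert on a (principal, region) never seen for that secret, and on burst_n attempts within burst_window."""
    alerts, recent = [], defaultdict(deque)
    for e in events:
        if (e["principal"], e["region"]) not in baseline.get(e["secret"], set()):
            alerts.append(("unusual-location", e["secret"],
                           f"{e['principal']} from {e['region']} ({e['src']}, {e['result']})"))
        window = recent[e["secret"]]          # sliding window of attempt timestamps
        window.append(e["ts"])
        while e["ts"] - window[0] > burst_window:
            window.popleft()
        if len(window) == burst_n:            # fires each time the count reaches the threshold
            alerts.append(("burst", e["secret"], f"{burst_n} attempts within {burst_window.seconds}s"))
    return alerts

# Constructed sample logs: a known-good learning window, then live traffic.
BASELINE_LOG = """
2024-06-01T08:00:00 secret=db-password principal=billing-api src=10.0.1.5 region=eu-west-1 result=allowed
2024-06-01T09:00:00 secret=ci-deploy-token principal=build-runner src=10.0.2.9 region=eu-west-1 result=allowed
""".strip().splitlines()
LIVE_LOG = """
2024-06-02T10:00:00 secret=db-password principal=billing-api src=10.0.1.5 region=eu-west-1 result=allowed
2024-06-02T10:01:00 secret=db-password principal=billing-api src=203.0.113.7 region=ap-southeast-2 result=allowed
2024-06-02T10:02:00 secret=ci-deploy-token principal=unknown-user src=198.51.100.4 region=us-east-1 result=denied
2024-06-02T10:03:00 secret=ci-deploy-token principal=build-runner src=10.0.2.9 region=eu-west-1 result=allowed
2024-06-02T10:03:10 secret=ci-deploy-token principal=build-runner src=10.0.2.9 region=eu-west-1 result=allowed
2024-06-02T10:03:20 secret=ci-deploy-token principal=build-runner src=10.0.2.9 region=eu-west-1 result=allowed
""".strip().splitlines()
```

Running `detect(parse(LIVE_LOG), build_baseline(parse(BASELINE_LOG)))` yields three alerts: the database password used from an unexpected region, the deploy token tried by an unknown principal, and the burst of attempts on that token.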
So machines are not inherently bad. But, like children, they need guardrails to keep the secrets they use in milliseconds and the organization safe. These best practices will help keep them on the right path.
Itzik Alvas, co-founder and CEO, Entro Security