Achieving IAM Agility with Machine Identities

Machine identities are exploding in the enterprise — and many organizations are struggling to keep up.

That’s according to Keyfactor’s 2021 State of Machine Identity Management report, which surveyed more than 1,100 IT and security professionals. Over half of respondents indicated their organizations don’t know how many keys and certificates they have. A full 62% revealed that the growing use of keys and certificates has significantly increased the operational burden on their teams. Against this backdrop, 55% were concerned about the increasing risk of key and certificate misconfiguration. 

What exactly does all of this mean for enterprise security teams? It’s a situation that needs correction, and while organizations are well aware of the risks, many need help finding the best way forward. To learn more about exactly what that takes, Keyfactor led a webinar with Sean Ryan, Senior Analyst on Security and Risk at Forrester. 

Here’s what you need to know.

Most identity and access management (IAM) programs focus on the “human workforce,” including employees, partners, and contingent workers. Organizations have long used public key infrastructure (PKI) to manage these user identities, including access control, passwords, multifactor authentication, and so on.

But in today’s world, machine identities like service accounts, bots, and APIs get introduced more and more often. This requires security teams to recognize and manage the uniqueness of this “non-human workforce” in the same way they do for the human workforce. However, applying PKI and other traditional IAM practices to the non-human side of things isn’t as simple as “rinse and repeat.”

The need for this shift becomes especially apparent as we move into a more dynamic model of working. For example, in today’s API-driven economy, things change rapidly, and organizations require significant high volume, high-velocity access. Consider the case of a cloud DevOps team that builds new services and connects into different microservices using API calls. Because these API calls need to talk to each other and access different information, they also need credentials to secure those communications and access. 

Against this backdrop, enterprises are seeing machine identities grow at twice the rate of human uniqueness, and as they continue to pop up all over the place, a lot of organizations can’t get a clear picture of how many certificates they have or where they reside. And the more complex these machine identities become to manage, the more security risks and potential operational issues organizations face.

Unfortunately, traditional practices for IAM can’t keep pace with the evolving landscape and today’s more dynamic business practices. Foundational practices, like applying a zero trust philosophy, remain essential and provide a good jumping-off point, but they don’t go far enough on their own.

As a result, security teams must consider new types of investments to organize their practices in more efficient and automated ways that can keep up with the fast pace of machine identities.

Some of the key challenges and considerations for security teams include:

• Discovering new identities: The way most organizations discover new machine identities today is not centralized. New machine identities crop up alongside new business needs in different parts of the organization, and there’s no standardized check-in policy. This situation makes it nearly impossible for security teams to properly discover and report on all of the identities in play.
• Dealing with a higher volume and higher velocity of key management: Cloud-based API workloads are built to be session-based and highly ephemeral. On the one hand, this is a good thing: It’s a great security posture and teams should adopt for other types of machine identities that don’t sit on those cloud platforms. But on the other hand, it introduces some new management challenges, like making sure that things don’t break and that teams can operate at this high velocity while still managing a high volume of ephemeral identities consistently and securely.
• Strengthening credentials: Time and again, organizations adopt weak credentials that are hard-coded and very easy to crack. This situation leads to a poor security posture that exposes the enterprise to all kinds of easy-to-execute attacks.
• Avoiding static, long-lived certificates: Organizations have extended the life of certificates by as much as 30 years, which creates serious security risks. Essentially, not rotating certificates often creates easier pathways for attackers to not only breach the organization but dwell inside of it for months or even years.

Fortunately, there is a way forward for security teams to extend IAM to machine identities effectively and account for the high volume, high-velocity nature of today’s non-human workforce. 

The way forward centers around three critical solutions:

Encryption needs to become the bedrock of enterprise security, with keys and certificates getting applied to every type of identity that exists. This includes all kinds of certificates, SSH keys, code signing, IoT devices, and more.

Importantly, managing this encryption at the necessary volume and velocity requires built-in automation to provide a centralized view of highly distributed identities. Specifically, organizations need an orchestrated system that provides a high level of visibility for admins to manage all of the keys and certificates in play in a controlled and consistent way. With this type of system in place, security teams should identify and remediate problems quickly to avoid them turning into major issues.

Many machine identities in place today have really powerful access that can be used to exfiltrate large amounts of data and access databases with customer records and intellectual property. 

This level of access makes it essential to introduce an added layer of security that applies privileged access controls to machines in the same way organizations have long done for human users (because today there’s often less oversight and monitoring for non-human accounts than there is for human accounts). 

Applying privileged identity management to machines should include regularly rotating credentials to protect against replay attacks and securing vaults to protect RPA and IoT secrets.

Finally, organizations must pay attention to and manage the entire lifecycle of machine identities as elements like access rights and owners change over time. This management needs to get into specifics like what changes over time (e.g., access and owners) as well as who’s making and approving those changes and why they’re doing so. Having this audit trail in a centralized place is extremely important for strong governance.

Some critical best practices in this area include: 

1. applying the principles of least privilege to give machine identities only the access they require to do the job, 
2. decommissioning orphaned machine accounts that are no longer in use
3. enforcing separation of duties so that if someone takes over a machine identity they can’t both make a request and approve that request at the same time.

Today’s enterprises have a big challenge in front of them as more identities of differing types get created (and decommissioned) at a faster pace than ever before, thanks to trends like cloud migrations, the rise of machines, and the shift to Agile and DevOps. This situation can lead to more security and operational blindspots if it’s not handled correctly.

But dealing with these highly dynamic challenges is possible, and it starts with adopting an Agile approach to IAM for both the human and non-human workforce based on the principles of: 

• Just-in-time access: Making machines request access and authenticate every time rather than staying logged in
• Context-aware access: Understanding the context of why a machine needs certain access
• Just-enough privileges: Only giving machines access to the systems and permissions they need to do their jobs
• Automation: Building in automation to move at the necessary speed for all identities across their entire lifecycle and to provide visibility into that full lifecycle

Overall, the pace of digital transformation means that most enterprises are experiencing a significant increase in volume, velocity and variety of identities — both human and non-human — that require access to systems both on-premise and in the cloud. This trend shows no signs of slowing down and will continue to strain IAM practices if organizations don’t take action accordingly.

Interested in learning more about what it takes to achieve IAM agility with machine identities? Watch our full webinar with Forrester to get the details.