When attempting to manage and secure company identities and credentials, you may think predominantly in terms of people and their roles within an organization. How do we make sure that Janet from Quality Assurance has the credentials to access the needed assets, and how do we make sure that no one else can access those credentials?
But human identities are only one piece of the security puzzle. While employees, partners, vendors, customers, and consultants might be some of the most crucial sources of security vulnerabilities in your organization, the volume of machine identities is increasing, creating additional points of entry for hackers and malware.
The 2022 State of Machine Identity Report from the Ponemon Institute (from which we get the statistics below unless otherwise noted) reveals the latest data on just how complex machine identity management can be.
What are Machine Identities?
Machine identities are the digital keys, secrets, and certificates that establish the validity of digital transactions. They include X.509 certificates, SSH and encryption keys, and code signing certificates for secure communication between servers and VMS, workstations, scripts and bots, applications, services, etc.
Public Key Infrastructure is Exploding
With the adoption of remote work, cloud-based services, IoT, and Zero Trust initiatives, the number and importance of public keys and certificates being used by organizations is increasing rapidly. The days of one or two CAs behind the four walls of the data center are behind us, and managing machine identities should be at the forefront of your security posture. In the Gartner Hype Cycle for IAM report in 2021, Gartner Managing VP Tricia Phillips said:
“Digital transformation has led to an explosion in the number of machines – such as workloads, code, applications, and containers – that need to identify themselves and communicate.”
Some of the most common elements of PKI include:
- Internal private PKI software (AD CS, EJBCA, etc.)
- Managed or SaaS-delivered PKI (EJBCA SaaS, PKIaaS, etc.)
- Self-signed certificates (OpenSSL)
- Built-in certificate issuers (Kubernetes, HashiCorp Vault, etc.)
- Private CA service provided by a cloud service provider
- Public CA service (DigiCert, Entrust, Let’s Encrypt, etc.)
Making sure machine identities are protected is becoming a costly and time-consuming task. The majority of organizations say that the growing use of keys and certificates has significantly increased the operational burden on their IT teams and that they’re concerned about the increased workload and risk of outages due to shorter TLS cert lifespans.
Additionally, over half of the organizations polled say their organization doesn’t even know exactly how many keys and certificates they have.
The Risks of Machine ID and PKI Sprawl
If neglected, machine identities can create huge gaps in your security, as any vulnerabilities can enable a threat actor to move laterally from one system into others on the network.
In the last two years, over 95 percent of organizations have experienced all three of the following PKI-related issues:*
- Audit Failures: Unexpected audit findings due to gaps in PKI, key and certificate management
- Machine ID Compromise: Theft or misuse of keys by mistake, malicious insider, or external threat actor
- Certificate Outages: Application or service failure due to an expired or untracked certificate.
The Pains of Certificate Outages
Because they can bring operations to a halt, certificate outages tend to receive the most focus. Nearly 40 percent of outages take over four hours to identify and remediate, which can be costly and damaging to a company’s reputation. The Let’s Encrypt outage in September 2021, for instance, affected operations at major corporations like Cisco, Palo Alto, Bluecoat, AWS, Auth0, Fortinet, Heroku, and others.
But outages are just the tip of the iceberg, indicating bigger risks below the surface that need to be addressed, including manual processes, wildcard certificates, weak cryptography, and misconfigured or exposed CAs.
Machines Are Taking Over
“The number of machines (workloads and devices) now outnumbers humans by an order of magnitude, and organizations must establish tooling and processes to control those identities.” – Gartner: Managing Machine Identities, Secrets, Keys and Certificates, Erik Wahlstrom, 16 March 2022
If you don’t feel like you have a good grasp of how to secure your public key infrastructure, you’re not alone:
- 50% of companies do not have sufficient staff dedicated to their PKI
- 42% of companies still use spreadsheets to manually track digital certificates
- 59% of companies do not have centralized management of SSH credentials
- 50% of companies have no formal policies or access controls for code-signing keys
Additionally, about 40 percent of organizations have only a limited PKI strategy for specific applications or use cases, and 16 percent don’t have any strategy at all.
How to Tackle the Problem
1. Start With Visibility
You have to know what certificates you’re using to effectively secure them. Discovering and creating an inventory of your certs and CAs will give you an overview of which ones have the highest priority.
- Use multiple sources of data
- Triangulate the data points
- Understand key information, including Issuer, Owner, Use/Application, Approver, etc.
2. Establish Ownership
Create a cross-functional working group to establish ownership for tools, processes, and strategy and to provide oversight and bridge gaps between business units. Then define machine identities for your organization, identify use cases for your PKI and machine IDs, and analyze your existing “identity fabric” or toolset.
3. Simplify & Consolidate
The more identities and sources of information you have, the more possibility for mistakes and/or vulnerabilities. Once you have a good handle on what PKI management tools are at your disposal, pare them down. Ask yourself questions like:
- “Do I need 5 different PKI and CA deployments?”
- “Should I be looking at 3 different sources to track certificates?”
- “Do I need separate tools to manage X.509 vs SSH identities?”
- “Does every developer need a code signing key?”
4. Lay the Groundwork
You need to define policies and best practices for your public key infrastructure.
- Educate teams on the importance of PKI and digital certificates
- Define and distribute best practice guidelines
- Reinforce good habits and shift away from self-signed and wildcard certs
- Lay out strategies to make the right tooling decisions moving forward
5. Shift Your Strategy from Ops to SecOps
Most security teams spend at least 50% of their time on maintenance and operational tasks. The key is to automate, automate, automate. Automation decreases risks related to human error and misconfiguration and ensures that you can scale with new demands. Additionally, automation enables integration with existing DevOps and cloud workflows.
6. Prepare for Crypto-Agility
Security threats adapt quickly to security controls, so you have to be ready to adapt just as fast. To maintain operations and prevent incidents related to PKI, you need to constantly educate yourself and maintain a crypto-agile security posture:
- Evaluate existing crypto–keys, algorithms and crypto-libraries
- Plan for an enterprise-wide shift to new keys and algorithms
- Automate and test processes to prepare for incident response
- Keep track of progress on PQC algorithms
Get the Full Report from Ponemon
Check out the Ponemon Institute’s 2022 State Machine Identity Management report to stay informed with the latest cybersecurity data and analysis. With an in-depth analysis of the threat landscape for PKI and machine IDs at your disposal, you can make informed decisions about what security measures to put in place to keep your organization safe and operating at full capacity.