This article was originally published by Forbes as part of the Forbes Technology Council, an invitation-only community for world-class CIOs, CTOs, and technology executives.
Zero trust is an acknowledgment that legacy network controls like firewalls and VPNs are not enough to secure the enterprise. This has become increasingly true due to digital transformation, cloud computing and DevOps trends.
The framework is built on the notion of “never trust, always verify” and views trust as a vulnerability. This has left identity as one of the few remaining tools for controlling access to services, applications and other business-critical operations.
Identity is key to securing the fast-growing digital footprint of today’s enterprises. This has resulted in the pursuit of zero-trust strategies and greater use of public-key infrastructures (PKI) and digital certificates. But along the way, a critical component of a secure enterprise has gotten out of control. Machine identities, which are growing exponentially and can be just as vulnerable to compromise, are not getting the proactive attention necessary to ensure secure operations.
Failing to properly manage and protect machine identities, such as X.509 certificates, symmetric keys and secure shell (SSH) keys, can leave organizations exposed to credential-based exploits used by ransomware operators.
The recent growth of machine identities can also create weaknesses. A report from CyberArk found that machine identities outnumber human identities 45 to 1 and that 68% of non-human identities have access to sensitive data and assets.
Organizations need a comprehensive identity approach that secures both humans and machines. Using PKI efficiently can help them gain better control of the identities on their networks.
Machine Identities’ Growth Has Outpaced Protections
Business is conducted in a cloud-based, service-oriented world. Companies are leaving legacy infrastructure and on-premises operations behind. In their place, they are pushing toward agile, scalable and responsive cloud architectures that move transactions into the cloud and out to the edge.
But organizations’ attack surfaces are also being expanded, and threat actors have noticed, focusing on credential-based attacks that compromise user identities as a way into networks. Zero-trust strategies focused on continuous validation of identities are bulwarks against those attacks, but most implementations are not comprehensive enough.
A recent survey by my company, Keyfactor, and the Ponemon Institute underscores the challenges that have arisen in the headlong rush toward digital transformation, particularly concerning machine identities.
Survey respondents have PKI in place, but many said they struggle to achieve complete certificate visibility. More than half said they did not know how many keys and certificates were in use in their organizations. The lack of control over certificates has had significant fallout: 81% of respondents said they had experienced two or more disruptive outages caused by expired certificates in the previous two years, an increase of 77% from last year’s report. On average, it takes respondents three hours to respond to a certificate-related outage, and 39% said it takes four hours or more.
Shorter certificate lifetimes (reduced from five years a decade ago to 398 days) have also made certificate issuance and management more challenging. Organizations may once have had a set-it-and-forget-it attitude toward cryptography (some PKIs deployed 15 years ago are still in use), but today’s environment demands attention to a faster refresh cycle.
The shift into the cloud, the growth of the remote workforce and the emphasis on zero-trust security strategies have generated greater use of PKI, keys and digital certificates. But the proliferation of machine identities still needs to be addressed. To gain control, organizations need to grasp the fundamentals of proper PKI and certificate management.
The Steps To Securing Machine Identities
PKI provides an identity backbone that secures connections between users, devices and applications for encryption, authentication and digital signatures, by giving each of them a unique digital identity through the issuance of digital certificates.
Keeping up with the explosion of machine identities requires a comprehensive approach made up of several important features.
1. A Solid Strategy
Organizations need an enterprise-wide strategy for managing cryptography and machine identities. Oftentimes, there is no common owner for a cryptography strategy in the enterprise because PKI and machine identities are so widely used by different teams across the organization. CISOs and security leaders need seamless orchestration across business units to make sure systems are protected and employees can work efficiently without introducing vulnerabilities.
A standard end-to-end methodology defines policies and responsibilities, develops a cryptographic inventory, identifies and remediates vulnerabilities, continuously monitors and audits, and automates the lifecycle in an agile manner.
2. Being Crypto-Agile
Companies should focus on crypto-agility, which is the ability to adapt quickly to impactful cryptographic events, such as a certificate authority compromise or a new attack that weakens a cryptographic algorithm.
Through crypto-agility, businesses can execute a proactive approach to securing identities and can respond to breaches or incidents at optimal speed. Looking ahead, as more enterprises modernize their PKI and migrate to the cloud, we can expect an increasing number to focus on crypto-agility in their incident response plans. This will further prepare them to handle today’s emerging identity-related threats.
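The cryptographic-inventory and monitoring steps of the methodology above, together with the algorithm checks that crypto-agility depends on, in working code. This is an added example, not code from the article or from Keyfactor: a standard-library Python script that parses the validity period, signature algorithm and RSA key size out of DER-encoded X.509 certificates and applies the checks an inventory needs (expired or soon-expiring certificates, lifetimes over the 398-day ceiling the article cites, SHA-1 signatures, RSA keys under 2048 bits). The certificates it scans are constructed inline with placeholder keys and zero-filled signatures, so they parse but prove nothing; the 30-day warning window, the 2048-bit floor and the SHA-1 rule are assumed policy values, not figures from the article. In practice the DER bytes would come from a real export, such as certificate files on disk or the leaf certificate returned by a TLS handshake.

```python
"""Added example (not from the article): cryptographic-inventory checks over DER-encoded X.509
certificates, standard library only. Sample certificates are CONSTRUCTED below with placeholder
keys and zero-filled signatures: they parse correctly but prove nothing."""
import datetime as dt

MAX_LIFETIME_DAYS = 398   # ceiling cited in the article; the thresholds below are assumed policy
WEAK_SIG_ALGS, MIN_RSA_BITS = {"sha1WithRSAEncryption"}, 2048
RSA_OID = "1.2.840.113549.1.1.1"
SIG_ALGS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def der_read(buf, pos=0):
    """Return (tag, content, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    """Yield (tag, content) for every TLV inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, inner, pos = der_read(content, pos)
        yield tag, inner

def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def decode_time(tag, raw):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"     # UTCTime / GeneralizedTime
    return dt.datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)

def parse_certificate(der_bytes):
    """Pull validity, signature algorithm and RSA key size out of one certificate."""
    _, cert, _ = der_read(der_bytes)                   # Certificate
    _, tbs, _ = der_read(cert)                         # tbsCertificate
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serial, signature alg, issuer, validity, subject, subjectPublicKeyInfo
    sig_oid = decode_oid(next(der_children(fields[1][1]))[1])
    not_before, not_after = [decode_time(t, v) for t, v in der_children(fields[3][1])]
    spki, key_bits = list(der_children(fields[5][1])), None
    if decode_oid(next(der_children(spki[0][1]))[1]) == RSA_OID:
        _, rsa_pub, _ = der_read(spki[1][1][1:])       # BIT STRING: skip the unused-bits octet
        key_bits = int.from_bytes(next(der_children(rsa_pub))[1], "big").bit_length()
    return {"sig_alg": SIG_ALGS.get(sig_oid, sig_oid), "not_before": not_before,
            "not_after": not_after, "key_bits": key_bits}

def check_certificate(info, now, warn_days=30):
    """Apply the inventory policy; returns (code, detail) findings, empty when clean."""
    findings, lifetime = [], (info["not_after"] - info["not_before"]).days
    if lifetime > MAX_LIFETIME_DAYS:
        findings.append(("lifetime", f"{lifetime}d exceeds {MAX_LIFETIME_DAYS}d"))
    days_left = (info["not_after"] - now).days
    if days_left < 0:
        findings.append(("expired", f"expired {-days_left}d ago"))
    elif days_left <= warn_days:
        findings.append(("expiring", f"{days_left}d left"))
    if info["sig_alg"] in WEAK_SIG_ALGS:
        findings.append(("weak-signature", info["sig_alg"]))
    if info["key_bits"] is not None and info["key_bits"] < MIN_RSA_BITS:
        findings.append(("weak-key", f"RSA-{info['key_bits']}"))
    return findings

# --- constructed sample input: a small DER encoder and a certificate shell ---
def der_encode(tag, content):
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.insert(0, (a & 0x7F) | 0x80)
        out += bytes(chunk)
    return bytes(out)

def build_sample_cert(sig_oid, not_before, not_after, rsa_bits):
    """v3 certificate shell: placeholder modulus of the requested size, zero signature."""
    def seq(*parts): return der_encode(0x30, b"".join(parts))
    def utc(t): return der_encode(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    alg = seq(der_encode(0x06, encode_oid(sig_oid)), der_encode(0x05, b""))
    name = seq(der_encode(0x31, seq(der_encode(0x06, encode_oid("2.5.4.3")), der_encode(0x0C, b"inventory-sample"))))
    modulus = ((1 << (rsa_bits - 1)) | 1).to_bytes(rsa_bits // 8 + 1, "big")   # leading 0x00: positive INTEGER
    rsa_pub = seq(der_encode(0x02, modulus), der_encode(0x02, b"\x01\x00\x01"))
    spki = seq(seq(der_encode(0x06, encode_oid(RSA_OID)), der_encode(0x05, b"")), der_encode(0x03, b"\x00" + rsa_pub))
    tbs = seq(der_encode(0xA0, der_encode(0x02, b"\x02")), der_encode(0x02, b"\x01"), alg,
              name, seq(utc(not_before), utc(not_after)), name, spki)
    return seq(tbs, alg, der_encode(0x03, b"\x00" * 33))

SAMPLE_NOW, D = dt.datetime(2024, 6, 1, tzinfo=dt.timezone.utc), dt.timedelta
SAMPLE_INVENTORY = {   # constructed, not real certificates
    "web-current": build_sample_cert("1.2.840.113549.1.1.11", SAMPLE_NOW - D(100), SAMPLE_NOW + D(200), 2048),
    "legacy-sha1": build_sample_cert("1.2.840.113549.1.1.5", SAMPLE_NOW - D(1806), SAMPLE_NOW + D(20), 1024),
    "forgotten": build_sample_cert("1.2.840.113549.1.1.11", SAMPLE_NOW - D(400), SAMPLE_NOW - D(10), 2048),
}

def run_inventory(inventory=SAMPLE_INVENTORY, now=SAMPLE_NOW):
    """Map each certificate name to its list of policy finding codes."""
    return {name: [code for code, _ in check_certificate(parse_certificate(der), now)]
            for name, der in inventory.items()}

if __name__ == "__main__":
    print(run_inventory())
```

Running the script reports the clean certificate with no findings, the SHA-1 legacy certificate with four (excess lifetime, imminent expiry, weak signature, weak key), and the forgotten one as already expired, which is the outage scenario the survey figures describe. The parser deliberately reads only the fields the policy needs and walks the structure by position as RFC 5280 lays it out, so it stays small; a production inventory would hand the same DER bytes to a full X.509 library and keep the policy layer.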
3. A Mature CCoE
A crypto center of excellence (CCoE) can offer leadership, define ownership and provide guidance on using PKI and machine identities. A CCoE does not necessarily own and operate all the tools for PKI and machine identity management, but rather it serves as a center for policy, governance and best practices.
As part of this, business leaders must think through which security and non-IT leaders must be involved. Those involved must be able to act as advisors and subject matter experts and deliver best practices across the company.
4. The Right Identity Management Toolset
It is critical to take the time to understand the different solutions available to help scale and automate identity management. Naturally, you will need different tools for different elements, such as identity management versus certificate management, but the more these needs and toolsets can be consolidated, the better.
In all, there is a correlation between the growing digital footprint in today’s modern enterprise and the security challenges inherent to properly managing and protecting machine identities. But with the right tools and strategies in place, security leaders can find a path forward.