Cybersecurity Awareness Month’s Week 4 theme of “Cybersecurity-First” offers an opportunity to help IT and infosec professionals educate their teams about the importance of cybersecurity. This blog is intended as a tool to help educate your organization on why public key infrastructure (PKI) and machine identities matter, and the role they play in becoming a cybersecurity-first company.
If you’ve worked in cybersecurity, you probably wouldn’t describe it as an art or a science. It’s not exactly a Netflix drama series either (think Mr. Robot). In reality, it’s a grind.
Protecting networks, devices, and data against the threat of attack is not an easy assignment, and the pressure to stay ahead of cybercriminals weighs heavy. At times it can be an adrenaline rush, other times it can be mundane and repetitive.
It can involve responding to tickets, searching for anomalies, reviewing logs, working on long-term strategies, evaluating technologies, and most importantly, educating end-users on the importance of cybersecurity (even when it means answering “stupid” questions).
Building a cybersecurity-first culture extends well beyond your IT stack and the teams that implement it. Unfortunately, many articles focus on the latest technology (the “science”) or the lack of skilled personnel (the “art”) in cybersecurity, but they fail to recognize the importance of education, especially for non-technical users and business leaders.
In this blog, we aim to educate teams about an essential but often misunderstood and overlooked component of cybersecurity – machine identities.
The identities you know vs the identities you don't
Let’s start with something familiar – identity. Our identity is everything. It extends from who we are to what we have access to. Humans rely on identities every day to drive their cars, travel internationally, purchase goods and services, and access everything from their Instagram account to their laptop at work or home.
Our familiarity with identity means that most IT leaders and practitioners recognize and understand the importance of identity and access management (IAM). It’s why organizations spent nearly 14 billion dollars on IAM in 2021, making it one of the top information security budget items, alongside cloud and application security.
To date, most of the IAM focus has been dedicated to protecting user (or human) identities. To meet those requirements, organizations rely on tools like single sign-on (SSO), multi-factor authentication (MFA), and privileged access management (PAM).
The problem is that humans are only part of the workforce.
More machines, more identities
Machines far outnumber humans today. But far from any sci-fi notions of a dystopian robot-ruled future, machines free us humans from dangerous, time-consuming, or just plain boring tasks that we’d rather avoid.
These machines are made up of hardware devices, such as mobile devices, IoT/OT devices, servers and desktops, and software-defined workloads, including containers, virtual machines (VMs), services, and applications.
Just like humans, each machine needs one or more unique identities to authenticate and securely communicate with one another. Unlike their human counterparts, though, machine identities receive far less attention.
According to Gartner, “Commonly deployed IAM tools such as access management (AM), identity governance and administration (IGA), and PAM tools have historically been geared toward the more imminent need for managing human identities. Equal focus must now be paid to the management and governance of machines.”
Commodity or Critical Infrastructure?
When we start thinking about managing machine identities, such as X.509 certificates, that’s where things get blurry for most people. Despite the widespread use of keys and certificates by developers, IT admins, infrastructure engineers, and the like, very few of those users understand how they actually work.
The underlying problem is that machine identities, and the public key infrastructure (PKI) that sits behind them, are viewed as “commodities.” In other words, anyone and everyone in the IT organization needs a certificate, but most don’t know where to procure one or how to properly configure and install it. Different teams and end-users seek the easiest and cheapest solution, which leads to uncontrolled sprawl of issuers (CAs) and certificates.
What happens? Whether by an adversary, partner, contractor, or internal employee, certificates can easily be misconfigured and misused. In the past year, we’ve seen several incidents result from this uncontrolled issuance and use of machine identities:
- Fortinet, Palo Alto, Cloudflare, and dozens of leading tech companies experienced service issues when the IdenTrust DST Root CA X3 (used by Let’s Encrypt) expired.
- NSA warned organizations to avoid using wildcard TLS certificates to minimize the risk from a new form of TLS decryption attack known as “ALPACA.”
- Fortnite experienced a widespread hours-long outage that started with an expired wildcard TLS certificate installed across hundreds of different production services.
- Microsoft blamed a key rotation issue for a large-scale outage that affected many of its Microsoft 365 services for more than 14 hours.
Taking control of the situation requires a fundamental shift in mentality. PKI and machine identities are not a “commodity”; they are critical infrastructure that underpins the security and availability of virtually every device and workload in the enterprise.
Tips and strategies to get started
How do you take control of the situation? It starts with education and awareness, then by looking at your technology and processes. Everyone from end-users to IT leaders needs to better understand the importance and role of machine identities in the initiatives they are undertaking. Here we’ve compiled a few tips and strategies to get you started:
For PKI and security teams:
- Teach employees within the IT organization about the importance of certificates and how they should be handled. Create cheat sheets and guides for how to obtain certificates, how to ensure they align with policy, and if automation is not in place, how to properly install and renew their certificates.
- Make sure end-users and application teams have a quick and simple way to obtain certificates. If you cannot fulfill certificate requests efficiently for your users, you can bet they will look elsewhere. Self-signed certificates and the limited CAs built into platforms (e.g. Kubernetes Secrets, HashiCorp Vault) should not be used blindly.
- Develop your toolset for visibility and automation. Education is where it starts, but it’s the technology that will drive best practices. Evaluate certificate management solutions that provide discovery and lifecycle automation capabilities.
For end-users and application teams:
- Avoid using wildcard certificates. Sure, wildcard certificates are a convenient short-term solution, but the risk far outweighs the reward: one shared private key and one expiry date now cover every host that uses the certificate, so a single compromise or a single missed renewal hits all of them at once. Look no further than the recent NSA warning or the 5+ hour Fortnite outage to see why they should be avoided. Instead, consult your PKI or security team on how to obtain trusted certificates.
- Do not use self-signed certificates on production systems. Self-signed certificates have their place, but not in production or public-facing domains. Because nothing vouches for a self-signed certificate, clients that are taught to accept one cannot tell it apart from an attacker’s, which is what makes them useful to cybercriminals for man-in-the-middle (MitM) attacks that impersonate trusted systems.
- If certificates are a pain, help drive the business case. If you’re frustrated with having to request, install, and renew certificates manually, chances are your PKI/security team is tired of it too. Rather than point fingers, help drive the business case for more automation that can make things easier on everyone.
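To make the tips above concrete, here is an added example (not tooling from the original post or from any vendor it mentions) of the checks a certificate inventory should run once discovery has collected the basics about each certificate: an effective expiry date that accounts for the issuing chain (the lesson of the DST Root CA X3 expiry, where perfectly valid leaf certificates stopped working because the root above them expired), wildcard names, self-signed certificates on production systems, and a per-issuer count that makes CA sprawl visible. It assumes the records have already been extracted from discovered certificates (for example with `openssl x509 -noout -subject -issuer -enddate -ext subjectAltName`); the hosts, names and dates in the inventory are constructed.

```python
"""Certificate inventory checks over a constructed sample (added example,
not tooling from the original post).

Assumes the records below were already extracted from discovered
certificates; parsing is out of scope here. All hosts, names and dates
are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class CertRecord:
    host: str                    # where the certificate was discovered
    subject: str
    issuer: str
    not_after: datetime
    sans: list = field(default_factory=list)
    is_ca: bool = False          # CA certificates are self-signed by design
    environment: str = "production"

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def audit(certs, now, warn_days=30):
    """Return (findings, issuer_counts).

    findings: list of (host, rule, detail) tuples, in inventory order.
    issuer_counts: number of leaf certificates signed by each issuer, which
    makes CA sprawl (including ad-hoc self-signed leaves) visible.
    """
    # Index CA records by subject so a leaf's chain can be walked.
    # (Constructed data has unique subjects; real inventories key on key ids.)
    by_subject = {c.subject: c for c in certs if c.is_ca}
    findings = []
    for c in certs:
        # Rule 1: effective expiry. A leaf is only usable as long as every
        # CA above it is, so take the earliest notAfter along the chain.
        effective = c.not_after
        cur, seen = c, set()
        while not cur.self_signed and cur.issuer in by_subject and cur.issuer not in seen:
            seen.add(cur.issuer)
            cur = by_subject[cur.issuer]
            effective = min(effective, cur.not_after)
        days_left = (effective - now).days
        chain_note = " (chain-limited)" if effective != c.not_after else ""
        if days_left < 0:
            findings.append((c.host, "expired",
                             f"effective expiry {effective.date()} ({-days_left} days ago)"))
        elif days_left <= warn_days:
            findings.append((c.host, "expiring", f"{days_left} days left{chain_note}"))
        # Rule 2: wildcard names share one key and one expiry across every host.
        wild = [n for n in c.sans if n.startswith("*.")]
        if wild:
            findings.append((c.host, "wildcard", ", ".join(wild)))
        # Rule 3: self-signed leaf certificates do not belong on production systems.
        if c.self_signed and not c.is_ca and c.environment == "production":
            findings.append((c.host, "self-signed-prod", c.subject))
    issuer_counts = Counter(c.issuer for c in certs if not c.is_ca)
    return findings, issuer_counts


UTC = timezone.utc
NOW = datetime(2021, 10, 25, tzinfo=UTC)          # constructed reference date

INVENTORY = [  # constructed records
    CertRecord("root-ca", "CN=Example Root CA", "CN=Example Root CA",
               datetime(2021, 11, 10, tzinfo=UTC), is_ca=True),
    CertRecord("issuing-ca", "CN=Example Issuing CA", "CN=Example Root CA",
               datetime(2024, 1, 1, tzinfo=UTC), is_ca=True),
    CertRecord("api.example.test", "CN=api.example.test", "CN=Example Issuing CA",
               datetime(2022, 6, 1, tzinfo=UTC), sans=["api.example.test"]),
    CertRecord("shop.example.test", "CN=*.example.test", "CN=Example Issuing CA",
               datetime(2021, 10, 20, tzinfo=UTC), sans=["*.example.test", "example.test"]),
    CertRecord("build-agent-07", "CN=build-agent-07", "CN=build-agent-07",
               datetime(2031, 1, 1, tzinfo=UTC), sans=["build-agent-07"]),
    CertRecord("dev-box", "CN=dev-box", "CN=dev-box",
               datetime(2031, 1, 1, tzinfo=UTC), environment="development"),
    CertRecord("mail.example.test", "CN=mail.example.test", "CN=Cheap Public CA",
               datetime(2022, 3, 1, tzinfo=UTC), sans=["mail.example.test"]),
]


def report(certs=INVENTORY, now=NOW):
    """Print the findings and issuer counts; returns them for callers too."""
    findings, issuers = audit(certs, now)
    for host, rule, detail in findings:
        print(f"{host:20} {rule:18} {detail}")
    print("\nleaf certificates per issuer:")
    for issuer, n in issuers.most_common():
        print(f"  {n:3}  {issuer}")
    return findings, issuers


if __name__ == "__main__":
    report()
```

Running it against the constructed inventory shows the point of the chain walk: `api.example.test` is valid until mid-2022 on its own, yet it is reported as expiring in 16 days because the root above it expires first, exactly the failure mode of the DST Root CA X3 incident. The wildcard certificate on `shop.example.test` is both expired and flagged as a wildcard, the self-signed build agent is flagged only because it sits in production, and the issuer table shows that two hosts have quietly become their own CAs.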
For IT leaders:
- Make machine identities a priority in your IAM strategy. Reframing cryptography from a highly technical concept into the already well-understood concept of “identity” will help drive better understanding and standardization across the business.
- Define machine identities and develop a clear plan. Build a clear picture of the machine identities in your environment and develop an enterprise-wide policy framework for how they should be used and managed.
- Help form a crypto center of excellence (CCOE). Once you’ve established a baseline strategy and policy, you’ll need to ensure that your teams develop clear guidance for certificate users. That includes assigning ownership of tools and processes to be used for different types of machine identities.