7 machine identity management best practices

Machine identities are a large, and fast-growing part of the enterprise attack surface. The number of machines—servers, devices, and services—is growing rapidly and efforts to secure them often fall short.

Cybercriminals and other threat actors have been quick to take advantage. Cyberattacks that involved the misuse of machine identities increased by 1,600% over the last five years, according to a report released last spring by cybersecurity vendor Venafi.

Research firm Gartner named machine identity as one of the top cybersecurity trends of the year, in a report released last fall. In 2020, 50% of cloud security failures resulted from inadequate management of identities, access, and privileges, according to another Gartner report. In 2023, that percentage will rise to 75%.

“We spend billions of dollars every year on identity and access management for humans—from biometrics to privilege access management—yet very little time of investment goes toward defending our machine identities,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “Yet just as with human identities, in the hands of the wrong person, a machine identity can be put to bad use.”

Businesses often put too much trust in the machines on their networks, says Chris Owen, director of product management at Saviynt. “This means they can connect to other networked resources without human intervention or traditional forms of authentication,” he says. “So, if a machine gets compromised, attackers could move around the network using these machine-to-machine pathways.”

Fortunately, enterprises are starting to wake up to the issue. According to a report released by Ponemon Institute and Keyfactor in March, 61% of IT professionals say that the theft or misuse of machine identities is a serious concern—up from 34% last year.

Awareness is the first step to tackling the problem, but companies can take other, more specific steps to start getting the machine-identity issue under control. Here are seven of them.

1. Know your certificates, keys and digital assets

According to Ponemon, the average IT organization has more than 267,000 internal certificates, an increase of 16% compared to last year. Certificates and keys are associated with operational infrastructure, with IoT, with on-premises IT infrastructure, with cloud infrastructure, and with containerized infrastructure. Some of these certificates and keys are old. Some are hard-coded. Some are intertwined with other identities.

According to a survey by Vanson Bourne of IT security decision makers on behalf of AppViewX released last fall, 61% of organizations lack full awareness of certificates and keys for their digital assets. Of those who lack visibility, 96% said they’ve experienced consequences. The most common problem? Cybersecurity breaches, reported by 55% of respondents. System outages were reported by 35% of respondents, and 33% reported financial losses.

Ian Reay, vice president of engineering at Hitachi ID Systems, says he’s seen instances where companies got into serious problems as a result of not knowing what was happening with machine identities. For example, one major U.S. organization was doing maintenance on its marketing printers and needed to change the passwords.

“Just the printers. What could go wrong?” Reay asked. “They followed all the change controls and changed their passwords. Then they realized that their production systems were going offline, and they didn’t know why.”

A couple of very stressful hours of global outages later, they realized what had happened. “About 20 years ago, one of the administrators used the printer account for other purposes,” Reay says. “It became entangled. It was used for both printers and for the production environment. That is incredibly hard to see and predict ahead of time.”

When they tried to change the password back to the old one, they couldn’t. The old password no longer met their Active Directory password policies. Senior executives had to get involved to allow an exception to the password policy.

Enterprises tend to have multiple lists, lists that are fractured, badly maintained, and full of mistakes, Reay says. “What we found with our customers, even the ones leading the pack, most aren’t in a position to tackle this problem. It’s too daunting.”

2. Change keys and certificates frequently

When keys and certificates are static, it makes them ripe targets for theft and reuse, says Anusha Iyer, co-founder and CTO at Corsha, a cybersecurity vendor. “In fact, credential stuffing attacks have largely shifted from human username and passwords to API credentials, which are essentially proxies for machine identity today,” she says.

As API ecosystems are seeing immense growth, this problem is only becoming more challenging. Improper management of machine identities can lead to security vulnerabilities, agrees Prasanna Parthasarathy, senior solutions manager at the Cybersecurity Center of Excellence at Capgemini Americas. In the worst case, attackers can wipe out entire areas in the IT environment all at once, he says.

“Attackers can use known API calls with a real certificate to gain access to process controls, transactions, or critical infrastructure – with devastating results.”

To guard against this, companies should have strict authorization of the source machines, cloud connections, application servers, handheld devices, and API interactions, Parthasarathy says. Most importantly, trusted certificates should not be static, he says. “They should be changed or updated frequently. They should never be hard coded into an API call.”

Parthasarathy admits that it can be difficult to change certificates for every transaction, but with more frequent updates, enterprises will have a more secure environment. In addition, companies must have processes in place to revoke certificates and keys immediately when devices or processes are decommissioned. Gartner recommends that companies remove implicit trust from all computing infrastructure, and replace it with real-time, adaptive trust instead.

3. Adopt machine-identity management solutions

Gartner puts machine-identity management under the category of identity and access management (IAM) technologies. According to the firm’s latest hype cycle, machine-identity management is now nearing the peak of inflated expectations, and is still two to five years away from the “plateau of productivity.”

According to the Vanson Bourne survey, 95% of organizations are implementing or are planning to implement automated machine-identity management workflows, machine-identity management as a service, or the ability to manage certificate lifecycles on hybrid deployment models. However, only 32% have fully implemented modern machine-identity management. According to the survey, 53% of organizations still use spreadsheets as the core of their machine-identity management, and 93% have spreadsheets somewhere in the process. 

One problem, says Chris Hickman, CSO at Keyfactor, is that in most organizations, ownership of machine identity is implied rather than being expressly assigned. “Therefore, many organizations end up with a siloed approach to machine-identity management and worse still, many of these identities are managed by no one,” he recommends that companies establish core, cross-function groups with specific responsibility for the management of all machine identities.

4. Embrace automation

According to the Vanson Bourne survey, companies that have automated workflows as part of their machine-identity management see significant benefits. Of those who have automation in place, 50% are able to track all certificates and keys, compared to just 28% of those who don’t have automation in place. Only 33% of organizations have fully implemented automated workflows, with 48% still in the process of doing so. Another 15% have plans to put automation in place and only 4% don’t have any plans for automation in this area.

IT security decision makers said that they expect automation to reduce costs, reduce time spent managing keys and certificates, and simplify and streamline workflows. “Automation is essential,” says Venafi’s Bocek. “Digital transformation initiatives stall without automated management.” Automation will also reduce the possibility of human error, he adds, which can open the way to security breaches.

5. Include the cloud in machine identity management plans

As companies move infrastructure from on premises to the cloud, 92% have had to rethink and change the machine identity management solutions, according to the Vanson Bourne survey. And 76% say that the solution they have in place isn’t fully capable of supporting cloud or hybrid deployments.

A “single pane of glass” approach to machine-identity management isn’t yet practical in multi-cloud environments, said Gartner analyst Laurence Goasduff in a recent report. Companies can implement a single overarching framework that centralized some functions but leaves room for native tools, he says.

According to the Vanson Bourne survey, fewer than half of companies plan to have a single machine-identity management solution that covers all cloud deployments. Instead, 37% plan to have a separate machine-identity management system for each cloud, with a central policy to cover them all, and 22% plan to have separate systems without a central policy.

6. Include robots in machine-identity management plans

Throughout the global pandemic, companies have accelerated their automation strategies. According to Forrester, the global robotic process automation software market will reach $6.5 billion in 2025, up from $2.4 billion in 2021. These software robot identities also need to be managed, said Goasduff in the Gartner report. “Start by defining best practices and guiding principles for how to integrate RPA tools into the identity fabric,” he said, “and treat RPA’s software robots as another workload that needs a machine identity.”

7. Include machines in zero-trust plans

Zero trust is a top, if not the top, security priority for enterprises today. According to a survey released this February by the Information Security Media Group, 100% say that zero trust is important to reducing security risk. It was at the heart of U.S. President Biden’s cybersecurity memorandum earlier this year.

Zero trust isn’t just about requiring users to be fully authenticated at all times. It also applies to processes and devices. “Managing device identities is especially important in the newer zero-trust security model,” says Bo Lane, head of solution architecture at Kudelski Security. “When an enterprise device is not given any special trust status on the network, it must have a way to identify and authorize interactions with other devices, services or data.”

According to a Fortinet survey released earlier this year, 84% of organizations have a zero-trust strategy in place or in development. However, the ability to authenticate devices on an ongoing basis is a struggle for 59% of enterprises, the survey showed.