For many years, the technology industry has been working on ways to verify people when they do business online, with passwords and multi-factor authentication. With the advent of digital transformation, cloud, and IoT, however, there has been a rising need to authenticate and authorize machines of all types, from cloud workloads to Kubernetes clusters to mobile apps. Just as people must be authenticated to access their online services, all the new services and devices in use must have identities — machine identities.
The rise of these machines has expanded the attack surface and most companies aren’t aware of the risk. As a result of this rapid rise in software-based “machines,” Forrester estimates that machine identities are growing at twice the rate of human identities and Gartner has recognized Machine Identity Management as a new category within Identity and Access Management and listed it among the top 8 security trends for 2021.
Machine identity management concerns the visibility, intelligence, and automation of digital certificates and other identities, such as SSL/TLS certificates, SSH keys and code signing certificates. Policies are defined and enforced, machines are audited and certificate lifecycles are monitored. Problems arise because technologies like X.509 and SSH key management systems remain siloed and are often incompatible with modern cloud environments, which makes it difficult to stay on top of expired and forgotten certificates. TLS certificates have declining lifespans, dropping from five years in 2012 to just one year in 2020. SSH keys never expire, are rarely removed from environments, and the same keys are often used to access multiple machines. Code signing keys are often not secured because they are generated and used by developers, and increasingly by automated processes that humans could never keep up with. According to a 2018 Forrester survey, more than 50% of organizations found it challenging to protect their machine identities.
Cyberattacks leveraging compromised or mismanaged machine identities are increasingly common. Such cyberattacks climbed by more than 430% between 2018 and 2019, while cyberattacks and APTs that misuse them increased 1,600% over the past five years, according to a 2020 Venafi report. In the attack on SolarWinds, attackers weaponized digital certificates that are designed to protect the software supply chain. An expired digital certificate delayed the discovery of the Equifax breach in 2017. Stolen encryption keys allowed attackers to steal customer data from Marriott in 2018, and attackers used a stolen GoDaddy SSH key to steal nearly 30,000 SSH credentials from its customers in 2020.
Attackers can leverage unprotected machine identities to gain access to networks and pivot across multiple systems once inside. They also give attackers the opportunity to create persistent back doors and distribute malware to unsuspecting network users. SSH-based malware, like Trickbot, has allowed attackers to infect multiple targets, pivot into other areas of target networks and steal additional SSH keys. Stolen TLS certificates are also used in man-in-the-middle attacks and data exfiltration. And because they allow attackers to masquerade as legitimate entities, fraudulent certificates also enable them to evade existing defense mechanisms.
Less concerning than cyberattacks but still an economic and operations risk for organizations are service outages that can arise when digital certificates expire. An expired certificate led to a temporary outage with the Microsoft Teams online service last year, which affected millions of users. And a backlog of 30,000 lab test results in California’s Covid-19 reporting system last summer was attributed to an expired digital certificate in a government server.
Costs from these types of attacks are not insignificant. A report released last year by research firm Air Worldwide found that unprotected machine identities caused global economic losses of between $51 billion and $72 billion a year.
Machine identity management should be a part of every organization's security program. A good place to start is to get visibility into the use of machine identities — like TLS digital certificates, which easily expire. Then, with the intelligence gained from visibility, move to automate the entire lifecycle of machine identities to establish strong authentication. There are services that provide visibility into the machine identity infrastructure and that automate these processes. Throughout, developers are critical since their applications rely on machine identities. Ultimately, machine identity management is about providing the fastest and easiest way for developers to use machine identities while maintaining security.
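As an added example that is not part of the original article, the visibility step described above can begin with an expiry check over the certificates an inventory has gathered: the Go program below parses each PEM-encoded certificate and classifies it as expired, expiring within a warning window, or fine. The host names and the self-signed certificates are constructed stand-ins for certificates collected from real machines.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Classify reports a PEM certificate's status at time now ("EXPIRED", "EXPIRING_SOON" when fewer than warnDays remain, or "OK") plus its subject CN.
func Classify(pemBytes []byte, now time.Time, warnDays int) (string, string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", "", fmt.Errorf("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", "", err
	}
	switch left := cert.NotAfter.Sub(now); {
	case left < 0:
		return "EXPIRED", cert.Subject.CommonName, nil
	case left < time.Duration(warnDays)*24*time.Hour:
		return "EXPIRING_SOON", cert.Subject.CommonName, nil
	}
	return "OK", cert.Subject.CommonName, nil
}

// SelfSignedPEM builds a constructed self-signed certificate with the given validity window; it stands in for certificates collected from real hosts.
func SelfSignedPEM(cn string, notBefore, notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now := time.Now()
	// Constructed inventory: hypothetical host names mapped to days until NotAfter.
	for cn, days := range map[string]int{"expired.example.internal": -1, "renew.example.internal": 10, "fine.example.internal": 300} {
		pemCert := SelfSignedPEM(cn, now.Add(-48*time.Hour), now.Add(time.Duration(days)*24*time.Hour))
		status, _, _ := Classify(pemCert, now, 30)
		fmt.Printf("%-26s %s\n", cn, status)
	}
}
```

Feeding Classify certificates exported from real hosts (for example, the leaf certificate from a TLS handshake) turns the same check into a recurring report of what must be renewed before it causes an outage.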
Most organizations understand their security exposures related to standard network attacks, email phishing, application vulnerabilities and identity access controls, but the emergence of machine identities and the risks they pose are not on their radar. Attackers who are blocked by strong defenses in other areas are exploiting exposures from mismanaged machine identities to abuse the trust these systems are designed to provide, in order to steal data, conduct espionage and spread malware.