60% Of Organizations Yet To Implement a Machine Identity Management Strategy: Keyfactor

essidsolutions

Machine Identity Management (MIM) strategies enable organizations to maintain visibility over credentials and keys used to secure access to machines, and to govern, manage, and automate machine credentials. However, a proliferation of machines, including IoT devices, connected to IT networks and a shortage of skilled IT security workers are acting as stumbling blocks to enabling such strategies. A Keyfactor study shows only 40% of organizations have organization-wide MIM and cryptography strategies in place.

Organizations are at a severe disadvantage when managing and protecting their digital infrastructure, a new report by Keyfactor and Ponemon Institute has found. Through the 2021 State of Machine Identity Management report, the Ohio-based provider of digital identity management solutions revealed that there is a significant gap in the planning and implementation of appropriate digital safeguards by enterprises to manage machine identities, keys, and certificates.

Machine Identity Management (MIM) requires an organization to define and govern digital identities like keys and certificates associated with machines. Such machines include workloads, applications, containers, IoT, and other devices besides conventional machines. According to Gartner, MIM “encompasses a number of technologies, that today remain mostly siloed (i.e., X.509 certificate management, SSH key management, as well as secrets and other crypto-key management).”

To delve deeper into the labyrinth of Machine Identity Management, Toolbox spoke with Chris Hickman, chief security officer at Keyfactor. Hickman said that, so far, most organizations have relied on disparate toolsets, homegrown solutions, and manual spreadsheets to manage and keep track of their machine identities. However, he warns that “these methods quickly fall apart at scale, and far too many have fallen victim to outages, breaches and audit failures as a result.”

MIM is a relatively recent concept. Gartner introduced it to more accurately reflect and account for the proliferation of cryptographic keys and certificates used to establish trusted connections with IoT devices and virtual machines. Machines use these cryptographic keys, certificates, and secrets to authenticate and communicate securely, much like usernames and passwords that we rely on to access applications and devices.

Internet-connected devices are witnessing an extraordinary boom in numbers, thanks to the push for digital transformation. The shift to cloud computing has multiplied the sheer volume of machine identities many times over, with the increasing use of virtual machines (VMs), containers, and infrastructure as code. And as companies shifted to remote-first strategies virtually overnight owing to the onset of the COVID-19 pandemic last year, the need for remote access and cloud-based applications skyrocketed.

Certificate-based authentication became critical to enable this increased level of connectivity, including remote VPN access, multi-factor authentication (MFA), and device authentication. However, the COVID-19 pandemic forced IT and security teams to work remotely, making the task of managing keys, certificates, and public key infrastructure (PKI) much more challenging.

According to Keyfactor, machine identities are one of the most poorly-protected components of IT systems and networks. “Most companies invest millions into managing human identities, using tools such as multi-factor authentication (MFA), single sign-on (SSO) and password management. Despite the fact that machines outnumber humans by more than three to one, machine identities are often overlooked in enterprise identity and access management (IAM) strategies,” said Hickman.

Keyfactor and Ponemon Institute’s study found that 40% of organizations surveyed have an organization-wide MIM and cryptography strategy, which means there is a lot of room for improvement. The remaining 60% of organizations have limited (42%) or no strategy (18%) in place to govern machine identities.

The survey also found that over half (53%) of organizations do not have an accurate inventory of SSH keys and have no centralized management of SSH credentials such as passwords, keys, and certificates. 44% of them also rely on CA vendor-provided tools, 40% rely on spreadsheets, and 33% leverage in-house solutions to manage digital certificates.

“Machine identities (e.g., TLS certificates, SSH keys, code signing keys, etc.) are increasingly the target of attackers that seek to impersonate trust and infiltrate software supply chains and enterprise networks. Mismanaged machine identities lead to costly application outages, audit failures or worse, a serious security breach,” Keyfactor said.

Keyfactor’s report also states that 55% of respondents said their organizations have a shortage of IT security workers dedicated to public key infrastructure (PKI) management. As a result, 88% of organizations experienced at least one unplanned outage in the past 24 months due to expired certificates, while 41% said they faced four or more outages. Organizations also suffered five audit failures and compliance incidents on average in the past 24 months.

Challenges in Implementing MIM

The biggest challenges to implementing centralized Machine Identity Management strategies by organizations are constant changes in technology and a lack of skilled employees.

Data Source: Keyfactor, Ponemon Institute

Why MIM is Critical

Data from the report underscores the importance of MIM strategies. A judiciously implemented MIM strategy that handles the discovery, management, and automation of machine credentials can not only alleviate the pain points of managing machine identities but also protect the organization from external threats seeking to exploit machine-level errors.

With this in mind, Hickman lays out four key areas that can be addressed through MIM. They are:

  • Visibility: Gives organizations the ability to keep track of all keys and certificates in use, whom they belong to, which policies they comply with, and when they expire.
  • Governance: Ensures consistent policy and oversight over how digital identities for machines are issued, who has access to them, when to rotate or renew them, and so on.
  • Protection: The right MIM strategy will provide privacy and protection against externally driven compromises.
  • Automation: Reduces human effort, eliminates errors, and shortens the time to execute tasks such as handling the lifecycle of certificates (from servicing requests to issuance and installation, and eventually revocation or renewal).
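The Visibility item above, and the expired-certificate outages the report counts, come down to an inventory that knows who each certificate belongs to, who issued it, and when it expires. The following is an added example of that check, written here in Go with only the standard library; it is not Keyfactor's code or anything from the report. It parses a PEM bundle, skips non-certificate blocks, and flags certificates that are expired or inside a warning window. The hostnames and the makeTestCert helper are constructed sample input.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)
// Finding is one inventory row: who the certificate belongs to, who issued it, and its expiry status.
type Finding struct {
	Subject, Issuer   string
	NotAfter          time.Time
	DaysLeft          int
	Expired, Expiring bool // past NotAfter at the reference time / still valid but inside the warning window
}
// InventoryPEM parses every CERTIFICATE block in a PEM bundle and reports its status relative to now.
func InventoryPEM(bundle []byte, now time.Time, warn time.Duration) ([]Finding, error) {
	var out []Finding
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // bundles often also hold private keys; only certificates are inventoried
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		left := cert.NotAfter.Sub(now)
		out = append(out, Finding{Subject: cert.Subject.CommonName, Issuer: cert.Issuer.CommonName,
			NotAfter: cert.NotAfter, DaysLeft: int(left.Hours() / 24),
			Expired: left <= 0, Expiring: left > 0 && left <= warn})
	}
	return out, nil
}

// makeTestCert builds a constructed self-signed certificate used only as sample input (errors ignored on purpose).
func makeTestCert(cn string, notBefore, notAfter time.Time) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: notBefore, NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
func main() {
	now := time.Now()
	bundle := append(makeTestCert("api.example.test", now, now.Add(10*24*time.Hour)),
		makeTestCert("legacy.example.test", now.Add(-400*24*time.Hour), now.Add(-time.Hour))...)
	fmt.Println(InventoryPEM(bundle, now, 30*24*time.Hour))
}
```

In a real deployment the bundle would come from discovered endpoints or a certificate store, and the warning window would match the renewal lead time the governance policy sets.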

“The role of machine identity management is to handle the discovery, management, and automation of credentials used by machines. These solutions should also be designed to address the scale and complexity of modern IoT, application development (or DevOps) and multi-cloud use cases,” Hickman adds.

Keyfactor’s 2021 State of Machine Identity Management Report results from a study conducted by Ponemon Institute of over 1,162 respondents employed in IT security/InfoSec, engineering, IT operations and DevOps/DevSecOps, etc., across 12 industries in North America and EMEA.
