The importance of machine identities and non-person entities (or non-human identities) in the enterprise is often overlooked.
Machine identities govern the confidentiality and integrity of information [flow] between machines. To establish their unique identities, machines use keys and certificates, similar to people’s use of usernames and passwords (source: Venafi).
Automation is being used to drive optimization and scalability, among other benefits, and its prevalence in the IT space and in enterprises in general, from cloud providers to cloud-native platforms, has grown. It is here to stay: from factory floors and connected cars to cloud and application delivery, across cloud, on-prem and hybrid environments.
The need for an identity-centric approach
An identity-centric approach is vital to the organization’s security strategy.
From an identity security perspective, machine identities are often harder to tackle than human identities and the non-human accounts owned and controlled by individuals in an organization (service and application accounts). This is primarily due to the lack of visibility of the identities involved across all environments, and to the perception that machine identities and their use are less exposed to attacks, hacking and/or abuse.
However, machines and systems need to communicate. Implicit, residual trust therefore exists between them, and it frequently remains in place if proper controls do not exist or are not enforced, regardless of what an organization’s zero-trust agenda mandates.
Organizations driven by Operational Technology (OT) and the Internet of Things (IoT), for example those operating at the edge or leveraging edge-related services (from vending machines to organizations that natively operate a highly distributed infrastructure: global manufacturers, telcos, media companies, the energy sector, etc.), are seeing this first-hand.
Frameworks like SPIFFE, which acts as a universal identity control plane for distributed systems, and related initiatives have made great strides towards automating and securing distributed infrastructures, starting with identities and providing a secure identity to every workload.
From a workload perspective, and to offer practical examples of how to approach zero trust, several workload areas are defined below.
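The two preceding paragraphs make a concrete point: residual trust between workloads goes away only when every peer presents a validated identity and a policy says explicitly which peers may talk. The example below is added here to illustrate that; it is not code from the article, from the working group, or from the SPIFFE project. The identity grammar it enforces (spiffe://<trust-domain>/<path>, lowercase trust domain, no empty, "." or ".." path segments, no query or fragment) follows the SPIFFE ID specification, while the workload names and the policy table are constructed for this example.

```python
"""Added example (not from the original article): validate workload identities in
the SPIFFE ID format and authorize workload-to-workload calls against an explicit
policy, so nothing is trusted by default, including peers from other trust domains.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Trust domains are lowercase; path segments may also carry uppercase letters.
_TRUST_DOMAIN_RE = re.compile(r"[a-z0-9._-]+")
_PATH_SEGMENT_RE = re.compile(r"[A-Za-z0-9._-]+")


@dataclass(frozen=True)
class SpiffeId:
    trust_domain: str
    path: str  # always starts with "/" for a workload identity

    def __str__(self) -> str:
        return f"spiffe://{self.trust_domain}{self.path}"


def parse_spiffe_id(raw: str) -> SpiffeId:
    """Parse and validate a workload SPIFFE ID, raising ValueError on anything the
    grammar does not allow. A bare trust-domain ID with no path is rejected too,
    because this example only deals with workload identities (a design choice here)."""
    if not raw.startswith("spiffe://"):
        raise ValueError("scheme must be spiffe://")
    if "?" in raw or "#" in raw or "%" in raw:
        raise ValueError("query, fragment and percent-encoding are not allowed")
    trust_domain, slash, path = raw[len("spiffe://"):].partition("/")
    if not _TRUST_DOMAIN_RE.fullmatch(trust_domain):
        raise ValueError(f"invalid trust domain: {trust_domain!r}")
    if not slash or not path:
        raise ValueError("workload ID needs a non-empty path")
    for segment in path.split("/"):
        # An empty segment also catches "//" inside the path and a trailing "/".
        if segment in ("", ".", "..") or not _PATH_SEGMENT_RE.fullmatch(segment):
            raise ValueError(f"invalid path segment: {segment!r}")
    return SpiffeId(trust_domain, "/" + path)


# Constructed policy: which caller may reach which callee. Any pair not listed is
# denied, so a peer from another trust domain is reachable only when federation
# was an explicit decision, not residual trust.
POLICY: Dict[str, FrozenSet[str]] = {
    "spiffe://example.org/ns/prod/sa/web": frozenset({
        "spiffe://example.org/ns/prod/sa/api",
    }),
    "spiffe://example.org/ns/prod/sa/api": frozenset({
        "spiffe://example.org/ns/prod/sa/db",
        "spiffe://partner.example/ns/billing/sa/invoice",  # explicitly federated peer
    }),
}


def authorize(caller: str, callee: str,
              policy: Dict[str, FrozenSet[str]] = POLICY) -> Tuple[bool, str]:
    """Decide whether `caller` may open a connection to `callee`. Both identities
    are validated first: a malformed identity is denied, never treated as
    "unknown but harmless"."""
    try:
        c = parse_spiffe_id(caller)
        s = parse_spiffe_id(callee)
    except ValueError as exc:
        return False, f"deny: malformed identity ({exc})"
    if str(s) in policy.get(str(c), frozenset()):
        return True, "allow: policy match"
    if c.trust_domain != s.trust_domain:
        return False, "deny: cross-trust-domain call not in policy"
    return False, "deny: no policy entry for this pair"


if __name__ == "__main__":
    web = "spiffe://example.org/ns/prod/sa/web"
    api = "spiffe://example.org/ns/prod/sa/api"
    for pair in [(web, api), (api, web),
                 (api, "spiffe://partner.example/ns/billing/sa/invoice"),
                 ("spiffe://Example.org/ns/prod/sa/web", api)]:
        print(pair[0], "->", pair[1], authorize(*pair))
```

The policy here is a plain dictionary keyed by the caller's identity; in a real deployment the same check would sit behind the mutual TLS handshake that SPIFFE-issued certificates make possible, with the peer's SPIFFE ID taken from the certificate rather than passed in as a string.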
Workforce Context – pertains to securing and protecting all identities (IDs), physical and non-physical, throughout their lifecycle management. This is generally addressed in the IAM/CIAM space to resolve authentication (AuthN) and authorization (AuthZ) use cases. It should be noted that AuthZ is typically done at a coarse level for human IDs; applications are usually designed to address the granular level of authorization. Machine IDs are often overlooked as they relate to visibility, what capabilities/functions these IDs provide, and who owns them. Lately, organizations have leveraged privileged access security (PAS) platforms to implement controls, address audit and compliance issues associated with privileged IDs, and protect these identities.
Workload and [IDSA’s] Compute Context – pertains to applications and integrations (applications, platforms, cloud interop, etc.). Machine IDs are prevalent in these environments (e.g. every hyperscaler/cloud provider leverages machine identities to streamline operations and automation). Examples of this type of automation range from scaling horizontally, i.e. adding more systems when the workload increases (e.g. web stores scaling up during high-demand shopping seasons), to scaling down, failing over or rebuilding systems to a known-good working state in case of failure (e.g. restoring service after ransomware attacks). The automation and use of non-person entities in general (service accounts, application accounts, etc.), and of machine IDs in particular, to provide services faster and at scale creates blind spots in organizations. This is especially prevalent when machine ID sprawl, visibility and ownership are not considered.
One example is the automotive industry, which has made good progress in this area, as the number of attack vectors in connected cars, and in the automotive industry in general, is significant. At a minimum, drivers’ and passengers’ safety is at risk. Setting up guidelines and standards to prevent loss [of life] while allowing connectivity and interoperability and delivering services securely therefore becomes critical.
A good practical example is ISO/SAE 21434, which sets up the cybersecurity standard for connected cars. It addresses the challenges associated with cybersecurity, interoperability and connected devices and systems by providing a set of guidelines to secure high-level processes in connected cars.
Workspace Context – Machine IDs and NPEs in general are used throughout networks, the data tier, automation platforms and devices, including IoT and OT environments.
Mitigation and prevention
A number of steps and best practices are vital to mitigating the risks related to NPEs. Start with the foundational elements:
- Inventory IDs and ensure the organization has an Authoritative Identity Source. Identities’ uniqueness is important and should be considered when addressing the identity security strategy.
- Ensure visibility into the ITC (IT & Communication), OT and IoT infrastructures and related environments. From an attack-surface perspective, SCADA is the most exposed area, and one where identity security is traditionally overlooked, leaving it overly exposed to security breaches.
- Assess and understand [IDs and data] exposure, and prioritize investments considering the technical impact on the business and the regulatory risks for the organization.
- Bridge gaps with flexible and modular technologies to allow growth and adoption, while enabling the business to operate continuously and recover quickly when breaches and attacks occur.
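The four foundational steps above (inventory and an authoritative source, visibility across IT, OT and IoT, exposure-based prioritization) can be turned into a repeatable check. The example below is added here to show what that looks like; it is not code from the article or from the working group. The record fields, the environment weights (OT highest, per the SCADA remark above), the 30-day expiry window, the 90-day staleness threshold and all sample records are assumptions constructed for this example.

```python
"""Added example, not from the original article: assess a constructed inventory of
machine identities for missing owners, expiry, staleness and duplicate entries
across systems of record, and rank the findings by exposure.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Constructed weighting: the text singles out OT/SCADA as the most exposed area,
# so OT records count for more, followed by IoT, then IT; privileged IDs add more.
ENV_WEIGHT: Dict[str, int] = {"OT": 3, "IoT": 2, "IT": 1}
PRIVILEGED_WEIGHT = 2


@dataclass
class MachineIdentity:
    name: str
    kind: str                  # "certificate", "service-account", "api-key"
    source: str                # system of record the entry was pulled from
    environment: str           # "IT", "OT" or "IoT"
    owner: Optional[str]       # None when nobody is on record as owning it
    expires: Optional[date]    # None for credentials that never expire
    last_used: Optional[date]  # None when no usage has ever been observed
    privileged: bool = False


@dataclass
class Finding:
    identity: str
    source: str
    issues: List[str] = field(default_factory=list)
    score: int = 0


def assess(inventory: List[MachineIdentity], today: date,
           expiry_window_days: int = 30, stale_days: int = 90) -> List[Finding]:
    """Return one Finding per record with at least one issue, highest score first.
    Score = environment weight (+ privileged weight) + number of issues, so an
    ownerless, expiring OT credential sorts above a merely stale IT service account."""
    sources_by_name: Dict[str, Set[str]] = {}
    for ident in inventory:
        sources_by_name.setdefault(ident.name, set()).add(ident.source)

    findings: List[Finding] = []
    for ident in inventory:
        issues: List[str] = []
        if not ident.owner:
            issues.append("no owner")
        if ident.expires is not None:
            if ident.expires < today:
                issues.append("expired")
            elif ident.expires - today <= timedelta(days=expiry_window_days):
                issues.append("expires within window")
        if ident.last_used is None:
            issues.append("never seen in use")
        elif today - ident.last_used > timedelta(days=stale_days):
            issues.append("stale")
        # The same name held by more than one system of record means there is no
        # single authoritative entry for this identity: uniqueness is unresolved.
        if len(sources_by_name[ident.name]) > 1:
            issues.append("duplicate across sources")
        if issues:
            base = ENV_WEIGHT.get(ident.environment, 1)
            base += PRIVILEGED_WEIGHT if ident.privileged else 0
            findings.append(Finding(ident.name, ident.source, issues, base + len(issues)))
    findings.sort(key=lambda f: (-f.score, f.identity, f.source))
    return findings


def issue_counts(findings: List[Finding]) -> Counter:
    """Aggregate view for reporting: how many records carry each issue."""
    return Counter(issue for f in findings for issue in f.issues)


def build_sample_inventory(today: date) -> List[MachineIdentity]:
    """Constructed sample records (no real systems), dated relative to `today`."""
    def day(offset: int) -> date:
        return today + timedelta(days=offset)
    return [
        MachineIdentity("plc-gateway-01", "certificate", "PKI", "OT", None, day(10), day(-1), privileged=True),
        MachineIdentity("plc-gateway-01", "certificate", "CMDB", "OT", "ot-team", day(10), day(-1), privileged=True),
        MachineIdentity("ci-deploy-bot", "service-account", "cloud-IAM", "IT", "platform-team", None, day(-200)),
        MachineIdentity("vending-telemetry-key", "api-key", "iot-platform", "IoT", None, day(-5), None),
        MachineIdentity("web-frontend-tls", "certificate", "PKI", "IT", "web-team", day(300), day(-1)),
    ]


if __name__ == "__main__":
    today = date.today()
    findings = assess(build_sample_inventory(today), today)
    for f in findings:
        print(f"{f.score:2d}  {f.identity:<24} {f.source:<13} {', '.join(f.issues)}")
    print(issue_counts(findings))
```

In practice the inventory would be pulled from the PKI, the cloud IAM service, the CMDB and the OT asset register rather than built in code, and the ranking is only a starting point for prioritizing investment: the weights encode the organization's own view of technical and regulatory impact and should be adjusted accordingly.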
Preventative measures are critical, but with more organizations using OT and IoT security capabilities and software, prevention alone is no longer an option. Without an incident response strategy, organizations focused solely on prevention lack the capabilities needed to respond to and recover from attacks, and have blind spots in their security strategy.
Knowing how the organization responds to incidents and breaches, and what role machine IDs and NPEs play in that response, is critical for today’s increasingly digitized businesses and the current digital world. Mitigation and prevention measures, coupled with a solid response plan, are the best way to minimize the impact of the issues that will inevitably occur while doing business.
Increasing visibility and eliminating blind spots is critical for the future
OT- and IoT-driven environments are particularly prone to attacks, which can have substantial financial and supply [chain] implications, in addition to the reputational damage that typically follows an incident (e.g. ransomware or hacking). Recent attacks on critical infrastructure, such as Colonial Pipeline, demonstrate the widespread impact of such attacks.
Because of these factors, Lloyd’s will start declining cyber insurance coverage for state-sponsored attacks in 2023, and other insurers are likely to follow suit. Cyber-attack exclusions and cyber protection incentives are becoming the norm.
So what can we learn from this? The takeaway is that a well-rounded strategy, together with an understanding of where to start, which components to leverage, and how embarking on a zero-trust journey benefits the organization, is crucial for the future. Beyond reducing and mitigating risks, it offers financial incentives and the benefits of a resilient, better-protected enterprise and overall digital ecosystem.
Increasing visibility and eliminating as many blind spots as possible to avoid business disruption provides the levers necessary to address new and existing cybersecurity challenges, while increasing the speed of delivering secure services in a manageable and predictable way.
About the Author: The Zero Trust Technical Working Group subcommittee was formed in July 2020. The team, led by Stefan Lesaru, includes Martin Kniffin, Amanda Rogerson, Paul Mezzera and Adam Creaney.