We recently spoke with Nathanael Coffing, co-founder and CSO of Cloudentity about identity management in the age of the cloud, and specifically the challenge of securing machine identities. Read more in this Q&A:
Why is lack of visibility and governance of machine identities increasing security risks?
Machine identities now outnumber human identities in business environments due to the rapidly growing number of APIs, IoT devices, bots and services in use today. Machine-to-machine communications have become the largest source of traffic as the requirement to share data between businesses via APIs, services and things continue to increase complexity and corresponding security risks. The identities of machines, APIs, services, things and bots must be unique, managed and protected by the enterprise, similar to employee and customer identity. Visibility and strong machine identity are mandatory in order to meet the zero-trust requirements and protect the evolving perimeter.
A recent example of compromised machine identity is the vulnerabilities that were found in the Linux TCP/IP stack, which put industrial control devices at risk of being hacked. In order to secure the enterprise when the traditional network perimeter no longer exists, you need full visibility and to be able to control who has access to every data element by authenticating everything in the transaction; the machine, the service, the user and dynamic authorization to protect any data being communicated between machines.
How are identity and access management (IAM) strategies evolving to prioritize machine identities?
To address this increase in machine identities, security leaders must rethink the scale and breadth of their traditional identity and access management (IAM) strategies. WIth secure machine and service identity in place coupled with transactional authorization, cybersecurity remains airtight and controls risk and lateral movement when new APIs, devices and apps are introduced.
Historically, IAM has focused on human identities authenticating to access systems, software and apps on a business network. However, with the rise of containers, APIs and other technology, a secure IAM approach must utilize cryptographic certificates, keys and other digital secrets that protect connected systems and support an organization's underlying IT infrastructure.
How do you ensure workforce and resource shortages don’t prevent IT teams from properly addressing machine identities?
Automation is essential when addressing machine identities. IT and security teams need the right software tools, otherwise, there’s no way they’ll have the bandwidth to manage the thousands or millions of machines. Core to that functionality is the ability to discover known/unknown machines, services and APIs, classify those services and automatically add them into the Identity and Authorization ecosystem. There are four essential standards that companies need to scale: two are the well-known OpenID Connect protocol and advanced OAuth service. The other two are the Secure Production Identity Framework for Everyone (SPIFFE) and a declarative policy language like Rego provides service identity and rich authorization policies to protect the data moving between machines.
Platforms that focus on Machine Identity and Authorization must provide authorization covering not just what a requester can do within the application but also whom the request was made on behalf of and consent controls to protect privacy as it moves between machines. The system discerns the “who, what, where, when, and why” and confirms that the owner has consented to the sharing of that data and the person requesting access isn’t a fraudster. Externalized Authorization & Automation saves development teams hours, even weeks, of backend work and allows apps to go to market faster, while also making sure that the product meets strict security and compliance standards.
How should enterprises prioritize cloud and Zero Trust strategies?
With the shift to cloud, Zero Trust is now the new security standard, in which all users, machines APIs and services, must be authenticated and authorized before being able to access apps and data. In the cloud, there is no longer a traditional security perimeter around the data center, so the service identity is the new perimeter.
In a Zero Trust model, you must authenticate all services, users and data separately and then authorize the data that flows between them. By placing access and data exchange enforcement as close to the service or API as possible, you can include Zero Trust controls for all decision points when signing in and accessing devices or apps that hold sensitive data. This prevents hackers from gaining unauthorized access and mitigates the risk of programmatic data leakage.