Why do we always separate credential management and machine identity management?
Mon, 14/03/2022 – 11:50
A fragmented identity management landscape
Before attempting to answer the above question, it is essential to understand that machine identities and human credentials are two important components of the overall Identity and Access Management (IAM) program. In a widely distributed business and IT environment, where identities are now the new perimeter to defend, controlling access to data is crucial.
Robust access control is also the cornerstone of a Zero Trust security approach, the strategy of trusting devices, workloads, and people in an untrusted environment. But there is no single solution for machine identities and human credentials. Even though most organizations invest heavily in protecting human credentials, many security vendors still offer different approaches to managing the keys and certificates that make up machine identities. And despite the relatively larger number of machines, the investment in machine identity management lags far behind that of human credential management.
The Thales Access Management Index 2021 report illustrates a highly fragmented landscape at the enterprise level. A third (33%) of respondents said they use at least three authentication access management tools. Coordinating so many systems can, at a minimum, create operational complexity, but it can also increase the risk of errors or misconfigurations creating security holes.
Managing machine identities is just as important as managing human credentials
Machine identities validate the authenticity of non-human entities connected to corporate networks. These entities can be tangible, such as IoT sensors and mobile devices, or abstract, such as containers and microservices. The prevalence of machine identities, combined with a general lack of understanding of how to protect them, has made them a target for cybercriminals, who misuse them as effective attack vectors to infiltrate corporate networks and exfiltrate data.
Research demonstrates that machine identities have become staples on the dark web and a key part of Crime-as-a-Service toolkits, especially for threat actors who lack the technical skills of a traditional attacker. They provide multiple ways for threat actors to infiltrate networks. For example, cybercriminals can exploit machine identities to evade detection by hiding in encrypted traffic. Impersonating a trusted machine to access sensitive data or to roam a network is usually an effective tactic for threat actors. It is therefore essential to prevent such attacks by investing in the protection of the identities of your machines.
On the other hand, weak user authentication exposes credentials to theft or compromise by attackers. The Verizon 2021 Data Breach Investigations Report (DBIR) indicates that credentials are the most sought-after asset in data breaches. The compromised credentials are then used to launch other attacks, such as privilege abuse and impersonation attacks to exfiltrate personal data.
A holistic identity management program
Organizations must advance their capabilities to deal with increasingly sophisticated adversaries. Improving machine identity management and access management is a critical part of moving organizations beyond perimeter-based security models and toward a Zero Trust approach.
The following points should be carefully considered when selecting identity management solutions:
- Provide clear visibility of all identities and credentials
The basis of any security program is the ability to identify all machine identities and user credentials. As organizations move away from passwords and increasingly rely on digital certificates and keys for machine and human identities, knowing your identity landscape will help you determine the best policies and practices to protect those credentials.
- Ensure integration
While you may rely on different vendors to manage your machine identities and user credentials, it’s important to ensure seamless integration of these solutions. Potential functionality gaps can lead to painful and complex configuration settings and security breaches, leaving your organization vulnerable to credential attacks.
- Control and govern the management program
Although cloud service providers have launched native identity and access management solutions, the best practice is to separate the duties and opt for a neutral solution. In the Thales AMI 2021 survey, 59% of respondents agree that organizations must maintain control over the security of their access.
- Protect cryptographic keys
Machine identities and user credentials are only effective if the associated keys are protected. It is good practice to use a FIPS-140-2 accredited hardware security module (HSM). HSMs act as trust anchors and provide great assurance that secret keys are protected from the prying eyes of an intruder.
- Automate management
As the number of identities held by organizations grows, manually managing those credentials is a recipe for disaster. Automation helps minimize effort and reduce errors, while enforcing access policies across the enterprise.
Is your machine identity management integrated into your identity and access management strategy?
Guest blogger: Anastasios Arampatzis
Over the past two years, businesses have become increasingly digitized and interconnected. Remote work and the migration to the cloud have created new standards and new business models. Although technology has created new opportunities, new security challenges have emerged.
Organizations are moving from perimeter-based security to an identity-based approach. Machine identities and human credentials now work together to protect an organization’s most valuable asset: data. Shouldn’t credential management and machine identity management solutions also work together?
*** This is a syndicated blog from the Security Bloggers Network of the Rss blog written by brooke.crothers. Read the original post at: https://www.venafi.com/blog/why-are-we-still-separating-credential-management-and-machine-identity-management