With companies shifting to the cloud, several new kinds of identities (APIs, bots, vendor accounts and so on) will need closer management. During your digital transformation, you will need to create identity-centric strategies to secure your hybrid environment while operating in sophisticated and complex IT ecosystems.
Traditionally, only human identities, such as those of employees, contractors and vendors, were defined. With the arrival of new technologies, you also need to treat robotic process automation (RPA) bots, service accounts, programmatic functions within IaaS/PaaS ecosystems and Internet of Things (IoT) devices as identities. These are the non-human identities that change how you need to create and manage access to information.
“The number of identities for people, things, services and robotic process automation bots keeps growing and the walls between identity domains are blurring Identity and Access Management architecture.”
- Gartner senior director Homan Farahmand
Many organizations still lack key identity-related security controls, and the few forward-thinking companies that have started securing their IAM architecture typically focus on just the human users. With ever-growing digital transformation, the number of non-human identities outweighs the number of human users. Non-human identities represent the majority of “users” in a lot of organizations, and such identities are often associated with privileged accounts. This is especially true in DevOps and cloud environments, where task automation plays a major role. These identities often pose a serious threat, since machines, IoT devices, service accounts and application identities are not always considered when establishing identity-centric security controls.
The main concern here is that the keys and certificates used for such identities could end up in the wrong hands. Malicious actors could then misuse those identities to inject themselves into encrypted communication channels, impersonate trusted services and gain access to highly classified data.
Compromised machine identities become powerful tools for attackers. They allow them to conceal hostile activity, dodge security controls and steal a wide range of classified data. Cybercriminals routinely target such non-human identities because they usually have privileged access and are often poorly understood and weakly protected.
The cyber security industry has spent decades architecting secure human identity systems to manage usernames and passwords. The recent addition of biometrics and multifactor authentication has enhanced the security of human identities. To stay competitive and fully secure highly classified organizational data, CIOs must put systems in place to secure the identities of machines. Unsecured non-human identities risk leaving businesses vulnerable to data theft.
“Attacks and vulnerabilities that leverage machine identities have grown by 478% the last 5 years and annual worldwide economic losses due to poor security of the non-human identities are predicted to reach $71.9 billion”
Need to protect non-human identities
Prevent non-human identity theft. Forged keys and certificates can give attackers access to confidential data by breaking into encrypted tunnels.
Keep up with the explosive growth of machines. Non-human identities represent the majority of “users” in a lot of organizations and are often associated with privileged accounts. Theft of such credentials leads to severe damage to the company’s reputation.
Secure cloud-driven machine proliferation. With the dynamic evolution of cloud services you need to be able to swiftly evaluate the credibility of machines, including the virtual machines, microservices, cloud workloads and containers.
Protect the identities of connected things. Millions of new device identities are now connected to the Internet, including sensors, industrial equipment and robots. You need to secure all of these identities to avoid vulnerabilities. Many of these devices transmit and store critical information over encrypted channels that are managed by non-human identities.
Interact safely with new types of machine identities. As machines become smarter, they are replacing humans in jobs that require reasoning, perception, logical thinking, memory and learning. Our rising dependence on smart machines makes it ever more important to validate and guard their identities.
Companies have lost millions of dollars because of TLS certificate-related outages, or have had data stolen because an unknown SSH key provided a persistent backdoor that cybercriminals used to penetrate the organization. This does not include the time and resources wasted when developers take precious time away from their core development activities to manage their non-human identities.
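One defensive control that the unknown-SSH-key scenario above calls for is a periodic inventory of the machine credentials actually present on a host, compared against the keys the organization has approved. As an added example that is not part of the original article, the Python script below parses an authorized_keys file, computes OpenSSH-style SHA256 fingerprints and reports any key that is absent from the approved inventory; the key material, host names and inventory entries are constructed placeholders, and option fields are assumed to contain no spaces.

```python
import base64
import hashlib
import struct

def ssh_blob(key_type: str, key_bytes: bytes) -> str:
    """Encode an OpenSSH public-key blob: string(key_type) || string(key_bytes), base64."""
    raw = (struct.pack(">I", len(key_type)) + key_type.encode()
           + struct.pack(">I", len(key_bytes)) + key_bytes)
    return base64.b64encode(raw).decode()

def fingerprint(b64_blob: str) -> str:
    """OpenSSH 'SHA256:' fingerprint: unpadded base64 of sha256(decoded blob)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str):
    """Yield (options, key_type, blob, comment); assumes no spaces inside option values."""
    for line in text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        # A line may begin with an options field (e.g. from="10.0.0.5",no-pty).
        offset = 0 if parts[0].startswith(("ssh-", "ecdsa-", "sk-")) else 1
        yield (parts[0] if offset else "", parts[offset], parts[offset + 1],
               " ".join(parts[offset + 2:]))

def audit(authorized_keys: str, inventory: dict) -> list:
    """Report every installed key whose fingerprint is not in the approved inventory."""
    findings = []
    for options, key_type, blob, comment in parse_authorized_keys(authorized_keys):
        fp = fingerprint(blob)
        if fp not in inventory:
            findings.append({"fingerprint": fp, "issue": "UNKNOWN_KEY",
                             "key_type": key_type, "comment": comment})
    return findings

# Constructed sample data: deterministic dummy key bytes, not real key material.
CI_KEY = ssh_blob("ssh-ed25519", bytes(range(32)))
BACKUP_KEY = ssh_blob("ssh-ed25519", bytes(range(32, 64)))
ROGUE_KEY = ssh_blob("ssh-ed25519", bytes(range(64, 96)))
INVENTORY = {fingerprint(CI_KEY): "ci-deploy-bot", fingerprint(BACKUP_KEY): "backup-agent"}
AUTHORIZED_KEYS = f"""# constructed authorized_keys for host build01
ssh-ed25519 {CI_KEY} ci-deploy@build01
from="10.0.0.5",no-pty ssh-ed25519 {BACKUP_KEY} backup@nas
ssh-ed25519 {ROGUE_KEY} admin@laptop
"""

if __name__ == "__main__":
    for f in audit(AUTHORIZED_KEYS, INVENTORY):
        print(f"{f['issue']:12} {f['fingerprint']} {f['comment']}")
```

Running the same audit against the approved inventory on every host on a schedule turns an "unknown SSH key" from a post-breach discovery into a routine alert.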