On Day 2 of Simplify PKI 2021, David Mahdi returned to give another cracking session, this time on machine identities. Machine identities are a concept he touched upon briefly in his previous session, Journey to a World-Class Crypto Center of Excellence (recapped separately), and in this session he gave a full account of machine identities, their impact on cybersecurity, and the practices for managing them. Let’s dive in.
Digital business is booming. For digital business to work, there has to be trust between the various digital components, and cryptography is fundamental in bringing that trust.
One of the crucial elements in building digital trust is Identity and Access Management (IAM). With the secure-identity requirements created by digital transformation, IAM is poised to be the next big thing: Gartner predicts the IAM market will grow from $11 billion today (2021) to $19 billion in 2024.
However, IAM has one major shortcoming: it is focused primarily on humans. IAM handles authentication, identity management, identity orchestration, digital signatures, access to private networks, and so on, only for humans. Modern identity decisions, meanwhile, sit at the intersection of various business units and teams, such as DevOps, Cloud, Security, IAM, and Infrastructure and Operations (I&O).
This approach may have been adequate years ago, when humans had complete control over networks. However, with identity becoming the new perimeter, that is no longer the case. IAM has a major missing piece, and that is machine identities: they are nowhere in the picture, even in the current state of digital business.
Gartner describes IAM in terms of five pillars: four technology pillars, namely Identity Governance and Administration (IGA), Privileged Access Management (PAM), Authentication, and Access Management, and, at the core of those four, IAM Program Management, which deals with the people and processes part.
But, where do machine identities fit in these pillars?
As Mahdi says, they fit in everywhere. They are an elemental part of each IAM pillar. And not just IAM – machine identities are present in almost every facet of cybersecurity, such as Zero Trust security, and also in fast-growing areas outside of cybersecurity, such as Robotic Process Automation (RPA). However, according to Gartner’s research over the years, Machine Identity Management as a market is nowhere near as mature as IAM; in fact, it’s still relatively new.
Why do we need Machine Identity Management?
To enable Zero Trust
Zero Trust doesn’t mean you don’t trust anything; it means you trust something only when you recognize it as a part of your trust network. Machine identities help establish this trust. When you use your personal device to access your company’s resources, the company’s network has to trust your device to let it in. This trust is bestowed upon the device by provisioning a certificate on it. The next time your device requests access, the company checks the certificate on it, authenticates it, and authorizes the device.
To collaborate with DevOps
Developers need certificates to code-sign their software and to identify container workloads, and they need identities for supervised and unsupervised bots in RPA. In RPA, bots interact with each other to accomplish a task, after which they vanish and a new set of bots is created. Careful identity management is required to establish and maintain trust in such dynamic environments.
Machine-to-machine interactions now far exceed human-to-machine interactions, which is why the emphasis needs to shift to managing identities, data, and contacts. This further substantiates the earlier statement that identities are the new perimeter. All of Gartner’s research in this space points to the fact that machine identity management is essential in 2021 and beyond.
But first, what are Machine Identities?
To define what machine identities are, let’s compare them to the familiar human identities. Human identities can be defined by roles, such as employees, partners, customers, vendors, and consultants. Likewise, machine identities could be workloads, such as containers, virtual machines, applications, and services, or devices, such as mobile devices, IoT/OT devices, desktops, and computers.
Identities could also lie somewhere between humans and machines, such as bots. A supervised bot could be the clone of a human, acting as a proxy and handling the repeatable tasks that a human would normally do. In this case, the bot is more of a human identity, or a derived version of a human identity. An unsupervised bot would be a machine. An example of an unsupervised bot is a chatbot, which gets created as soon as a customer opens the chat pop-up. The chatbot is configured to handle all the interactions on its own, and it needs to be authenticated to access other machines in order to fetch data and present it to the customer. For this authentication, the chatbot needs an identity, which is not a smartcard, an OTP, or a token. The identity in this case is usually a certificate or a key, created as soon as the chatbot is instantiated.
In such dynamic environments, machines and their identities can number in the thousands, or even hundreds of thousands. Spreadsheets are no longer a viable option for managing this volume of identities. Organizations need automation if they are to manage machine identities efficiently.
The Identity Lifecycle
Every identity, human or machine, goes through a lifecycle. Let’s take a look at the human identity lifecycle. Say you’re opening a new bank account. The first stage in the identity lifecycle is on-boarding, or identity affirmation. This is the stage where you submit your proofs of identity, such as your driver’s license, social security number, etc. Once the bank does a background check and affirms your identity, it registers you as a user.
The next stage is ongoing access, or user authentication. Now, every time you need to access your account, you enter the username and password that you created during on-boarding, or get authenticated through an OTP sent to your registered mobile number or email address, or even through the biometric authentication on your mobile device.
Finally, we have identity recovery. This isn’t strictly a stage, but rather an event contingent on the user forgetting the password or losing the authenticated device. This is where password resets happen. Fraud detection is another aspect of this stage, where the app makes sure a malicious bot isn’t trying to access your account, or that your account hasn’t been hacked.
Machine identities, too, go through a similar lifecycle. First, the machines are discovered – which part of the network they’re in, their type (server or client), etc. Then their identities, such as keys and certificates, are generated. Again, how generation happens varies with the type of deployment. Keys could be generated on-prem and pushed to the cloud, or they could follow a BYOK (bring your own key) approach, or they could be generated in one cloud and used in another in multi-cloud deployments.
Next comes distribution. This is the stage where the generated identities are stored in a secure place, called the trust anchor. This could be a secure vault on laptops and mobile devices, or a hardware or software security module.
Following distribution are rotation and revocation. An identity cannot be used forever, because that leaves it exposed to compromise. It has to be renewed, or destroyed and regenerated. A case in point is the unsupervised chatbot example we saw earlier. Chatbots are ephemeral – they get instantiated when the user clicks the chat pop-up, they handle a session, and they die away. When they vanish, the identities associated with them need to be destroyed.
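The certificate check from the Zero Trust section above (recognize a device only if its certificate chains to your own trust anchor) and the generate, expire, rotate and revoke stages of this section, walked through as an added example written for this recap; it is not code from the session, from Gartner or from any vendor. It uses only Go's standard library. The CA name "Example Corp Device CA", the bot name "chatbot-0042.example.internal", the serial numbers and the fixed clock are all constructed for the illustration, and the in-memory revocation list stands in for a CRL or OCSP responder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// identity pairs a certificate with the private key it was issued for.
type identity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// makeCert is the "generate" stage: a fresh P-256 key pair and a certificate
// for it that is valid only for ttl. With parent == nil the certificate is
// self-signed (a CA acting as trust anchor); otherwise it is a
// client-authentication leaf signed by parent.
func makeCert(name string, serial int64, now time.Time, ttl time.Duration, parent *identity) (identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return identity{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(ttl),
	}
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return identity{}, err
	}
	cert, err := x509.ParseCertificate(der)
	return identity{cert, key}, err
}

// Revoked is a toy in-memory revocation list keyed by serial number; a real
// deployment publishes a CRL or answers OCSP instead.
type Revoked map[string]bool

// admit is the gate applied when a machine presents its certificate: it must
// chain to our trust anchor, be inside its validity window at time now, be
// marked for client authentication, and not be revoked.
func admit(anchor *x509.Certificate, revoked Revoked, presented *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return fmt.Errorf("chain or validity check failed: %w", err)
	}
	if revoked[presented.SerialNumber.String()] {
		return fmt.Errorf("serial %s has been revoked", presented.SerialNumber)
	}
	return nil
}

// must stops the walkthrough on the first setup error.
func must(id identity, err error) identity {
	if err != nil {
		panic(err)
	}
	return id
}

// Outcome records each admission decision (true means admitted).
type Outcome struct{ Fresh, Expired, Rotated, Revoked, ForeignCA bool }

// RunLifecycle walks one ephemeral chatbot identity through generate, use,
// expiry, rotation and revocation, then tries a certificate from a CA outside
// the trust network. The clock is fixed so the outcome is deterministic.
func RunLifecycle() Outcome {
	var out Outcome
	t0 := time.Date(2021, 6, 1, 9, 0, 0, 0, time.UTC)
	const bot = "chatbot-0042.example.internal" // assumed name, not from the session
	ca := must(makeCert("Example Corp Device CA", 1, t0, 365*24*time.Hour, nil))
	revoked := Revoked{}
	// Generate: minted when the chat session starts, 10 minute lifetime because the bot is short-lived.
	c1 := must(makeCert(bot, 1001, t0, 10*time.Minute, &ca))
	out.Fresh = admit(ca.cert, revoked, c1.cert, t0.Add(time.Minute)) == nil
	// Expiry: the same certificate presented after its window has closed.
	out.Expired = admit(ca.cert, revoked, c1.cert, t0.Add(30*time.Minute)) == nil
	// Rotate: regenerate rather than extend, with a new key and a new serial.
	t1 := t0.Add(30 * time.Minute)
	c2 := must(makeCert(bot, 1002, t1, 10*time.Minute, &ca))
	out.Rotated = admit(ca.cert, revoked, c2.cert, t1.Add(time.Minute)) == nil
	// Revoke: the session ended, so the identity is destroyed while still inside its validity window.
	revoked[c2.cert.SerialNumber.String()] = true
	out.Revoked = admit(ca.cert, revoked, c2.cert, t1.Add(2*time.Minute)) == nil
	// Zero Trust: a well-formed certificate from a CA outside the trust network is not recognized.
	other := must(makeCert("Unrelated CA", 1, t0, time.Hour, nil))
	foreign := must(makeCert(bot, 7, t0, time.Hour, &other))
	out.ForeignCA = admit(ca.cert, revoked, foreign.cert, t0.Add(time.Minute)) == nil
	return out
}

func main() {
	fmt.Printf("%+v\n", RunLifecycle())
}
```

Only the fresh and the rotated certificates are admitted; the expired one, the revoked one and the one from the unrelated CA are all refused. Note that revocation is the one check the certificate itself cannot carry, which is why it needs a source of truth of its own (here a map, in production a CRL or OCSP) and why destroying an ephemeral bot's identity must be an explicit lifecycle step rather than something left to expiry.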
There are numerous technologies in the identity space, such as HSM (which is the base technology that generates and stores keys), PAM, Key Management Systems (KMS), PKI and Certificate Management Systems, Secrets Managers, Secure Shell (SSH), etc. Most of these are interrelated and interdependent – they deal with the same set of identities for different purposes. Here, we see a convergence of these technologies, and having them integrated with one another helps an organization attain high levels of cryptographic maturity.
The Cybersecurity Mesh
Converging technologies doesn’t mean buying a new product – it means having a security roadmap and investing in products that help you achieve that common goal. The way to go about this is to break down existing silos between teams and technologies, and create a cybersecurity fabric that spans your devices, technologies, business units, and deployments. The cybersecurity mesh should be programmable – teams just have to declare their intent and the mesh delivers the desired result, such as trust scores and policy compliance levels. A cybersecurity mesh approach helps organizations become more crypto-agile, empowering them to adjust, adapt, and change faster.