We're Not Protecting Machine Identities

A study finds organizations spend millions on personal identity, but virtually nothing on protecting machine identity.

Ninety-six percent of companies believe in effectively shielding machine and human identities, but 80% of them struggle with important machine ID protection, according to a Forrester Consulting study for Venafi.

The Salt Lake City-based cybersecurity provider commissioned the June 2018 study, “Securing The Enterprise With Machine Identity Protection,” which included responses from 350 senior IT security professionals in the U.S., U.K., Germany, France and Australia who are responsible for their organizations’ identity and access management; 26% were from financial services.

“It is shocking that so many companies don’t understand the importance of protecting their machine identities. We spend billions of dollars protecting user names and passwords but almost nothing protecting the keys and certificates that machines use to identify and authenticate themselves,” Venafi CEO Jeff Hudson explained. Hudson added, “The number of machines on enterprise networks is skyrocketing and most organizations haven’t invested in the intelligence or automation necessary to protect these critical security assets. The bad guys know this, and they are targeting them because they are incredibly valuable assets across a wide range of cyberattacks.”

Key findings from the study revealed that almost all responding companies believed effective protection of machine identities and of human identities are equally important to the long-term security and viability of their companies. However, eight out of 10 respondents struggle with delivering important machine ID protection capabilities.

“Managing user and machine identities and privileged access to business data and applications is an enormous undertaking that has serious security ramifications,” the Venafi report suggested. Traditionally, the emphasis for identity and access management programs has been people-centric, but recent increases in the number of machines on enterprise networks, shifts in technology and new computing capabilities have created a set of challenges that require increased focus on protecting machine identities.

Additional findings from the study revealed that nearly half, 47%, believed protecting machine identities and human identities will be equally important to their organizations over the next 12-24 months, while 43% think machine identity protection will be more important. Meanwhile, 61% said their biggest concern regarding poor machine identity protection management is internal data theft or loss.

Seventy percent admitted they are tracking fewer than half of the most common types of machine identities found on their networks. When asked which specific machine identities they track, 56% said cloud-platform instance machine identities; 49% each said mobile device machine identities and physical server machine identities; 29% said Secure Shell (SSH) keys (SSH provides administrators with a secure way to access a remote computer); and 25% said machine identities of microservices and containers.

The study acknowledged newer technologies, such as cloud and containerization, have expanded the machine definition to include a wide range of software emulating physical machines. Additionally, these technologies are producing a surge of new, swiftly shifting machines on enterprise networks. “To effectively manage and protect machine identities, organizations need complete visibility of all machine identities across their networks; actionable intelligence about each machine identity; and the capabilities to effectively put that intelligence into action at machine speed and at scale.”

The study maintained that the need to protect machine identities is not part of a tech-hype cycle expected to subside in a few months, since businesses must now ride a rising tide of machine identities driven by the adoption of new tech including IoT, cloud and mobile, as well as new, automated business processes. “In addition to these changes, organizations are coping with an influx of security automation, DevOps, and containerization initiatives that further complicate effective machine identity protection.”

Venafi recommended that, to successfully secure the enterprise’s assets in a de-perimeterized world (which removes the boundary between an organization and the outside world), identity and access management programs can no longer focus exclusively on protecting human identities.