The Forrester Research-Venafi study, Securing the enterprise with Machine Identity Protection, surveyed 350 IT and security decision-makers in five countries and found that companies were aware of the need to effectively manage machine identities – but often struggled to keep up with the number and type of identities being added to the network.
Fully 70 percent said they were tracking fewer than half of their potential machine identities – which can range from networked and mobile devices to sensors, cameras, cloud-based web services, authentication frameworks, virtual servers and even blockchain-based ‘smart contracts’, all of which are rapidly asserting themselves across the business.
An influx of automation – driven by trends such as growing DevOps usage and the adoption of artificial intelligence – was adding new complexity to the challenge by further isolating humans from the authentication that takes place every time two machines talk to each other.
Regular exchanges of cryptographic keys were enabling broader use of encryption – but they were also creating new opportunities for cybercriminals to evade human-oriented network defences by, for example, using a publicly available key to lend credence to a malicious phishing email.
“Everyone is racing to add encryption, but the security architectures we have in place weren’t necessarily made to have encrypted networks,” Venafi chief cybersecurity strategist Kevin Bocek told CSO Australia. “So we’ve got large parts of our security infrastructure that we’re making ineffective.”
Some 43 percent of all respondents said managing machine identities would be a higher priority than managing human identities in the future – but Australian respondents were well ahead of the pack, with 62 percent suggesting that machine identities would be more important within the next two years.
“Every day we see attacks happening using machine identities and their capabilities,” Bocek said. “It’s a less well-understood problem, and certainly one that is under-invested in.”
“Machines are exploding, and our adversaries understand the opportunities this presents – whether by stealing an identity, establishing their own machine identity and having it become trusted, or using the power of encryption to hide their work.”
Diversity of machines means diversity of attacks
Smart-home vulnerabilities are just one example of the implications of poor machine authentication, however, and a number of industry efforts have sought to improve the authentication and security of such devices.
Trend Micro, for example, this month launched an IoT security program based on its Zero Day Initiative (ZDI) to help developers identify vulnerabilities and shortcomings before their devices are shipped into an unsuspecting world.
“What we find to be the most common vulnerabilities are software defects, bugs and logic flaws,” Sense of Security chief technology officer Jason Edelstein recently noted in a statement. “This clearly shows we are rushing devices to market with little thought to how we protect the users.”
“To address the security flaws, it is important we start bringing a cyber security mindset into the planning and design phase. Companies shouldn’t take the security of products for granted and must continuously test and review the security of new products, through application security reviews and penetration tests. This helps pinpoint specific vulnerabilities and identifies underlying problems before the product comes to market.”
Part of the problem stems from the fact that machine authentication happens automatically, well outside the scope of human monitoring. Cryptographic certificates are generated, exchanged and revoked in their thousands every day, and that lack of visibility leaves defenders little opportunity to notice a spurious authentication that could lead to a network compromise.
“The problem is that we can’t keep up,” Bocek said. “We need to set up a process by which we as humans can interpret whether the machine identity process is running correctly, or running to process.”
The continuing evolution of digital services wasn’t helping either, as the trend was towards more diversity in the use of cloud services – not less. This expanding attack surface lends weight to calls for companies to extend their DevOps processes into DevSecOps, in which security and development efforts progress in lockstep with controls over the infrastructure and the machines connected to it.
“The codification and engineering of security are here to stay, and are only going to accelerate,” said Bocek. “That’s a huge shift for people that don’t just have to know about policy or architecture, but have to know about coding too. You have to set up these processes right from the beginning, because otherwise the machines are just going to run wild.”