Machine Identities and Secrets

Machine Identity - Avoid the Crisis

Tom McNamara

December 9, 2023

Prepare for the coming crush of machine identity management before it is a crisis situation.

As we come to the close of 2023 it seems like a good time to review the situation with machine identities and what the future might hold. On the topic of trusted identity, most of the attention has been on human identity and digital human credentials. But machine identities may be equally or more important very soon. Machines include all connected devices, workloads, applications, and cloud services, and they significantly outnumber humans on the planet (there are about 8 billion humans and 25 billion Internet of Things (IOT) devices are expected by 2025). The ratio is getting larger fast. Machine identities are a huge security blind-spot for digital enterprises.

It has been three years since the disclosure of the Sunburst attack (AKA SolarWinds Hack); the event that was a wake-up call to the cybersecurity community on the inability to prevent insider threats. This led to the US Government executive order on “Zero Trust” (an attitude or posture, not a goal!) that created an entire cybersecurity sector for threat intelligence, detection, and response. [ sidenote: I support the principles of zero trust but hate the term because we should be aiming for the goal of high trust.] Although Sunburst exploited PKI certificates for code signing, it revealed a vulnerability that threat actors can obtain a PKI certificate (a cryptographic key pair) and could likely exploit it in a machine identity attack. This can only be bad news for cybersecurity professionals.

The Machine Era is Now

Managing a massive number of machine identities is a significant challenge. With more cloud migrations and the continued growth of containerized applications and microservice architectures, management of machine identities will overstress centralized identity services and force greater identity trust segmentation. A brute force approach to manage the growth in machine identities. But it may not achieve the security, speed, agility, and scale needed while meeting the demands of NetOps, CloudOps, DevOps and DevSecOps teams. The downside with more identity trust segmentation is an increase in cross-segment identity trust verification (already a challenging and complicated orchestration of key exchanges and sharing.)

The dramatic growth in machine identities requires a rethink of how enterprises achieve ‘zero trust’ principles in parallel with a massive wave of machines appearing on the Internet. Since identity is the foundation for everything in cybersecurity, we believe the situation requires a decentralized identity approach that augments existing PKI services. Here is why.

Centralized identity services that automate certificate assignment to machines cannot verify the workload trust when the certificate is issued. They automatically respond to a Certificate Signing Request (CSR) and issue a certificate to the requestor. Although the Certificates Authority (CA) may be trusted, the workload requesting the certificate cannot be. Each certificate that is issued by a CA is a completely new identity for the workload. So, replacement certificates provide no recognition of the workload’s history. The certificate does not assure the workload’s intrinsic chain of trust.

PKI certificate abuse is real. Approval for Google’s proposal to reduce the validity of TLS certificates from 398 days to three months is likely, and it will overwhelm many enterprises' ability to renew identity certificates four times a year. These certificates are essential for transport layer security (TLS) to secure data in transit. With shorter certificate lifetimes, the likelihood of increased outages and identity exploitations will increase. That means business losses to cybercrime are also likely. The need for automated decentralized identity management to avoid outages and security weaknesses is acute.

Automate certificate management solutions offer the promise of reduced management complexity, but it comes at the cost of architectural overhead. Developer and DevOps involvement is still necessary and, in some cases, expensive skills and experience are mandatory. In our conversations with Devs and DevOps, we often hear complaints about their certificates management tools. Automated replacement does not work the way it should, and things break often requiring expertise to troubleshoot and resolve the issue. There is low observability into certificate problems and teams struggle with resolving outages quickly.

Quantum computing is one year closer to practical use, putting more pressure on finding a next-gen PKI cryptographic solution. Since this is a mathematics (prime number factoring) challenge, new algorithms may also be vulnerable to AI advances. PKI could become the Achilles heel of identity and transport layer security. Its loss would be catastrophic to a global digital economy.

Decentralized Identity for the Machine Era

A solution to these challenges is available today, and it is one that can operate in parallel with the existing PKI identity approach for a graceful transition. Automated decentralized identity management meets zero trust principles (it verifies identity trust of machines each time they interact). It is scalable (each machine is deployed with a ‘sidecar’ identity manager). It is highly theft resistant (the identity credential rotates at a high frequency), It establishes and preserves a chain-of-trust in the workload itself. It is “PKI-free” (it does not rely on cryptographic keys and is future-proof). It is simple to implement and enables stronger, complete, end-to-end symmetric encryption at either the transport or application layer.

The machine era is here, and accelerating with artificial intelligence and the IOT. It is critical for organizations to prepare for the looming machine identity crisis now. Since decentralized identity management can operate in parallel with existing machine identity solutions at a lower cost, it is both strategic and prudent to prepare for a rapid transition now and avoid a panic transition in a future crisis.

Digital organizations must verify and securely manage trusted identities for a massive number of machines, workloads, applications, and cloud services with agility. Weak cryptography, expired certificates and misconfigured identities create exploitable vulnerabilities that threat actors target to steal proprietary information, disrupt business-critical systems and carry out ransomware attacks.

Now is the time to begin a proof of concept or pilot for your specific use case.

Hopr has been recognized by Gartner as a technology innovator in Automated Moving Target Defense (AMTD). Our automated decentralized identity management capability is an integral part of our AMTD platform and is available to AWS cloud customers via the AWS Marketplace. If you prefer, we offer a free discovery call to explore your use case. And you can find more information here.

Keep Reading

IAM in a Box

Containers are an important part of modern cloud engineering. They evoke the idea of portability and relocation. But in the cloud this is often inhibited because they become anchored to external services within a particular cloud environment, and it becomes difficult to relocate them to a different environment. This article describes how containers can be freed and portability restored.

Author Avatar
Tom McNamara

July 8, 2023

An Unintentional Secret - Automated TLS and its Zero Trust Fallacy

Transport Layer Security (TLS) and its companion, mutual TLS (mTLS) are stalwart security protocols known for encrypting communications over the Internet. When they are applied to root domains (such as is the case for Web domains and browsers) they represent identity trust. However when they are implemented with automated PKI certificates, they lose an important security quality: identity trust. Due to the speed and scale of cloud automation, the intermediate certificate authorities that issue PKI certificates eliminate vetting of the receiving identity (a containerized workload).

Author Avatar
Tom McNamara

July 8, 2023

Machine Identity - Who’s Who in the Cloud?

Identities for machines operating in the cloud, like humans in the natural world, are an important quality that is essential to trust, authorization, and authentication. Machines are identified by cryptographic material that takes the form of a certificate. But in the cloud, it is challenging to find, track, and manage the many certificates that are dynamically assigned and used. New approaches to managing machine identities in a zero trust cloud environment are needed to realize secure business operations in the cloud.

Author Avatar
Tom McNamara

July 8, 2023

Keeping Secrets Is Hard

Keeping secrets is hard because they have to stay secret to deliver security. And for machines and workloads in the cloud the consequences to lost secrecy can ripple through the entire business and bring down many digital operations in an instant. Leakage of digital secrets occurs almost naturally over time; disclosure eventually happens and secrecy is lost. But the risk of lost secrecy and the impact to cloud operations is minimized with the right tools.

Author Avatar
Tom McNamara

July 8, 2023

When Zero is a Good Thing

As businesses migrate more of their critical processes and data to the cloud and procure SaaS solutions, their attack surface grows significantly. This makes it harder to achieve a zero trust posture, and more risk occurs for employees with the Secret Zero to everything. While tools such as Machine Identity Managers and Secrets Managers (vaults) are improvements for today, they do not solve the growing problem of competition between zero trust and ever-scaling attack surfaces. A strategic solution that responds to the challenges in new ways is needed. (click to read more)

Author Avatar
Tom McNamara

July 8, 2023

Subscribe to our newsletter
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Use CasesHow It WorksUnique FeaturesHopr ConnectHopr Connect GatewayPricingContact usSecurityWeb Retriever OSSAboutPrivacy policiesTerms of service
Hopr enables on-demand, verified-trust, ultra-secure application networking across clouds, organizations, and ecosystems.

Our Zero Trust and quantum-proof solutions form a future ready Cloud Native Automated Moving Target Defense (AMTD) around workloads, APIs, and data in transit.

Easily and securely network cloud applications located in any environment, disrupt cyber threats, and proactively strengthen cyber resilience.
copyright 2021-2023 | Hopr Corporation
CHIPS™, MAID™, and SEE™ are trademarks of Hopr Corporation
CHIPS™ technology the MAID and SEE™ protocols
are protected by US Patents and patents pending.