As we come to the close of 2023 it seems like a good time to review the situation with machine identities and what the future might hold. On the topic of trusted identity, most of the attention has been on human identity and digital human credentials. But machine identities may be equally or more important very soon. Machines include all connected devices, workloads, applications, and cloud services, and they significantly outnumber humans on the planet (there are about 8 billion humans and 25 billion Internet of Things (IOT) devices are expected by 2025). The ratio is getting larger fast. Machine identities are a huge security blind-spot for digital enterprises.
It has been three years since the disclosure of the Sunburst attack (AKA SolarWinds Hack); the event that was a wake-up call to the cybersecurity community on the inability to prevent insider threats. This led to the US Government executive order on “Zero Trust” (an attitude or posture, not a goal!) that created an entire cybersecurity sector for threat intelligence, detection, and response. [ sidenote: I support the principles of zero trust but hate the term because we should be aiming for the goal of high trust.] Although Sunburst exploited PKI certificates for code signing, it revealed a vulnerability that threat actors can obtain a PKI certificate (a cryptographic key pair) and could likely exploit it in a machine identity attack. This can only be bad news for cybersecurity professionals.
The Machine Era is Now
Managing a massive number of machine identities is a significant challenge. With more cloud migrations and the continued growth of containerized applications and microservice architectures, management of machine identities will overstress centralized identity services and force greater identity trust segmentation. A brute force approach to manage the growth in machine identities. But it may not achieve the security, speed, agility, and scale needed while meeting the demands of NetOps, CloudOps, DevOps and DevSecOps teams. The downside with more identity trust segmentation is an increase in cross-segment identity trust verification (already a challenging and complicated orchestration of key exchanges and sharing.)
The dramatic growth in machine identities requires a rethink of how enterprises achieve ‘zero trust’ principles in parallel with a massive wave of machines appearing on the Internet. Since identity is the foundation for everything in cybersecurity, we believe the situation requires a decentralized identity approach that augments existing PKI services. Here is why.
Centralized identity services that automate certificate assignment to machines cannot verify the workload trust when the certificate is issued. They automatically respond to a Certificate Signing Request (CSR) and issue a certificate to the requestor. Although the Certificates Authority (CA) may be trusted, the workload requesting the certificate cannot be. Each certificate that is issued by a CA is a completely new identity for the workload. So, replacement certificates provide no recognition of the workload’s history. The certificate does not assure the workload’s intrinsic chain of trust.
PKI certificate abuse is real. Approval for Google’s proposal to reduce the validity of TLS certificates from 398 days to three months is likely, and it will overwhelm many enterprises' ability to renew identity certificates four times a year. These certificates are essential for transport layer security (TLS) to secure data in transit. With shorter certificate lifetimes, the likelihood of increased outages and identity exploitations will increase. That means business losses to cybercrime are also likely. The need for automated decentralized identity management to avoid outages and security weaknesses is acute.
Automate certificate management solutions offer the promise of reduced management complexity, but it comes at the cost of architectural overhead. Developer and DevOps involvement is still necessary and, in some cases, expensive skills and experience are mandatory. In our conversations with Devs and DevOps, we often hear complaints about their certificates management tools. Automated replacement does not work the way it should, and things break often requiring expertise to troubleshoot and resolve the issue. There is low observability into certificate problems and teams struggle with resolving outages quickly.
Quantum computing is one year closer to practical use, putting more pressure on finding a next-gen PKI cryptographic solution. Since this is a mathematics (prime number factoring) challenge, new algorithms may also be vulnerable to AI advances. PKI could become the Achilles heel of identity and transport layer security. Its loss would be catastrophic to a global digital economy.
Decentralized Identity for the Machine Era
A solution to these challenges is available today, and it is one that can operate in parallel with the existing PKI identity approach for a graceful transition. Automated decentralized identity management meets zero trust principles (it verifies identity trust of machines each time they interact). It is scalable (each machine is deployed with a ‘sidecar’ identity manager). It is highly theft resistant (the identity credential rotates at a high frequency), It establishes and preserves a chain-of-trust in the workload itself. It is “PKI-free” (it does not rely on cryptographic keys and is future-proof). It is simple to implement and enables stronger, complete, end-to-end symmetric encryption at either the transport or application layer.
The machine era is here, and accelerating with artificial intelligence and the IOT. It is critical for organizations to prepare for the looming machine identity crisis now. Since decentralized identity management can operate in parallel with existing machine identity solutions at a lower cost, it is both strategic and prudent to prepare for a rapid transition now and avoid a panic transition in a future crisis.
Digital organizations must verify and securely manage trusted identities for a massive number of machines, workloads, applications, and cloud services with agility. Weak cryptography, expired certificates and misconfigured identities create exploitable vulnerabilities that threat actors target to steal proprietary information, disrupt business-critical systems and carry out ransomware attacks.
Now is the time to begin a proof of concept or pilot for your specific use case.
Hopr has been recognized by Gartner as a technology innovator in Automated Moving Target Defense (AMTD). Our automated decentralized identity management capability is an integral part of our AMTD platform and is available to AWS cloud customers via the AWS Marketplace. If you prefer, we offer a free discovery call to explore your use case. And you can find more information here.