Machine Identities and Secrets

When Zero is a Good Thing

Tom McNamara

May 3, 2021

In competition a score of zero is never a good thing. No sports team wants to end a contest with the scoreboard displaying their score as zero. It’s also not a good situation for your bank account or your car gas tank. But there are a few areas of life where zero is a good thing. It's a good thing to have zero accidents or speeding tickets on your driving record. And it's good to have zero data breaches if you are a digital businesses; a “zero” that is becoming increasingly uncommon. But is it possible to achieve that record? Maybe, but it won’t happen unless businesses evolve their business strategy in three important "zero" areas.

Zero Trust

The term “zero trust” describes an operational concept where implicit trust is removed from all of the computing infrastructure used by a digital business and replaced with strictly managed, real-time, adaptive trust levels for just in time, and just enough, access to its resources.

With business processes and data migrating from controlled enterprise data centers with hardened, secure perimeters to the cloud and SaaS solutions, the trust that was formerly known can no longer be assured. In the cloud, business processes and data exist on multiple “machines” and workloads, such as containers, VMs, applications, and services are enabled and disabled dynamically.  A business cannot know for certain where their data is moving and on whose hardware the processing occurs. The cloud may bring mores security, but it also obfuscates much of the security that once was managed by employees within its data center.

A “Zero Trust” approach hardens security for the perimeter of a business' processing and data and also within its networks and operations. Machines must explicitly authenticate to one another before sensitive operations occur, and it requires access control policies that limit the machine operations that may occur (equivalent to authorization and ACLs for humans). And the authentication and authorization of machines must be backstopped with monitoring, logging, and auditing to assure the security of critical data and processes.

ACLs, VLANs, IP-based firewall rules, and IAM security policies developed for enterprise data centers lack the intra-application communication visibility required for granular security controls and policies. Merely applying enterprise data center policies to cloud deployments forces security teams to adopt manual communication tracing, which cannot scale.

Zero Attack Surfaces

Another area where zero is a good thing is with attack surfaces. Attack surface area is a metaphor for the size of the “target” an attacker can see and exploit. The larger the surface area, the more opportunities available to attackers and the more difficult it is to defend against them. Although attack surfaces for digital businesses can never be zero (they would have to disconnect from the Internet), it is important to keep the concept in mind for security purposes.

For reasons of cost and performance, businesses are moving more of their critical processes and data to the cloud and modernizing monolithic legacy applications by integrating (or replacing) them with modern architectures such as microservices and serverless, or relying on outsourced SaaS applications. Microservices are small pieces of code performing only a few (or even a single) functions that use and produce data to other workloads, usually through REST API endpoints. Consistent with zero trust principles, each microservice API requires an identity and a key (i.e., a secret) for connection and authentication to other workloads. These credentials are critically important to protect business processes from misuse and assure data integrity. To help businesses secure, monitor, log, and audit the many processes that run on their infrastructure, Machine Identity Management (MIM) and Secrets Management (SM) tools were modeled off of human IAM tools. 

But with many static keys across multiple vendor clouds, a lack of access control governance, multiple non-unique machine identities, high workload volumes, and a reliance on DevOps pipeline processes the machine IAM, adapting conventional human-based IAM tools to machines is not the solution. For one thing, the attack surface of critical business operations is significantly larger than what it might have been in the enterprise data center. Without proper management of machine identities and secrets, the security and continuity of business operations relies only on logging, monitoring, auditing. But these should not be the defense and instead should serve as backup safeguards. Also, conventional logging, monitoring, and auditing functions occur at the perimeter and do not apply to internal operations.

The Solar Winds security incident that captured the attention of the US cybersecurity establishment in December 2020 illustrated how some of the most critical assets of commercial and government operations were exploited by a sophisticated nation state actor. The attack exploited seams between name-brand software vendors, software supply chains, and privileged access management tools across cloud environments to misuse privileged accounts, issue new accounts and privileges and then move laterally inside businesses. With privileged access, the attackers carefully evaded detection by logging and monitoring tools. 

Secret Zero

At some point, machined identities and secrets managed by security tools and  stored in encrypted vaults require additional keys to protect the ones that are encrypted and stored. But eventually, all tools, including machine identity and secrets managers, become the responsibility of a human. This is where ‘Secret Zero’ lives. It is the one secret that controls all of the other secrets. Borrowing from the novel Lord of the Rings, it's the “one ring to rule them all.” For example, certain individuals in an enterprise are entrusted with the authority and credentials to access and operate the security systems and tools that protect critical business operations. Those individuals login to those systems and tools with their usernames and passwords and, hopefully, an MFA service. They configure tools, and establish user accounts and permissions, too. What happens if those get hacked? You guessed it, the attacker has access and authorities to the business’ crown jewels.

As a way to confirm the security of their digital resources, security-conscious businesses use professional “red teamers” (think ‘white hat’ attackers) to independently evaluate all possible vulnerabilities and exploitation paths into their networks and infrastructure. Red teamers love the human elements of an attack surface the most. They consider humans to be prime security vulnerabilities. Even with all of the sophisticated and automated MIM and SM technology, humans are still a weak point because they have the key (Secret Zero) that controls access to everything else. They are the soft underbelly of security that can bring down everything. And sophisticated attackers are patient; they aren’t in a rush and will spend the time needed to find and exploit human vulnerabilities.

What is the best defense?

As businesses migrate more of their critical processes and data to the cloud and procure SaaS solutions, their attack surface grows and competes with efforts to achieve a zero trust posture, and the risk for employees with the Secret Zero also increases. While today’s MIM and SM (vaults) tools are improvements, they do not solve the growing conflicts between zero trust, ever-scaling attack surfaces, and human vulnerabilities. These need a strategic shift in thinking and new solutions. At hopr, we’re re-thinking the problem and innovating solutions such as: secrets that self-rotate and self-synchronize at operational scales; workloads with identities that increase trust with time; decentralized secret storage with centralized secrets management; and secret zeros that remain hidden. Our innovations ensure machines, workloads, secrets, trust and security scale together and deliver security and cost benefits to digital businesses.