David Mahdi, Chief Identity Officer, Transmit Security, says machine identities of all kinds will keep proliferating in the network – opening environments to serious risks.
Most people think identities are for humans. In the minds of many, they’re characterised by the passwords, photo IDs and security tokens that grant us access to the systems we use every day.
In fact, the 2022 Identity Defined Security Alliance (IDSA) report Trends in Securing Digital Identities showed that nearly three-quarters of organizations consider employee identities the most likely to be compromised.
Yet there’s a whole world of transactions happening within those systems – machine to machine communications that need to be treated with the same vigilance.
Most of the work within a given network is done by machine-to-machine interactions. These far outstrip the number of digital identities a human being could have, and the average enterprise maintains over 45 times more machine identities than personal identities.
Though they may be invisible to the naked eye, these machine identities and interactions are core to everything we do on connected systems: they are the servers, the workload containers, the cloud buckets and the digital infrastructure that form the very basis of modern working.
The sudden rise of machine identities
We’re living in an age of digital transformation, and not a month passes without a new application or technology being announced that promises to “disrupt” the old order. These machines have quickly filled the enterprise, far faster than our ability to manage them effectively.
The diversity of these machine identities presents further problems. They can be virtual machines, cloud instances, containers or any number of other profoundly important ‘machines’ that often form the backbone of an IT infrastructure.
Within those are contained even more machines. These are all managed in different ways and often come with their own tools for organizing and monitoring them.
Similarly, new IoT devices are constantly connecting to networks and enabling new capabilities across a range of use cases, from supply chain management to autonomous vehicles.
In the age of cloud, these machines constantly access multiple identity providers such as Amazon Web Services, and the same machine can wind up with multiple identities from different providers.
A 2022 study from Dimensional Research showed that 98% of organizations have experienced rapid growth in identities brought on by the rise of cloud, the interconnection of third parties and machine identities. As a direct result, 84% suffered an identity-related breach in the last 12 months. It’s not hard to see why: the more identities an organization has, the more difficult they are to manage, and the more opportunities an attacker has to exploit them.
How machine identity breaches happen
Machines are often very easy to create in the form of containers, cloud instances and workflows that can be spun up and torn down in minutes. The speed at which they can be created, and the difficulty of managing the volume to which they quickly grow, make them very hard to monitor. In fact, only about 40% of machine identities are being tracked. To make matters worse, 68% of these systems handle very sensitive data.
On top of that, machine identities are commonly verified with only a single factor of authentication, a ‘secret zero’ master key, which, when exposed, allows attackers to impersonate the compromised workload and obtain all of its associated privileges and secrets.
Unfortunately, these keys are often exposed in source code, DevOps scripts and even repositories like GitHub. This happens partly because managing machine identities is so difficult that leaving master keys inside accessible code looks like the easier option. But it also gives attackers a direct route to compromising that identity.
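The single-factor ‘secret zero’ problem above is only as bad as the places those keys end up. As an added example, not code from the article or from Transmit Security, the following scanner flags credential literals embedded in constructed sample DevOps files before they reach a repository; the detection patterns are heuristics assumed for this example (the AKIA prefix is the documented AWS access-key-ID format, and the AWS values used are AWS’s own published example credentials).

```python
import re
from dataclasses import dataclass

# What to look for: the kinds of "secret zero" material the article describes
# being left in source code and DevOps scripts. The AKIA prefix is the documented
# AWS access-key-ID format; the remaining patterns are heuristics assumed here.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})", re.IGNORECASE),
    "powershell_plaintext_password": re.compile(
        r"ConvertTo-SecureString\s+['\"]([^'\"]+)['\"]\s+-AsPlainText", re.IGNORECASE),
    # A quoted literal assigned to a secret-looking name. A value starting with '$'
    # is a variable reference (env var, vault lookup), not an embedded secret.
    "hardcoded_assignment": re.compile(
        r"(?:password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['\"](?!\$)([^'\"]{8,})['\"]",
        re.IGNORECASE),
}

@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    excerpt: str  # redacted: the scanner must not re-expose what it finds

def redact(value: str) -> str:
    return value[:3] + "..." + value[-2:] if len(value) > 8 else "***"

def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per line that embeds a credential literal."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                findings.append(Finding(path, line_no, kind, redact(m.group(1))))
                break  # one finding per line is enough to block the commit
    return findings

def scan_files(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed sample files (not real scripts). The AWS values are the example
# credentials AWS publishes in its documentation.
SAMPLE_FILES = {
    "deploy.ps1": "# constructed sample, not a real script\n"
                  "$cred = New-Object PSCredential('svc-deploy', "
                  "(ConvertTo-SecureString 'Winter2022!' -AsPlainText -Force))\n"
                  "$token = $env:DEPLOY_TOKEN\n",
    "settings.py": "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
                   "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
                   "DB_PASSWORD = os.environ['DB_PASSWORD']\n",
    "build.sh": 'export API_KEY="sk_live_constructed_0123456789"\n'
                'export DB_PASSWORD="$VAULT_DB_PASSWORD"\n',
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} {f.kind} ({f.excerpt})")
```

The lines that read secrets from the environment or a vault produce no findings, which is the pattern the hard-coded ones should be migrated to.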
What happens when machine identities are neglected
There are a few examples of what can happen when hackers successfully compromise machine identities.
- In 2019, an attack on Capital One allowed 140,000 Social Security numbers and 80,000 linked bank accounts to be stolen: a hacker used Server-Side Request Forgery (SSRF) to reach the company’s Amazon Web Services environment and extract hard-coded credentials that gave them access to Capital One’s systems.
- In 2022, Uber was the victim of a breach that gave hackers full access to its systems. They managed this only because they found PowerShell scripts with admin credentials hard-coded inside. Those credentials gave them access to a range of internal services, including Uber’s OneLogin accounts, Amazon Web Services and its G Suite applications. To make matters worse, this gave the hackers access to Uber’s access management systems: by exploiting one vulnerable part of the identity infrastructure, they could take control of Uber’s entire identity infrastructure.
As machine identities have become an ever more central part of the digital enterprise network, they’ve grown in volume, become ever more difficult to manage and transformed into a key vector for attack.
The cost of these machine identity related breaches isn’t small.
One report from AIR estimates that losses in the US alone from unprotected machine identities amount to anywhere between $15.4 and $21.5 billion.
That alone accounts for between nine percent and 13% of the total losses from breaches in the US.
Globally, the report estimates losses of between $51.5 and $71.9 billion.
It’s an old story within IT security. New technologies emerge, they’re widely adopted and breaches spiral out of control because security measures haven’t kept pace.
Machine identities of all kinds will keep proliferating in the network, and organizations need to find ways to manage them effectively or leave their environments exposed to serious risk.