Rise of the machine identities
Article by Attivo Networks regional director for A/NZ Jim Cook.
The shift to remote work and cloud adoption has led to an ‘explosion of identities’.
Research from the non-profit Identity Defined Security Alliance (IDSA) found that 83% of companies saw an increase in the number of identities accessing system resources in the past year.
Most of these new identities may not, however, be ‘human.’
Instead, they may be bots, serverless functions, administrative roles in cloud accounts, scripts, and other infrastructure-as-code software artefacts that have permission to access systems and execute functions.
On some estimates, non-human or non-people identities outnumber human or people identities by hundreds or thousands to one. Forrester expects the number of non-human identities to “grow at more than twice the pace of human identities.”
Analysts estimate that organisations now have “an average of 7750 identities with access to sensitive cloud data”. That mirrors our own experience: organisations used to dealing with hundreds of identities are now dealing with thousands or more.
The sheer number of identities brings added complexity, particularly when securing them all, and the situation remains challenging.
Analysts at KuppingerCole noted last year that the level of security applied to machine identities is often “lower than for human authentication. This poses a security risk to an enterprise network and can lead to breaches and hacks, if not treated with adequate care.”
Understanding the risk
Last year, Gartner released a publication titled ‘Managing Privileged Access in Cloud Infrastructure’ that included several concerning statistics and predictions.
The analyst firm estimated that by 2023, 75% of cloud security failures would result from inadequate management of identities, access, and privileges, a significant increase from the 50% estimated in 2020. Gartner notes that the growing number of identities and entitlements has substantially increased both the complexity and the risk involved.
Security professionals do acknowledge the problem. IDSA found 80% of professionals increased their focus on identity security in the past two years, and confidence “in securing machine identities, including service accounts, applications, and machines or IoT identities” is growing.
Still, confidence scores are up by single-digit percentages year-on-year and less than 50% in all cases, suggesting there’s still more organisations can do to address the security challenges posed by the growing number of identities.
Scoping the problem
With so many human and non-human identities to manage, permission sprawl has become a severe issue. The widespread shift to remote working, cloud migration and increasing adoption of DevOps practices have further elevated the need to limit the ability of attackers to obtain excessive rights or the privileges they need to move across domains.
The dynamic nature of the cloud can make it challenging to track access and accountability.
In the interest of convenience, some identities are granted more access and resources than they truly need. Similarly, some organisations sync Active Directory (AD) identities with the cloud, which means an endpoint exposure can quickly become a cloud breach. The recent SolarWinds breach is an excellent example of this.
It can be problematic to have a consistent and comprehensive view of the entire cloud environment, making it difficult to assess risk. Multi-cloud environments, each with a separate user interface, can exacerbate this issue.
While many organisations use traditional identity and access management (IAM) tools and techniques in the cloud, the static, long-lived access those tools grant increases rather than reduces security risk.
Chasing end-to-end visibility
Modern cloud solutions must be able to discover all identities, resources, and entitlements at any scale. Tracking entitlements over time is also essential to find changes attackers make and validate that obsolete permissions are no longer active.
Visibility into cloud identity issues is critical but alone does not suffice.
Organisations must also have end-to-end visibility from the endpoint to Active Directory to the cloud, helping defenders visualise entitlements and risk from multiple points of view.
Defenders also need to mitigate risks clearly and quickly as they become apparent, which means possessing a more expansive view of the network and potential attack paths to detect and derail attackers wherever they are active.
Only with more effective and comprehensive cloud permission management — and the visibility needed to address policy drift and exposures and detect live identity-based attack activity — can modern organisations truly begin to protect themselves.
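The entitlement tracking described above reduces, at its simplest, to a diff between two snapshots of who holds what: new grants are surfaced (wildcard and IAM grants flagged as privileged), identities that did not exist at the last review are listed, and permissions approved for removal are checked to confirm they are actually gone. This is an added illustration, not Attivo's code or any product's; the identities, resources and actions are constructed sample data.

```python
"""Entitlement drift check over two constructed snapshots.

Each snapshot maps an identity to the set of (resource, action) entitlements
it held when the snapshot was taken. All data below is constructed sample
input, not output from any cloud provider.
"""

# Constructed baseline: entitlements as recorded at the last access review.
BASELINE = {
    "svc-build-bot": {("artifact-bucket", "s3:GetObject"), ("artifact-bucket", "s3:PutObject")},
    "deploy-lambda-role": {("prod-db", "rds:DescribeDBInstances")},
    "alice": {("prod-db", "rds:DescribeDBInstances")},
}

# Constructed current snapshot: what is live now.
CURRENT = {
    "svc-build-bot": {("artifact-bucket", "s3:GetObject"), ("artifact-bucket", "s3:PutObject"),
                      ("*", "iam:*")},  # new wildcard IAM grant since the baseline
    "deploy-lambda-role": {("prod-db", "rds:DescribeDBInstances")},
    "alice": {("prod-db", "rds:DescribeDBInstances")},
    "temp-migration-role": {("prod-db", "rds:*")},  # identity absent from the baseline
}

# Entitlements approved for removal at the last review; they must no longer be active.
OBSOLETE = {("alice", "prod-db", "rds:DescribeDBInstances")}


def is_privileged(resource: str, action: str) -> bool:
    """Treat wildcard resources, wildcard actions and any IAM action as privileged."""
    return resource == "*" or action.endswith(":*") or action.startswith("iam:")


def drift(baseline, current, obsolete):
    """Compare two entitlement snapshots and report what a reviewer should act on."""
    report = {"added": [], "privileged_added": [], "removed": [],
              "new_identities": [], "obsolete_still_active": []}
    for ident in sorted(set(baseline) | set(current)):
        before, after = baseline.get(ident, set()), current.get(ident, set())
        if ident not in baseline:
            report["new_identities"].append(ident)
        for res, act in sorted(after - before):          # grants that appeared
            report["added"].append((ident, res, act))
            if is_privileged(res, act):
                report["privileged_added"].append((ident, res, act))
        for res, act in sorted(before - after):          # grants that disappeared
            report["removed"].append((ident, res, act))
    for ident, res, act in sorted(obsolete):             # removals that never happened
        if (res, act) in current.get(ident, set()):
            report["obsolete_still_active"].append((ident, res, act))
    return report


if __name__ == "__main__":
    for key, items in drift(BASELINE, CURRENT, OBSOLETE).items():
        print(f"{key}: {items}")
```

Run against real data, the two snapshots would come from the provider's own entitlement listing taken at review time and now; the diff logic is unchanged.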
A new category of tools for both identity visibility and Identity Detection and Response (IDR) has emerged in this space. These tools focus on protecting credentials, privileges, cloud entitlements, and the systems that manage them, giving organisations a critical new weapon in their arsenal to find and fix credential and entitlement weaknesses and to detect live attacks in real time.
In addition to looking for attacks targeting identities, IDR solutions create a defence layer by providing fake data that redirects the attacker to a decoy. They can also automatically isolate the compromised system and assist in the incident response by collecting forensic data and gathering telemetry on the processes used during the attack.
Without these identity security defences, businesses will lack the continuous visibility and detection insights needed to prevent attackers from compromising and exploiting identities to access more valuable and profitable internal targets.