Defend your Institution by Also Applying Zero Trust to Machines, Not Just Humans

Defending your business against identity-based intrusions with Zero Trust is a well-recognised cybersecurity approach, and many businesses strive to build their cybersecurity defences with this mindset.

Zero Trust places emphasis on identity management and access control that moves past the outdated “trust, but verify” default approach and instead mandates a “never trust, always verify” mantra that is therefore a natural answer to many compliance regulations.

However, many organisations still face problems with their key identity-related security controls. In fact, a recent study by the Identity Defined Security Alliance’s (IDSA) reveals credential-based data breaches are both ubiquitous (94% of survey respondents experienced an identity-related attack) and highly preventable (99%).

Cyber attackers don’t “hack” in anymore, they log in

Compromised credentials allow a hacker to simply log in using weak, default, or stolen usernames and passwords. This risk is further heightened by the current economic climate and the impact of the COVID-19 pandemic, which led to an acceleration in digital transformation and a resulting expanded threat landscape that has further stress-tested organisations’ identity and access management (IAM) practices. This has created new cybersecurity challenges around identity- and access-related risks across data centres, cloud, and DevOps environments.

However, identities today aren’t just people. They include, amongst others, workloads, microservices, and applications. In today’s reality, non-person identities or machine identities actually represent the majority of users in many organisations. Despite this, companies continue to focus their access controls on human users.

Whereas privileged human users in an organisation may be a relatively small group, the challenge with machine identities is that they are often associated with privileged accounts and typically have a much larger footprint than traditional human privileged accounts within modern IT infrastructures. This is especially true in DevOps and cloud environments, where privileged task automation plays a dominant role.

Rethink your IAM strategy

Providing effective IAM services in the face of competing challenges demands multiple, often interdependent changes. To ensure success, it’s critical that security and risk management leaders with responsibility for IAM manage these through a well-governed program.

Ultimately, these new types of machines and modern cloud-native application architectures are driving organisations to rethink their IAM strategies, as otherwise they would be exposed to a blind spot that their cyber adversaries can easily exploit.

A recent Gartner Report, titled “Managing Machine Identities, Secrets, Keys, and Certificates,” confirms that, “an uneasy feeling of not being in control and the lack of accountability are often well-founded.” It mentions the existence of shadow IAM deployments that issue, manage, and control keys, secrets, and certificates; the occurrence of ghost Secure Shell (SSH) keys across the organisation’s different devices and workloads; and the lack of good guidance around the usage of machine identities as a few examples of how companies are struggling to deal with machine identities.

The report recommends going back to the drawing board and developing an enterprise-wide identity, secrets, and key management strategy. It should include basic steps such as defining a common nomenclature for a machine identity, distinguishing between how machine identities are stored in central and local identity repositories and the credentials the machines use, assessing the different technologies that can assist in managing machine credentials, and establishing ownership of the machine and credentials.

Advancing your authentication model

Once organisations have implemented these basic steps, they must move towards a more dynamic approach that addresses the major security issues without impacting usability and agility. When implementing ephemeral certificate-based authorisation, the target systems are accessed without the need for permanent access credentials. This establishes a “zero standing privilege” stance based on Zero Trust principles which ensures all access to services must be authenticated, authorised, and encrypted for a short time frame only.

For each session (be it for a human or a machine), the ephemeral certificate is issued from the certificate authority (CA), which serves as the trusted third party and is based on industry standards such as X.509. This encodes the user identity for security purposes and has a short lifetime, avoiding the risk of man-in-the-middle attacks, controlling access to the target system based on user roles, and not leaving privileged sessions standing open to be exploited.

The rules for particular roles are generated according to security policies and access requirements. The CA then obtains the rules for each role from the traditional enterprise directory (e.g., Microsoft Active Directory) and uses them to determine proper authentication. This approach alleviates setting up access for each individual user/machine and enables streamlined updates to groups of users/machines.

Integrate identity with security for full protection

Although less than half of businesses have implemented key identity-related access controls, according to the IDSA research study, it’s the key to starting your journey to better cybersecurity hygiene and stronger defence against the reality of today’s threats.

Acknowledging that an identity-centric approach to security based on Zero Trust principles doesn’t only apply to humans, but also to machines is pivotal to businesses ensuring they stay protected against common modern attacks.