What do O2, the US Government, and Sennheiser have in common? All three have recently suffered as a result of issues with their machine identities, writes Scott Carter, Senior Manager US at Venafi.
Machine identities are the cryptographic keys and digital certificates that secure private communication between ‘machines’ – such as the hardware, software, apps, and websites – used by consumers and businesses every day.
At the end of 2018, an expired digital certificate caused UK-wide network outages for O2 customers, while Sennheiser failed to secure its private keys, shipping a trusted root certificate together with its private key in its HeadSetup software and putting company and customer data at risk. In 2019, the US Government shutdown left nobody in place to renew certificates, so a selection of government websites became inaccessible or subject to browser security warnings as their certificates expired.
From preventing outages, to stopping attacks, machine identities are vital for organisations that want to protect sensitive data and provide a secure, reliable service for their clients.
The increasing use of AI, DevOps, containers, IoT devices, and other new technologies in businesses is causing an explosion in the number of certificates, yet 70 percent of IT decision makers have admitted to tracking less than half of all their machine identities. This is deeply troubling because an organisation cannot secure what it does not know it has: decent cyber-security depends on knowing which machine identities exist, where they are used, and which of them are weak.
However, given the huge number of machine identities that need to be managed, tracking them all by hand is impossible. Firms therefore need quick and repeatable ways of telling which identities are secure and which aren’t, so they can take appropriate action. Here are four core questions that firms should consider when assessing the security of their machine identities:
- Do you know where your machine identities are hiding? The first step in managing machine identities effectively, and being able to respond to any incidents, is simply knowing where all of them are. More certificates are being created every minute and until businesses have a complete inventory of every single one, diagnosing problems is extremely difficult and fixing them even harder. As O2 recently found, it is akin to searching for a needle in a gigantic haystack – and the longer the problem is unresolved, the more damage that can be done.
- Can you be sure who owns the device where the machine identity is being used? In most organisations, a vast number of users can request a machine identity for countless systems and different groups. This process needs to be centralised so that security and operations teams have the oversight needed to effectively manage all the identities. Centralising certificate issuance means that when a security vulnerability is detected, such as a weak algorithm or impending expiration, the PKI or security team can remediate quickly or contact the right person to make sure it gets done.
- Are your machine identities as secure as possible? The strength of a machine identity rests on the algorithms and key lengths behind it, not on how complex the cipher looks: an RSA key size that was adequate a decade ago, or a certificate signed with SHA-1, is no longer considered safe. As cryptanalysis and computing power advance, algorithms that were once acceptable become breakable, and the machine identities that rely on them become weaker and more vulnerable to compromise. With new vulnerabilities regularly being found in protocols like SSH and TLS, organisations need to know the latest security risks. Heartbleed, one of the most severe vulnerabilities in computing history, let attackers read the memory of servers running a vulnerable OpenSSL, private keys included, so every affected certificate had to be reissued with a new key. But even three years later, in 2017, there were still certificates in use that had not been remediated.
- How have your machine identities been set up? Each machine identity can have its own unique configuration – it isn’t one size fits all. Vulnerabilities often come from a misconfiguration, where a specific combination of options puts the machine identity at risk: a certificate issued without a subjectAltName, for example, or a wildcard name that covers far more hosts than intended. Ensuring machine identities have been set up in the most secure way reduces the risk to them, and the subsequent business impact.
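The four questions above amount to an assessment that a script can run over a certificate inventory. The Go program below is an added example, not code from the article or from Venafi: it walks a PEM bundle, records each certificate in an inventory keyed by its SHA-256 fingerprint, and flags the problems the article describes (expiry, an undersized RSA key, a weak signature algorithm, a server certificate with no subjectAltName). The policy thresholds (2048-bit RSA minimum, 30-day expiry warning) and the three self-signed sample certificates are assumptions constructed for the example; a real run would feed it the certificates discovered on your own hosts.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is one policy violation on one certificate in the inventory.
type Finding struct {
	Fingerprint string // SHA-256 of the DER encoding; the inventory key
	Subject     string
	Issue       string
}

// Illustrative policy thresholds (assumed for this example, not prescribed by the article).
const (
	minRSABits    = 2048
	expiryWarning = 30 * 24 * time.Hour
)

// Assess parses every CERTIFICATE block in a PEM bundle, records it in an
// inventory (fingerprint -> subject) and returns one Finding per problem:
// expiry, weak key, weak signature algorithm, or missing subjectAltName.
func Assess(pemBundle []byte, now time.Time) (map[string]string, []Finding) {
	inventory := map[string]string{}
	var findings []Finding
	rest := pemBundle
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			continue // in production, log unparseable blocks instead of dropping them
		}
		sum := sha256.Sum256(cert.Raw)
		fp := hex.EncodeToString(sum[:])
		subject := cert.Subject.String()
		inventory[fp] = subject
		add := func(issue string) { findings = append(findings, Finding{fp, subject, issue}) }
		// Expiry: the failure mode behind the O2 outage.
		switch {
		case now.After(cert.NotAfter):
			add("expired on " + cert.NotAfter.UTC().Format(time.RFC3339))
		case cert.NotAfter.Sub(now) < expiryWarning:
			add("expires within 30 days")
		}
		// Key strength: RSA below the policy minimum is flagged; EC keys pass as-is here.
		switch pub := cert.PublicKey.(type) {
		case *rsa.PublicKey:
			if pub.N.BitLen() < minRSABits {
				add(fmt.Sprintf("RSA key too small: %d bits", pub.N.BitLen()))
			}
		case *ecdsa.PublicKey:
		default:
			add("public key type not covered by this policy")
		}
		// Signature algorithm: hashes that are no longer collision resistant.
		switch cert.SignatureAlgorithm {
		case x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
			add("weak signature algorithm: " + cert.SignatureAlgorithm.String())
		}
		// Configuration: modern clients match hostnames against the SAN, not the CN.
		if !cert.IsCA && len(cert.DNSNames) == 0 && len(cert.IPAddresses) == 0 {
			add("no subjectAltName; hostname verification will fail")
		}
	}
	return inventory, findings
}

// newSelfSigned builds a self-signed certificate for the constructed sample bundle.
func newSelfSigned(key crypto.Signer, cn string, sans []string, notAfter time.Time) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
		DNSNames:     sans,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleBundle is constructed input: a healthy P-256 certificate, an expired
// 1024-bit RSA certificate, and a SAN-less certificate that expires in ten days.
func SampleBundle(now time.Time) []byte {
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	rsaKey, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		panic(err)
	}
	bundle := newSelfSigned(ecKey, "shop.example.test", []string{"shop.example.test"}, now.Add(300*24*time.Hour))
	bundle = append(bundle, newSelfSigned(rsaKey, "legacy.example.test", []string{"legacy.example.test"}, now.Add(-24*time.Hour))...)
	return append(bundle, newSelfSigned(ecKey, "intranet.example.test", nil, now.Add(10*24*time.Hour))...)
}

func main() {
	now := time.Now()
	inventory, findings := Assess(SampleBundle(now), now)
	fmt.Printf("%d certificates inventoried, %d findings\n", len(inventory), len(findings))
	for _, f := range findings {
		fmt.Printf("%s  %s: %s\n", f.Fingerprint[:16], f.Subject, f.Issue)
	}
}
```

Run against the sample bundle, the healthy certificate produces no findings, the legacy one is reported twice (expired, 1024-bit key) and the intranet one twice (expiring soon, no SAN). Keying the inventory by fingerprint rather than subject is deliberate: the same name is routinely reissued many times, and it is the specific certificate on a specific host that has to be replaced when a key or algorithm is found to be weak.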
Locating, securing and correctly configuring all your machine identities are the first steps to preventing them from being manipulated or misused. Knowing your machine identities also gives organisations the agility to remove, change, or add a certificate at a moment’s notice in response to changes in the threat landscape or changing business conditions.
But not all machine identities are created equal – because they can change so rapidly, assessing risks quickly can be difficult. Free, domain-validated certificates, for example, are sometimes considered higher risk: they prove only control of a domain name, so anyone who registers a look-alike domain can obtain a valid certificate for it, making it relatively easy to spoof the website of another company.
Knowing how reliable your machine identities are makes it easier to protect them, change them, or quickly remediate any issues that arise. This is why organisations must automate tracking of machine identities. Without visibility, organisations risk becoming the next O2 or Sennheiser, subject to a host of potential machine identity issues and faced with mounting costs and many angry customers, clients and partners.