Machine identity management crisis looming

Managing machine identities is looming as the next big security challenge, a study reveals, with few organisations capable of protecting them as they increasingly form the basis of online communications.

The majority of global IT decision makers believe protecting machine identities is as important to security as protecting human identities – and potentially even more important, a survey shows.

However, most of the 350 IT decision makers polled in the UK, Germany, France, Australia and the US said they struggle with the delivery of machine identity protection capabilities, according to a study from research firm Forrester and security firm Venafi.

The study notes that although the global identity and access management (IAM) market is worth over $8bn, most of that is spent on human identity protection.

This is despite the fact machine identities form the foundations of all online trust and communications between digital actors, from apps to mobile devices.

This issue is coming under even greater scrutiny as the number of devices and new technologies businesses use has exploded, resulting in a raft of new machines entering the workforce to play a central and often autonomous role in everyday business operations.

As a consequence of this trend, survey respondents said there is a range of concerns relating to machine identities being compromised, including company data theft or loss (61%), customer data theft or loss (58%), loss of consumer trust (48%), process disruption (41%) and business downtime (41%).

While 80% of respondents confessed they struggle with delivering basic machine identity protections, 70% admitted to tracking less than half of all their machine identities, which the report said is likely to increase as the number of machine identities in use continues to skyrocket.

When asked which specific machine identities they track, just 56% said cloud platform instance machine identities, followed by mobile device machine identities and physical server machine identities (each 49%), secure shell (SSH) keys (29%) and machine identities of microservices and containers (25%).

“It is shocking that so many companies don’t understand the importance of protecting their machine identities,” said Jeff Hudson, CEO of Venafi. “We spend billions of dollars protecting user names and passwords, but almost nothing protecting the keys and certificates that machines use to identify and authenticate themselves.”

The number of machines on enterprise networks is increasing rapidly, he said, but most organisations have not yet invested in the intelligence or automation necessary to protect these “critical” security assets.

Machine and human identities

However, the survey shows that while 47% of respondents, including the majority of UK respondents, predict that in the next two years machine and human identities will be of equal priority, 30% believe machine identities will be a slightly higher priority and 13% think machine identities will be a much higher priority. Only 8% think machine identities will be a lower or much lower priority.

“The bad guys know this, and they are targeting them because they are incredibly valuable assets across a wide range of cyber attacks,” said Hudson.

According to an earlier Venafi study, cyber criminals are paying up to $1,200 on the dark web to buy digital identities to help them evade detection, distribute malware and attack enterprises.

In summary, the report said recent increases in the number of machines on enterprise networks, shifts in technology and new computing capabilities have created a set of challenges that require increased focus on protecting machine identities.

“To effectively manage and protect machine identities, organisations need complete visibility of all machine identities across their networks, actionable intelligence about each machine identity, and the capabilities to effectively put that intelligence into action at machine speed and at scale,” the report said.
