Unlocking the potential of machine identities

Machine identities are growing faster than human identities, at a rate 10 to 45 times higher. This complexity is compounded as more organizations adopt multi-cloud and hybrid strategies, a trend forecast to continue through 2024. There is also the rise in endpoints, as more machines become IoT-connected, which widens the attack surface.

Meanwhile, existing regulations are also evolving. HIPAA’s Final Rule amendments provide new guidance on how entities must manage patient data, posing new challenges for healthcare providers that connect devices to their networks. CCPA regulations passed in 2023 are now enforceable, and businesses are required to honor the Global Privacy Control, a browser signal through which users communicate their privacy preferences to websites and services.

In response, the One Identity Unified Identity Platform is enhancing its machine identity offerings. These enhancements support use cases ranging from account and privilege management to ownership assignment and enforcing separation of duties at different levels. After all, trends and challenges in identity management span the full enterprise, from device and machine to user and consumer. A coordinated approach is essential to close gaps and reduce the risk of identity compromise, while increasing efficiency and overarching governance.

That’s why machine identity management is central to allowing processes and systems to run – without the sprawl that is a constant threat in fragmented enterprise environments. Machine identity management also helps mitigate the risk of human error, to which the World Economic Forum attributes 95% of cybersecurity issues, noting that insider threats (both intentional and accidental) account for 43% of all breaches.

Ultimately, the focus is on identifying evolving challenges to leverage emerging opportunities effectively.

Evolving challenges in machine identity management

When a new employee joins, a new human identity is created. Similarly, every time a virtual machine (VM) is provisioned or a new application is integrated, a new machine identity is generated. Much like a human employee needs offboarding, a machine identity requires a lifecycle management process covering creation, reading, updating and deletion.

Managing these lifecycles is critical for businesses. Machine identities need close monitoring to avoid backdoors being left open by ownerless resources and unmonitored endpoints. While unattended storage can be spotted through the expense it generates, identities do not consume resources measured in gigabytes of storage. Without obvious operational costs, they slip under the radar more easily, particularly in IT teams operating within complex structures, sometimes the result of mergers or acquisitions, or in rapidly changing DevOps environments.

Machine identity management is also a crucial element for organizations wanting to implement Zero Trust. This relies on PKI certificates to continually prove identity, coupled with encryption keys for moving and storing data. The pairing of a public key with its private key allows machines to prove their identities and gain the relevant access. What’s more, the private key is held by the machine itself and cannot be shared or lifted from a repository in the same way that a password can.

Speed and agility remain crucial, ensuring that access is granted to the right people for the right purpose at the right time. This is especially true for high-throughput areas that call for high availability. When the machine holds the key, there is no need to retrieve or remember it, giving the real-time agility that modern enterprises need to compete.

However, the concept, strategy, and execution of agility is now evolving.

Harvest now, decrypt later: the need for crypto agility

Think of algorithms such as AES, SHA-2 and 256-bit ECDSA, and the other primitives that underpin public key infrastructure. All are used for processes including identification, certification, authorization and software distribution. While these algorithms protect data today, threat actors are already harvesting the encrypted data. They’re playing the long game – waiting for the moment when emerging technology such as quantum computing can break these algorithms and decrypt what was collected.

Organizations need a way to orchestrate and update certificates without constantly reworking the encryption mechanisms and algorithms that protect their assets. The answer is crypto agility, which allows organizations to respond by replacing old cryptographic algorithms and protocols as soon as they are compromised.

Crypto agility also requires quantum-secure integration with machine identity and access management systems and protocols. IT leaders will need to build databases of cryptography metadata to gain better visibility and control of the secrets used for machine-to-machine communication. However, it is not simply a case of knowing what needs re-encrypting with new algorithms, which access policies to update, or when to validate identities.
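The crypto-agility pattern described above, as an added example that is not One Identity’s code: every signature carries an algorithm tag, and a registry records each algorithm’s lifecycle state, so a compromised algorithm can be retired and legacy signatures re-signed without changing the protocol. The algorithm names, states and key are constructed for illustration.

```python
import hmac
from typing import Optional, Tuple

# Constructed registry: "current" is used for new signatures, "legacy" is still
# accepted during migration, "retired" is rejected because it has been replaced.
ALGORITHMS = {
    "hmac-sha1":   {"hash": "sha1",   "state": "retired"},
    "hmac-sha256": {"hash": "sha256", "state": "legacy"},
    "hmac-sha512": {"hash": "sha512", "state": "current"},
}

def current_algorithm() -> str:
    return next(name for name, a in ALGORITHMS.items() if a["state"] == "current")

def sign(key: bytes, payload: bytes, alg: Optional[str] = None) -> str:
    """Return 'alg:hex-mac'. The tag is what makes later rotation possible."""
    alg = alg or current_algorithm()
    if ALGORITHMS[alg]["state"] == "retired":
        raise ValueError(f"{alg} is retired and must not sign new data")
    mac = hmac.new(key, payload, ALGORITHMS[alg]["hash"]).hexdigest()
    return f"{alg}:{mac}"

def verify(key: bytes, payload: bytes, token: str) -> Tuple[bool, str]:
    """Verify a tagged token; the reason tells the caller whether re-signing is due."""
    alg, _, mac = token.partition(":")
    entry = ALGORITHMS.get(alg)
    if entry is None:
        return False, "unknown algorithm"
    if entry["state"] == "retired":
        return False, f"{alg} is retired"          # rejected before any MAC work
    expected = hmac.new(key, payload, entry["hash"]).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False, "bad mac"
    if entry["state"] == "legacy":
        return True, f"{alg} is legacy; re-sign with {current_algorithm()}"
    return True, "ok"

def rotate(key: bytes, payload: bytes, token: str) -> str:
    """Re-sign a still-valid legacy token with the current algorithm."""
    ok, reason = verify(key, payload, token)
    if not ok:
        raise ValueError(reason)
    return sign(key, payload)
```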

That’s why we’re exploring new mapping processes for certificates and identities, increasing agility while ensuring adherence to cybersecurity standards.

Mapping certificates and secrets to machine identities

Certificate mapping allows machines to communicate securely at scale – when the right rules are in place. Manual assignment isn’t practical when there are many users, each needing certificates issued and renewed. Plus, businesses are already dealing with the fact that, at any one time, up to 25% of internet certificates are a security threat because they are expired or self-signed.

Instead, mapping certificate subject values to user entries streamlines the process: the user entry stays the same while the certificate renews automatically beneath it. Developers may also need identities for the machines they use in day-to-day development, so any privileges associated with those identities must be monitored. That calls for existing DevSecOps processes to be integrated more closely with machine identity approaches.

As part of this effort, we are introducing a certificate vaulting feature that securely stores and releases certificates, alongside our DevOps vault. These will complement One Identity’s existing secrets management tools, such as the secrets vaults that provide strong encryption, access controls and audit logging.

Extending these to the new vaulting tools will simplify certificate management and assignment, while allowing opportunities to accelerate automation.

Privileged task automation

Robotic Process Automation (RPA) can be used to manage machine identities at scale, automatically detecting, alerting on and deactivating dormant identities. This removes the reliance on manual effort and multiple approval authorities, which can slow down access and approvals. We’re investigating how machine identities, especially in RPA, can efficiently automate privileged tasks without requiring user access. By automating complex logic, this approach aims to boost operational efficiency and consistency while minimizing human error.

Behavioral analytics, used to uncover anomalies or to require further authentication, can further harden the security posture and improve identity hygiene. Of course, introducing automation calls for a careful balance between granting access and maintaining security, for instance by obscuring the identity of a machine. Users who rely on the smooth completion of tasks need a seamless experience, with identities being authenticated and authorized behind the scenes.

Grouping certificates can form part of a foundation for centralizing and automating machine identity management. Categorization may be based on factors such as where the tasks are carried out, whether the certificate is for a server or a client, expiry dates, and whether it is external- or internal-facing. Once these categories are established, it is possible to apply group policies through an Access Control List (ACL) or Role-Based Access Control (RBAC). This approach aligns with the Principle of Least Privilege, using granular access policies and permissions to manage authentication.
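An added example, not One Identity’s code, that combines the certificate hygiene checks from the mapping section (expired and self-signed certificates, weak algorithms that need re-encrypting) with the grouping described above: each record in a constructed cryptography-metadata inventory is mapped to a machine identity, assigned a zone/role policy group for an ACL or RBAC rule, and tagged with findings. The inventory records, thresholds and reference date are constructed stand-ins, not parsed from real certificates.

```python
from datetime import date, timedelta
from typing import Dict, List

# Constructed inventory: the metadata a machine-identity database would hold per certificate.
TODAY = date(2024, 3, 1)
INVENTORY = [
    {"cn": "api.internal.example", "issuer": "Corp Issuing CA", "sig": "sha256WithRSA",
     "bits": 2048, "not_after": date(2024, 9, 1), "role": "server", "zone": "internal"},
    {"cn": "build-agent-07", "issuer": "build-agent-07", "sig": "sha256WithRSA",
     "bits": 2048, "not_after": date(2025, 1, 1), "role": "client", "zone": "internal"},
    {"cn": "www.example.com", "issuer": "Public CA", "sig": "sha1WithRSA",
     "bits": 1024, "not_after": date(2024, 2, 1), "role": "server", "zone": "external"},
    {"cn": "partner-gw", "issuer": "Partner CA", "sig": "ecdsa-with-SHA256",
     "bits": 256, "not_after": date(2024, 3, 20), "role": "client", "zone": "external"},
]

WEAK_SIGNATURES = {"sha1WithRSA", "md5WithRSA"}   # constructed deprecation list
MIN_RSA_BITS = 2048
RENEW_WINDOW = timedelta(days=30)

def findings(cert: dict, today: date = TODAY) -> List[str]:
    """Hygiene checks: expired, renewal due, self-signed, weak algorithm or key size."""
    out = []
    if cert["not_after"] < today:
        out.append("expired")
    elif cert["not_after"] - today <= RENEW_WINDOW:
        out.append("renewal-due")
    if cert["issuer"] == cert["cn"]:          # subject equals issuer: self-signed
        out.append("self-signed")
    weak_rsa = cert["sig"].endswith("RSA") and cert["bits"] < MIN_RSA_BITS
    if cert["sig"] in WEAK_SIGNATURES or weak_rsa:
        out.append("weak-crypto")
    return out

def policy_group(cert: dict) -> str:
    """Category an ACL/RBAC policy attaches to, e.g. 'internal-server'."""
    return f"{cert['zone']}-{cert['role']}"

def build_report(inventory=INVENTORY, today: date = TODAY) -> Dict[str, dict]:
    """Map each certificate CN to a machine identity record with its group and findings."""
    return {c["cn"]: {"group": policy_group(c), "findings": findings(c, today)} for c in inventory}

def needs_action(report: Dict[str, dict]) -> List[str]:
    """CNs with at least one finding, for the renew/revoke/re-key work queue."""
    return sorted(cn for cn, r in report.items() if r["findings"])
```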

Some tasks will always require human input to manage. Where that’s the case, and automation isn’t possible, there’s another option to simplify and accelerate the process. That’s achieved by harnessing the growth in natural language processing (NLP) to create virtual assistants that support identity management.

The role of AI-driven natural language processing

AI-driven natural language processing offers a way to enforce the existing processes behind an access request, for example by combining a machine’s identity and textual data with the time and location of the request to better govern whether access is approved or denied. NLP tools use text vectorization to map words – for example, those entered into an Access Control List – into numbers that machine learning algorithms can process.

AI-driven NLP is already being used to uncover threats based on text and speech. One example is pattern recognition, where AI runs through access requests at scale and identifies potentially anomalous behaviors or actions. So there is also plenty of potential for NLP in handling information requests, and we’re currently exploring ways to harness these capabilities for information requests that come from the One Identity Unified Identity Platform.

The potential of these emerging technologies also means new threats are appearing. So the question is: How can business, IT and technology leaders prepare for whatever comes next?

How to stay ahead with the One Identity Unified Identity Platform

Automation, AI, crypto agility – these will all reshape identity management in countless ways. Some of the related challenges are already top priorities for many CISOs, CTOs and IT leaders, whether that’s complex certificate management, achieving agility in cryptographic standards, gaining visibility and control, ensuring privileged access management, scalability concerns, integration with DevOps and cloud environments, or regulatory compliance requirements.

Other challenges may be less apparent, but one thing is certain: the One Identity Unified Identity Platform will be at the forefront of unifying, verifying and adapting to these emerging technologies, always with the goal of making sure businesses have up-to-date solutions and answers for machine identity management – now and in the future.
