Machine Identity Management Explained
We spend considerable time and focus on securing the identities used by individuals and groups within our environment. While these are essential activities, we sometimes lose sight of a whole other set of identities, often highly privileged, that sit just beneath the surface: the machine identities in our environment.
Read on to understand what machine identities are, the implications of security risks to these identities and accounts, and best practices for machine identity management across your environment.
What are Machine Identities & How are they Used?
Let’s get a couple of important definitions out of the way.
In computing, a “machine” can refer to any non-human entity. So a machine, and thus a machine identity, can encompass applications, software robots (such as those found in robotic process automation (RPA) workflows), endpoints (servers, desktops, IoT devices, etc.), websites, containers, service accounts, and much more.
A machine identity can be defined as a mechanism to allow people and other machines, applications, systems, and processes to have confidence the machine with which they are communicating is the one they expect it to be. These identities are used within systems, over LAN/MAN/WAN, via Bluetooth, Wi-Fi, and the internet, to name a few.
Just about every communication between two ‘machines’ is identified at some level, ranging from simply allowing certain network addresses through a firewall to multifactor authentication (MFA) involving certificates, keys, IP address, and location services. Every website you visit should be using the secure HTTP protocol (HTTPS) with TLS 1.2 or 1.3 to encrypt the connection. Validating the server certificate during that TLS handshake is what confirms the machine identity of the website.
Common approaches to authenticating machine identities include:
- Secrets – something that the machine has and can present as part of an authentication
- Digital certificates – electronic document to prove ownership of a public key (e.g., often used with websites to ensure the web server is really in the domain referenced)
- Username and password – just as you would expect to use yourself
- IP address – where addresses are assigned by system administrators and are rarely changed
Challenges with Managing and Protecting Machine Identities
The biggest challenge with machine identities is that the ‘machine’ needs access to the identity to use it. It seems self-evident but it’s worth highlighting – humans have a couple of unique capabilities that we simply can’t give to a machine.
The first of these abilities is that humans can remember something. You might argue that machines can also ‘remember’ things – they have RAM and disks where data can be stored. While this is true, a human’s ‘storage device’ cannot, currently, be removed and installed in another ‘system’ to gain access to their passwords, whereas a machine’s can. While passwords can be coaxed, or bought, from a human, it is highly likely that the person will be aware it has happened. Stealing a machine identity can be done in complete stealth, unless some important cybersecurity controls have been properly implemented.
We can try to further secure machine identities by removing them from the machine itself and storing them elsewhere, e.g., in a Hardware Security Module (HSM). This does improve security where the threat is theft of the machine. The approach is valuable in virtualized environments, where a machine can be stolen by cloning: the machine remains in place, but a copy is removed for analysis. Unfortunately, this approach does not help when a malicious user is already within your network. The HSM stays accessible to them, and the machine identity used to authenticate the machine to the HSM is, necessarily, on the machine itself – and therefore on the cloned machine too.
How can we improve security of machine identities?
There are many ways identity management and security pros try to secure machine identities. Let’s now look at five of the most important security fundamentals to strengthen protection around machine credentials and identities.
1. Vulnerability Management
Most attackers will arrive in your environment through a laptop or workstation. These are the endpoints that are accessing external systems across the public internet. They are also the devices most likely to have USB sticks plugged into them, as well as being subject to the lowest levels of control. The users have non-privileged accounts so there is less risk – right? This is true, assuming your users do indeed all have non-privileged accounts and abide by the principle of least privilege (PoLP). However, most successful attacks exploit vulnerabilities in the system and its software to gain access to privileged accounts – user and machine.
The first of the essential cybersecurity controls for protecting machine identities is an effective vulnerability management system (VMS). Most organizations run a VMS, but analysis of cyber breach reports tells us, year after year, that well-known and entirely preventable vulnerabilities continue to be a primary route to privilege.
Vulnerabilities are classified in a variety of ways to help us assess the risk associated with each. This assessment started with a simple high, medium, low and informational classification and has since been supplemented by the Common Vulnerability Scoring System (CVSS), refined over a number of iterations, in which various parameters are scored to deliver a 0-10 rating.
Perhaps the most valuable piece of information your VMS can give you is the number of known exploits for each vulnerability. Known exploits are the documented attacks that can be launched against the vulnerability. Known exploits are also commonly found in attack ‘kits’ making them extremely easy to use.
Always address the known exploits first—this advice cannot be stressed enough. To use an office building analogy, this is closing and locking the doors and windows.
2. Endpoint Privilege Management
The next three entries (Endpoint Privilege Management, Privileged Password Management, and Secure Remote Access) are the three core privileged access management (PAM) solution areas and can be deployed independently, or as a combined solution, depending on the vendor platform.
Let’s start with Endpoint Privilege Management.
We’ve locked the doors and windows, but some people have keys, bunches of keys, or even all-access passes. If an attacker can find a user with direct access to privilege, they won’t need a vulnerability.
Removing direct privileged access from users is the second essential piece of securing machine identities. This is achieved through Endpoint Privilege Management tools, which offer the ability to elevate privilege for specific applications and processes at run-time via tightly controlled policies. The privilege is granted to the process, not the user, and is the least privilege needed to allow the application or process to run appropriately, further reducing the risk introduced into the environment.
The ability to add multi-factor authentication prior to elevation further constrains the opportunity for privilege misuse, without adding significant friction to the user’s experience.
After just these first two foundational elements of a successful cybersecurity approach, our attacker is left as an unprivileged user with no unlocked access points. A significant step forward.
3. Privileged Password Management
The next area the attacker will typically look to exploit is standard accounts and shared privileged accounts. These include default superuser accounts and the support team accounts that exist to manage and support the environment.
A standard user who occasionally logs into a remote system using a privileged account offers the perfect opportunity for an attacker to harvest those credentials and move onto another system – one potentially with critical data or a critical machine identity that will deliver value.
Privileged Password Management (PPM) enables you to automatically take control of privileged accounts for both humans and non-humans/machines, and secure them in a system that controls the user’s access to them.
All embedded/hard-coded credentials should be replaced with code that uses API calls to the PPM solution. Privileged Password Management solutions periodically change the passwords associated with all types of privileged accounts, or even after every use of the most sensitive accounts. Password management practices such as this eliminate password re-use and brute-force attacks as the password is changing frequently. An attacker is unlikely to try to access the target while the user is active as that will normally kick them off and raise suspicion. They will wait until the user completes their session only to find the credentials have changed.
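The replacement of an embedded credential with a per-use lookup, as an added example that is not code from the post or from any PPM product: `FakePPM` and `FakeDB` are constructed in-memory stand-ins, and the account name and legacy password are made-up values.

```python
"""Added example, not from the original post: swap a hard-coded credential for a per-use
PPM lookup. FakePPM/FakeDB are constructed stand-ins for a real, audited vault API."""
import secrets
from dataclasses import dataclass, field

# Anti-pattern: the credential lives in source, never rotates, and leaks with the repo or image.
LEGACY_DB_PASSWORD = "Winter2021!"  # constructed example value


def legacy_connect(db) -> bool:
    return db.login("svc_reporting", LEGACY_DB_PASSWORD)


@dataclass
class FakePPM:
    """Stand-in vault that rotates a sensitive account's password on every check-in."""
    accounts: dict = field(default_factory=dict)

    def checkout(self, account: str) -> str:
        # A real PPM authenticates the caller (client cert / API key) and audits the checkout.
        return self.accounts[account]

    def checkin(self, account: str) -> None:
        # Rotate after every use, so a harvested copy is worthless once the session ends.
        self.accounts[account] = secrets.token_urlsafe(24)


@dataclass
class FakeDB:
    ppm: FakePPM      # the target system's current password is always in sync with the vault
    account: str

    def login(self, user: str, password: str) -> bool:
        return user == self.account and password == self.ppm.accounts[self.account]


def managed_connect(ppm: FakePPM, db: FakeDB, account: str) -> bool:
    """Fetch the credential at run-time, use it, check it back in. Never cache it."""
    password = ppm.checkout(account)
    try:
        return db.login(account, password)
    finally:
        ppm.checkin(account)


def demo() -> tuple:
    ppm = FakePPM({"svc_reporting": LEGACY_DB_PASSWORD})
    db = FakeDB(ppm, "svc_reporting")
    first = managed_connect(ppm, db, "svc_reporting")   # True: fresh checkout
    stale = legacy_connect(db)                          # False: password rotated after first use
    second = managed_connect(ppm, db, "svc_reporting")  # True: fetched again, rotation is harmless
    return first, stale, second
```

The `stale` result is the attacker's view from the text above: a credential harvested during a session no longer works once the session ends and the vault has rotated it.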
Access into the privileged password management solution should be secured using MFA. One of the benefits of being a human is that we can use something we ‘have’, like a mobile phone, as a secondary authentication factor that an attacker cannot access. Automatic logout on inactivity ensures we do not leave that valuable avenue open on a laptop or workstation left unattended.
4. Secure Remote Access
Don’t forget about users outside of your network. Most organizations have many people working for third-party companies who connect directly to the network, using privileged accounts, to support elements of the environment. Use PAM/PIM to remove their direct access to privileged accounts and Secure Remote Access tools to remove direct network connectivity into the environment. This can be extended to internal support teams as well. With no direct route to the target systems, we increase the level of difficulty for the attacker.
5. Simplify Security
The last point I want to emphasize regarding the fundamentals of protecting machine identities is to keep the model simple. Each of the elements mentioned above can be simple. It takes a little more thought, and the right solution or toolset, but it is absolutely worth it. Simple means easier to design, maintain, manage, update, and, most importantly, respond to when something bad is happening.
Important Next Steps for Machine Identity Security
Many machine identities will be effectively secured with the controls above. Storing privileged credentials, keys, and secrets away from the machines will reduce the risk from theft of the machines themselves – whether physical or virtual. We can use aspects of the fundamental machine identity, such as IP address and/or certificates, to secure access to the privileged accounts that the machine needs. Rotating the certificate, key, secret, or password, just as we have indicated for privileged identities above, prevents cached information from being exploited for lateral movement across the network and/or further privilege elevation.
Just as with privileged user identities, privileged machine identities benefit from layered security. By not relying on a single control point, you also improve your ability to prevent unauthorized access. Access to the HSM is delivered through an identity managed by the privileged password management solution (in high-volume, highly automated environments, a DevOps tool). Access to that solution is controlled using aspects of the machine identity that are impossible to change or fake without significant privileged user access. The layers work together, even if not directly integrated, to present an opaque, and therefore harder to penetrate, picture to the unauthorized.
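A credential-release check that layers two machine-identity attributes in the way described above, as an added example (not the post's or any product's code): it assumes a registry keyed by machine id, and the "certificate" is a placeholder byte string standing in for a DER-encoded client certificate.

```python
"""Added example, not from the original post: a constructed credential-release policy that
binds a checkout to the requester's client-certificate fingerprint and its source address,
so a stolen API token alone is not enough to obtain a privileged account."""
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class MachineRecord:
    cert_sha256: str                     # SHA-256 of the machine's DER-encoded client certificate
    allowed_from: ipaddress.IPv4Network  # network the machine legitimately connects from
    accounts: frozenset                  # privileged accounts this machine may check out


def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()


def authorize_checkout(registry: dict, machine_id: str, cert_der: bytes,
                       source_ip: str, account: str) -> tuple:
    """Return (allowed, reason); each denial names the layer that failed, for the audit log."""
    rec = registry.get(machine_id)
    if rec is None:
        return False, "unknown machine"
    if fingerprint(cert_der) != rec.cert_sha256:
        return False, "certificate mismatch"
    try:
        src = ipaddress.ip_address(source_ip)
    except ValueError:
        return False, "malformed source address"
    if src not in rec.allowed_from:   # an IPv6 source never matches an IPv4 network
        return False, "source address outside registered network"
    if account not in rec.accounts:
        return False, "account not assigned to this machine"
    return True, "ok"


# Constructed registry entry; the "certificate" is a placeholder byte string, not real X.509.
APP01_CERT = b"-----CONSTRUCTED CLIENT CERT FOR app01-----"
REGISTRY = {
    "app01": MachineRecord(
        cert_sha256=fingerprint(APP01_CERT),
        allowed_from=ipaddress.ip_network("10.20.0.0/24"),
        accounts=frozenset({"svc_reporting"}),
    ),
}
```

A cloned machine that carries the certificate but runs from another network, or a caller with the right address but a different certificate, fails on exactly one named layer, which is what makes these denials useful detection events.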
As much as possible, you want to prevent machines from locally storing the identities used in their operation. The layers, each with simple requirements, will quickly add up to a significant obstacle to an attacker. The harder it is for them to move forward, the greater the chance you will see events indicating their presence. And, with this simple model built on a strong foundation of security controls, you’ll be able to respond with speed and confidence.
Brian Chappell, Chief Security Strategist, EMEA & APAC
Brian has more than 30 years of IT and cybersecurity experience in a career that has spanned system integrators, PC and Software vendors, and high-tech multi-nationals. He has held senior roles in both the vendor and the enterprise space in companies such as Amstrad plc, BBC Television, GlaxoSmithKline, and BeyondTrust. At BeyondTrust, Brian has led Sales Engineering across EMEA and APAC, Product Management globally for Privileged Password Management, and now focuses on security strategy both internally and externally. Brian can also be found speaking at conferences, authoring articles and blog posts, as well as providing expert commentary for the world press.