When we think of machines and their rise, automatically, our mind goes to the series of sci-fi movies that have filled generations. The androids featured in Star Trek and Star Wars, a cyborg in Terminator, the intelligent machines in The Matrix, and even your friendly robo-hero, Wall-E—the machines have ruled a large part of movies.
Although we are far from the fictional turn of events featured in them, such as machines taking over the world, we are still heavily influenced by machines in this era. By definition, machines aren’t limited to your Alexa and Siri, or even the laptop in front of you or that phone at your fingertips—they start from the very basics. The applications, service meshes, containers, microservices, virtual machines, IoT devices, APIs, algorithms—basically every non-human entity which you interact with every day.
While we aren’t at immediate risk of being ruled over by the machines, we still are at significant risk due to this uprise in the number of machines. This rise, combined with the lack of focus on their security, is a big cause for concern. While machines are imperative for digital transformation, this effort has to be led with security in mind, not just innovation. Humans can only shape this effort with the smart use of the machine’s capabilities and not machines themselves.
Yet, of late, this security has been ignored. Time and again, the data breaches have spoken volumes about the careless nature with which we treat security—when it comes to machines, specifically. While human identity management has received some amount of attention, the identity of machines is still not a prime focus.
A famous neurologist, Stephen Polyak, once jokingly said, “Before we work on artificial intelligence, why don’t we do something about natural stupidity?”
So, let’s do something about it. In this read, let’s understand what machine identity is, what is the current state of these identities, and how we can improve it.
What is Machine Identity?
You and I have our email ids, government-approved IDs, and a bunch of other factors to verify we are who we claim to be. And on a business level, you create accounts with which you can perform certain activities—use an application, read data, and if you have a privileged account, you could even make admin-level changes in your organization. Bottom line is that you are entitled to these applications, their use cases because of your identity. Every time you want to access any of these, your identity is authenticated and then checked to see if you are authorized to it. These are carried out through 2-factor authentications, biometrics, among others.
Similarly, with the rise of machines, there are certain stringent methods to assign identities—digital certificates are used most commonly. This is necessary to ensure that the flow of data in a machine to machine communication happens only once they are authenticated (their identity is verified). This is a stamp of approval that your data is always shared across trusted machines.
According to a Gartner report, by 2020, for every human, there will be 4 devices. Think of the complexity and the boom of machines that lies in the future when you include every algorithm and application in question.
But is the security booming alongside? Sadly, no.
According to a Forrester-Venafi survey, 80% of the respondents stated they struggled with basic machine identity protection. And less than 25% of them focused on protecting machine identities of microservices and containers—which are crucial.
Why protecting machine identities is essential?
Besides the alarming statistics on the rise of machines and the lack of rise in security, there are several factors influencing machine identities and their protection.
We have moved from an on-prem environment to that of a hybrid or multi-cloud one. This means all the more involvement of machines in carrying out functionalities and data residing in centers away from you. And mostly we have moved from a static to dynamic infrastructure. You don’t just talk about the management of IT resources anymore, it’s in the language of provisioning and connecting. It is a constant cycle of requesting access, approving or denying it, and carrying out necessary tasks. There is a dedicated identity and access management market, but most of the focus is on human identities. A Forrester report predicts that the global IAM market will be worth $14.82 million by 2021.
This is proof that there is a dedicated focus on protecting identities, the problem lies in understanding how to extend it to machines as well. After all, machines are the ones executing the necessary actions. With the advent of cognitive technologies, they are also the ones that are evolving and learning how to make intelligent decisions based on data and the anomalies they bring.
It is not just about cloud computing anymore, technologies are driven by innovation, and the need to “stay relevant” is pushing old boundaries. The Internet of Things (IoT) is the most significant example of this premise. It is essentially communication and data transfer between a network of devices. Some of the devices in this network were barely even equipped to handle encryption, let alone advanced security policies. With the emergence of 5G, the capabilities of an IoT network are going to go beyond leaps and bounds.
You can read our blog, IoT insecurity to security to understand this better.
Even the smart devices in your homes aren’t free from threats. According to The Washington Post, a ring camera installed in a child’s bedroom was hacked, and the bad actor tried to communicate with the child too!
You can read our blog, Alexa, what is my cybersecurity status? to understand the risks with smart devices and how to protect your privacy.
The vectors through which a hacker can take advantage of the lack of stringent security measures are endless. With the increasing surface landscape of machines that are susceptible to such threats, it is crucial now, more than ever, to enforce the protection of machine identities.
How to protect machine identities?
Machines are identified by digital certificates that are assigned by dedicated Certification Authorities (CA). With this certificate, communication is possible due to the Public Key Infrastructure (PKI), which encrypts the data for machines that talk to each other.
Yet, there lacks a dedicated inventory to manage these certificates resulting in several security-related outages. According to a poll, CIOs reported system outages because of expired certificates. There is a severe dearth of attention in keeping track of them and update/renew them accordingly.
Not only this, several fake certificates are rolled out to get hold of data. According to a report by the Recorded Future, these certificates that impersonate the original ones are available for sale with a price range of $299 to $1799.
This shows there is a dire need to keep these in check, check the reliability of certificates, and implement measures around machine identities in general.
The domain of identity and access management , although has extended its solutions to machines as well. It must be embraced by organizations to apply the solution beyond humans too.
Governing the accesses of those who have access to these machines is a start. The ones who have access to machines can easily violate it. There must be downloadable compliance reports on who has access to what. These accesses must be watched vigilantly.
Enforcement of policies must be made stringent for machines as well. The machines in use, their authentication, and authorization must be carried out efficiently.
Use machines to understand machines. A lot of the provisioning work requires human power, and it can take days to carry out. If you want your security measures to be more proactive rather than reactive, leverage cognitive technologies. They can read through a sea of data, detect anomalies, and even recognize possibilities of a data breach before they occur.
Automating security with machines for the protection of machine identities is the way to go. As they say in The Matrix movie, “never send a human to do a machine’s job”.