Zero Trust: Not Just for Humans, but Also Machines

By now, zero trust has become a well-known cybersecurity approach to defend against identity-based intrusions. As exemplified in the Identity Defined Security Alliance’s (IDSA)  “Path to Zero Trust Starts with Identity” white paper, zero trust is about acknowledging that threat actors will make their way into an organization’s environment and, therefore, defenses must be built with that idea in mind.

Many businesses begin the path toward zero trust after experiencing a breach or failing an audit. With its emphasis on identity management and access control, zero trust is a natural answer to many of the requirements of compliance regulations as well as cybersecurity. Nonetheless, many organizations are still lacking key identity-related security controls. In fact, a recent study by the IDSA reveals credential-based data breaches are both ubiquitous (94% of survey respondents experienced an identity-related attack) and highly preventable (99%).

The somber truth is that hackers don’t hack in anymore—they log in using weak, default, stolen or otherwise compromised credentials.

Today’s economic climate exacerbates these cyber risks, and the impact of the COVID-19 epidemic has led to an acceleration in digital transformation and technical change that will further stress-test organizations’ identity and access management (IAM) practices. This creates new challenges in minimizing access-related risks across traditional data centers, cloud and DevOps environments.

Companies that have adopted an identity-centric approach to security are typically focusing on human users—customers, employees, IT administrators, consultants or business partners. However, this flies in the face of reality. Today, identities include not just people but also workloads, microservices and applications.

In fact, non-person identities (also called machine identities) represent the majority of “users” in many organizations. Machine identities are often associated with privileged accounts and typically have a much larger footprint than traditional human privileged accounts within modern IT infrastructures. This is especially true in DevOps and cloud environments, where task automation plays a dominant role.

Ultimately, these new types of machines and modern cloud-native application architectures are driving organizations to rethink their IAM strategies, as otherwise they would be exposed to a blind spot that their cyber adversaries can easily exploit. In a recent Gartner report, “Managing Machine Identities, Secrets, Keys, and Certificates,” the author confirms that “an uneasy feeling of not being in control and the lack of accountability are often well-founded.” Gartner mentions the existence of shadow IAM deployments that issue, manage and control keys, secrets and certificates; the occurrence of ghost Secure Shell (SSH) keys across the organization’s different devices and workloads; and the lack of good guidance around the usage of machine identities as a few examples of how companies are struggling to deal with machine identities.

Besides underestimating the relevance of non-person identities in the context of a data breach, many organizations are quickly realizing that the traditional static password concept, which often requires manual and time-consuming configurations, is not suitable in fast-moving multi-cloud and hybrid environments, where access needs are often temporary and changes are constant. So, what does this mean for the future of passwords and how organizations approach controlling access to their sensitive resources?

Zero Trust: Start With the Basics

Gartner recommends going back to the drawing board and developing an enterprisewide identity, secrets and key management strategy that should include the following basic steps:

  • Define a common nomenclature for a machine identity.

  • Distinguish between how machine identities are stored in central and local identity repositories (e.g., Active Directory or a database) and the credentials the machines use.

  • Understand the needs of different business units and regulatory requirements the organization has to fulfill.

  • Assess the different technologies that can assist in managing machine credentials, such as:

    • Hardware security modules (HSM)

    • Key management systems (KMS)

    • Secrets management systems

    • Privileged access management (PAM)

    • Built-in capabilities and tools in the offerings from IaaS/PaaS providers

  • Establish ownership of the machine and credentials.

  • Provide best practices and guidance to stakeholders throughout the organization (e.g., DevOps).

Advancing Your Authentication Model

Once organizations implement those basic steps, they have to relinquish their reliance on a static password model and instead move to a dynamic password approach. These ephemeral, certificate-based access credentials address the major security issues that plague static passwords without impacting usability and agility in highly digitalized IT environments.

When implementing ephemeral certificate-based authorization, the target systems are accessed without the need for permanent access credentials, establishing a “zero standing privilege” stance based on zero trust principles that ensures all access to services must be authenticated, authorized and encrypted. For each session (be it for a human or machine), the ephemeral certificate is issued from the Certificate Authority (CA), which serves as the trusted third party and is based on industry standards such as the temporary X.509 certificate. It encodes the user identity for security purposes and has a short lifetime, avoiding the risk of man-in-the-middle attacks.

Ultimately, the CA controls access to the target system based on user roles (including roles assigned to workloads, services and machines), which are created based on rules. The rules for particular roles are generated according to security policies and access requirements. The CA then obtains the rules for each role from the traditional enterprise directory (e.g., Microsoft Active Directory) and uses them to determine proper authentication. This approach alleviates setting up access for each individual user/machine and enables streamlined updates to groups of users/machines.

Conclusion

The integration of identity with security is still a work in progress, with less than half of businesses having fully implemented key identity-related access controls according to the IDSA research study. The key to starting that path is acknowledgment that an identity-centric approach to security based on zero trust principles doesn’t only apply to humans, but also to machines.

Avatar photo

Torsten George

Torsten George is a cyber security evangelist at Centrify. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 25 years and regularly provides commentary and publishes articles on data breaches, insider threats, cyber warfare, incident response, and IT security best practices, as well as other cybersecurity topics in media outlets. He is also the co-author of the "Zero Trust Privilege For Dummies" book.

tosten-george has 2 posts and counting.See all posts by tosten-george