Why it’s time Australian enterprises made a better job of managing machine identities

Ever logged onto a web site to be met with a pop-up box announcing that the connection is not secure and, consequently, your information may be at risk?

It’s disconcerting and off-putting and while there’s usually an option to continue, many of us choose not to, for fear we’ll fall victim to some form of cyber-skulduggery.

Tracking the trouble

Why does it happen? Failure to renew a digital certificate will do it. A form of identification system for computer systems, digital certificates are issued by third party organisations or certification authorities.

Valid for up to two years, certificates contain information about both issuer and recipient. They’re what safeguards the flow of information between secure and trusted machines and what makes it possible to prevent electronic communication with devices whose integrity hasn’t been verified.

Expired certificates can result in server access being blocked. That’s an inconvenient occurrence if the server in question is hosting internal systems and it can be damaging, economically and reputationally, if external systems are adversely affected.

A number of high profile organisations have found this out, to their cost, in recent times, including professional networking site LinkedIn. Its UK users found themselves locked out of the site in late 2017 after the company accidentally allowed security certificates to lapse.

Many larger organisations have dozens or even hundreds of certificates and keeping track of them can be a challenge for ICT staff.

A growing issue in the mobile computing era

Managing and securing machine identities is a largely overlooked piece of the security jigsaw. While businesses globally spend around $US7 billion a year on identity and access management, the bulk of this sum is devoted to protecting user names and passwords. Typically, only a fraction is put towards securing machine identities. That’s despite the fact that poorly secured machine identities can be the catalyst for an array of incidents, including outages and data breaches.

It’s a large and growing problem – according to 2018 Forrester research commissioned by Venafi, 80 per cent of organisations struggle to protect their machine identities. Ninety-six per cent of enterprises think it’s important, alright, but most of them track less than half of those in use in their enterprises.

The ongoing adoption of new technologies – think Artificial Intelligence, DevOps, Internet of Things (IoT) devices and the like – isn’t helping. In fact, the reverse. It’s caused an exponential increase in the number of certificates, without the emergence of an effective protocol to monitor and manage them.

Here are some issues to consider if you’re looking to tighten up the way your enterprise manages machine identities.

Where are they?

You can’t manage what you can’t measure. Documenting the location of every machine identity within the enterprise is the first step towards a more rigorous regime. Creating an exhaustive inventory and developing a procedure for the addition of new identities as they come online makes it easier to identity and respond to security incidents as they arise.

Central control

In the Bring Your Own Device era, it’s not a given that your organisation will own every device in use across the enterprise. Nor is it necessarily the case that machine identities will be requested and issued centrally. It’s quite likely they won’t be. Centralising the process of obtaining new machine identities makes it possible for security staff to track down problematic or soon-to-expire identities and remediate them swiftly. Automating the tracking process can make this task immeasurably easier and save on low-value administration work.

The fact that machine identities aren’t ‘plug and play’ technology yet is another compelling argument for assigning their management to a single business unit. Every machine can require customised configuration and it’s not too difficult to get it wrong, with the resulting introduction of vulnerability – to both the device in question and the enterprise as a whole.

Staying abreast of security developments

Machine identities are secured by encryption, namely the use of complex cyphers – and the more complex the better. But no technology is tamper-proof and protocols such as SSH and TLS are still throwing up new vulnerabilities. The most notable example of this in recent times was Heartbleed – a security bug in OpenSSL cryptography, first publicised in 2014, which affected around 500,000 secure web servers globally. Keeping abreast of vulnerabilities and taking prompt remedial action when necessary will reduce the likelihood of compromise by carelessness.

Front foot forward

Protecting machine identities is one of the many non-glamorous elements of the cyber-security detail but one which Australian organisations overlook at their peril. Having a stringent regulatory regime around their introduction and management will reduce the likelihood of your enterprise suffering the negative repercussions that come standard with high tech security breaches in the digital era.