Identity access has always been a hot topic in the field of cybersecurity, with the importance of good password practices and multi-factor authentication frequently advocated by experts. Other forms of authentication, such as biometrics, have been increasingly discussed over recent years, as has the need to bring in restrictions to user privileges to protect organizations.
However, as the use of machines within organizations surges, ranging from IoT devices to software-defined applications, is there a lack of emphasis on identity access for these tools? That is certainly the view of Jeff Hudson, CEO of Venafi, who recently spoke to Infosecurity about the growing importance of securing machine identities in light of the SolarWinds attack at the end of last year.
How has machine identity security developed over the years, and to what extent has its importance become more recognized?
Digital transformation has led to an explosion of machines which can be any connected device, application, cloud-native software microservice, virtual machine or algorithm. In order for these machines to be able to communicate with each other securely they need to authenticate themselves to each other. In the same way humans are authenticated for online activities using usernames and passwords, every machine also needs an identity to communicate securely. Machines don’t rely on usernames and passwords; instead they use cryptographic keys and digital certificates as well as other authentication tokens.
The security industry has focused the majority of identity and access management on user authentication, but the lack of proper machine identity management is actually a much bigger problem. Weak machine identity management has played a key role in many of the biggest breaches over the years including Target, Equifax, Stuxnet, Heartbleed and SolarWinds. It can lead to outages. Just this summer, an expired digital certificate within the state of California’s COVID-19 reporting system led to a backlog of 300,000 lab test results. The bad guys know this and are taking advantage of it. Our research found that machine identity-related cyber-attacks grew by more than 400% between 2018 and 2019.
What are the most common security issues you see associated with machine identities?
We’re seeing more software supply chain attacks that target the development and code signing processes. Attackers inject modified code either into a company’s software update process or into their software development environment, as happened in the SolarWinds attack. This is particularly dangerous because it enables attackers to distribute back doors and other malware broadly.
Another big problem is poor management of TLS certificates. Often, IT has no idea which certificates are being used in the organization, or where they are deployed. This means that certificates can expire unexpectedly, taking down a critical service. Beyond these operational issues, attackers that are able to compromise TLS certificates can eavesdrop on encrypted traffic or masquerade as a legitimate website or device.
Has the need for strong machine identity security increased as a result of the shift to remote working since COVID-19?
The dangers of mismanaged machine identities vastly increased when companies shifted to remote working. The pandemic spurred organizations to quickly ramp up digital transformation efforts to keep employees working and businesses running. Security teams, who were already stretched thin before the pandemic, are now faced with an avalanche of additional digital certificates which are critical to keeping critical services up and running.
To what extent did machine identity play a part in the recent SolarWinds hack and what lessons can be learned from this for the future?
Without more details on exactly how the SolarWinds attack occurred, it is difficult to know the precise roles played by compromised machine identities. We do know that threat actors got into the SolarWinds software build process and injected malicious code into a software library signed by a compromised X.509 certificate. We also know that part of the threat actors’ strategy was to forge SAML tokens and sign them with legitimate certificates to impersonate trusted, authorized users. Compromised machine identities were clearly an essential part of the kill chain.
The impact of a successful software supply chain attack can be devastating. There is very little customers of a compromised vendor can do to protect themselves against these attacks. Awareness of these risks is critical, but software development companies must also take action.
What advice do you have for organizations about how they should manage machine identities in the current threat landscape?
Every software organization needs to evaluate how they secure machine identities. It is absolutely critical that organizations shift left and bake in machine identity management and protection into their software development processes. This goes beyond improving security efforts focused on reducing vulnerabilities in the code. The entire build process needs to be secured with machine identities. Each of these identities needs to be managed; this includes visibility of all signing certificates in use, intelligence about how they are being used and automation to manage their full lifecycle. Without this, malicious actors will continue to successfully target the software development process.
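The certificate visibility problem raised in both answers above (TLS certificates nobody tracks expiring and taking down a service, and the advice to have visibility of every certificate in use) is, at its simplest, an inventory audit. The following is an added example, not Venafi's code or anything from the interview: it walks a concatenated PEM bundle, skips non-certificate blocks, and classifies each certificate as expired, expiring within an assumed 30-day warning window, or ok. The certificates it runs against are self-signed ones constructed inline for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// AuditPEM walks every CERTIFICATE block in a concatenated PEM inventory and maps each
// subject CN to "expired", "expiring" (still valid but inside the warning window) or "ok".
// Non-certificate blocks (keys, CSRs) are skipped; a malformed certificate aborts the audit
// rather than being silently dropped, since a cert you cannot parse is still one you own.
func AuditPEM(bundle []byte, now time.Time, warn time.Duration) (map[string]string, error) {
	report := map[string]string{}
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		status := "ok"
		if now.After(cert.NotAfter) {
			status = "expired"
		} else if now.Add(warn).After(cert.NotAfter) {
			status = "expiring"
		}
		report[cert.Subject.CommonName] = status
	}
	return report, nil
}

// SelfSignedPEM builds a constructed self-signed certificate purely to populate a
// sample inventory; it is not from any real system. The validity window is the only
// thing the audit cares about, so everything else in the template is minimal.
func SelfSignedPEM(cn string, notBefore, notAfter time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Pointing the audit at a bundle exported from load balancers, build signing hosts and service meshes gives the "what is about to expire" view the interview says most IT teams lack.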