Machine identities have become an integral part of today’s digital world. As more and more companies are adopting distributed, dynamic cloud-native services, machine identities play a critical role in ensuring secure communication between “things”.
Machine identities consist of workload identities, which refer to software workloads such as containers, VMs, applications, services and microservices; and device identities representing desktop, mobile, IoT/OT and other types of devices.
As organizations continue to expand their cloud environments, the number of machine identities grows exponentially. In fact, according to Microsoft’s 2023 State of Cloud Permissions Risks Report, machine identities already outnumber human identities 10x, and this ratio is expected to increase in the coming years.
The growth of machine identities presents significant challenges for cloud security teams. First and foremost, there is a big difference between protecting people and machines. For humans, we already have established and well-structured approaches, processes and workflows, which are all based on the practice of employing usernames and passwords to authenticate users, and providing them with access permissions.
Machines, on the other hand, can’t use usernames and passwords. Instead, we typically use encryption keys and certificates. Each machine identity requires a digital certificate that must be periodically updated and renewed. The problem begins when the number of machine identities starts growing out of control.
Cloud computing services allow organizations to quickly and easily deploy new applications and workloads. Each of these cloud-based workloads requires its own machine identity.
At the same time, the growing adoption of containerization and microservices architectures allows organizations to break down applications into smaller, more modular components, each of which typically has its own machine (workload) identity. Many of these entities have a lifespan of only a few days or hours. Furthermore, the implementation of DevOps practices leads to more frequent changes to applications and workloads that can be difficult to keep track of in a dynamic cloud environment.
In addition to workload identities, device identities are also growing in numbers as IoT devices continue to proliferate in homes, businesses, and industrial environments.
The limited visibility and control over the propagation of machine identities may have critical consequences. According to Microsoft’s report, 80% of workload identities are inactive.
Moreover, on average, workload identities use only 5% of their granted permissions. These inactive identities and unused permissions can potentially open up attack vectors for malicious actors. Attackers can exploit misconfigured workload identities to gain unauthorized access to resources. For example, if a workload identity is assigned too many permissions, an attacker could compromise the identity and use it to access sensitive data or perform malicious actions.
In addition, once an attacker has compromised a workload identity, they can use it to move laterally within the network and gain access to other resources. This is possible because workload identities are often granted access to multiple resources, including other workloads, data stores, and applications.
Attackers can also create a large number of workload identities and then use them to launch DDoS attacks by simultaneously sending requests to a target resource and causing it to become unavailable.
Such risks can be mitigated by having centralized visibility and control over machine identities throughout their lifecycle across the entire cloud environment. But with so many identities, resources, and complex dependencies between them, managing access policies and controls using traditional approaches becomes a tedious, error-prone task, resulting in multiple misconfigurations that can be exploited by attackers.
One of the main reasons behind the growing number of misconfigured machine identities and permissions is that companies are under pressure to release code quickly. Coupled with the ease of setting up resources in the cloud, developers often deploy code multiple times per day.
To support the rapid pace of code deployments, more and more responsibilities are “shifting left” from IT teams to cloud developers, including security-related tasks.
However, cloud developers may not be adequately aware of the security risks associated with machine identities, or they lack the necessary expertise to configure them securely.
Thus, under the pressure to release code faster, developers may be tempted to take shortcuts, which can lead to manual errors and misconfigurations. These may include, for example, hardcoding secrets or keys in code or configuration files, granting too many permissions to machine identities, failing to revoke credentials when they are no longer needed, failing to segment machine identities into different networks, and more.
Identifying and resolving these vulnerabilities is a challenging task due to the lack of adequate tools.
While public cloud providers offer their own IAM tools and services for managing machine identities, these solutions are not a silver bullet.
Public cloud providers are responsible for securing the infrastructure that their customers use to host their workloads. However, customers are still responsible for securing their own workloads, including the machine identities that they use.
This means that customers must implement their own least privilege policies, ensure that machine identities are granted only the permissions that they need to perform their tasks, and regularly review and update permissions.
In addition, as cloud provider IAM solutions are specific to their platforms, companies cannot effectively use them to manage machine identities from third-party cloud services and on-premises systems.
For example, AWS Access Analyzer creates IAM permissions templates based on CloudTrail activity. Hence, it only covers AWS-managed machine identities such as IAM roles and EC2 instances. It does not cover third-party machine identities including service accounts and SSH keys.
In addition, while Access Analyzer can identify some machine identity related access risks, such as excessive permissions and misconfigurations, it cannot identify all risks, most notably compromised machine identities and malicious use of machine identities.
Microsoft’s report concludes that in order to prevent permission exploitation, organizations should be able to “track workload identities’ predictable behavior patterns and right-size their permissions to avoid unauthorized access to cloud resources.” In other words, to effectively protect the cloud environment, the least privilege principle, which has become a best practice for cloud access security, should be applied on human and machine identities alike.
Rightsizing cloud access permissions is a complex task though. In a complex, highly dynamic cloud environment, ensuring that machine identities are issued only to authorized machines, that all certificates are renewed on time, and that any unused certificates are revoked, requires comprehensive visibility into a range of factors.
In addition to keeping track of machine identities, customers must also continuously analyze workload behavior, cloud resources and the data associated with them. This way, machine identity-related risks can be identified and mitigated based on context, enabling customers to evaluate and prioritize risks in a much more accurate manner, and to automatically apply policies that match the real level of threat.
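As an added example (not Solvo's or AWS's code; the role names, ARNs and CloudTrail-style events below are constructed), the following Python script shows the right-sizing loop described above: compare what each workload identity was granted with what it actually used inside a lookback window, flag identities that were idle for the whole window and identities holding wildcard grants, and emit a least-privilege policy that allows only the observed actions. It goes slightly beyond the text by scoping each generated statement to the resource the activity touched, rather than allowing the action on every resource.

```python
"""Right-size workload identity permissions from observed activity.

Added example with constructed data. GRANTED models the actions attached to each
identity; EVENTS models audit-log activity of the kind CloudTrail records.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

# Constructed sample: hypothetical role names and the actions they are granted.
GRANTED: Dict[str, Set[str]] = {
    "role/order-service": {
        "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
        "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteTable",
        "iam:PassRole", "sqs:SendMessage", "sqs:ReceiveMessage",
    },
    "role/nightly-report": {"s3:GetObject", "s3:PutObject", "ses:SendEmail"},
    "role/legacy-importer": {"s3:*", "dynamodb:*"},
}

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
# Constructed ARNs (123456789012 is a placeholder account id).
S3 = "arn:aws:s3:::orders-bucket/*"
DDB = "arn:aws:dynamodb:us-east-1:123456789012:table/orders"
SQS = "arn:aws:sqs:us-east-1:123456789012:orders-queue"
SES = "arn:aws:ses:us-east-1:123456789012:identity/example.com"

# Constructed activity log: (identity, action, resource, timestamp).
EVENTS: List[Tuple[str, str, str, datetime]] = [
    ("role/order-service", "s3:GetObject", S3, NOW - timedelta(days=1)),
    ("role/order-service", "s3:PutObject", S3, NOW - timedelta(days=2)),
    ("role/order-service", "dynamodb:GetItem", DDB, NOW - timedelta(hours=3)),
    ("role/order-service", "dynamodb:PutItem", DDB, NOW - timedelta(days=5)),
    ("role/order-service", "sqs:SendMessage", SQS, NOW - timedelta(days=1)),
    ("role/nightly-report", "s3:GetObject", S3, NOW - timedelta(days=40)),
    ("role/nightly-report", "ses:SendEmail", SES, NOW - timedelta(days=40)),
    ("role/legacy-importer", "s3:GetObject", S3, NOW - timedelta(days=200)),
]


def action_allowed(action: str, grants: Set[str]) -> bool:
    """True if the action is covered by an exact grant or a service/global wildcard."""
    service = action.split(":", 1)[0]
    return action in grants or f"{service}:*" in grants or "*" in grants


def recent_events(events, now, window_days):
    """Only events inside the lookback window count as 'used'."""
    cutoff = now - timedelta(days=window_days)
    return [e for e in events if e[3] >= cutoff]


def inactive_identities(granted, events, now, max_idle_days=90):
    """Identities with no activity at all inside the idle window."""
    active = {e[0] for e in recent_events(events, now, max_idle_days)}
    return sorted(i for i in granted if i not in active)


def wildcard_grants(granted):
    """Identities holding a wildcard grant, which can never be shown to be fully used."""
    return sorted(i for i, g in granted.items() if any(a.endswith("*") for a in g))


def permission_utilization(granted, events, now, window_days=90):
    """Share of explicitly granted actions observed in the window (wildcards never match)."""
    used: Dict[str, Set[str]] = {}
    for ident, action, _res, _ts in recent_events(events, now, window_days):
        used.setdefault(ident, set()).add(action)
    return {i: (round(len(used.get(i, set()) & g) / len(g), 2) if g else 0.0)
            for i, g in granted.items()}


def right_size_policy(identity, granted, events, now, window_days=90):
    """Return (policy, removed): one Allow statement per resource holding only the
    actions actually observed, plus the granted actions never seen in the window."""
    grants = granted[identity]
    by_resource: Dict[str, Set[str]] = {}
    for ident, action, resource, _ts in recent_events(events, now, window_days):
        if ident == identity and action_allowed(action, grants):
            by_resource.setdefault(resource, set()).add(action)
    observed = set().union(*by_resource.values()) if by_resource else set()
    policy = {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(acts), "Resource": res}
            for res, acts in sorted(by_resource.items())
        ],
    }
    removed = sorted(a for a in grants if a not in observed)
    return policy, removed


if __name__ == "__main__":
    print("inactive:", inactive_identities(GRANTED, EVENTS, NOW))
    print("wildcards:", wildcard_grants(GRANTED))
    print("utilization:", permission_utilization(GRANTED, EVENTS, NOW))
    for ident in GRANTED:
        policy, removed = right_size_policy(ident, GRANTED, EVENTS, NOW)
        print(ident, "keep:", policy["Statement"], "remove:", removed)
```

Run directly to print the report. In practice the granted set comes from the identity's attached policies and the events from CloudTrail or the equivalent audit log, and a generated policy should be reviewed before it replaces the existing one: a 90-day window misses quarterly or yearly jobs, and an identity with no activity in the window (here the legacy importer, which only holds wildcards) is a candidate for removal rather than for an empty policy.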
In light of the sheer number of machine identities, and the ephemeral nature of many of them, keeping track and ensuring that they are properly managed and secured is a growing challenge.
To effectively mitigate this risk, organizations need a comprehensive machine identity management strategy that includes automation, strong access controls, regular audits, and a deep understanding of their specific cloud environment. It’s also essential to stay up-to-date with evolving cloud security best practices and compliance requirements.
Solvo’s adaptive cloud security platform was designed specifically for this purpose. It continuously analyzes human and machine identities for security misconfigurations, automatically identifying risks based on contextual analysis of cloud resources, applications and data.
In addition, Solvo automatically creates customized, least-privileged access policies that are constantly adapted to the level of risk associated with machine identities. Once a misconfiguration is detected, Solvo automatically offers fast and accurate remediation options that are based on industry best practices and regulatory requirements.
With these capabilities, Solvo enables customers to easily define and enforce machine identity policies at scale, and proactively mitigate associated risks based on real-time, contextual understanding of their cloud security posture.
Comprehensive visibility into your cloud infrastructure inventory
Create customized, automatically updated least privileged access policies based on the level of risk associated with entities, resources, applications and data in the cloud
Proactively monitor, identify, prioritize and remediate the most critical risks to your cloud infrastructure
Minimize cloud security alert fatigue and false positives
Reduce your cloud attack surface to innovate and grow your business in a secure manner
Create stronger alignment and improved collaboration between security, developer and engineering teams
Simplify compliance and reporting
Discover and address cloud risks effectively and empower your security team with the autonomy they need.
Or explore on your own time with a free trial