Zero trust is the gold standard for most cybersecurity practices. But achieving that gold standard – and achieving it consistently – is easier said than done. Gartner predicts that 60% of organizations will adopt zero trust architecture by 2025, but more than half will fail to realize the benefits.
There’s a full solution wheel necessary to establish zero trust architecture in an organization. In a world of rapidly increasing machine-to-machine communications, many enterprises are missing a critical part of that wheel: Machine identity management.
Machine identity management is critical to zero trust architecture because it’s the only way for organizations to secure APIs confidently. With threat actors becoming more sophisticated than ever, security leaders must innovate bigger and bolder ways to tackle the greatest challenge to API security: Verifying with 100% certainty that each machine is – and is being utilized by – an authorized user.
Static, Long-Lived Certificates, Keys, and Secrets are No Longer Enough
Gartner predicts that APIs will be the most common attack vector by the end of 2022, and it’s easy to see why. Keys, certificates, and secrets are no longer enough to ensure that APIs are properly protected. That’s because:
- API secrets are difficult to track: With hundreds of thousands more machine identities in use, security teams must watch over an unwieldy and growing number of credentials. According to Ponemon, 53% of organizations do not know exactly how many keys and certificates they have for that exact reason.
- Their leaks can snowball fast: Due to how digitally connected we are from app to app, information spread (both good and bad) expands exponentially. Even validating private keys, through processes such as mTLS, is never a 100% guarantee that the machines holding them are authorized users.
As a result, poor secrets hygiene and management is leading to devastatingly leaky APIs — an issue that can affect organizations of all digital maturities and sizes. In August of 2022, cybersecurity researchers discovered that over 3,200 apps leaked Twitter API keys, leaving users wide open to threat actor takeovers.
The Rise of Machine Identity Management
Cisco predicts that over 29 billion devices will be connected to the internet by 2023. Internet traffic is increasingly machine-to-machine, with little to no human intervention. Automation has made machine-to-machine communications smooth and speedy. But when everything happens fast, that means mistakes (or even worse, leaks) also happen fast.
The strongest cybersecurity programs will strive for the best but plan for the worst. Organizations must increasingly turn to machine identity management to plan for when – not if – those leaks will happen.
What is Machine Identity Management?
Machine identity management (MIM) is the process of governing, certifying, and orchestrating identities of machines. Traditionally, it refers to the management of certificates and keys that grant these devices access to an organization’s sensitive resources and services, including APIs.
MIM is an essential pillar of public key infrastructure (PKI), which governs authorized identities and the digital certificates that grant them access. A robust MIM program includes a system of practices, policies, and processes that ensure the secure digital exchange of information.
Strategies for Improved Machine Identity Management
With Marsh McLennan Cyber Risk Analytics Center reporting that API leaks have the potential to cost organizations worldwide up to $75 billion a year, enhancing machine identity management must be a top priority for modern organizations. Machine identity management practices will not be able to keep up if they don’t adapt to the speed with which machines work.
Check your API Scorecard
With so many products and methods of machine identity management emerging, it can be tough to know where to start. Organizations can utilize resources like an API scorecard to get a crash course on the most tried and true resources on cybersecurity best practices, including:
Scorecards help strengthen API security programs by:
- Pinpointing gaps in your cybersecurity that might impact your API security health.
- Identifying strategies that fit your business best based on your APIs endpoints, services, and authorized parties.
- Highlighting ways to manage your machine identities based on your organization’s size, scope, and work.
Establish Automated Machine Identity Management Systems
Investing in secrets management might seem more budget-friendly than investing in machine identity management– especially if your organization is already using secrets to validate identity. The fact is, relying on secrets management alone is riskier and can be more costly in the long run. Secrets management only ensures your own hygiene, leaving the hygiene of third parties up to chance and blind faith.
When other apps don’t have secrets hygiene that’s up to par, it can be devastating. In 2022, URLScan accidentally leaked a treasure trove of sensitive information, including API keys and secrets, to the open web. The app, which is integrated into several security solutions via its API, inadvertently exposed mountains of external data for threat actors to take advantage of.
There’s only one way to ensure that zero trust is practiced and implemented in every interaction with your APIs: By automating your machine identity management practices. Automating identity validation adds another layer of security that prevents threat actors from creating and intercepting sessions on your servers.
For organizations that purely rely on secrets and keys, a leak might result in a mad dash to quickly rotate all secrets to prevent a breach. Meanwhile, automated machine identity management provides an extra layer of defense against breaches – regardless of stolen or exposed secrets.
Adopt MFA for Machines
Machine identity management can be intimidating for those that must build it from the ground up. It’s easy for organizations to get overwhelmed by the sheer amount of touch points they have to manage. According to Ponemon, the average IT organization has over 267,000 unique machine identities – that number is only projected to grow year by year.
Wrangling all of these identities by human force alone is unrealistic. What is realistic is implementing a multi-factor authentication process with machine interactions. MFA adds the solid layer of security that organizations need to ensure that each machine identity is an authorized user.
When it comes to zero trust, MFA for machines helps create a story for your non-person entities (NPEs). Why are these “stories” so important? Because they help validate the identity of who (er – what) is trying to make API calls when and where – without relying on flawed and easily compromisable secrets, keys, or certificates.
To establish these stories, organizations should seek out MFA tools that:
- Track API calls across their entire business
- Work with their existing tech stack
- Account for third-party interactions
- Leverage automation for speed, efficiency, and accuracy
Staying True to Zero Trust
There’s only one thing that creates the best line of defense against evolving threats: Practicing zero trust throughout your entire enterprise – including your APIs. To shore up their zero trust architecture, organizations must have consistent stories for their non-person entities (or machines). Without that clear story, threat actors can easily jump in and rewrite their own false narratives about NPE identities.
A robust machine identity management program aligns your organization with this core tenet of zero trust: Continuous verification. It safeguards your business against both internal and external securities, building a layer of defense for when – not if – compromises arise.
Wondering where to start in your journey toward implementing zero trust practices? Check out our guide on NIST 800-207 for the must-knows of creating a robust cyber defense program.
