As enterprises have embraced DevOps and containerization, cybersecurity is facing a changing landscape. Typically, security platforms focus on guarding network boundaries and verifying the human identities that access a network. However, as DevOps-led automation has increased, the growing number of machine identities is straining traditional, perimeter-focused cybersecurity.
Critically, machines in a security context aren’t just computers. They cover everything from servers and mobile devices to cloud environments and algorithms. Every type of machine accesses networks differently and introduces new vulnerabilities in an organization’s security posture.
Here are three steps that cloud security leaders must execute right now to prevent machine identities from turning into a security headache.
Centralize Secrets and Key Management
One of the challenges in managing the growing number of machine identities is the way systems authenticate them. Security platforms can verify human identities via user IDs and login credentials. However, machine identities have digital certificates, keys, and other secrets, and companies that use these mechanisms for DevOps can often have thousands of identities to manage.
Writing for secrets management solution Akeyless, Miryam Brand describes the issue in a traditional DevOps environment. “Business applications and programs are no longer one large block of code,” she notes. “For example, a user might need a password to authenticate and use a particular service, but that service also needs its own authentication process to access necessary database information and/or other microservices.”
As a result, engineers often hard-code machine access credentials into their products without much thought to the security implications of this practice. For instance, a developer might write a service that reads data from a cloud-based container, merges it with data on another server, and generates output.
Throughout this process, multiple machines in the form of microservices, servers, and cloud systems access the enterprise network. Their certificates and identities are deemed valid by default. As a result, these machines turn into a potential attack vector for malicious actors. Insider attacks originating from machine identities can be hard to stop due to the lack of secondary checks currently in place.
Centralizing secret management via a platform is a handy solution. However, the trick is to use a tool that connects disparate systems via APIs, instead of rerouting encryption key storage to a cloud-based service. This API-based approach allows different DevOps teams the freedom to deploy code while automating secret management as a part of their deployment workflows.
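The hard-coding problem described above is easiest to see in code. The following is an added example, not code from the original article or from any vendor it mentions: a small scanner, written from a defender's perspective, that walks source text line by line and flags string literals assigned to credential-like names and embedded PEM private-key material, while leaving credentials pulled from the environment (the pattern a centralized secrets manager enables) unflagged. The sample source, the regular expressions and the entropy threshold are all constructed for illustration and are not an industry standard.

```python
import math
import re
from dataclasses import dataclass
from typing import List

# Credential-like names assigned a quoted literal of 6+ characters.
# No leading \b so that names such as DB_PASSWORD still match.
ASSIGN_RE = re.compile(
    r'(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[=:]\s*["\']([^"\']{6,})["\']'
)
# Start of a PEM-encoded private key block of any common flavour.
PEM_RE = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str       # "hardcoded_credential" or "private_key_material"
    entropy: float  # Shannon entropy of the literal (0.0 for PEM headers)
    snippet: str


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; low values usually mean placeholders."""
    if not value:
        return 0.0
    counts = {ch: value.count(ch) for ch in set(value)}
    length = len(value)
    return -sum((n / length) * math.log2(n / length) for n in counts.values())


def scan_source(text: str, path: str = "<memory>") -> List[Finding]:
    """Return findings for hard-coded credentials, ordered by line number."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = ASSIGN_RE.search(line)
        if match:
            literal = match.group(2)
            findings.append(Finding(path, line_no, "hardcoded_credential",
                                    shannon_entropy(literal), line.strip()))
            continue
        if PEM_RE.search(line):
            findings.append(Finding(path, line_no, "private_key_material",
                                    0.0, line.strip()))
    return findings


# Constructed sample source: one hard-coded password, one credential read
# from the environment (the preferred pattern), and a truncated placeholder
# PEM block. None of these values are real.
SAMPLE_SOURCE = """\
import os
DB_HOST = "db.internal.example"
DB_PASSWORD = "Sup3rS3cretPassw0rd!"          # hard-coded: flagged
API_TOKEN = os.environ["API_TOKEN"]            # from environment: not flagged
PRIVATE_KEY = '''-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...PLACEHOLDER...
-----END RSA PRIVATE KEY-----'''
retries = "3"
"""


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE, "app/config.py"):
        print(f"{f.path}:{f.line_no} {f.kind} (entropy {f.entropy:.2f}): {f.snippet}")
```

Run as a pre-commit or CI step over a repository, a check like this catches the credential before it is merged; the entropy score helps triage obvious placeholders such as "changeme" from values that look like live secrets, but it is a heuristic, not proof either way.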
Lockheed Martin’s cyber kill chain model is no longer valid. Identities are central to cybersecurity, not network perimeters. Enterprises must realign their security postures accordingly.
Inventory Existing Secrets and Key Lists
One of the most daunting tasks facing CISOs today is understanding the extent of the machine identities under their systems’ hoods. Mapping out the scope of this sprawl is a key step that everyone must take before approaching the task of classifying these identities by their level of risk exposure.
There’s no easy way around this. Enterprises must gain visibility into the IT system by conducting a deep audit of the identities on their networks. They must inventory all keys (public, private, and symmetric) and certificates, and teams must note the expiration date, configuration settings, and location of each.
Security teams must also map the degree of access every machine has within the network. The IDs that have the most access pose the greatest risk. Organizing security certificates is often challenging; a good way to begin is to group certificates and cryptographic keys by type and arrange each group by expiration date.
Enterprises must also review their PAM protocols. As Gartner’s Homan Farahmand points out, PAM is contextual, something that can elevate the risk organizations face when dealing with machine identities.
“PAM applies to all local and remote human-to-machine and machine-to-machine privileged access scenarios,” he writes. “This makes PAM a critical infrastructure service due to risk aggregation related to storing sensitive credentials/secrets, as well as performing privileged operations in different systems.”
Executives must also communicate the benefits of managing machine identities correctly. Tying the need for new machine ID management protocols to business goals is a good idea. Collaboration between developers and security teams will also expose both teams to each other’s needs.
Automate Key Lifecycle Management
DevOps embraces automation and tool use wholeheartedly. Naturally, leveraging automation to solve cybersecurity and key lifecycle management in a DevOps environment makes sense. Traditionally, machine identity management was relegated to a few spreadsheets or hard-coded records. This approach no longer works, and it also increases security risks exponentially.
Solutions that routinely check CI/CD pipelines for quality issues and alert the right people are an enterprise’s best bet. Ron Powell of CircleCI summarizes the benefits of automated tools in this context. “Monitoring tools check for issues and consolidate alerts to provide the correct insights and ensure vulnerabilities are addressed,” he writes. “They also alert the right people in case of issues.”
Powell highlights automated remediations, revoking or granting key access, automating pipeline checks, and enabling manual reviews as a few use cases for automation in DevOps security.
The bottom line is that automation is essential when managing pipeline security. Manual checks cannot hope to keep pace with the rise of machine identities.
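The inventory step (grouping keys and certificates by type and expiration date, and ranking them by the access they carry) and the automation step (checking the inventory on a schedule and raising the right alerts) fit naturally into one small piece of code. The following is an added example, not code from the original article or from any product it names: it takes a constructed inventory of machine credentials, buckets each one by type and time to expiry, applies a constructed maximum-age policy per credential type, and produces a prioritized rotation list ordered by access scope. The policy numbers, credential names and dates are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Credential:
    name: str
    kind: str                 # "tls_cert", "ssh_key", "api_key", "symmetric_key"
    issued: date
    expires: Optional[date]   # None means it never expires, which is itself a finding
    location: str             # where the material lives (constructed labels)
    access_scope: int         # how many systems the identity can reach


# Constructed maximum age, in days, per credential type (hypothetical policy).
MAX_AGE_DAYS: Dict[str, int] = {
    "tls_cert": 365,
    "ssh_key": 180,
    "api_key": 90,
    "symmetric_key": 90,
}


def expiry_bucket(cred: Credential, today: date) -> str:
    """Classify time to expiry into the buckets used for grouping and alerts."""
    if cred.expires is None:
        return "no_expiry"
    remaining = (cred.expires - today).days
    if remaining < 0:
        return "expired"
    if remaining <= 30:
        return "30d"
    if remaining <= 90:
        return "90d"
    return "ok"


def rotation_reasons(cred: Credential, today: date) -> List[str]:
    """Why a credential should be rotated now; empty list means it is fine."""
    reasons: List[str] = []
    bucket = expiry_bucket(cred, today)
    if bucket in ("expired", "30d", "no_expiry"):
        reasons.append(bucket)
    max_age = MAX_AGE_DAYS.get(cred.kind, 90)
    if (today - cred.issued).days > max_age:
        reasons.append(f"age>{max_age}d")
    return reasons


def group_inventory(inventory: List[Credential], today: date) -> Dict[Tuple[str, str], List[str]]:
    """Group credential names by (type, expiry bucket), as the audit step suggests."""
    groups: Dict[Tuple[str, str], List[str]] = {}
    for cred in inventory:
        groups.setdefault((cred.kind, expiry_bucket(cred, today)), []).append(cred.name)
    return groups


def lifecycle_report(inventory: List[Credential], today: date) -> dict:
    """Scheduled check: what to rotate (highest access scope first) and why."""
    reasons = {c.name: rotation_reasons(c, today) for c in inventory}
    to_rotate = sorted((c for c in inventory if reasons[c.name]),
                       key=lambda c: -c.access_scope)
    return {
        "rotate": [c.name for c in to_rotate],
        "reasons": {c.name: reasons[c.name] for c in to_rotate},
        "groups": group_inventory(inventory, today),
    }


# Constructed sample inventory; every name, date and location is made up.
SAMPLE_INVENTORY: List[Credential] = [
    Credential("web-frontend-tls", "tls_cert", date(2023, 7, 1), date(2024, 6, 15), "lb-01", 2),
    Credential("ci-deploy-ssh", "ssh_key", date(2023, 1, 10), None, "ci-runner", 12),
    Credential("billing-api-key", "api_key", date(2024, 4, 1), date(2024, 9, 30), "vault:billing", 3),
    Credential("legacy-db-aes", "symmetric_key", date(2022, 1, 1), date(2024, 1, 1), "config-repo", 5),
    Credential("internal-ca-cert", "tls_cert", date(2024, 1, 1), date(2025, 1, 1), "hsm-01", 20),
]


if __name__ == "__main__":
    report = lifecycle_report(SAMPLE_INVENTORY, date(2024, 6, 1))
    for name in report["rotate"]:
        print(f"ROTATE {name}: {', '.join(report['reasons'][name])}")
    for (kind, bucket), names in sorted(report["groups"].items()):
        print(f"{kind}/{bucket}: {names}")
```

Wired into a scheduled pipeline job, the "rotate" list becomes the alert payload and the "groups" view the dashboard; the point of ordering by access scope is that the identities reaching the most systems are the ones whose stale credentials matter most.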
A Significant Challenge
The rise of machine identities is creating significant challenges for security teams that work with DevOps. However, enterprises that move quickly stand to gain an advantage over their competitors by building security into their products from the ground up.