Altron Security partners with Venafi to reduce machine identity risks

The concept of managing and securing machine identities is one that major cyber security leaders are finally taking seriously, especially with Gartner naming machine identity management a top security trend for 2023. Once you have gained a comfortable understanding around what machine identities are and how they’re used, it’s time to start formulating a strategy to manage and protect the digital certificates and machine identities on your network.

Why is this so important? Machine identities are the foundation of your entire cyber security landscape, and weak protection of keys and certificates can lead to a whole host of problems that result in devastating financial, operational and reputational damage. Understanding these five machine identity risks will help you better determine if your organisation is vulnerable.

All issued certificates come with an expiration date. Certificates used to enjoy generous validity periods of two years, but recently certificate lifespans have been reduced to 13 months. A certificate not being renewed or reissued before it expires will trigger a certificate-related outage on the system that it supports. That unplanned outage and the associated downtime will continue until a new certificate is issued and installed. Some high-profile examples were outages experienced by Google and Microsoft.

The only solution is to embrace automated certificate management, providing full visibility of the entire network and guaranteed management of the digital certificates.

Most security controls trust digital communications that are authenticated using machine identities. But when the private keys and certificates that serve as machine identities are compromised or forged, cyber criminals can use them to appear legitimate, allowing them to circumvent security controls. Cyber criminals also use stolen machine identities to gain privileged access to critical systems so they can move deeper into your network and stay hidden for extended periods of time.

Some examples of this phenomenon are the use of shadow certificates and rogue certificates. Remaining diligent against these types of data breaches has never been more important. Zscaler recently reported a 260% increase in machine identity attacks.

The longer a security threat, outage, or breach continues unresolved, the greater the potential for serious damage. If one of your Certificate Authorities (CAs) is compromised, for example, is your team prepared to replace all the certificates from that CA quickly?

Other large-scale cyber security events that require a timely response include the discovery of a machine identity using a vulnerable algorithm like SHA-256, the exploit of a cryptographic library bug like Heartbleed, or when a leading browser decides it will no longer trust certificates issued by one of your CAs. When you need to respond to any type of event that affects machine identities, time is everything.

One factor in how quickly you can respond to an issue is whether you and your teams know where all of the digital certificates are located, who is using them, and for what purpose. This may seem like standard data to have on hand, but more than 50% of organisations recognise that they don’t always have all that information. Most of the cyber security events listed are notoriously difficult to diagnose when you don’t have full network visibility of all keys and certificates.

Organisations spend way too much time per year on manual certificate management, physically tracking and handling each individual digital certificate that serves as a machine identity. But are they even tracking everything? Considering that 71% of organisations don’t actually know how many certificates and keys they have, most likely not.

So right off the bat, we know all digital certificates are not being managed with a manual approach, but let’s more closely consider the certificates that are manually accounted for. Organisations can have hundreds, thousands, or even hundreds of thousands of machine identities. It’s not hard to imagine how quickly the resulting overhead of manually tracking that many issue and expiration dates can add up. Not only is this a massive waste of time, but human error is always a major factor at play that can have dire consequences.

Administration of machine identities can also be complicated by administrators who are unfamiliar with certificates or trust stores. If your machine identity operations aren’t running smoothly —as is often the case — the time required can escalate fast, especially when there’s an outage or breach.

Machine identities are increasingly subject to corporate, government and industry policies and regulations, including several standards that focus specifically on cryptographic key and certificate management and security. Because most organisations don’t have a strong machine identity protection programme, it’s not unusual for auditors to discover that an organisation is unable to monitor machine identities, enforce policies, or maintain effective management, all of which create significant security and reliability risks. If you’re tasked with addressing negative compliance findings and you don’t have a machine identity protection programme in place, you face a lengthy, manual project.

From service outages to security breaches, weak machine identities will wreak havoc with your business. When a machine identity is compromised and used in a cyber attack or causes an outage, the negative consequences can be significant. You may suffer from a damaged reputation, loss of revenue, costly remediation, and higher management costs. With Altron Security, you are now able to protect keys and certificates, SSH machine identities, code signing keys and users across your entire enterprise.