Attack of the Clones – can you trust your machines?
How can you have security when you don’t know friend from foe?
There is a common scenario beloved by many sci-fi films and programmes; a spaceship crew lands on some new planet that, unbeknownst to them, is crawling with shape-shifting aliens. One of the crew members goes out to look around this foreign world and when she gets back, she re-boards the ship. But then there is another message from outside the ship. It’s that same crew member, asking to be let in again. Our heroes realise that either there’s an alien impostor outside the spaceship doors or – worse – they just let it on board.
It’s an old idea but it keeps being revived because it’s genuinely scary. How can you have security when you don’t know friend from foe? How can you tell the difference? These questions aren’t just theoretical either. Every day businesses around the world make choices about which devices and software programmes they trust. Just like people, machines have identities that allow them to be identified and seen as trusted. The number of machines in use is exploding due to growth in trends like the IoT and DevOps. At best estimates, the number of machine identities in use is due to increase by around 20% year-on-year.
Hackers are increasingly aware of this and have begun to harness the power of machine identity, abusing it to attack enterprises. By taking on the appearance of a trusted device or software provider, bad guys can waltz past defences without raising any alarms. So the question is: how can you know which of your machines are really secure and which are alien clones, using a stolen identity to infiltrate and destroy?
Understanding machine identity
Every network involves two types of actors – humans and machines. Humans use usernames and passwords to identify themselves and machines use keys and certificates in much the same way. These keys and certificates allow our machines – everything from software applications and algorithms to servers and laptops – to communicate securely. Without them, machines are unable to function, just as if we forget our passwords, we are unable to access the network.
Hackers know this and have started to target machine identity as a way to attack enterprises. By stealing the keys and certificates that underpin machine identity, hackers can essentially shape-shift into an entity that appears trustworthy, sneaking past defences without raising any alarm bells. So, just like our intrepid space adventurers, enterprises need to be able to determine who they’re letting in and whether they are who they really say they are.
The fact is that unlike human identities, the world of machine identity is relatively uncharted. Every year the number of machines in our environment grows, yet we are still trying to manage this explosion using spreadsheets – it’s no wonder hackers are waking up to the huge gaping space hole in enterprise security.
A three-step guide
There are many things organisations can do to improve their security defences when it comes to machine identity and a decent percentage involve establishing and enforcing a series of best practices. Unfortunately too many companies ignore these rules and research has found that 1 in 25 companies has zero policies in place whatsoever! As a starting place, there are a few key steps that every organisation should ensure they have in place:
- Time for a refresh – Machine identities need to be renewed often. The longer one is in place, the more damage that can be done if it’s compromised. Renewing certificates every year allows companies to balance good security and operational convenience, but such frequency is only mandated by 35% of organisations, with the majority of certificates being left in place far longer.
- Use it then lose it – We don’t give new employees an old username and password to use and it should be the same with machine identities – each identity should be new and unique, yet less than a quarter of companies (23%) have policies in place to prevent developers from re-using old keys.
- Too complex to crack – Just as users are banned from having their password be ‘password’ or ‘123456’, companies must ensure that their keys are too long and complex to be easily cracked. According to the latest NIST guidelines, this means having a minimum length of 2048 bits, but more than a third of companies (34%) haven’t bothered to implement and enforce this rule.
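The three rules above can be checked mechanically against a certificate inventory. The following is an added example, not code from the original article or from any product it refers to: it audits a constructed CSV export (column names, hostnames and fingerprint values are all invented for illustration) for validity periods longer than a year, RSA keys shorter than 2048 bits, and the same public key reused across more than one identity.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample inventory (not data from the article): one row per machine
# identity, as it might be exported from the spreadsheets the article mentions.
# spki_sha256 stands in for a public-key fingerprint; values are placeholders.
INVENTORY_CSV = """\
name,not_before,not_after,key_type,key_bits,spki_sha256
web01.example.internal,2023-01-10,2024-01-09,RSA,2048,aa11
web02.example.internal,2021-03-01,2026-02-28,RSA,2048,bb22
api01.example.internal,2023-06-15,2024-06-14,RSA,1024,cc33
build-agent-07,2023-02-02,2024-02-01,RSA,2048,aa11
"""

MAX_VALIDITY_DAYS = 365   # "renew every year"
MIN_RSA_BITS = 2048       # NIST minimum cited in the article


def load_inventory(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(rows):
    """Return {identity name: [policy findings]} for every non-compliant row."""
    findings = defaultdict(list)
    owners_by_key = defaultdict(list)   # fingerprint -> identities using that key
    for r in rows:
        start = date.fromisoformat(r["not_before"])
        end = date.fromisoformat(r["not_after"])
        if (end - start).days > MAX_VALIDITY_DAYS:
            findings[r["name"]].append("validity exceeds 1 year")
        if r["key_type"] == "RSA" and int(r["key_bits"]) < MIN_RSA_BITS:
            findings[r["name"]].append("RSA key shorter than 2048 bits")
        owners_by_key[r["spki_sha256"]].append(r["name"])
    # Key reuse: one public key sitting behind more than one identity.
    for names in owners_by_key.values():
        if len(names) > 1:
            for n in names:
                others = ", ".join(x for x in names if x != n)
                findings[n].append("public key shared with " + others)
    return dict(findings)


if __name__ == "__main__":
    for name, problems in audit(load_inventory(INVENTORY_CSV)).items():
        print(name + ": " + "; ".join(problems))
```

In the sample data only web01 and api01 pass the one-year rule and only api01 fails the key-length rule, while web01 and build-agent-07 are flagged for sharing a key.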
Managing all of these best practices is critical to maintaining a decent level of protection and reducing the scope for hackers to infiltrate their way in the guise of a trusted device. Yet it does result in a significant administrative burden. Fortunately, since many of these processes are repetitive, an automated solution is the ideal fix. By having an automated system issue, manage and replace machine identities as needed, firms can remove this responsibility from security teams and developers, allowing them to focus resources elsewhere.
Taking back control
Identity is at the heart of security. Just as the ship can’t be kept secure unless the Captain knows whether the person outside the airlock is a friend or foe, enterprises cannot be safe unless they are confident in their machine identities. Shutting down all incoming network traffic isn’t an option, so they need to become more adept at understanding who can be trusted and who is trying to bypass their defences in disguise. Given the rapid growth in the number of machines in use, unless businesses get to grips with their machine identities now, they’re sure to let an alien inside before too long.