Black Hat 2022 reveals why machine identities are the most vulnerable


Enterprises struggle to secure machine identities because hybrid cloud configurations are too complex to manage, leading to security holes that cyber attackers exploit. The differences between public cloud vendors’ approaches to defining machine-based identities using their native identity access management (IAM) applications add to the confusion. Additionally, due to differences in how IAM and machine identity management are handled across cloud platforms, enforcing zero-trust principles, which enable least-privileged access in a hybrid cloud environment, can be challenging.

Managing certificate lifecycles on hybrid machine identity cloud deployment models is a technical challenge many enterprise IT teams do not have the resources to take on. According to research, 61% of organizations cannot track certificates and keys across their digital assets. Given how quickly workload-based machine identities can be created, including containers, transactional workflows, and virtual machines (VMs), it’s understandable that only about 40% of machine identities are tracked. IAM is becoming more challenging every day: the average employee has over 30 digital identities, and a typical enterprise has over 45 times more machine identities than human ones.

Machine identities are high risk in hybrid clouds

Two sessions at the Black Hat 2022 cybersecurity conference explained why machine identities are a high-risk attack surface, made more vulnerable in hybrid cloud configurations. The first session, entitled IAM The One Who Knocks, was presented by Igal Gofman, Head of Research at Ermetic, and Noam Dahan, Head of Research at Ermetic. The second was titled I AM whoever I Say I Am: Infiltrating Identity Providers Using a 0Click Exploit, presented by Steven Seeley, a security researcher at the 360 Vulnerability Research Institute. Both presentations gave recommendations on what businesses can do to reduce the risk of breaches.

In the presentation IAM The One Who Knocks, researchers Gofman and Dahan illustrated how different the dominant cloud platforms’ approaches to IAM are. Protecting machine identities with built-in IAM support from every public cloud platform just doesn’t work, as gaps in hybrid cloud configurations leave machines vulnerable. Their presentation provided insight into what makes Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform’s (GCP) approaches to IAM different.

“IAM systems in all three cloud providers we discussed are complex,” Dahan said during the session. “We find that organizations will make mistakes. One of the most important things you can do is stick to one AWS account or GCP project per workload.”

AWS, Microsoft Azure, and GCP provide enough functionality to help an organization get started, but lack the scale to fully address the more challenging, complex areas of IAM in hybrid cloud configurations.

Each public cloud platform has its own unique approach to IAM, which exposes machine identities to attack when combined with hybrid cloud configurations.

Cloud providers claim their machine identities are secure, but in hybrid cloud configurations, that breaks down quickly. Gofman and Dahan pointed out that companies are responsible for machine identity breaches because each platform provider defines the scope of services using the shared responsibility model.

AWS and other cloud providers offer important IAM support. Their IAM solutions are specific to their platforms and do not scale across third-party, public cloud providers, leaving businesses to close hybrid cloud gaps or risk a breach.

Steps to secure machine identities

Black Hat’s sessions on IAM detail insights and recommendations on how to better protect machine identities, including:

Understand that AWS, Microsoft Azure, and Google Cloud Platform’s IAM systems do not protect privileged access credentials, machine identity, endpoint, or threat surface in a hybrid cloud configuration. As the shared responsibility model depicted above illustrates, AWS, Azure, and GCP secure only the core areas of their respective platforms, including only infrastructure and hosted services. CISOs and CIOs rely on the shared responsibility model to create enterprise-wide security strategies that will make least-privileged access achievable across hybrid cloud configurations. The ultimate goal is to enable a zero-trust security framework for the entire enterprise.

Hybrid cloud architectures that include AWS, Microsoft Azure, and Google Cloud Platform don’t need an entirely new identity infrastructure. Creating new and often duplicate machine identities increases the cost, risk, overhead and burden of requiring additional licenses. On the other hand, companies with standardized identity infrastructure must stay with it. The taxonomy is already entrenched in their organization, and changing it will most likely introduce errors, leave identities vulnerable and be expensive to fix.

Enterprises must consider IAM platforms that can scale across hybrid cloud configurations to reduce the risk of breaches. The latest generation of IAM systems provides tools to manage machine lifecycles in sync with certificate management. IAM architectures also support custom scripts to protect workflow-based identities, including containers, VMs, IoT, mobile devices, and more.

Leading vendors working to secure IAM for machine identities include Akeyless, Amazon Web Services (AWS), AppViewX, CrowdStrike, Ivanti, HashiCorp, Keyfactor, Microsoft, Venafi and more.
