Over and out: why expired machine identities represent a growing business risk

Kevin Bocek is the VP of security strategy and threat intelligence at Venafi.

Kevin Bocek, VP of security strategy and threat intelligence, Venafi, explains how cloud complexity and multicloud environments are increasing the number of outages.

Spotify users recently experienced an event that is becoming all too familiar to digital consumers. They were left unable to listen to their favourite podcasts for hours after a TLS certificate at the streaming giant expired. Although certificates, or ‘machine identities’, like these are intended to provide a backbone of trust across the online world, they are also increasingly challenging for organisations to manage. Digital transformation is driving an unprecedented expansion of machine identity volumes across the globe. That’s bad news for the security teams tasked with managing them. When even one expires, it can lead to chaos.

Spotify is certainly not the first big-name brand impacted in this way. And it definitely won’t be the last. The message is clear: brands need a more efficient, automated way to manage these identities if they want to optimise cybersecurity and service uptime.

An expensive challenge

While human identity is authenticated and secured via usernames and passwords, machine identities use keys and certificates to validate the legitimacy of information flowing between authorised machines. They can be used to secure privileged access, DevOps assets and web transactions, authenticate software code, and enable secure, remote access to enterprise networks. But what happens when those identities expire? A certificate-related outage of the sort that recently affected Spotify creates downtime and security risks until it is resolved.

That could end up having a major financial and reputational impact. Exactly how much is open to debate, as accurate data is difficult to come by. A Gartner study from years ago puts the figure at $5,600 per minute of IT downtime. A more recent study from ITIC claimed that just one hour of server downtime totals $300,000+ for 91% of SMEs and large enterprises. Over two-fifths (44%) of respondents said an hour costs over $1m. That’s not to mention the impact of poor customer experience, reduced worker productivity, diminished brand value, supply chain disruption and other factors highlighted in this research.

Getting worse

The bad news is that machine identity management is becoming more challenging for security teams as their organisations embark on a proliferation of digital initiatives. Research reveals that two-thirds (65%) of businesses increased technology spend during the pandemic. They invested in IoT systems to streamline business processes, laptops and mobile devices for hybrid workers, and new internal and customer-facing apps and websites to improve user experiences. In the cloud, containers, APIs and more help to drive DevOps and greater business agility. But all of these new assets need machine identities to help secure them.

Research reveals that the average business used nearly 250,000 machine identities at the end of 2021. Yet it’s predicted that they’ll double this inventory to at least 500,000 by 2024. With so many certificates to issue and manage, it’s no surprise that some slip through the cracks.

The challenge is made that much harder by separate trends occurring in the marketplace. Leading browsers are demanding that organisations change their machine identities every year, which will accelerate the frequency with which they must rotate certificates. What’s more, Let’s Encrypt, now the world’s leading certificate authority (CA), and many of its peers are only issuing machine identities for 90 days. They’re doing this to limit any potential damage from key compromise and mis-issuance. But forcing more frequent renewals makes missed expiration dates more likely. This doesn’t just increase the risk of outages; it can create additional security risks by exposing websites to man-in-the-middle and phishing attacks.

It’s time to automate

This is a situation that can no longer be managed manually. Even organisations with modest digital transformation plans will soon find the number of keys and certificates they need to keep track of spiralling out of control. The answer is to invest in a control plane which enables automated management of machine identities throughout their lifespan.

There are several ways that intelligent automation of this kind can benefit organisations and their security administrators. First, they can be set to intuitively discover all corporate certs across cloud, virtual and physical assets, and then catalogue them in a centralised repository. That will provide continuous visibility. Next, control tools can be deployed to automatically verify security compliance: ensuring all certificates have the right owners, attributes, and configurations no matter which CA issued them. Finally, and most important for mitigating the risk of expiration, tools can help teams continuously monitor all of their certs, alert them when one is about to expire and even automatically renew.
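As an added example (not from the article or from Venafi), here is a small Python expiry monitor in the spirit of the continuous monitoring and alerting described above, applied to the 90-day and one-year certificate lifetimes discussed earlier. The inventory, hostnames, the 30-day renewal window and the 398-day validity ceiling are assumptions chosen for illustration; the records use the dict shape that `ssl.SSLSocket.getpeercert()` returns, so the same triage runs on live data.

```python
"""Expiry triage for an inventory of TLS certificates (constructed example)."""
import socket
import ssl
from datetime import datetime, timezone

# Policy assumptions (not from the article): renew when fewer than
# RENEW_WINDOW_DAYS remain, and flag certs whose total validity exceeds
# MAX_VALIDITY_DAYS (roughly the 13-month ceiling browsers apply to public certs).
RENEW_WINDOW_DAYS = 30
MAX_VALIDITY_DAYS = 398


def assess(cert, now):
    """Classify one cert dict (getpeercert() shape) as 'expired', 'renew' or 'ok'.

    Returns (status, days_left, findings); findings lists policy violations.
    """
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = (not_after - int(now.timestamp())) / 86400
    findings = []
    if not_after - not_before > MAX_VALIDITY_DAYS * 86400:
        findings.append("validity exceeds policy maximum")
    status = "expired" if days_left < 0 else "renew" if days_left < RENEW_WINDOW_DAYS else "ok"
    return status, days_left, findings


def triage(inventory, now):
    """Sort an inventory into action buckets, each ordered most urgent first."""
    report = {"expired": [], "renew": [], "ok": []}
    for cert in inventory:
        status, days_left, findings = assess(cert, now)
        report[status].append((cert["name"], round(days_left, 1), findings))
    for bucket in report.values():
        bucket.sort(key=lambda row: row[1])
    return report


def fetch_peer_cert(host, port=443):
    """Fetch a live leaf certificate in the same dict shape (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return dict(tls.getpeercert(), name=host)


# Constructed inventory: a fresh 90-day cert, a 90-day cert inside the renewal
# window, and a two-year cert that has already lapsed.
INVENTORY = [
    {"name": "api.example.test", "notBefore": "Jan 15 00:00:00 2024 GMT", "notAfter": "Apr 14 00:00:00 2024 GMT"},
    {"name": "podcasts.example.test", "notBefore": "Dec 01 00:00:00 2023 GMT", "notAfter": "Feb 29 00:00:00 2024 GMT"},
    {"name": "legacy.example.test", "notBefore": "Jan 01 00:00:00 2022 GMT", "notAfter": "Feb 01 00:00:00 2024 GMT"},
]
NOW = datetime(2024, 2, 15, tzinfo=timezone.utc)  # constructed "current" time

if __name__ == "__main__":
    for status, rows in triage(INVENTORY, NOW).items():
        for name, days_left, findings in rows:
            print(f"{status:8} {name:24} {days_left:7.1f} days  {findings}")
```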

Being able to install, configure and validate certificates proactively before they expire, and in seconds, not only reduces security risk and the threat of financial and reputational damage that stems from outages. It also frees up security staff to work on high value strategic tasks. In a world where security talent is in increasingly short supply, that’s yet another reason to automate away the challenges of machine identity management.
