On any network there are two kinds of actors: people and machines. People identify themselves to machines with usernames and passwords so they can access networks and data. Machines also need to identify themselves to one another, but they don't use usernames and passwords. Instead they use cryptographic keys and certificates (TLS certificates, SSH keys, code-signing certificates and the like) that serve as machine identities, so they can authenticate each other and communicate over encrypted connections.
Compromised human identities have helped cybercriminals break into otherwise secure networks for years, which is one reason organizations currently spend more than $10 billion a year protecting them. Increasingly, however, cybercriminals are finding machine identities to be an even more effective attack vector for infiltrating networks. For example, threat actors frequently hide malicious traffic inside encrypted sessions, where it is harder to inspect. They can also compromise a machine identity (for instance by stealing its private key) or forge one, and use it to fool other machines into handing over sensitive data.
Because most organizations have yet to earmark a meaningful share of their security budgets for machine identity protection, machine identities in many organizations are poorly protected, and cybercriminals are taking advantage of that gap.
To make matters worse, the attack surface associated with machine identities is expanding much faster than that of human identities. The number of machines deployed on enterprise networks is growing rapidly because the types of machines that need identities are expanding beyond traditional physical devices and servers to include:
- Virtual servers and devices
- Mobile devices
- IoT devices
- Cloud instances
- Software applications and services, including APIs and algorithms
- Containers that run apps and services
Each of these machines requires an identity that must be managed throughout its lifecycle: issuance, installation, renewal or rotation, and finally revocation. As machines proliferate and the volume of identities in use climbs, protecting those identities from issuance to revocation becomes more challenging. Moreover, the consequences of ineffectively secured machine identities are proving extremely damaging to businesses, their customers and their partners.