“The impact of poor machine identity management can be devastating”
Kevin Bocek discussed security with us, including the impact of a successful software supply chain attack, what security best practices we should all follow, and the difference between human and machine identity. Kevin shares his knowledge from over 16 years of experience in IT security.
JAXenter: Let’s talk security. What can we learn from the recent SolarWinds attack in order to improve our cybersecurity? Do you think implementing a software bill of materials is the answer?
Kevin Bocek: As we saw with SolarWinds, the impact of a successful software supply chain attack can be devastating. There is very little that customers of a compromised vendor can do to protect themselves against these attacks. Awareness of these risks is critical, and it’s critical that software development companies take action. Some may think a software bill of materials – identifying the source of software – could solve the problem. While it’s useful, the exploding use of open source means it’s impossible to keep an up-to-the-second inventory of sources and if you can trust software.
Instead, every business must come to the understanding that they are a software developer. They build, release, and operate software. In doing so every business has a responsibility to both ensure the software they use and the software they build and release. Whether you are a bank, retailer, or logistics provider, you are a software developer and need to protect software developed just like all the ISVs you rely on.
Prescriptive regulations for the software industry simply will not work — the federal government cannot move quickly enough to effectively regulate how software is built. The only way the government can help protect individuals and companies from becoming victims of insecure software build processes is by incentivizing the software industry to build better. In addition, there need to be strict financial repercussions for any company that fails to do so. As it stands, the new executive order from the Biden administration, including a software bill of materials, will only slow down software companies and give attackers the opportunity to innovate faster.
JAXenter: Can you name some of the security risks that come with using machine solutions?
Kevin Bocek: One security risk we are seeing is poor management of machine identities like TLS certificates. Oftentimes, IT has no idea which machine identities are being used in the organization or where they are deployed. Machine identities like TLS certificates establish which cloud is your business or which web services your customers can trust. As a result of developers building and using more machine identities without help from security teams, certificates can expire unexpectedly and take down a critical service. Beyond these operational issues, attackers that are able to compromise TLS certificates can eavesdrop on encrypted traffic or masquerade as a legitimate website or device.
We’re also seeing more software supply chain attacks that target the development process and code signing processes. Attackers inject modified code either into a company’s software update process or into their software development environment, as happened in the SolarWinds and Codecov attacks. This is particularly dangerous because it enables attackers to distribute back doors and other malware broadly.
JAXenter: What are some security best practices we should use?
Kevin Bocek: The opportunity we have is for developers to build in security. It’s not that security teams need to bring requirements or policies, but instead engineers need to bring security into their software development pipelines and assure the security of their products, even if for internal use. A great example of this is the open source blueprint for securing software pipelines that’s built by engineers for engineers.
One specific way to reduce risk is machine identity management, one of Gartner’s top 8 security needs for 2021. It’s estimated that unprotected machine identities account for $15 billion to $21 billion in economic losses in the United States. To get to the root of the issue, all software organizations should reevaluate how they secure machine identities. It is absolutely critical that organizations “shift left” and bake in machine identity management and protection into their software development processes. This goes beyond improving security efforts focused on reducing vulnerabilities in the code as the entire build process needs to be secured with machine identities. Each of these identities needs to be managed including visibility of all signing certificates in use, intelligence about how they are being used and automation to manage their full lifecycle. Without this, malicious actors will continue to successfully target the software development process and compromise machine identities.
JAXenter: A Gartner report about machine identity management lists the technology as “high priority” and is on its way to mainstream adoption. What should professionals be working on right now to ensure adoption?
Kevin Bocek: With the explosion of machines, machine identity management should absolutely be a top priority. It’s one of Gartner’s top 8 most important cybersecurity trends – critical to everything from zero trust to cloud native. This is a developer-led world with no perimeter, and every machine must have an identity that is authenticated and authorized. Enterprise-wide machine identity management is the only way that organizations can control the chaos of machine identity growth. As a first step, professionals should understand how their organization uses machine identities. Here are five ways machine identities can be used to start: securing web transactions with HTTPS; securing privileged access; securing fast IT and DevOps; securing communication on consumer devices; and software code authentication.
JAXenter: What is the difference between human and machine identities?
Kevin Bocek: There are two actors on every network: humans and machines. We usually think about human identities when thinking about identity management, where humans use usernames and passwords to identify themselves. Machines also need to identify and authenticate themselves when they connect to each other, but they don’t employ usernames and passwords, rather keys and certificates.
Every year companies spend billions of dollars protecting user identities, but very little protecting machine identities. It’s a lucrative business for cyber criminals to steal or forge machine identities as machine identities allow them to gain broad access into network resources. Ultimately, if you don’t know where your machine identities are installed and exactly who’s using them, you may never be sure they’re not being misused by cyber criminals.
JAXenter: Why are machine identities often overlooked?
Kevin Bocek: Machine identities are often overlooked because they are not prioritized in the same manner as human identities. Most organizations focus their attention and resources on protecting the usernames and passwords that control human identities. As a result, machine identities are one of the most poorly understood and weakly protected components of the network infrastructure. The impact of poor machine identity management can be devastating as we’ve seen with the Equifax breach and Spotify and Microsoft outages. Organizations need to remember that protecting machine identities is just as important to your identity and access management program as protecting human identities.
JAXenter: How has the recent push for remote work affected machine solutions?
Kevin Bocek: Remote work and the acceleration of digital transformation have led to an explosion of machines and increased the dangers of mismanaged machine identities. Security teams, who were already stretched thin before the pandemic, were faced with an avalanche of additional digital certificates that are critical to keeping critical services up and running. Now that companies are reassessing their return to office plans or adopting a hybrid model, they should reevaluate where their machine identities are installed and how they secure them to keep their systems and people secure.