Black Hat 2022 Reveals Why Machine Identities Are Most Vulnerable



Enterprises struggle to secure machine identities because hybrid cloud configurations are too complex to manage, leaving vulnerabilities that cyber attackers exploit. The confusion is compounded by the differences between public cloud providers’ approaches to defining machine-based identities in their native Identity and Access Management (IAM) applications. Because IAM and machine identity management are handled differently across cloud platforms, it is also challenging to enforce zero-trust principles and least-privileged access in a hybrid cloud environment.

Managing certificate lifecycles for machine identities across hybrid cloud deployment models is a technical challenge that many enterprise IT teams lack the resources for. According to research, 61% of organizations cannot track the certificates and keys for their digital assets. Given how quickly workload-based machine identities can be created, including containers, transaction workflows and virtual machines (VMs), it is understandable that only about 40% of machine identities are tracked. IAM is getting more challenging every day: the average worker has over 30 digital identities, and a typical company has more than 45 times more machine identities than human ones.

Machine identities are a major risk in hybrid clouds

Two sessions at the Black Hat 2022 cybersecurity conference explained why machine identities are a risky attack surface, made more vulnerable in hybrid cloud configurations. The first session, titled I am the one who knocks, was presented by Igal Gofman, head of research at Ermetic, and Noam Dahan, research leader at Ermetic. The second, titled I AM whoever I say I am: infiltrating identity providers using a 0Click exploit, was presented by Steven Seeley, a security researcher at the 360 Vulnerability Research Institute. Both presentations gave recommendations on what companies can do to reduce the risk of a breach.

In the presentation I am the one who knocks, researchers Gofman and Dahan illustrated how different the dominant cloud platforms’ approaches to IAM are. Protecting machine identities with the native IAM support of any public cloud platform just does not work, because gaps in hybrid cloud configurations leave machines vulnerable. Their presentation provided insight into what makes the approaches to IAM of Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP) different.


“IAM systems in all three cloud providers we discussed are complex,” Dahan said during the session. “We notice that organizations will make mistakes. One of the most important things you can do is stick to one AWS account or GCP project per workload.”

AWS, Microsoft Azure and GCP provide enough functionality to get an organization up and running, but lack the scale to fully address the more challenging, complex areas of IAM in hybrid cloud configurations.

Each public cloud platform has its unique approach to IAM, which exposes machine identities to attacks when combined with hybrid cloud configurations.

Cloud providers claim that their machine identities are secure, but in hybrid cloud configurations that claim breaks down quickly. Gofman and Dahan pointed out that enterprises are responsible for compromised machine identities, as each platform provider defines its service offering using the shared responsibility model.

AWS and other cloud providers provide essential IAM support. Their IAM solutions are platform specific and cannot scale between third-party, public cloud providers, forcing companies to close hybrid cloud gaps or risk a breach.

Steps to Secure Machine Identities

Black Hat’s sessions on IAM provide detailed insights and recommendations on how to better protect machine identities, including:

Understand that the IAM systems of AWS, Microsoft Azure and Google Cloud Platform do not protect privileged access credentials, machine identities, endpoints or the threat surface in a hybrid cloud configuration. As the shared responsibility model pictured above illustrates, AWS, Azure and GCP protect only the core areas of their respective platforms, namely infrastructure and hosting services. CISOs and CIOs rely on the shared responsibility model to create enterprise-wide security strategies that enable least-privileged access in hybrid cloud configurations. The ultimate goal is to enable a zero-trust security framework company-wide.

Hybrid cloud architectures with AWS, Microsoft Azure and Google Cloud Platform do not require an entirely new identity infrastructure. Creating new and often duplicate machine identities increases cost, risk and overhead, and adds the burden of requiring additional licenses. Companies that already have a standardized identity infrastructure should stick to it: with the taxonomy entrenched throughout the organization, changing it will most likely cause errors, make identities vulnerable and be expensive to fix.

Businesses should consider IAM platforms that can scale across hybrid cloud configurations to reduce the risk of a breach. The latest generation of IAM systems provides machine lifecycle management tools synchronized with certificate management. IAM architectures also support custom scripts for protecting workflow-based identities, including containers, VMs, IoT, mobile devices, and more.
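Two of the recommendations above are concrete enough to check mechanically: Dahan’s advice to keep one AWS account or GCP project per workload, and the least-privilege goal for machine identities that each provider expresses in its own IAM grammar. The following is an added example, not code from the Black Hat sessions, from Ermetic or from VentureBeat. It normalizes an AWS IAM policy document and a GCP IAM policy (role-to-member bindings) into one list of findings, flagging wildcard grants and primitive roles on service accounts, and it flags accounts or projects that host more than one workload. The policies, the principal label `role/ci-deployer`, the account ID and the workload inventory are all constructed for the example.

```python
# Added example: a small cross-cloud least-privilege lint for machine identities.
# Not from the Black Hat talks or VentureBeat. The AWS policy document format
# (Version/Statement/Effect/Action/Resource) and the GCP bindings format
# (bindings -> role, members) are the real ones; the thresholds are our choice
# and every sample policy, account ID and workload below is constructed.
import json
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cloud: str      # "aws" or "gcp"
    principal: str  # role, user or service account the grant applies to
    issue: str      # human-readable description of the over-broad grant


def _as_list(value):
    """AWS policy JSON allows a string or a list in Action/Resource fields."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_aws_policy(principal, policy):
    """Flag wildcard actions and wildcard resources in Allow statements."""
    findings = []
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):      # a single statement may be given bare
        stmts = [stmts]
    for stmt in stmts:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(Finding("aws", principal, f"wildcard action {action}"))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(Finding("aws", principal, "statement applies to every resource (*)"))
    return findings


# GCP primitive roles grant far more than any single workload needs.
GCP_BROAD_ROLES = {"roles/owner", "roles/editor"}


def lint_gcp_bindings(policy):
    """Flag primitive roles on service accounts and any grant to public members.

    GCP expresses access as role -> members bindings rather than per-principal
    documents, so the principal is read from each member entry."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in ("allUsers", "allAuthenticatedUsers"):
                findings.append(Finding("gcp", member, f"{role} granted to a public member"))
            elif member.startswith("serviceAccount:") and role in GCP_BROAD_ROLES:
                findings.append(Finding("gcp", member, f"primitive role {role} on a machine identity"))
    return findings


def shared_accounts(inventory):
    """Return {(cloud, account): [workloads]} for accounts hosting more than one workload.

    inventory is a list of (workload, cloud, account_or_project) tuples."""
    by_account = defaultdict(list)
    for workload, cloud, account in inventory:
        by_account[(cloud, account)].append(workload)
    return {key: wls for key, wls in by_account.items() if len(wls) > 1}


# Constructed sample inputs.
SAMPLE_AWS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}
  ]
}""")

SAMPLE_GCP_POLICY = {
    "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:build@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:reader@example-project.iam.gserviceaccount.com"]},
    ]
}

SAMPLE_INVENTORY = [
    ("billing-api", "aws", "111111111111"),
    ("reporting-batch", "aws", "111111111111"),   # second workload in the same account
    ("build-pipeline", "gcp", "example-project"),
]


def run_lint():
    """Run both linters over the sample policies and return the combined findings."""
    findings = lint_aws_policy("role/ci-deployer", SAMPLE_AWS_POLICY)
    findings += lint_gcp_bindings(SAMPLE_GCP_POLICY)
    return findings


if __name__ == "__main__":
    for f in run_lint():
        print(f"[{f.cloud}] {f.principal}: {f.issue}")
    for (cloud, account), workloads in shared_accounts(SAMPLE_INVENTORY).items():
        print(f"[{cloud}] {account} hosts {len(workloads)} workloads: {', '.join(workloads)}")
```

Run against real exports (an `aws iam get-policy-version` document, a `gcloud projects get-iam-policy` output) the same functions apply unchanged; the point is that a single findings list lets a team reason about least privilege across providers whose native IAM models do not line up.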

Leading vendors working to secure IAM for machine identities include Akeyless, Amazon Web Services (AWS), AppViewX, CrowdStrike, Ivanti, HashiCorp, Keyfactor, Microsoft, Venafi, and more.
