Identity management implications and how organisations can properly manage their identity

Venafi, inventor and a leading provider of machine identity management, has announced the findings of a global study of 1,000 CIOs, which shows that Digital Transformation is driving an average of 42% annual growth in the number of machine identities. Because CIOs often have limited visibility into the number of machine identities on their networks, and because these critical security assets are not prioritised in IAM and security budgets, CIOs should expect to see a sharp increase in machine identity-related outages and security breaches.

Machine identities enable secure connection and authentication for every part of IT infrastructure, from physical and virtual servers and IoT devices to software applications, APIs and containers. Any time two machines need to authenticate each other, a machine identity is required. One hundred percent of CIOs say that Digital Transformation is driving a dramatic increase in the number of machine identities their organisations require. Without an automated machine identity management program, organisations suffer from outages caused by expired machine identities and breaches caused by machine identity misuse or compromise.

According to the Venafi-sponsored CIO study, the average organisation used nearly a quarter of a million (250,000) machine identities at the end of 2021. This is a startling number when you consider that machine identity management experts at Venafi typically find that organisations initially underestimate their machine identity populations by 50% or more, because they have extremely limited visibility into the machine identities their organisation requires.

At current rates of growth, these same organisations can expect their machine identity inventory to more than double to at least 500,000 by 2024. Moreover, three-quarters of surveyed CIOs said that they expect Digital Transformation initiatives to increase the number of machine identities in their organisations by 26% — with more than one-quarter (27%) expecting an increase of more than 50%.

Key survey findings include:

  • 83% of organisations suffered a machine identity-related outage during the last 12 months; over a quarter (26%) say critical systems were impacted.
  • 57% of organisations experienced at least one data breach or security incident related to compromised machine identities (including TLS certificates, SSH keys, and code signing keys and certificates) during the same time period.

“The realities of Digital Transformation mean that every business is now a software company,” said Kevin Bocek, VP of Security Strategy and Threat Intelligence at Venafi. “This means IAM priorities need to shift to protect the machine identities required for Digital Transformation initiatives because these initiatives are the engines of innovation and growth. The unfortunate reality is that most organisations are not prepared to manage all the machine identities they need. This rapidly growing gap has opened a new attack surface – from software build pipelines to Kubernetes clusters – that is very attractive to attackers.”

The rise in the number of machines on enterprise networks is exposing outdated machine identity management practices. Nearly two-thirds (64%) of CIOs say that rather than using a comprehensive machine identity management solution, their organisations combine multiple solutions and processes, including point solutions from certificate authorities (CAs) and public cloud providers, homegrown solutions and manual processes. This approach does not provide an enterprise-wide view of all machine identities or provide the mechanisms needed to enforce configuration or policy requirements.
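As an added example that is not part of the article or of Venafi's research, the following Python script illustrates the consolidation gap this paragraph describes. It merges constructed certificate exports from an internal CA, a cloud provider and a manual spreadsheet into one inventory keyed by certificate fingerprint, shows how simply adding up per-source counts misstates the unique population, and flags identities that are expired or close to expiry (the outage case described earlier in the article) together with those that break a simple configuration policy. The source names, records, owners and policy thresholds are all constructed assumptions for this example, not data from the study.

```python
"""Consolidated machine identity inventory (added example, not from the article).

Merges per-source certificate exports into one view keyed by fingerprint, then
reports expiring identities and policy violations. All records are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy thresholds for the example (not taken from the article).
MIN_KEY_BITS = 2048          # reject RSA keys shorter than this
MAX_VALIDITY_DAYS = 398      # reject certificates valid for longer than this
EXPIRY_WARNING_DAYS = 30     # warn when expiry falls inside this window

# Constructed sample exports. Each source only sees part of the estate, and the
# same certificate (fingerprint "aa11") appears in two exports.
SOURCE_EXPORTS: dict[str, list[dict]] = {
    "internal-ca": [
        {"fingerprint": "aa11", "subject": "api.internal.example", "not_before": "2023-01-10",
         "not_after": "2024-01-09", "key_bits": 2048, "owner": "payments"},
        {"fingerprint": "bb22", "subject": "build.ci.example", "not_before": "2021-03-01",
         "not_after": "2024-03-01", "key_bits": 1024, "owner": "platform"},
    ],
    "cloud-provider": [
        {"fingerprint": "aa11", "subject": "api.internal.example", "not_before": "2023-01-10",
         "not_after": "2024-01-09", "key_bits": 2048, "owner": "payments"},
        {"fingerprint": "cc33", "subject": "lb.prod.example", "not_before": "2023-06-01",
         "not_after": "2023-12-20", "key_bits": 2048, "owner": "platform"},
        {"fingerprint": "ee55", "subject": "old.prod.example", "not_before": "2022-11-15",
         "not_after": "2023-11-15", "key_bits": 2048, "owner": "payments"},
    ],
    "spreadsheet": [
        {"fingerprint": "dd44", "subject": "legacy.example", "not_before": "2020-01-01",
         "not_after": "2025-01-01", "key_bits": 2048, "owner": "unknown"},
    ],
}


@dataclass
class Identity:
    fingerprint: str
    subject: str
    not_before: date
    not_after: date
    key_bits: int
    owner: str
    sources: list[str]   # every export in which this certificate was seen


def consolidate(exports: dict[str, list[dict]]) -> dict[str, Identity]:
    """Merge all exports into one inventory; duplicates collapse onto one record."""
    inventory: dict[str, Identity] = {}
    for source, records in exports.items():
        for rec in records:
            fp = rec["fingerprint"]
            if fp in inventory:
                inventory[fp].sources.append(source)
                continue
            inventory[fp] = Identity(
                fingerprint=fp,
                subject=rec["subject"],
                not_before=date.fromisoformat(rec["not_before"]),
                not_after=date.fromisoformat(rec["not_after"]),
                key_bits=rec["key_bits"],
                owner=rec["owner"],
                sources=[source],
            )
    return inventory


def inventory_gap(exports: dict[str, list[dict]]) -> tuple[int, int]:
    """(sum of per-source record counts, number of unique identities)."""
    claimed = sum(len(records) for records in exports.values())
    return claimed, len(consolidate(exports))


def expiring_within(inventory: dict[str, Identity], today: date, days: int) -> list[str]:
    """Fingerprints already expired or expiring within `days`, soonest first."""
    horizon = today + timedelta(days=days)
    hits = [ident for ident in inventory.values() if ident.not_after <= horizon]
    hits.sort(key=lambda ident: ident.not_after)
    return [ident.fingerprint for ident in hits]


def policy_violations(inventory: dict[str, Identity]) -> dict[str, list[str]]:
    """Fingerprint -> reasons, for every identity that breaks the assumed policy."""
    violations: dict[str, list[str]] = {}
    for ident in inventory.values():
        reasons = []
        if ident.key_bits < MIN_KEY_BITS:
            reasons.append(f"key size {ident.key_bits} is below {MIN_KEY_BITS} bits")
        validity = (ident.not_after - ident.not_before).days
        if validity > MAX_VALIDITY_DAYS:
            reasons.append(f"validity of {validity} days exceeds {MAX_VALIDITY_DAYS}")
        if ident.owner == "unknown":
            reasons.append("no accountable owner recorded")
        if reasons:
            violations[ident.fingerprint] = reasons
    return violations


def build_report(exports: dict[str, list[dict]], today_iso: str,
                 warn_days: int = EXPIRY_WARNING_DAYS) -> dict:
    """One enterprise-wide view: population gap, expiry risk, policy breaches."""
    inventory = consolidate(exports)
    claimed, unique = inventory_gap(exports)
    return {
        "claimed_total": claimed,
        "unique_total": unique,
        "expiring": expiring_within(inventory, date.fromisoformat(today_iso), warn_days),
        "violations": policy_violations(inventory),
    }


if __name__ == "__main__":
    report = build_report(SOURCE_EXPORTS, "2023-12-01")
    print(f"records across sources: {report['claimed_total']}, unique: {report['unique_total']}")
    print("expired or expiring soon:", report["expiring"])
    for fp, reasons in report["violations"].items():
        print(fp, "->", "; ".join(reasons))
```

With the constructed data the three exports hold six records but only five distinct identities, one identity is already expired and another expires inside the warning window, and two identities fail policy: one on key size and validity period, one on validity period and missing ownership. None of these findings is visible from any single source on its own, which is the point the paragraph makes about point solutions.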

“Machine identity management is in the early stages of adoption,” Bocek continued. “It’s very similar to what happened with customer and workforce identity a few years ago, but it’s orders of magnitude larger in scale and change is happening much faster. The challenges connected with human identity management pale in contrast to the challenges of managing machine identities. This research underscores the urgent need for every organisation to evaluate their machine identity management program in order to protect their Digital Transformation initiatives.”

We asked industry experts about the implications we are seeing when it comes to identity management and how they think organisations can properly manage their identity.

Greg Smith, Solutions Architect at Radiant Logic

Events like Identity Management Day – held on April 12 every year – are doing their job in highlighting the importance of securing and managing digital identities. In the past, Identity and Access Management (IAM) has been sort of an afterthought – organisations hadn’t recognised how having a handle on identity management can cause a genuine security risk to the business. However, according to recent research, security professionals named an identity management solution as the number one priority to address their current security gaps. Evidently, IAM is becoming recognised as an important process to have within a business.

This has been particularly apparent in the past year with governments implementing more initiatives to ensure organisations are following the best cybersecurity practices, including identity management. The recent White House Zero Trust strategy was a prime example, stressing the significance of consolidating identity systems so that protections and monitoring can be applied.

We have seen, however, that all too often organisations store identity data across different applications which all use a variety of protocols and therefore cannot communicate with each other. What’s more, the number of identities relating to a business is expanding and as the IT estate grows, the more unwieldy it becomes. This is called identity sprawl which inevitably hampers the ability of organisations to manage, audit and control digital identities.

New security frameworks such as Zero Trust rely on accurate and accessible information about the people, objects and devices that interact with its network. And it’s the quality, the granularity and the availability of that information that determines the security or vulnerability of the organisation. Managing this identity data is essential in order to understand the security risks to the business.

So, what is needed going forward for 2022? Having a unified and logical identity system, such as an identity data fabric, is crucial. An identity data fabric provides a connective layer that sits between consumers of identity (applications, services, as well as other identity solutions that provide access management and governance) and all the silos of identity data. Applications now have one reusable service that they can connect to for unified and normalised identity data, on-premise or in the cloud, using the format and protocol of their choice. As a result, applications can effectively delegate the complex identity integration work to the fabric and focus on the core capabilities they were designed for. 

A single version of identity truth – one place to go to get everything that’s needed, in exactly the right format every time – is something that organisations should consider when moving forward with their identity management plans. The ease with which this solution can be applied to a business will mean organisations will have a better security posture because their identity data is in one place. A flexible and manageable resource will ensure that organisations are finally able to gain control over their identity data and turn it into something that works for the business.

Ricardo Diniz, VP & General Manager, UK&I and Southern Europe, WSO2

Events like Identity Management Day – the international education effort jointly led by the Identity Defined Security Alliance and National Cybersecurity Alliance – bring to our attention the growing importance of protecting consumers’ identities and information.

Whether consumers go online to pay a bill, set up a doctor’s appointment, or shop at a favourite retailer’s site, they want to know that the organisation knows who they are, protects their privacy and lets them control how their personal data is shared.

Organisations now view their ability to create trusted digital experiences as a significant opportunity to build customer loyalty and gain a competitive advantage.

Here in the UK, customer identity and access management (CIAM) is playing a central role in maintaining trusted relationships with consumers online. In fact, 78% of the 200 UK and Ireland respondents who took part in a recent WSO2 and Vanson Bourne research study said they are already using an Identity and Access Management platform (IAM) with 67% utilising a customer identity and access management platform (CIAM).

At the same time, it is becoming clear that security and the APIs and applications driving consumer experiences are now intrinsically linked, creating the need for CIAM to work in concert with API management and security solutions.

We are seeing more software developers assuming responsibility for incorporating security into the applications driving consumers’ digital experiences. This is driving the demand for cloud-based, highly automated solutions that allow developers to quickly and easily add CIAM functionality without having to become security software experts. Our research reinforces this demand, with more than half of respondents (51%) saying that they expect their organisations’ preferred deployment choice for future CIAM platforms to be SaaS/Identity-as-a-Service (IDaaS).

Joseph Carson, Chief Security Scientist & Advisory CISO, Delinea

When it comes to cyber threats, all roads continue to lead to identity. Digital Transformation, the move to cloud and requirements for remote work have only made it easier for cybercriminals as organisations struggle to secure an expanded threatscape and get a handle on identity sprawl. Companies of all sizes need to focus on centralising identities while also reinforcing best practices and training to ensure employees are doing everything possible to secure their credentials. Remember: it only takes one compromised identity to negatively impact the company’s financial performance, customer loyalty and brand reputation, potentially costing millions of dollars.

Intelligent CISO