The report identified that, despite 60% of surveyed organisations agreeing that machine identities pose a greater security risk than human identities, security measures continue to lag behind.
SailPoint Technologies, a leader in unified identity security for enterprises, has unveiled the 2024 Machine Identity Crisis: The Challenges of Manual Processes and Hidden Risks, a global survey of more than 320 identity and access experts, security professionals and executives.
The report explores the differences between managing machine identities and human identities, highlighting the challenges of securing machine identities such as overprovisioning and changing compliance requirements, and provides a comprehensive view of the identity management challenges faced by today’s IT and security teams.
Findings indicate that 69% of companies surveyed manage more machine identities than human identities, with nearly half deploying 10x as many. These machine identities include applications, databases, bots, IoT devices, SaaS tools and a wide range of other hardware and software solutions.
Of the security professionals surveyed, 72% reported that managing machine identities is more challenging than managing human identities, citing poor internal processes and inadequate identity management tools as the culprits. As a result, 66% of respondents indicated that managing machine identities requires more manual processes than human identities, taxing already scarce IT and security resources.
“Many organisations lack visibility into the full spectrum of identities present within their environments,” said Mark McClain, CEO and Founder of SailPoint. “In fact, our annual Horizons of Identity Security report shows that machine identities are expected to grow faster than any other type of identity over the next 3-5 years. This further validates the complexity of managing an entirely new class of identities for enterprises today.
“To stay ahead, businesses need an automated, cloud-based solution that can track and secure machine identities. This not only frees up IT teams to focus on more strategic tasks but also reduces the risk of unauthorised access to sensitive data, helping to support compliance and protect against evolving threats,” added McClain.
The growing volume of machine identities significantly heightens the risk of audit and compliance challenges. Surprisingly, 75% of surveyed companies have machine identities without a dedicated employee responsible for them. Moreover, insufficient governance increases the potential for data loss or compromised access. Findings show that 60% of organisations believe machine identities pose a greater risk to business than human identities, which is unlikely to change without improvements to discovery capabilities and governance practices.
Further, machine identities can act as a gateway to external resources and services, including cloud and SaaS solutions, partners, suppliers and other third parties. This risk is far from theoretical, with 57% of surveyed organisations reporting that a machine identity has been granted inappropriate access to sensitive data. Equally concerning are the 16% of respondents who cannot say for sure whether such an incident has occurred, highlighting either a lack of knowledge about potential risks or a failure to implement lessons learned to prevent them.
“Machine identities represent an increasingly popular attack vector, and the longer organisations grapple with how to effectively manage them, the greater the risk,” said Matt Mills, President, SailPoint. “Identity management solutions that do not provide real-time information on machine identities are essentially failing, forcing more manual steps, costing more in labour and resources, and resulting in poor processes that retain supposedly dormant identities, ultimately increasing the overall risk to the business. When selecting an identity management platform, organisations must consider every identity, not just those that are human.”
Methodology
IAM, security and compliance professionals at enterprise companies representing all seniority levels were invited to participate in a survey on their company’s machine identity access operational and management practices. The survey was administered electronically, and participants were offered a token compensation for their participation. A total of 322 qualified participants completed the survey. All participants had enterprise IAM and security responsibilities. Participants were from five continents, representing a global perspective.