Machine Identity Management, concerns and challenges

May 13, 2022

The concept of Identity and Access Management (IAM) is already well known among IT and cybersecurity leaders, who are concerned with the authentication and authorization of human users, but what about machines? Today, much electronic communication and many transactions take place between devices, from servers to IoT sensors, rather than between people. Wouldn’t it be advisable to assign an identity to each of these machines and, just as IAM solutions do for people, manage and protect them? These machine identities come in the form of cryptographic keys, digital certificates, and similar credentials.

Faced with the need to adopt the principle of zero trust (“trust nothing, validate everything”) in IT environments increasingly affected by insecurity and uncertainty, machine identities have become essential for establishing trusted relationships between devices and workloads across a variety of ecosystems. However, decisions about Machine Identity Management (MIM) tools generally do not receive enough attention in organisations, according to Gartner.

The good news is that more IT and cybersecurity leaders are recognising the need for a strategy to manage machine identities. According to a survey conducted by the Ponemon Institute and published by Keyfactor, which compiled responses from IT professionals in North America, Europe, the Middle East and Africa across cybersecurity, infrastructure, operations and development roles, 66% of respondents said they were familiar or very familiar with the MIM concept.

Another point highlighted by the survey is that the volume of machine identities is growing rapidly, especially certificates issued internally within organisations. On average, respondents report around 267,620 trusted certificates issued within their IT organisations, growth of almost 16 percent on last year’s study. By contrast, there are on average only 1,942 publicly trusted certificates per organisation.

The problem is that the more certificates are issued and the shorter their lifespan, the more difficult it becomes to manage identities. Seventy percent of respondents said the increased use of digital keys and certificates has significantly increased the workload of IT departments, up from 62% reported in 2021. Another 65% are concerned about this increased work and risk of disruptions due to shorter certificate lifetimes, up from 59% in last year’s study.

If not tracked, certificates can expire unexpectedly, causing applications or services to stop working. The majority of respondents (81%) reported having had two or more downtime events in the past 24 months, up from 77% in 2021. Time to Recovery (TTR) can also be an issue: 67% of respondents reported that it took three or more hours to return to normal operation.

Adoption of certificate management tools is growing, but spreadsheets are still too common. Forty-four percent of respondents said they use a dedicated certificate lifecycle management (CLM) solution, yet many still rely on a patchwork of spreadsheets (42%), tools provided by SSL/TLS certificate vendors, and home-grown solutions (38%).
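The outages described above come from certificates that nobody was watching, and a spreadsheet cannot raise an alarm. As an added example, not code from the article, the survey authors or any CLM vendor, the following Go program shows the core check a certificate inventory tool performs: it parses a PEM bundle of certificates, computes how long each has left, and reports those that are already expired or expire within a chosen window, soonest first. The certificates and hostnames (`*.example.test`) are constructed in-memory test data generated by the program itself; the function names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// ExpiryFinding is one inventory entry that needs attention.
type ExpiryFinding struct {
	CommonName string
	NotAfter   time.Time
	DaysLeft   int  // negative when already expired
	Expired    bool
}

// FindExpiring parses every CERTIFICATE block in a PEM bundle and returns the
// ones that have expired or will expire within `within` of `now`, soonest first.
// A malformed certificate is reported as an error rather than silently skipped,
// because an unparseable entry in an inventory is itself something to look at.
func FindExpiring(pemBundle []byte, now time.Time, within time.Duration) ([]ExpiryFinding, error) {
	var findings []ExpiryFinding
	rest := pemBundle
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue // keys or other PEM objects are not part of this check
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parsing certificate: %w", err)
		}
		remaining := cert.NotAfter.Sub(now)
		if remaining > within {
			continue
		}
		findings = append(findings, ExpiryFinding{
			CommonName: cert.Subject.CommonName,
			NotAfter:   cert.NotAfter,
			DaysLeft:   int(remaining.Hours() / 24),
			Expired:    remaining < 0,
		})
	}
	sort.Slice(findings, func(i, j int) bool {
		return findings[i].NotAfter.Before(findings[j].NotAfter)
	})
	return findings, nil
}

// selfSignedPEM builds a constructed self-signed test certificate (not a real
// organisational certificate) with the given subject and validity window.
func selfSignedPEM(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// SampleInventory returns a constructed PEM bundle of four test certificates
// whose expiry dates are set relative to `now` (sample data, not survey data).
func SampleInventory(now time.Time) ([]byte, error) {
	specs := []struct {
		cn   string
		days int // days until NotAfter, negative = already expired
	}{
		{"internal-api.example.test", 12},
		{"legacy-batch.example.test", -3},
		{"public-www.example.test", 200},
		{"mq-broker.example.test", 45},
	}
	var bundle []byte
	for _, s := range specs {
		p, err := selfSignedPEM(s.cn, now.Add(-365*24*time.Hour), now.Add(time.Duration(s.days)*24*time.Hour))
		if err != nil {
			return nil, err
		}
		bundle = append(bundle, p...)
	}
	return bundle, nil
}

func main() {
	// Fixed clock with whole seconds: X.509 stores times at second precision.
	now := time.Date(2022, 5, 13, 12, 0, 0, 0, time.UTC)
	bundle, err := SampleInventory(now)
	if err != nil {
		panic(err)
	}
	findings, err := FindExpiring(bundle, now, 30*24*time.Hour)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-28s expires %s (%d days) expired=%v\n", f.CommonName, f.NotAfter.Format(time.RFC3339), f.DaysLeft, f.Expired)
	}
}
```

With a 30-day window the run flags `legacy-batch.example.test` (already expired) and `internal-api.example.test` (12 days left) and ignores the other two. In practice the PEM bundle would be gathered from hosts, key stores and load balancers, and the same check would run on a schedule so that a renewal ticket, not an outage, is the first sign that a certificate is about to lapse.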

According to the study, having complete visibility of certificates and automation of their lifecycles are the top two criteria when choosing a certificate management system, a significant increase from last year’s study.

Source: Ponemon Institute

Concerns and strategic actions

Sixty-one percent of respondents said that theft or misuse of machine identities is a serious or very serious concern for IT organizations, up significantly from 34% of respondents in last year’s study. In addition, half said their organizations are likely or very likely to experience more incidents of machine identity theft or misuse in the next 24 months.

Uncertainty and lack of skilled personnel remain the most common challenges in defining machine identity management strategy (both with 41% of responses), as shown in the figure below.

Source: Ponemon Institute