Identity is not just for humans

Pieter Kasselman

In a world where science fiction is becoming reality, we are increasingly reliant on technology to improve our daily lives—whether it’s for assistance in our work, obtaining healthcare, deepening our social interactions, or enhancing our entertainment experiences.

To reap these benefits, we entrust workloads (e.g. applications or services) and devices with our most sensitive data. These machines often end up with access to vast amounts of sensitive information and resources, access that exceeds the scope any individual human may have. Although they often operate on behalf of a human, this is not a given, and they frequently operate without direct human intervention (e.g. a batch job). Given this access to information and resources, including control over physical infrastructure, a compromised device or workload identity can be every bit as damaging as a compromised human identity. To truly secure our environments, we have to look beyond human identities and ensure that workload and device identities are securely managed and operating with least privilege so that, if they are compromised, the impact is limited.

Human identity != machine identity

Although it is possible to use the same technology to manage both user and machine identities, it is also important to think about the main ways in which they differ.

  • Different “Join-Move-Leave” processes: In enterprises, human identities originate in HR systems, while machine identities originate in DevOps/SecOps pipelines (workload identities) or procurement and asset management systems (device identities).
  • Scale and velocity: There are many more machine identities than human identities and the velocity with which they are created and removed differs compared to human identities. Every time a workload is modified or spun up in response to capacity demands, a new identity is created. When the workload is no longer needed, the identity may need to be retired.
  • Identity attributes: The attributes we track for machine identities are different and need to be tied back to the supply chain, including the dynamically changing software bill of materials (SBOM), developers, manufacturers, hardware and runtime environments.
  • Behaviour and lifespan: Machines behave differently from humans. They have unique resource usage patterns such as batch modes or intermittent operations that must be taken into account by identity monitoring and protection systems. In addition, the lifespan of machine identities can vary greatly. Device identities may persist for decades, while workloads may be short-lived when compared to user identities.
  • Latency and resiliency: High-throughput, high-availability systems require machine identity at the edge that allows for lifecycle management and authorization decisions to be made as close to the compute node as possible, to minimise the risk of disruption and meet latency requirements.

These differences between human and machine identities require an evolution beyond our current approaches to human identities. In addition, the challenges of managing machine identities and deploying least privilege (Zero Trust) policies are about to get harder with the convergence of five trends that will drive the need for machine identity management.

Let’s take a look at each of these:

  • Explosive growth: Forecasts vary, but regardless of how you count, the rate at which devices and workloads are deployed to solve problems with the aid of technology continues to grow unabated. Analysts project device growth in the low double digits year on year, while the growth rate for the adoption of technologies to deploy workloads, like Kubernetes, is at least double that. The growth in the number of machine identities is bound only by our imagination.
  • Multi-cloud/multi-hybrid: According to a recent Gartner survey, more than 80% of respondents said they are pursuing multi-cloud strategies. This requires their workloads to be deployed and operated across multiple clouds, while devices have to be able to connect to and interact with multiple clouds. Although every cloud has its own identity management capabilities, these are not yet connected across clouds. This has led to the creation of fragmented workload and device identity management systems which require additional overhead to reconcile identities across platforms.
  • Heterogeneous identity landscape: Workloads and devices come in many different forms with different approaches to managing identities. In some cases, practices and tools used for managing human identities can be re-used. But, given that the join-move-leave lifecycle for machine identities is different from that of human identities, this can lead to partial solutions that need to be integrated with dedicated tools from potentially multiple providers or homegrown solutions. This diversity can lead to a fragmented approach to managing machine identities, increasing the risk of security gaps.
  • Security: It is not uncommon for workloads and devices to have broader access than they require. Once a machine is authorized to access another machine, there are often few additional controls limiting what it can do. Under a least privilege or Zero Trust approach, it is not enough to simply grant one machine access to another. Finer-grained authorization may be applied, taking into account on whose behalf the machine is acting, the time of day, and the specific function being invoked. Combining machine identity with other attributes is critical in implementing fine-grained authorization to ensure least privilege access policies are enforced.
  • Expertise elsewhere: There is a widespread skills shortage in the field of cybersecurity. According to the (ISC)² Cybersecurity Workforce Study, the global cybersecurity workforce gap was nearly 3.4 million in 2022. This shortage means that many organizations lack the expertise needed to effectively manage machine identities or deploy least privilege access security policies (Zero Trust policies) using a heterogeneous toolset, in a rapidly-growing, multi-cloud environment.
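The "Security" point above, as an added example that is not part of the original article: a coarse machine-to-machine grant beside a default-deny check that also weighs the function invoked, the principal the workload acts for, and the time of day. The workload names, function names, rule fields and time windows are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional

# Workload names, functions and time windows are constructed for illustration.
@dataclass(frozen=True)
class Request:
    caller: str                  # authenticated workload identity
    target: str                  # workload being called
    function: str                # specific function being invoked
    on_behalf_of: Optional[str]  # principal acted for; None for unattended jobs
    at: time                     # time of day of the call

@dataclass(frozen=True)
class Rule:
    caller: str
    target: str
    functions: frozenset         # functions this caller may invoke on the target
    needs_principal: bool        # True if the call must be on someone's behalf
    window: tuple                # (start, end): start inclusive, end exclusive

def coarse_allow(req, pairs):
    """Machine-to-machine grant only: once the pair is allowed, anything goes."""
    return (req.caller, req.target) in pairs

def in_window(t, window):
    start, end = window
    if start < end:
        return start <= t < end
    return t >= start or t < end  # window wraps past midnight

def fine_allow(req, rules):
    """Default deny: some rule must match on every attribute."""
    return any(
        (r.caller, r.target) == (req.caller, req.target)
        and req.function in r.functions
        and (bool(req.on_behalf_of) or not r.needs_principal)
        and in_window(req.at, r.window)
        for r in rules)

PAIRS = {("billing-batch", "ledger-api"), ("support-portal", "ledger-api")}
RULES = [
    Rule("billing-batch", "ledger-api", frozenset({"post_invoice"}), False, (time(23, 0), time(3, 0))),
    Rule("support-portal", "ledger-api", frozenset({"read_balance"}), True, (time(8, 0), time(18, 0))),
]
```

With these rules, a `billing-batch` call to a function outside its rule, or outside its night window, passes `coarse_allow` but is refused by `fine_allow`.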

The convergence of these five trends raises the question of how we can ensure that organizations will continue to deploy workloads and devices to assist us in our daily lives and still securely manage these identities, while taking into account the ways in which machine identities differ from human identities.

A problem made for standards

Although there is no silver bullet, this is the kind of problem that identity standards excel at solving by creating interoperability layers between heterogeneous environments, codifying the wisdom of the crowd to alleviate pressures on rare skills, and creating ecosystems of interoperable implementations from multiple providers that meet a common security bar.

Fortunately there are already several standards efforts, spread across multiple standards bodies, that we can build on. Some of these have been designed for human identities, but can be extended for machine identities, while others have emerged to address the specific nature of machine identities.

The path forward

In the next article in this series, we will explore the different building blocks for a machine identity standards framework. We’ll look at how they connect with one another to create a trust fabric that scales to meet the rapid growth in machine identities, spans multiple clouds, and allows us to connect different tools and solutions to create secure, least privilege environments, despite the massive skill shortage our industry faces.

