The overlooked identities – machines and workloads matter too

Identity security isn't just about protecting human identities anymore

TechRadar

News. By Matt Barker, published 20 September 2024


Most people understand “digital identity” as the online information linked to humans, such as usernames and passwords, that allows us to access services and apps. Today – with our lives increasingly playing out online – this identity is crucial for almost every action we take, from online security to seamless transactions.

However, a critical aspect of digital identity that is often overlooked within organizations is the identity of machines. Machines, from IoT devices to servers, and even the workloads that run on them – containers, microservices, or bash scripts – all require identities. These identities can be compromised and abused just like human ones, exposing critical information and posing significant risk if they are not managed consistently across environments.

Matt Barker

Global Head of Workload Identity Architecture at Venafi, a CyberArk company.

Maintaining identity consistency

As multi-cloud environments and cloud-native architectures have become standard, the number of machine and workload identities is soaring. In 2023, workload identities alone outnumbered human identities 10 to 1, and this gap is expected to widen, set to reach 100 to 1 soon. Understanding and managing these identities is vital for maintaining organizational security in the digital age – but how do businesses ensure consistency across their identities?

With the rise in cloud adoption, workloads are increasing exponentially, turning identity into a business-wide issue. Everything operating within your business, from a simple script to a complex workload, requires the same security considerations as a human identity. It's not enough for workloads to just have an identity; they need one that is consistent, secure, short-lived, and thoroughly vetted. Much like people who often face challenges managing multiple logins, locations, and passwords – leading to frustration, risk, and productivity slowdowns – workloads can encounter similar issues. Maintaining consistent identities for these workloads is essential to safeguarding them against threats.

Building the workload identity pyramid

Consider workload identities as a pyramid. At the foundation are the workload identities themselves and the management of their entire lifecycle. The next level up is authentication, ensuring each entity is correctly identified and verified. Above that is authorization, which dictates what resources or actions the entity is permitted to access. At the top of the pyramid is governance, overseeing and managing the rules of authentication and authorization. Only once a level is in place can the next be addressed, and only with all four in place can the final goal, standardization, be pursued.

As development platforms like Kubernetes become ubiquitous, it is essential to establish an open-source standard for consistently and securely identifying software systems, since all workloads need verifiable IDs. When all vendors adopt the same standard, tools and systems from different sources can integrate and communicate better, which improves compatibility and extends the reach of solutions. By establishing governance standards, organizations can better protect themselves from increasing risks, ensuring that security and IT teams can identify, manage, and govern workloads regardless of where they are running. One example of an open-source standard is SPIFFE, the Secure Production Identity Framework For Everyone. SPIFFE is hosted by the same foundation as Kubernetes, the Cloud Native Computing Foundation (CNCF), alongside many of the other projects it is likely to interoperate with. Although it was built for and designed with Kubernetes in mind, it can also be applied to traditional, proprietary on-premises systems, which makes it powerful for platform engineers and infosec teams alike.
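The pyramid and the SPIFFE standard above can be made concrete with a small added example (written for this page; it is not SPIFFE project code and not the author's). It validates a workload's SPIFFE ID against the SPIFFE ID grammar (the identity layer), checks that the presented credential belongs to our trust domain and is short-lived and currently valid (authentication), and then consults a policy table that the governance layer would own (authorization). The trust domain `example.org`, the one-hour lifetime limit, the `Svid` stand-in for a parsed X.509-SVID and the policy entries are all constructed assumptions.

```python
import re
from dataclasses import dataclass
# Grammar from the SPIFFE ID standard: spiffe://<trust-domain>/<path>
_TD_RE = re.compile(r"[a-z0-9._-]+")      # trust domain: lowercase; no port, userinfo, "?" or "#"
_SEG_RE = re.compile(r"[A-Za-z0-9._-]+")  # path segment: same character class, case preserved
TRUST_DOMAIN = "example.org"              # assumed name of this organisation's trust domain
MAX_SVID_LIFETIME = 3600                  # assumed policy (seconds): credentials stay short-lived
@dataclass(frozen=True)
class SpiffeId:
    trust_domain: str
    path: str                             # "" for a trust-domain ID, otherwise "/seg/seg"
def parse_spiffe_id(raw: str) -> "SpiffeId | None":
    """Identity layer: return the parsed ID, or None if it violates the SPIFFE grammar."""
    if len(raw.encode()) > 2048 or not raw.startswith("spiffe://"):
        return None
    td, sep, path = raw[len("spiffe://"):].partition("/")
    if not _TD_RE.fullmatch(td):
        return None
    if not sep:
        return SpiffeId(td, "")
    for seg in path.split("/"):           # empty segment (incl. trailing "/"), "." and ".." all fail
        if seg in (".", "..") or not _SEG_RE.fullmatch(seg):
            return None
    return SpiffeId(td, "/" + path)
@dataclass(frozen=True)
class Svid:
    """Constructed stand-in for a parsed X.509-SVID: the ID plus its validity window (Unix secs)."""
    spiffe_id: str
    not_before: int
    not_after: int
# Constructed policy table (owned by the governance layer): callee ID -> allowed caller IDs.
POLICY = {"spiffe://example.org/ns/payments/sa/api": {"spiffe://example.org/ns/web/sa/frontend"}}
def check_request(svid: Svid, callee: str, now: int, policy=POLICY) -> str:
    """Identity -> authentication -> authorization; returns 'allow' or 'deny: <reason>'."""
    caller = parse_spiffe_id(svid.spiffe_id)
    if caller is None:
        return "deny: malformed SPIFFE ID"
    if caller.trust_domain != TRUST_DOMAIN:                  # authentication: our trust domain only
        return "deny: foreign trust domain"
    if not svid.not_before <= now < svid.not_after:
        return "deny: SVID not valid at this time"
    if svid.not_after - svid.not_before > MAX_SVID_LIFETIME: # long-lived credentials are rejected
        return "deny: SVID lifetime exceeds policy"
    if svid.spiffe_id not in policy.get(callee, set()):      # authorization: policy lookup
        return "deny: caller not permitted for callee"
    return "allow"
```

In a real deployment the SVID fields come from the certificate handed out by a SPIFFE-compatible workload API, and the policy table is managed centrally rather than hard-coded.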

Securing digital workloads

Identity security isn't just about protecting human identities anymore. The perimeter is dead, and services now run everywhere – from on-premises to the cloud and beyond. Just as employees must verify their identities to keep your business secure, machines and workloads interacting with one another need to do the same. This helps IT teams manage and secure workloads across various cloud environments more effectively.
