Remote working, along with other factors, has shifted the focus from managing devices to managing people, so it is key to understand what an individual identity has access to, how that access was granted, and why they have it. This knowledge is the basis for managing the security of cloud-integrated environments and reducing risk where possible.

In a modern IT infrastructure where ‘identity’ is the new security perimeter, the term ‘identity’ is potentially misunderstood. Identity is typically taken to mean only the user accounts stored within various directories or cloud services. In reality, an ‘identity’ should be deemed anything which is used to authenticate, store, extract or receive data, and this is no longer just a human identity. What about microservices, Robotic Process Automations (RPAs) and APIs? These are all non-user accounts: ‘machines’ or synthetic entities.

Although these are not seen as typical identities, they share some of the same security vulnerabilities as normal user accounts or traditional ‘service accounts’. It is important that these entities are managed and governed correctly in order to reduce the overall complexity and risk across a business’s IT environment. In fact, since these entities are used to automate processes, they need to be validated more regularly to ensure that no malicious or fraudulent activity has occurred, and to review whether a process is still required or should be retired because it is redundant. All of these elements require strong identity governance; without it, the weakest link could easily be used maliciously to make the rest of the security within an environment vulnerable.
What is a Machine Identity?
A machine identity is essentially anything which is used as a credential. This could be something used for automation, such as a Robotic Process Automation (RPA), or anything from a bot or an Azure function to an API key.
What are my options to ensure my environment is secure?
- Practise the safe creation of APIs and the safe storage of API keys.
- Manage machine identities and their lifecycle as part of an overall identity governance and ongoing risk assessment (IGA) practice
- Practise least privilege when granting access to any automated process and ‘identity’
- Implement security governance around any new solution which uses synthetic identities
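The lifecycle and least-privilege points above can be turned into a recurring review over an inventory of machine identities. The following is an added example, not part of the original article: the inventory records, field names and the 180-day and 90-day thresholds are all assumptions made for illustration.

```python
from datetime import date

# Assumed policy thresholds (not from the article); tune to your own risk appetite.
MAX_SECRET_AGE_DAYS = 180   # rotate credentials older than this
MAX_IDLE_DAYS = 90          # unused this long: review whether still required

# Constructed sample inventory; every name and field here is hypothetical.
INVENTORY = [
    {"name": "rpa-invoice-bot", "kind": "RPA", "owner": "finance-ops",
     "secret_created": date(2024, 3, 1), "last_used": date(2024, 5, 28),
     "granted": {"invoices.read", "invoices.write", "users.admin"},
     "needed": {"invoices.read", "invoices.write"}},
    {"name": "azure-fn-export", "kind": "Azure function", "owner": None,
     "secret_created": date(2023, 1, 10), "last_used": None,
     "granted": {"reports.read"}, "needed": {"reports.read"}},
    {"name": "api-key-reporting", "kind": "API key", "owner": "bi-team",
     "secret_created": date(2024, 4, 15), "last_used": date(2024, 5, 30),
     "granted": {"reports.read"}, "needed": {"reports.read"}},
]

def review(identity, today):
    """Return the governance findings for one machine identity."""
    findings = []
    if not identity.get("owner"):
        findings.append("no accountable owner")
    if (today - identity["secret_created"]).days > MAX_SECRET_AGE_DAYS:
        findings.append("credential overdue for rotation")
    last_used = identity.get("last_used")
    if last_used is None or (today - last_used).days > MAX_IDLE_DAYS:
        findings.append("unused: candidate for retirement")
    # Least privilege: anything granted beyond what the process needs.
    excess = identity["granted"] - identity["needed"]
    if excess:
        findings.append("excess privileges: " + ", ".join(sorted(excess)))
    return findings

def review_all(inventory, today):
    """Map identity name -> findings, omitting identities with none."""
    report = {}
    for identity in inventory:
        findings = review(identity, today)
        if findings:
            report[identity["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in review_all(INVENTORY, date(2024, 6, 1)).items():
        print(name, "->", "; ".join(findings))
```
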
Identity. How can Silversands assist?
Silversands is continually reviewing the market to ensure that its customers are aware of approaches for making certain that their security is maintained. As part of this, we are assessing the viability of introducing complementary solutions which are best of breed in this area. Although Identity Governance is traditionally associated with highly regulated businesses, it is now becoming much more common for all businesses to adopt good practices in this area. Silversands is assessing solutions to bring into our portfolio and offer to our customers. In the interim, Silversands Consultants can still help to assess the needs of our customers in this area and provide the necessary guidance. If you would like to speak to one of our identity experts, please complete and submit the form below: