Why the Exponential Growth of Machine Identities Requires Evolution of Privileged Access Management
National Cyber Security Awareness Month - Week 1: If You Connect It, Protect It
October 08, 2020

Andy Smith
Centrify

Over time, applications have evolved from simple lines of code to a universe full of interconnected machines and systems powering continuous integration and continuous delivery. Software-defined data centers where "infrastructure as code" models are being used to deploy virtualized systems hosted on-premises as well as in cloud IaaS service environments have created challenges for DevOps and security teams.

The increased use of containers, microservices architectures and other connected services to develop applications has made it increasingly difficult for security teams to monitor who is accessing sensitive information. With deadlines and agility paramount for developers and operations teams, security teams need to prevent an attacker from infiltrating an organization through this exponential expansion of the attack surface.


Week one of National Cyber Security Awareness Month's theme is, "If You Connect It, Protect It." It is important for DevOps and security teams to work together to secure access to (and between) the containers, microservices architectures and other connected services used to build applications. Connecting services and workloads is also equally as important. Below we discuss the role privileged access management (PAM) plays in putting the security — or the "sec" — in DevSecOps, and why security teams should look beyond traditional PAM methods for the best results for their organizations.

Digital Transformation Changes Everything We Know About PAM

Developers do not want to waste time when deadlines are looming in the background. Because of this, DevOps teams will have a tendency of bypassing PAM - which could cost businesses. Avoiding PAM could lead to an increased risk of a cyberattack, a waste of money spent invested in PAM, and fines from violating industry regulations.

The goal of PAM for application developers is to simplify and centralize credential management (also commonly referred to as application-to-application password management, or AAPM). Unfortunately, traditional PAM methods tend to be complicated to deploy and manage, and require lots of manual care and feeding with the new technologies used to build applications.

However, developers have grown accustomed to putting static passwords and secrets in code as part of the development process. When an application is running, it authenticates using the static embedded password. Stop and think about it for a second, static passwords in code… this is a bad practice. Threat actors can simply use a password sniffer to discover and use the password, posing as a legitimate account and evading security teams. PAM is necessary to protect organizations, but with traditional methods comes some challenges such as not accounting for machine identities.

Furthermore, now there is a significant expansion in the number of identities that need to be created and managed. Human identities are now limited in the DevOps process compared to non-human identities such as other applications, virtual machines, services and workloads in the cloud — causing complexity in the PAM process.

Luckily, just as the way developers have built applications over time has evolved, PAM methods have too.

How to Seamlessly Incorporate AAPM into the DevOps Process

The best way for AAPM and PAM to integrate into the modern DevOps process is to use a combination of more modern methods: ephemeral tokens and delegated machine credentials.

Ephemeral tokens offer temporary, time-based access with automatic expirations. These tokens are created automatically by a password vault, eliminating the need for DevOps teams to utilize static passwords or secrets as part of the development process. Once the accessor — whether human or machine — is authenticated and after a set period of time, the token will disappear. If a threat actor were to compromise a server, there would be no static credential to steal, which would greatly reduce the risk of a full-scale attack or lateral movement.

The next layer to an effective modern PAM solution is something we call Delegated Machine Credentials. If a container, virtual machine or other connected device were to be enrolled into a PAM service, it receives its own temporary credentials so it can authenticate and establish a mutual trust relationship with a password vault. Now any applications or workloads running on the particular machine are able to use its credential as well, leveraging the binded trust granted by the DevOps team. Using a combination of the ephemeral tokens and delegated machine credentials, security becomes automated, and the number of service accounts is significantly reduced, also greatly reducing risk.

Keeping Connected and Secure

We live in a virtualized world, so it is no wonder application development has turned into a sea of connections with both human and non-human identities. Organizations must strive to modernize PAM in order to create a seamless, secure DevSecOps experience.

Andy Smith is Cybersecurity Evangelist at Centrify
Share this

Industry News

February 02, 2023

Red Hat announced a multi-stage alliance to offer customers a greater choice of operating systems to run on Oracle Cloud Infrastructure (OCI).

February 02, 2023

Snow Software announced a new global partner program designed to enable partners to support customers as they face complex market challenges around managing cost and mitigating risk, while delivering value more efficiently and effectively with Snow.

February 02, 2023

Contrast Security announced the launch of its new partner program, the Security Innovation Alliance (SIA), which is a global ecosystem of system integrators (SIs), cloud, channel and technology alliances.

February 01, 2023

Red Hat introduced new security and compliance capabilities for the Red Hat OpenShift enterprise Kubernetes platform.

February 01, 2023

Jetpack.io formally launched with Devbox Cloud, a managed service offering for Devbox.

February 01, 2023

Jellyfish launched Life Cycle Explorer, a new solution that identifies bottlenecks in the life cycle of engineering work to help teams adapt workflow processes and more effectively deliver value to customers.

January 31, 2023

Ably announced the Ably Terraform provider.

January 31, 2023

Checkmarx announced the immediate availability of Supply Chain Threat Intelligence, which delivers detailed threat intelligence on hundreds of thousands of malicious packages, contributor reputation, malicious behavior and more.

January 31, 2023

Qualys announced its new GovCloud platform along with the achievement of FedRAMP Ready status at the High impact level, from the Federal Risk and Authorization Management Program (FedRAMP).

January 30, 2023

F5 announced the general availability of F5 NGINXaaS for Azure, an integrated solution co-developed by F5 and Microsoft that empowers enterprises to deliver secure, high-performance applications in the cloud.

January 30, 2023

Tenable announced Tenable Ventures, a corporate investment program.

January 26, 2023

Ubuntu Pro, Canonical’s comprehensive subscription for secure open source and compliance, is now generally available.

January 26, 2023

Mirantis, freeing developers to create their most valuable code, today announced that it has acquired the Santa Clara, California-based Shipa to add automated application discovery, operations, security, and observability to the Lens Kubernetes Platform.

January 25, 2023

SmartBear has integrated the powerful contract testing capabilities of PactFlow with SwaggerHub.

January 25, 2023

Venafi introduced TLS Protect for Kubernetes.