Why the Exponential Growth of Machine Identities Requires Evolution of Privileged Access Management
National Cyber Security Awareness Month - Week 1: If You Connect It, Protect It
October 08, 2020

Andy Smith
Centrify

Over time, applications have evolved from simple lines of code to a universe full of interconnected machines and systems powering continuous integration and continuous delivery. Software-defined data centers where "infrastructure as code" models are being used to deploy virtualized systems hosted on-premises as well as in cloud IaaS service environments have created challenges for DevOps and security teams.

The increased use of containers, microservices architectures and other connected services to develop applications has made it increasingly difficult for security teams to monitor who is accessing sensitive information. With deadlines and agility paramount for developers and operations teams, security teams need to prevent an attacker from infiltrating an organization through this exponential expansion of the attack surface.


Week one of National Cyber Security Awareness Month's theme is, "If You Connect It, Protect It." It is important for DevOps and security teams to work together to secure access to (and between) the containers, microservices architectures and other connected services used to build applications. Connecting services and workloads is also equally as important. Below we discuss the role privileged access management (PAM) plays in putting the security — or the "sec" — in DevSecOps, and why security teams should look beyond traditional PAM methods for the best results for their organizations.

Digital Transformation Changes Everything We Know About PAM

Developers do not want to waste time when deadlines are looming in the background. Because of this, DevOps teams will have a tendency of bypassing PAM - which could cost businesses. Avoiding PAM could lead to an increased risk of a cyberattack, a waste of money spent invested in PAM, and fines from violating industry regulations.

The goal of PAM for application developers is to simplify and centralize credential management (also commonly referred to as application-to-application password management, or AAPM). Unfortunately, traditional PAM methods tend to be complicated to deploy and manage, and require lots of manual care and feeding with the new technologies used to build applications.

However, developers have grown accustomed to putting static passwords and secrets in code as part of the development process. When an application is running, it authenticates using the static embedded password. Stop and think about it for a second, static passwords in code… this is a bad practice. Threat actors can simply use a password sniffer to discover and use the password, posing as a legitimate account and evading security teams. PAM is necessary to protect organizations, but with traditional methods comes some challenges such as not accounting for machine identities.

Furthermore, now there is a significant expansion in the number of identities that need to be created and managed. Human identities are now limited in the DevOps process compared to non-human identities such as other applications, virtual machines, services and workloads in the cloud — causing complexity in the PAM process.

Luckily, just as the way developers have built applications over time has evolved, PAM methods have too.

How to Seamlessly Incorporate AAPM into the DevOps Process

The best way for AAPM and PAM to integrate into the modern DevOps process is to use a combination of more modern methods: ephemeral tokens and delegated machine credentials.

Ephemeral tokens offer temporary, time-based access with automatic expirations. These tokens are created automatically by a password vault, eliminating the need for DevOps teams to utilize static passwords or secrets as part of the development process. Once the accessor — whether human or machine — is authenticated and after a set period of time, the token will disappear. If a threat actor were to compromise a server, there would be no static credential to steal, which would greatly reduce the risk of a full-scale attack or lateral movement.

The next layer to an effective modern PAM solution is something we call Delegated Machine Credentials. If a container, virtual machine or other connected device were to be enrolled into a PAM service, it receives its own temporary credentials so it can authenticate and establish a mutual trust relationship with a password vault. Now any applications or workloads running on the particular machine are able to use its credential as well, leveraging the binded trust granted by the DevOps team. Using a combination of the ephemeral tokens and delegated machine credentials, security becomes automated, and the number of service accounts is significantly reduced, also greatly reducing risk.

Keeping Connected and Secure

We live in a virtualized world, so it is no wonder application development has turned into a sea of connections with both human and non-human identities. Organizations must strive to modernize PAM in order to create a seamless, secure DevSecOps experience.

Andy Smith is Cybersecurity Evangelist at Centrify
Share this

Industry News

May 06, 2025

Google is rolling out an updated Gemini 2.5 Pro model with significantly enhanced coding capabilities.

May 06, 2025

BrowserStack announced the acquisition of Requestly, the open-source HTTP interception and API mocking tool that eliminates critical bottlenecks in modern web development.

May 06, 2025

Jitterbit announced the evolution of its unified AI-infused low-code Harmony platform to deliver accountable, layered AI technology — including enterprise-ready AI agents — across its entire product portfolio.

May 05, 2025

The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, and Synadia announced that the NATS project will continue to thrive in the cloud native open source ecosystem of the CNCF with Synadia’s continued support and involvement.

May 05, 2025

RapDev announced the launch of Arlo, an AI Agent for ServiceNow designed to transform how enterprises manage operational workflows, risk, and service delivery.

May 01, 2025

Check Point® Software Technologies Ltd.(link is external) announced that its Quantum Firewall Software R82 — the latest version of Check Point’s core network security software delivering advanced threat prevention and scalable policy management — has received Common Criteria EAL4+ certification, further reinforcing its position as a trusted security foundation for critical infrastructure, government, and defense organizations worldwide.

May 01, 2025

Postman announced full support for the Model Context Protocol (MCP), helping users build better AI Agents, faster.

May 01, 2025

Opsera announced new Advanced Security Dashboard capabilities available as an extension of Opsera's Unified Insights for GitHub Copilot.

May 01, 2025

Lineaje launched new capabilities including Lineaje agentic AI-powered self-healing agents that autonomously secure open-source software, source code and containers, Gold Open Source Packages and Gold Open Source Images that enable organizations to source trusted, pre-fixed open-source software, and a software crawling and analysis engine, SCA360, that discovers and contextualizes risks at all software development stages.

April 30, 2025

Lenses.io announced the release of Lenses 6.0, enabling organizations to modernize applications and systems with real-time data as AI adoption accelerates.

April 30, 2025

Sonata Software has achieved Amazon Web Services (AWS) DevOps Competency status.

April 29, 2025

vFunction® announced significant platform advancements that reduce complexity across the architectural spectrum and target the growing disconnect between development speed and architectural integrity.

April 29, 2025

Sonatype® introduced major enhancements to Repository Firewall that expand proactive malware protection across the enterprise — from developer workstations to the network edge.

April 29, 2025

Aqua Security introduced Secure AI, full lifecycle security from code to cloud to prompt.