Why the Exponential Growth of Machine Identities Requires Evolution of Privileged Access Management
National Cyber Security Awareness Month - Week 1: If You Connect It, Protect It
October 08, 2020

Andy Smith
Centrify

Over time, applications have evolved from simple lines of code to a universe full of interconnected machines and systems powering continuous integration and continuous delivery. Software-defined data centers where "infrastructure as code" models are being used to deploy virtualized systems hosted on-premises as well as in cloud IaaS service environments have created challenges for DevOps and security teams.

The increased use of containers, microservices architectures and other connected services to develop applications has made it increasingly difficult for security teams to monitor who is accessing sensitive information. With deadlines and agility paramount for developers and operations teams, security teams need to prevent an attacker from infiltrating an organization through this exponential expansion of the attack surface.


The theme for week one of National Cyber Security Awareness Month is "If You Connect It, Protect It." It is important for DevOps and security teams to work together to secure access to (and between) the containers, microservices architectures and other connected services used to build applications. Securing the connections between services and workloads is equally important. Below we discuss the role privileged access management (PAM) plays in putting the security — or the "sec" — in DevSecOps, and why security teams should look beyond traditional PAM methods for the best results for their organizations.

Digital Transformation Changes Everything We Know About PAM

Developers do not want to waste time when deadlines are looming. Because of this, DevOps teams tend to bypass PAM, which could cost businesses. Avoiding PAM could lead to an increased risk of a cyberattack, wasted investment in PAM, and fines for violating industry regulations.

The goal of PAM for application developers is to simplify and centralize credential management (also commonly referred to as application-to-application password management, or AAPM). Unfortunately, traditional PAM methods tend to be complicated to deploy and manage, and require lots of manual care and feeding with the new technologies used to build applications.

However, developers have grown accustomed to putting static passwords and secrets in code as part of the development process. When an application is running, it authenticates using the static embedded password. Stop and think about it for a second: static passwords in code… this is a bad practice. Threat actors can simply use a password sniffer to discover and use the password, posing as a legitimate account and evading security teams. PAM is necessary to protect organizations, but traditional methods come with some challenges, such as not accounting for machine identities.

Furthermore, now there is a significant expansion in the number of identities that need to be created and managed. Human identities are now limited in the DevOps process compared to non-human identities such as other applications, virtual machines, services and workloads in the cloud — causing complexity in the PAM process.

Luckily, just as the way developers have built applications over time has evolved, PAM methods have too.

How to Seamlessly Incorporate AAPM into the DevOps Process

The best way for AAPM and PAM to integrate into the modern DevOps process is to use a combination of more modern methods: ephemeral tokens and delegated machine credentials.

Ephemeral tokens offer temporary, time-based access with automatic expirations. These tokens are created automatically by a password vault, eliminating the need for DevOps teams to utilize static passwords or secrets as part of the development process. Once the accessor — whether human or machine — is authenticated and after a set period of time, the token will disappear. If a threat actor were to compromise a server, there would be no static credential to steal, which would greatly reduce the risk of a full-scale attack or lateral movement.

The next layer of an effective modern PAM solution is something we call Delegated Machine Credentials. When a container, virtual machine or other connected device is enrolled into a PAM service, it receives its own temporary credentials so it can authenticate and establish a mutual trust relationship with a password vault. Any applications or workloads running on that machine are then able to use its credential as well, leveraging the bound trust granted by the DevOps team. Using a combination of ephemeral tokens and delegated machine credentials, security becomes automated and the number of service accounts is significantly reduced, which also greatly reduces risk.
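The two mechanisms above can be sketched together. The following is an added example, not code from the article or from any PAM product: `ToyVault`, its method names, the token format (HMAC-signed JSON claims) and the TTL values are all assumptions made for illustration. It shows a machine enrolling for a temporary credential, a workload on that machine exchanging it for a short-lived scoped token, and the vault rejecting expired, forged or revoked credentials.

```python
import base64, hashlib, hmac, json, secrets

class ToyVault:
    """Constructed in-memory vault for illustration; not any vendor's API."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # signing key never leaves the vault
        self._enrolled = {}                  # machine_id -> enrollment expiry

    def enroll_machine(self, machine_id, now, ttl=3600):
        # Delegated machine credential: the machine gets its own temporary identity.
        self._enrolled[machine_id] = now + ttl
        return self._sign({"sub": machine_id, "kind": "machine", "exp": now + ttl})

    def revoke_machine(self, machine_id):
        self._enrolled.pop(machine_id, None)

    def issue_token(self, machine_cred, workload, scope, now, ttl=300):
        # A workload presents the credential of the machine it runs on.
        claims = self.verify(machine_cred, now)
        if claims is None or claims["kind"] != "machine":
            return None
        if self._enrolled.get(claims["sub"], 0) <= now:
            return None                      # enrollment revoked or expired
        exp = min(now + ttl, claims["exp"])  # never outlive the machine credential
        return self._sign({"sub": claims["sub"] + "/" + workload, "kind": "access",
                           "scope": scope, "exp": exp})

    def verify(self, token, now):
        # Returns the claims, or None if the token is forged, malformed or expired.
        try:
            body, sig = token.split(".")
            if not hmac.compare_digest(sig, self._mac(body)):
                return None
            claims = json.loads(base64.urlsafe_b64decode(body))
        except (AttributeError, TypeError, ValueError):
            return None
        return claims if claims["exp"] > now else None

    def _mac(self, body):
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def _sign(self, claims):
        body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
        return body + "." + self._mac(body)
```

Time is passed in as `now` so expiry behaviour can be exercised deterministically. Because access tokens are verified statelessly here, revoking a machine stops new tokens from being issued, while already-issued tokens remain valid only until their short TTL runs out.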

Keeping Connected and Secure

We live in a virtualized world, so it is no wonder application development has turned into a sea of connections with both human and non-human identities. Organizations must strive to modernize PAM in order to create a seamless, secure DevSecOps experience.

Andy Smith is Cybersecurity Evangelist at Centrify