The Machine Identity Crisis: How It’s Spun out of Control and What Can Be Done

The exponential proliferation of machines, from workloads in containers, bare metal and virtual machines to applications and devices, has outpaced our collective efforts to secure them properly. As we’ve raced ahead with cloud computing, infrastructure as code (IaC), the internet of things (IoT), automation and edge computing, we’ve created a world where machines outnumber humans 50-to-1.

Industry reports show that 68% of those machines have access to sensitive data, which underscores the urgency of securing them. In nearly all cases, however, machine identities are verified with single-factor authentication that rests on a ‘secret zero’: a master token or key that, if exposed, lets an attacker impersonate the compromised workload and retrieve every secret it is entitled to. And yet we continue to see machine secrets negligently exposed in source code or DevOps scripts checked into code repositories such as GitHub. It’s a risky but common shortcut amid the complexity of machine identity management.
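As an added example (not code from the original post or from any Transmit Security product), here is the kind of check a practitioner runs to catch the shortcut just described: a small scanner for hard-coded secrets in scripts before they reach a repository. The deploy script it scans is constructed for this post and contains only placeholder values (the AWS key pair is Amazon’s documented example pair). The AWS and GitHub key-format patterns are public; the generic assignment rule is a heuristic and the rule names are this example’s own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Credential formats to look for. The AWS access key ID shape (AKIA + 16
# upper-case alphanumerics) and the GitHub classic token prefix (ghp_ + 36
# characters) are public formats. The generic assignment rule is a heuristic
# for "password/secret/token/api_key = '...'" style lines and will need tuning
# against your own code base.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|token|api[_-]?key)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}


@dataclass
class Finding:
    line_no: int
    kind: str
    snippet: str  # redacted, so the scanner's own output does not leak the secret


def redact(match_text: str) -> str:
    """Keep just enough of the match to locate it in the file."""
    return match_text[:4] + "..." if len(match_text) > 8 else "***"


def scan_text(text: str) -> list[Finding]:
    """Scan text line by line; report one Finding per matching rule per line."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                findings.append(Finding(line_no, kind, redact(m.group(0))))
    return findings


# Constructed deploy script standing in for the "DevOps scripts" in the text.
# Nothing here is a real credential: the AWS pair is Amazon's documented example.
SAMPLE_SCRIPT = "\n".join([
    "#!/bin/bash",
    "# deploy.sh: constructed example, no real credentials",
    "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    'export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    'PAM_PASSWORD="Sup3rS3cretAdm1n!"',
    'curl -H "Authorization: token ghp_' + "a" * 36 + '" https://api.github.com/user',
    'echo "deploy started"',
])


if __name__ == "__main__":
    for f in scan_text(SAMPLE_SCRIPT):
        print(f"line {f.line_no}: {f.kind} ({f.snippet})")
```

Run against the sample, the scanner flags lines 3 to 6 and leaves the rest alone. A regex scanner like this is a guardrail, not a fix: it misses secrets that don’t match a known shape and it flags the occasional test fixture, and even a perfect scanner leaves the underlying problem in place, which is that the script needs a long-lived secret at all. The durable answer is the one the rest of this article argues for: give the workload its own identity and let it obtain short-lived credentials instead.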

These factors make machines an attractive target for attackers. There’s no shortage of real-world examples, but the one that captured the most headlines was the Uber breach in 2022. After social-engineering a contractor into approving a flood of MFA push notifications, the attacker gained a foothold on the internal network and found PowerShell scripts on a network share containing hard-coded admin credentials for the company’s privileged access management platform. That single secret gave them admin access to many of Uber’s most sensitive services, including OneLogin, Amazon Web Services, Duo and G Suite. The incident shook consumer confidence and called attention to a critical weakness of machine identity management that must be fixed: one exposed machine secret was all it took to move from a single foothold to the whole estate.

In this article, we’ll examine how we got here, why machine identity management is so important and the astounding complexity of issues that make it so difficult. But first, we’ll cover the basics.


Why do we need machine identities? 

To prevent security breaches, or the kind of escalation we saw at Uber, machine identities are essential. Unique identities are needed to establish trust, secure machine-to-machine communication, enforce access controls and protect the integrity of workloads and data within your company’s network or infrastructure.

Digital identities are assigned to each workload as a set of credentials or, more broadly, machine secrets, such as digital certificates, access tokens or cryptographic keys. These are used to authenticate the identity of the machine and authorize access to resources or other machines. 

Why is machine identity management out of control?

For starters, machine identity management is in its infancy, and most companies are playing a game of catch up. Gartner first introduced machine identity management in a 2020 market report. Our very own Chief Identity Officer David Mahdi, a former Gartner VP analyst, co-authored the paper. David explains, “Gartner created the market by introducing machine identity management in the Gartner Hype Cycle. After that we started dedicating more time and research to the topic.” 

“Fast forward three years, more organizations are realizing that machine identity management is critical to securing their environments. These non-human entities are the true workhorses of our digital world. Machines need security, and the foundational layer is identity,” says David. “It’s the next frontier for identity and access management, which is today a $16B market heavily focused on humans. We absolutely need to expand IAM to secure machines. It’s now critical. Based on conversations I’ve had with hundreds of CISOs and IT leaders, most are overwhelmed by the complexity of machine identity management.”

The diversity of machines adds complexity 

Machines haven’t just exploded in number; they’ve also become more diverse. In the age of cloud computing, infrastructure as code (IaC) and microservices, virtual machines and containers form the backbone of most cloud and IT infrastructures, and each of them hosts critical applications and databases that are themselves machines and workloads to be identified. The lifespan of a workload is shorter than ever, so its full lifecycle, from creation to retirement, unfolds in seconds or minutes rather than months or years. It’s like trying to keep track of butterflies and control their interactions.

And because we run hybrid and multi-cloud environments, machines authenticate against many identity providers, not just one. An application might use AWS for one type of service and Google Cloud Platform (GCP) for another, each with its own identity model. Managing these instances involves provisioning, configuration and access controls to ensure they operate securely in every cloud they touch.

At the same time, we have a vast array of interconnected IoT devices, spanning smart buildings, factory automation, supply chain management, self-driving vehicles, logistics and fleet management. Organizations must be able to authenticate and authorize all of these machines, and their communications, across multiple network ecosystems.

Duplicate identities are difficult to manage

Management is further complicated by the fact that machine identities are sometimes duplicated. With autoscaling, for example, the number of machines grows and shrinks on demand: as traffic fluctuates, new instances are spun up or terminated automatically. These instances often share the same identity (the same role, certificate or API key) to ensure consistent behavior and simplify configuration management. You might have 100 machines with the same identity. If there is a security breach, how do you know which machine was compromised?
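As an added example (not code from the original post or from any Transmit Security product), here is how that attribution question plays out in the audit log of an autoscaled AWS fleet. The account ID, role name, instance IDs and event records are all made up for this post, and the records are a simplified subset of the fields a real CloudTrail event carries. The example also goes one step past the paragraph: it shows the one case in which a shared identity is still attributable, namely when each instance’s role session is named after the instance ID, as it is for instance-profile credentials.

```python
from __future__ import annotations

import re

# Shape of an assumed-role principal as it appears in AWS audit logs:
#   arn:aws:sts::<account-id>:assumed-role/<role-name>/<session-name>
# For EC2 instances using an instance profile the session name is the instance
# ID, which is what makes per-instance attribution possible at all.
ASSUMED_ROLE_ARN = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/([^/]+)$")


def parse_principal(arn: str) -> dict[str, str]:
    """Split an assumed-role ARN into account, role and session name."""
    m = ASSUMED_ROLE_ARN.match(arn)
    if m is None:
        raise ValueError(f"not an assumed-role ARN: {arn!r}")
    account, role, session = m.groups()
    return {"account": account, "role": role, "session": session}


def attribute(events: list[dict[str, str]], fleet: dict[str, set[str]]) -> list[dict]:
    """For each audit event, work out which instances could have performed it.

    fleet maps a role name to the set of instance IDs currently running under
    that role. If the session name is one of those instance IDs, attribution is
    exact; otherwise every instance sharing the role is a suspect.
    """
    results = []
    for ev in events:
        principal = parse_principal(ev["principal_arn"])
        holders = fleet.get(principal["role"], set())
        if principal["session"] in holders:
            suspects = {principal["session"]}
        else:
            suspects = set(holders)
        results.append({
            "event": ev["event"],
            "role": principal["role"],
            "session": principal["session"],
            "suspects": sorted(suspects),
            "attributable": len(suspects) == 1,
        })
    return results


# Constructed fleet: 100 autoscaled web servers all running under WebRole.
# Instance IDs are "i-" followed by 17 hex digits; these particular IDs are made up.
FLEET = {"WebRole": {f"i-{n:017x}" for n in range(100)}}
INSTANCE_42 = f"i-{42:017x}"
ACCOUNT = "123456789012"  # made-up account ID

# Constructed audit records. The first was made with instance-profile
# credentials, so the session name is the instance ID. The second was made by a
# deploy script that called AssumeRole with the same fixed session name on
# every instance, so the role alone is all the log can tell us.
SAMPLE_EVENTS = [
    {
        "time": "2023-06-01T10:15:02Z",
        "event": "GetSecretValue",
        "principal_arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/WebRole/{INSTANCE_42}",
        "source_ip": "10.0.3.42",
    },
    {
        "time": "2023-06-01T10:15:09Z",
        "event": "DeleteSecret",
        "principal_arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/WebRole/deploy-script",
        "source_ip": "10.0.3.77",
    },
]


if __name__ == "__main__":
    for r in attribute(SAMPLE_EVENTS, FLEET):
        label = "one instance" if r["attributable"] else f"{len(r['suspects'])} possible instances"
        print(f"{r['event']:<15} session={r['session']:<22} {label}")
```

The first event narrows to exactly one instance; the second leaves all 100 as suspects, which is the situation the paragraph describes. So sharing a role across a fleet is not fatal by itself; losing the per-instance session name is. Two caveats for anyone relying on this in practice: callers of AssumeRole choose their own session names, so they are only trustworthy if the role’s trust policy pins them (AWS exposes the `sts:RoleSessionName` condition key for that), and the instance ID still has to be joined to a live inventory, because by the time you investigate, the autoscaler may already have terminated the machine.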

Machine identity management simplified

To minimize complexity and risk, organizations need a machine identity management solution that can secure and manage the full lifecycle of machine identities. In our next blog post on machine identities, we’ll cover the identity lifecycle, the risks you need to address at each stage and what can be done to minimize the attack surface. 


At a high level, it’s plain to see that organizations can’t manage machine identities manually. The only way to keep pace at machine speed is a consolidated solution that automates the processes throughout the identity lifecycle. At the same time, security teams and developers need complete visibility of every machine identity in their environment.

The more machines and machine secrets there are, the bigger the attack surface, and the number of machines is only going to increase in the age of generative AI. So the question is: how can you reduce risk in every way possible? Find out in our next two blogs, where we’ll cover the risks at each stage of the machine identity lifecycle and our recommendations for mitigating them.

Authors

  • Shmulik Regev, CTO

    Shmulik Regev started coding when the public internet was still in its infancy and has been leading cybersecurity teams for nearly two decades. He’d rather not talk about himself and keeps conversations focused on his three children, marathon running and his side gig as a radio DJ. But there’s a reason he’s our CTO, and it starts with his long track record as an innovator. Shmulik was a co-founder and head of security innovation at Trusteer, another successful venture led by Mickey and Rakesh, which was sold to IBM in 2013. Afterwards, Shmulik became the CISO at Cato Networks before reuniting with Mickey and Rakesh at Transmit. Over the course of his career, Shmulik has accumulated 10 patents in cybersecurity. We are fortunate to have his creative mind, leadership and genuine humility.

  • Brooks Flanders, Marketing Content Manager

    In 2004, the same year the U.S. launched the National Cyber Alert System, Brooks launched her writing career with one of the largest cybersecurity companies in the world. There she wrote about enterprise security and the highly deceptive threats designed to circumvent standard defenses. Nineteen years later, her interest in helping companies solve complex security challenges still runs deep.