Digital transformation drives rise of machine identities
Digital transformation is driving an average of 42% annual growth in the number of machine identities, according to a new global study from Venafi.
As CIOs often have limited visibility into the number of machine identities on their networks and these critical security assets are not prioritised in IAM and security budgets, CIOs should expect to see a sharp increase in machine identity related outages and security breaches, Venafi states.
Machine identities enable secure connection and authentication for every part of IT infrastructure, from physical, virtual servers and IoT devices to software applications, APIs and containers. Any time two machines need to authenticate each other a machine identity is required.
All of the CIOs that took part in the Venafi study say that digital transformation is driving a dramatic increase in the number of machine identities their organisations require. Without an automated machine identity management program, organisations suffer from outages caused by expired machine identities and breaches caused by machine identity misuse or compromise.
According to Venafi's sponsored CIO study, the average organisation used nearly a quarter of a million (250,000) machine identities at the end of 2021.
This is a high number considering that machine identity management experts at Venafi typically find that organisations initially underestimate machine identity populations by 50% or more, due to the fact that they have limited visibility into the machine identities their organisation requires, the researchers state.
At current rates of growth, these same organisations can expect their machine identity inventory to more than double to at least 500,000 by 2024, Venafi states.
Moreover, three-quarters of surveyed CIOs said that they expect digital transformation initiatives to increase the number of machine identities in their organisations by 26% - with more than one-quarter (27%) citing a percentage of higher than 50%.
Key survey findings also include that 83% of organisations suffered a machine identity related outage during the last 12 months, over a quarter (26%) say critical systems were impacted, and 57% of organisations experienced at least one data breach or security incident related to compromised machine identities (including TLS, SSH keys and code signing keys and certificates) during the same time period.
Venafi vice president of security strategy and threat intelligence Kevin Bocek says, "The realities of digital transformation mean that every business is now a software company.
"This means IAM priorities need to shift to protect the machine identities required for digital transformation initiatives because these initiatives are the engines of innovation and growth.
"The unfortunate reality is that most organisations are not prepared to manage all the machines identities they need. This rapidly growing gap has opened a new attack surface – from software build pipelines to Kubernetes clusters - that is very attractive to attackers.
The rise in the number of machines on enterprise networks is exposing outdated machine identity management practices, the researchers state.
Nearly two-thirds (64%) of CIOs say that rather than using a comprehensive machine identity management solution, their organisations combine multiple solutions and processes, including point solutions from certificate authorities (CAs) and public cloud providers, homegrown solutions and manual processes.
This approach does not provide enterprise-wide view of all machine identities or provide the mechanisms needed to enforce configuration or policy requirements.
Bocek concludes, "Machine identity management is in the early stages of adoption. It's very similar to what happened with customer and workforce identity a few years ago, but it's orders of magnitude larger in scale and change is happening much faster.
"The challenges connected with human identity management pale in contrast to the challenges of managing machine identities. This research underscores the urgent need for every organisation to evaluate their machine identity management program in order to protect their digital transformation initiatives.