A study comparing security controls for human and machine identities reveals a worrying trend. While almost all organizations have a policy that governs password length for human identities, only half have a written policy on length and randomness of keys for machine identities - this, despite the rapid spread of machines that need to authenticate themselves to each other so they can communicate securely.
When authenticating themselves to machines, people rely on usernames and passwords to gain access to data and services. Similarly, machines need to authenticate themselves to each other to communicate in a secure manner. Virtual machines (VMs), applications, algorithms, APIs and containers, and even IoT devices, rely on cryptographic keys and digital certificates, which serve as machine identities that let them know it’s safe to share data.
A survey by Venafi, a firm specializing in securing cryptographic keys and digital certificates, found that 85% of organizations have a policy that governs password length for human identities. The survey of 1,500 IT security professionals from the U.S., the U.K., France, Germany and Australia showed that only 54% have a written policy on the length and randomness of keys for machine identities.
Venafi found that organizations will spend upwards of $10 billion this year solely to protect human identities. Machine identity protection spending remains “relatively flat,” the researchers said (no exact number was provided), despite an exponential increase in the number of machines that need identities, including virtual machines, applications, algorithms, APIs and containers.
“Because cybercriminals understand the power of machine identities and their lack of protection, they target them for exploitation,” the survey takers said.
Additional findings include:
- 49% of organizations audit the length and randomness of their keys, while 70% do so for passwords.
- Only 55% have a written policy stating how often certificates and private keys should be changed, while 79% have an equivalent policy for passwords.
- Only 42% of organizations automatically enforce the rotation of TLS certificates, while 79% automatically enforce the rotation of passwords.
- Only 53% audit how often certificates and private keys should be changed, compared with 73% for passwords.
Researchers say that, while attacks using machine identities are relatively new, they’re very effective. Furthermore, the gap between the security controls applied to human identities and those applied to machine identities is exposing organizations to immense risks, especially digital businesses that rely heavily on machines for mission-critical, day-to-day operations.