
Best practices for managing machine identities


Computer accounts, service accounts, microservices, containers, and the Internet of Things rely on machine identities to communicate with each other, share sensitive data and authenticate to other critical IT services.

Machine identities (also known as non-human identities) are rapidly increasing, largely due to new technologies, including virtual machines (VM) and containerization, that create more machine workloads.

In the typical enterprise, there are 10 machine identities for every human identity. In small- and medium-sized businesses, there are 50, according to Microsoft’s State of Multicloud Security Risk Report. This growth poses a significant challenge because machine identities represent a substantial and often unmanaged portion of your identity attack surface. Their proliferation has drawn the attention of bad actors who have found creative ways to compromise them, so preventing, detecting, and responding to machine identity-related threats requires focused effort.

In this blog, you’ll learn how machine identities authenticate to gain privileged access and how their credentials—certificates, SSH keys, and tokens—are managed and secured. You’ll understand machine identity best practices so you can reduce the risk of cyberattacks.

What are machine identities, and how do they work?

Machine identity is a term used to represent a computer system's identity (meaning, in the broadest terms, any workstation, server, application, service, workload, appliance, OT or IoT device) and the credentials that system uses to authenticate to other systems.

Machine identities come in two main flavors: workloads, which include virtual Windows, Linux, and Unix machines, applications, and containers; and devices, which include user workstations, mobile devices, and operational technology. Human identities, which we're more familiar with, span internal and external users, including employees, vendors, and consultants.

Sometimes, machine identities represent a service account.

Figure: Machine identities vs. human identities

Service accounts are typically created as local accounts, identity provider accounts, cloud service provider (CSP) service principals, database accounts, or accounts in other services to facilitate non-human access to the target system. Credentials for service accounts are often shared across multiple client machines or workloads accessing the same target to reduce administrative burden. They must remain in sync across all clients and the target.

Machine identities can also represent workstations and servers that register with a common identity management system such as Active Directory, Entra ID, or a cloud service provider. They share a trust relationship that enables seamless authentication.

Computers joined to Active Directory have an account that enables Kerberos-based authentication for seamless access to other services that support Integrated Windows Authentication (IWA), GSSAPI (Generic Security Services API) and SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism).

For example, cloud-centric server Privileged Access Management (PAM) solutions create OAuth confidential client identities for computers during registration. Similarly, AWS, Azure, and GCP give each VM a managed identity that it can use to authenticate to other services that trust the cloud service provider.

What types of credentials are associated with machine identities?

Machine identities use credentials including secrets, passwords, API keys, tokens, SSH key pairs, and certificates. Certificates are sometimes shared across multiple machines for load-balanced applications such as web server farms. Some systems issue a unique PKI certificate to each machine to support mTLS and other functions provided by tooling such as OpenSSL.

Why are machine identities so difficult to manage and secure?

Identity security practices and solutions designed for human users don’t address the problem of machine identities, leaving them vulnerable to compromise. This occurs for several reasons:

Lack of validation: Identity security practices have incorporated controls to validate human identities, for example, enforcing multi-factor authentication (MFA) at login or privileged elevation. However, because machine identities don’t involve a human user, they can’t rely on MFA.

Lack of visibility: Most organizations struggle to identify all their machine identities across the infrastructure since they can often be manually created and hidden within code. Once you find machine identities, it can be hard to find other copies of the credential, determine who is responsible or owns the identity, and what that credential has access to. Compounding this is the move to cloud-native architectures, which introduce ephemeral or short-lived workloads, making discovery and tracking more challenging.

Lack of governance: Traditional Identity and Access Management (IAM) and Identity Governance and Administration (IGA) solutions provide the necessary lifecycle controls for human accounts but typically don’t cater to machine identities. Often, machine identities are created by hand, usually by developers or integrators rather than identity management professionals, resulting in no consistent join (onboarding) or leave (clean up) process. Without a well-managed process, it can be difficult to establish accountability for machine identities, making periodic access reviews and entitlement adjustments challenging.

Lack of security best practices: Just as with humans, it’s far too easy to choose weak credentials such as a password, shared API key, or token. Often, credentials are shared across multiple non-human clients, systems, or applications and shared between individuals. This makes it challenging to rotate credentials or determine the source of identity-based threats.

Here’s a real-world example of an identity-related attack that leveraged machine identities: In 2023, Palo Alto Networks discovered that several high-profile open-source projects, including those from Google, Microsoft, AWS, and Red Hat, had leaked GitHub authentication tokens through GitHub Actions artifacts. These tokens granted attackers access to private repositories, allowing them to steal source code or inject malicious code.
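The "hidden within code" visibility problem above is something a defender can check for directly. The scanner below is an added example, not code from the original post or from Delinea: it walks source text line by line, flags well-known credential prefixes (the GitHub `ghp_` personal-token format and the AWS `AKIA` access-key-ID format) plus a heuristic for `password = "..."`-style assignments, skips values that are clearly injected at runtime, and reports only redacted values so the report itself does not become a second leak. The sample source and the skip rules are constructed assumptions for this example.

```python
import re
from typing import List, Tuple

# Ordered most specific first; a line matching a specific format is not
# reported a second time by the generic assignment heuristic.
PATTERNS = [
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("generic_assignment", re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]

# Heuristic (assumption): values pulled from the environment or a vault template
# at runtime are the desired pattern, so they are not reported.
RUNTIME_MARKERS = ("os.environ", "${")


def redact(value: str) -> str:
    """Keep just enough of the value to locate it, never the whole secret."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_source(path: str, text: str) -> List[Tuple[str, int, str, str]]:
    """Return (path, line number, finding kind, redacted value) for each hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if any(marker in line for marker in RUNTIME_MARKERS):
            continue
        for kind, rx in PATTERNS:
            hits = list(rx.finditer(line))
            if hits:
                for m in hits:
                    secret = m.group(m.lastindex or 0)
                    findings.append((path, lineno, kind, redact(secret)))
                break  # do not double-report the same line
    return findings


# Constructed sample file: the AWS key ID is the documented example value.
SAMPLE_SOURCE = """import os
DB_PASSWORD = os.environ["DB_PASSWORD"]   # injected from the vault at runtime
GITHUB_TOKEN = "ghp_0123456789abcdef0123456789abcdef0123"
aws_key_id = "AKIAIOSFODNN7EXAMPLE"
api_key = "constructed-api-key-value-42"
password = "${VAULT:db/prod}"
"""

if __name__ == "__main__":
    for path, lineno, kind, value in scan_source("deploy.py", SAMPLE_SOURCE):
        print(f"{path}:{lineno}: {kind}: {value}")
```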

What is the best way to manage and secure machine identities?

There is no quick solution to safeguarding machine identities since there are many types and their volume continues to grow every day. The important thing is to get started now and build a system that will allow you to reduce risk.

Identity management expert and advisor Ian Glazer shared recommendations for managing machine identities on the 401 Access Denied podcast. His suggestion is to start with a map to help you catalog and name identities and understand their provenance. “Without that,” he says, “affecting controls is an impossibility. When you have an incident, without [a map] you don't know where to start.”

Once a map is in place, Ian says the next step is “more automation around the building block tasks—certificate rotation, token, secret rotation, token rotation, token policy management.” From that point you can move to “ensuring an identified workload and only that identified workload can act appropriately within the context of the application and the caller.”

Identity security solutions make each of these recommendations faster and easier to implement.

Solutions for machine identity discovery and monitoring

Use an identity security discovery service to find accounts within identity providers such as Active Directory and local accounts on Windows and Linux systems. An enterprise Privileged Access Management (PAM) vault like Delinea Secret Server has machine identity discovery built in.

Additionally, Identity Threat Detection and Response (ITDR) tools like Delinea’s Identity Threat Protection can determine what machine identity accounts are used for and where they are logging into other services. They can also track identity usage and determine whether misconfigurations have granted excessive privileges or whether threat actors are misusing them.

Solutions for machine identity lifecycle governance

Discovery will find existing machine identities, but ongoing, it's best to set up a self-service workflow for machine identity creation, making sure to capture any dependencies as well as a human owner for each machine identity. Solutions for service account governance, such as Delinea’s Account Lifecycle Manager, make this possible.

You can periodically review and adjust entitlements and automate credential rotation with Identity Lifecycle Management solutions like FastPath.

Additionally, in support of least privilege principles, you can use cloud entitlement management solutions like Delinea’s Privileged Control for Cloud Entitlements to monitor privilege usage and minimize identity rights.

Solutions for machine identity credential management and authentication

Since machine identities exist primarily to enable authentication between systems, you should ensure each machine, service, or application has a highly secure credential for strong authentication.

The simplest form of authentication uses a secret that should be securely vaulted and rotated periodically to avoid standing credentials. A secret can be shared between all the clients of a service to enable them to access that service.

To reduce the risk of credential compromise, clients shouldn’t store a copy of the secret or any credentials locally or in code. Instead, they should retrieve the secret from the vault and inject it in real time when needed for authentication. Solutions like Delinea DevOps Secrets Vault have capabilities for ephemeral secrets built in, to keep pace with machine identities used in cloud and DevOps workflows.

Adopting a federation-based authentication model can eliminate the shared secret-style authenticator and separate the identity from the authentication credential. Some applications are designed to support federation models such as Kerberos via GSSAPI within an Active Directory environment, or the application may support PKI or OAuth; all of these provide a much stronger authentication method for machine identities. DevOps Secrets Vault, for example, can generate PKI or SSH certificates or reach out to cloud service providers like AWS to fetch a token such as an OAuth token.

Managing machine identities and human identities in a single platform

To have a true understanding of your identity security posture, you need comprehensive, ongoing oversight of your identity attack surface. You shouldn’t need to deploy and manage disjointed solutions for securing human and machine identities.

If you do, you’ll spend all your time trying to combine data and stitch reports together. Instead, an integrated identity security platform provides one place to see both human and machine identities, create consistent policies, and speed reporting and risk assessment. Any identity security platform you consider should be easy to use and provide fast time to value.

How to get started managing machine identities

To get started right away, you can uncover unmanaged machine identities in your environment with free Discovery:

Service Account Discovery Tool

With this free tool, you’ll be able to uncover machine identity issues, such as:

  • Aged service accounts and passwords that are no longer needed
  • Expired service account passwords that require changing
  • Service accounts and passwords without expiration requirements
  • Services that share privileged credentials, violating least privilege policies

Your information is completely private. Delinea has no access to your system credentials or report results. You’ll get a detailed custom report so you can prioritize the next steps. With this information, you can start to build a machine identity governance plan that lowers your risk and keeps you compliant.
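The four issue categories listed above are simple to express as audit rules once you have an inventory of service accounts and the services that run under them. The code below is an added example, not the Delinea tool or code from the original post: it takes a constructed inventory (dates, flags and service bindings are all invented for the example) and the rotation and staleness thresholds are assumptions, not policy values from the page.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

@dataclass
class ServiceAccount:
    name: str
    pwd_last_set: date   # when the password was last rotated
    last_logon: date     # last observed authentication
    never_expires: bool  # "password never expires" style flag
    privileged: bool

@dataclass
class ServiceBinding:
    service: str  # service or scheduled task running under the account
    host: str
    account: str

# Policy thresholds are assumptions for this example, not values from the page.
MAX_PWD_AGE_DAYS = 90
STALE_LOGON_DAYS = 90

def audit(accounts: List[ServiceAccount], bindings: List[ServiceBinding], as_of: date,
          max_pwd_age: int = MAX_PWD_AGE_DAYS, stale_logon: int = STALE_LOGON_DAYS) -> Dict[str, List[str]]:
    """Map each issue category from the post to the accounts that trigger it."""
    findings = {"aged": [], "expired_password": [], "no_expiration": [], "shared_privileged": []}
    uses = defaultdict(list)
    for b in bindings:
        uses[b.account].append(f"{b.host}/{b.service}")
    for a in accounts:
        if (as_of - a.last_logon).days > stale_logon:       # unused: candidate for removal
            findings["aged"].append(a.name)
        if (as_of - a.pwd_last_set).days > max_pwd_age:     # older than rotation policy
            findings["expired_password"].append(a.name)
        if a.never_expires:                                 # no expiration requirement
            findings["no_expiration"].append(a.name)
        if a.privileged and len(uses[a.name]) > 1:          # one credential, many services
            findings["shared_privileged"].append(f"{a.name}: {', '.join(sorted(uses[a.name]))}")
    return {k: sorted(v) for k, v in findings.items()}

# Constructed inventory for the example.
AS_OF = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    ServiceAccount("svc_backup", date(2023, 1, 15), date(2024, 5, 30), True, True),
    ServiceAccount("svc_legacy_etl", date(2022, 11, 1), date(2023, 9, 10), False, False),
    ServiceAccount("svc_web", date(2024, 5, 1), date(2024, 5, 31), False, True),
    ServiceAccount("svc_sql", date(2024, 1, 20), date(2024, 5, 31), False, True),
]
SAMPLE_BINDINGS = [
    ServiceBinding("MSSQLSERVER", "db01", "svc_sql"), ServiceBinding("SQLAgent", "db01", "svc_sql"),
    ServiceBinding("Reporting", "app02", "svc_sql"), ServiceBinding("BackupAgent", "fs01", "svc_backup"),
    ServiceBinding("ETLJob", "batch01", "svc_legacy_etl"), ServiceBinding("W3SVC", "web01", "svc_web"),
]
```

Running `audit(SAMPLE_ACCOUNTS, SAMPLE_BINDINGS, AS_OF)` gives each category as a sorted list of account names, which is the starting point for assigning an owner and a rotation or decommission action to each.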
