Who is secure? It's all about machine identity

June 24, 2021

Which is best: digital identity, passwords or MFA?

Sectigo's Alan Grau

What is machine identity?

The massive growth of connected devices and machines in today’s factories and industrial facilities exposes critical security vulnerabilities in machine-to-machine communications. Mention supply-chain attacks, or the Colonial Pipeline and JBS meat-packing attacks, and industrial IT teams break out in a cold sweat. With a growing community of skilled hackers and cyber-criminals, the risk to operations and facilities is expanding rapidly.

That’s where machine identity comes in. Machine identity is the digital credential or "fingerprint" used to establish trust, authenticate to other machines, encrypt communications, and prove identity. From computers to industrial robots, connected cars to mobile devices to servers and network hardware, every machine must have a machine identity that is used to secure it. Much more than a digital ID number or a simple identifier such as a serial number or part number, a digital identity consists of credentials that certify that a machine is authorized to access online resources or a network.

Machine identities are a subset of a broader digital-identity foundation that is required for the billions of daily communications between systems in which no human is involved. This includes IoT and industrial-control devices, sensors communicating with control systems, edge-computing devices, cloud-computing systems and traditional IT systems.   

Why is machine identity critical?  

Applications and data across cloud and multi-cloud environments, distributed workforces, and innovative connected machines intersect in ways that require a robust digital-identity approach. Many of these intersections are fully automated, with no human involved: it is pure machine-to-machine communication. The security implications are enormous. Machine interactions must be secure and rapid to deliver the reliability and scalability required to achieve enterprise-wide protection on a global scale.

As complex environments expand to include assembly lines, facility sensors and controls, mobile devices, cloud infrastructure, and more, the risks inherent in failing to manage identities have dramatically increased. Improper identity management makes enterprises more vulnerable to cybercriminals, malware, and fraud, and exposes organizations to machine and assembly-line hacks, supply-chain attacks, and other risks that can halt business in an instant.

Modern enterprises rely on Public Key Infrastructure (PKI) and digital certificates as the gold standard for machine identity. PKI serves as a foundational component of a strong security architecture for all end-user, device, and application identities. Using digital certificates and their cryptographic key pairs strengthens the verification of machine identities. PKI also enables secure connections between entities that lie beyond the firewalled network architecture.

Which is best: digital identity, passwords or MFA?

In the past, passwords and multi-factor authentication (MFA) were viewed as offering a good measure of security, but as hackers have become more sophisticated, these defenses are no longer as effective as they once were.

In reality, passwords have always been a weak link in security solutions. MFA solutions, including phone-based and one-time-password schemes, are often considered a secure alternative to passwords, yet they too are riddled with documented vulnerabilities. They have proven susceptible to high-profile attacks that are hardly more difficult than stealing passwords.

In contrast to both passwords and MFA, digital identity based on PKI digital certificates eliminates the reliance on shared secrets that can be intercepted or stolen by cybercriminals. Authentication requires that a machine prove possession of a private key, which is typically stored and safeguarded in the machine’s hardware security module (HSM). The transaction is signed with the private key and verified with the corresponding public key. This public/private key pair is generated by one of several robust cryptographic algorithms.

Digital certificates offer far superior data protection and security against hackers than password-based authentication for several reasons:

●      The private key never leaves the client, in contrast to passwords, which are easy to share intentionally or unintentionally via increasingly sophisticated phishing attacks.

●      The private key cannot be stolen in transit because it is never transmitted, unlike passwords, which travel across the internet on every login and can be intercepted there.

●      The private key cannot be stolen from a server repository. Passwords stored in central server repositories can be stolen; private keys are known only to the user's device and are not stored centrally.

●      There is no need for users to remember passwords or to enter usernames. The user’s device simply stores a private key to be presented when needed, providing a more seamless user experience.
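
The following Go program is an added example, not code from the article or from Sectigo, that models the private-key proof of possession and the four properties listed above using only the standard library's crypto/x509 and crypto/ecdsa packages. A self-signed root (the hypothetical "Example Factory CA") certifies a key pair generated on the device, then a verifier challenges the device with a fresh nonce, checks that the presented certificate chains to the trusted root, and verifies the signature with the public key the certificate carries. The device name "robot-arm-07", the CA name and the timestamp-based serial numbers are constructed for the example; the private key is held in memory here where a real deployment would keep it in an HSM.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity pairs a certificate with its private key; the key is unexported, never serialized or sent, and on real hardware would sit in an HSM.
type Identity struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newIdentity generates a fresh P-256 key pair and has issuer certify its public half (issuer nil: self-signed root CA).
func newIdentity(name string, issuer *Identity) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed serial; real CAs use random serials
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	parent, signer := tmpl, key // self-signed unless an issuer is given
	if issuer == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		parent, signer = issuer.Cert, issuer.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Identity{Cert: cert, key: key}, nil
}

// NewCA creates the self-signed root of a hypothetical "Example Factory CA" (constructed name).
func NewCA() (*Identity, error) { return newIdentity("Example Factory CA", nil) }

// EnrollDevice generates the device key pair and has the CA certify it; only the public key ever reaches the CA.
func EnrollDevice(name string, ca *Identity) (*Identity, error) { return newIdentity(name, ca) }

// SignChallenge is the device's proof of possession: it signs the verifier's fresh nonce, so no secret crosses the wire.
func (d *Identity) SignChallenge(nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, d.key, digest[:])
}

// VerifyDevice is the relying party's side: chain the certificate to the trusted root, then check the nonce signature with its public key.
func VerifyDevice(cert *x509.Certificate, nonce, sig []byte, root *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, nonce, sig); err != nil {
		return fmt.Errorf("proof of possession failed: %w", err)
	}
	return nil
}

// Authenticate runs one complete exchange: verifier picks a nonce, device signs it, verifier validates chain and signature.
func Authenticate(dev *Identity, root *x509.Certificate) error {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	sig, err := dev.SignChallenge(nonce)
	if err != nil {
		return err
	}
	return VerifyDevice(dev.Cert, nonce, sig, root)
}

func main() {
	ca, err := NewCA()
	if err != nil {
		panic(err)
	}
	dev, err := EnrollDevice("robot-arm-07", ca)
	if err != nil {
		panic(err)
	}
	fmt.Println("device authenticated:", Authenticate(dev, ca.Cert) == nil)
}
```

Run it with go run and it reports whether the exchange succeeded. Note what the verifier actually receives: the certificate, the nonce it chose itself, and a signature valid for that nonce alone, so there is no shared secret to phish, to intercept in transit, or to dump from a server-side store. A certificate issued by a CA outside the trust pool fails at cert.Verify, and a signature replayed against a different nonce fails at CheckSignature.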

In order to protect against the rising threats of ransomware and cyber-attacks, industrial operations, enterprises and businesses of all types need to implement high levels of cyber security—if a machine is connected to other machines, to the network, or to internal or external systems, it needs to be protected by using digital certificates and PKI-based encryption.

A trusted certificate authority (CA) provides digital identity management automation solutions that enable enterprises to be agile, efficient and in full control of all certificates in their environment, including machine identities.

By Alan Grau, vice president of IoT, embedded solutions at Sectigo