Machine Identities and Secret Management | Rise of the Machines | Saviynt

The number of machine identities now far surpasses that of human identities, a trend that will only accelerate with the rise of AI agents and the continued transition to cloud-native, interconnected systems. Gartner estimates that machine identities outnumber human identities by a ratio of 45 to 1 ratio. 

Just like human identities, machine identities require authentication to access critical resources, and this is often done through shared secrets such as access keys or open authorization (OAuth) tokens. These credentials could be generated by a member of the DevOps team or a business user who may lack the security training and awareness typical of traditional IT administrators. Once created, these credentials may be accessed by users across various other environments. As organizations grow and diversify their technology stacks, the resulting complexity leads to significant gaps in visibility and governance over the lifecycle of machine identities, leaving many of them unmonitored or dormant. 

Machine identities also present unique security challenges. They frequently require elevated privileges to function, making them prime targets for exploitation. In many cases, secrets are stored statically within applications and are not regularly rotated. Anecdotal evidence shows that in some organizations, as high as 75% of secrets remain static, significantly increasing the risk of exploitation. As organizations have historically focused more on securing human identities, these blind spots in machine identity management represent a growing and under-addressed risk to enterprise security. 

Obstacles to Machine Identity Secrets Management

Managing secrets—such as API keys, certificates, and passwords—is critical to maintaining the security of digital systems. However, this task is complex and, if not handled with precision, can introduce serious vulnerabilities into your security strategy.

A notable incident in late 2023 highlights these challenges. Attackers exploited a vulnerability in Okta’s support system, extracting Cloudflare’s sensitive access keys that were inadvertently stored in support tickets. Although Cloudflare initiated the rotation of over 5,000 secrets, four were missed, which the attackers attempted to exploit. Fortunately, swift responses from both Cloudflare and Okta contained the damage.

This incident underscores the inherent risks in secret management. Even when used legitimately, secrets can become liabilities if not securely stored, properly rotated, and adequately protected. 

Let’s drill down on the specific challenges:

• Widespread Creation of Secrets: In today’s decentralized environments, many individuals can create and share powerful API keys and secrets, often storing them in scripts or configuration files in clear text. This careless distribution across bots and workloads increases the risk of unauthorized access.
• Secret Lifecycle Management: Managing the entire lifecycle of secrets—from creation to retirement—requires meticulous control. Failing to regularly rotate secrets, for instance, leaves them vulnerable to compromise.
• Manual Enforcement of Best Practices: Consistently applying best practices, such as secure vaulting and regular rotation, is challenging. It requires organization-wide awareness, ongoing education, and diligent auditing to ensure these practices are properly implemented and followed.

Improving Secrets Management 

To improve secrets management of machine identities, companies should adopt a set of best practices focused on machine identity hygiene, governance and security. 

• Enhance machine identity hygiene by prioritizing the discovery and removal of dormant machine identities across your cloud, SaaS, and business applications. Establish clear ownership for each machine identity, ensuring every identity has a defined purpose and an accountable owner.
• Strengthen identity security by reducing the use of shared secrets for machine authentication. Where feasible, adopt secretless authentication methods to minimize the risk and follow Zero Trust principles. We’ll cover this in detail in the second blog in the series.
• Implement effective secret management for cases where secrets are still necessary. Utilize secret vaulting and enforce regular secret rotations to reduce exposure and mitigate the risk of static credentials being exploited.

To mitigate the risks associated with secrets, the field of secret management has evolved, offering tools and practices specifically designed to govern the use and storage of these critical assets. These solutions help organizations by centralizing and automating the management of secrets, significantly reducing the chances of accidental exposure and unauthorized access.

At Saviynt, our Privileged Access Management (PAM) solution incorporates these capabilities, providing robust secret/password management to safeguard your organization’s most sensitive credentials.

By implementing a set of best practices around secrets management and machine identity governance, organizations can significantly reduce the risk of exposure, theft, or misuse of machine identities, ensuring stronger overall security for their environments. In our next blog in the series, we’ll discuss “secretless” operations as a way to reduce risk and adopt a more proactive posture.