The Internet of Things (IoT) refers to an ecosystem of atypical networked computing devices, physical objects, or “things” that increasingly permeate both homes and businesses. These “things” range far and wide in scope, from smart TVs to vacuum cleaners to smart locks.
IoT gave birth to the concept of the “smart home,” with many IoT devices embedded into households. For example, some lightbulbs, alarm clocks, doorbells, washing machines, refrigerators, and cleaning devices can now connect with the internet and talk with other computers, operate in an automated fashion, and be managed through computer interfaces.
Today’s businesses also leverage a number of IoT devices. The most common are smart locks, keycard readers, temperature and climate sensors, and devices to assist with inventory control and supply chain management, to name a few.
The Internet of Things increases the attack surface for both individuals and organizations, introducing a number of unique privacy and security concerns. From a computer security perspective, IoT devices should be considered machine identities, and need to be managed accordingly.
Machine identities are software-based network “users.” They form a subset of the broader category of “identities,” which also includes human users such as your employees and customers.
Examples of machine identities include Application Programming Interfaces (APIs) and Robotic Process Automation (RPAs or “bots”). They do the background jobs such as connecting services across the cloud ecosystem or managing repetitive administrative tasks.
These silicon-based “users” interact with sensitive company and personally identifiable information (PII) just as typical human users do.
In order to manage machine identities, you must first discover and inventory them. Then you need to assign a unique identifier to each machine identity so that you can provision access and enforce policies as part of your lifecycle management process. Putting governance around the identity and being able to track it becomes a critical step in securing your data.
Machine identities fundamentally behave as privileged users. The type of tasks they do may seem mundane, but their privileged access can represent a security threat to your company. Organizations must elevate privilege on a just-in-time basis and deactivate the privilege when the machine identity is not active. They need to review what access these identities have and what resources they access to ensure they have the least privilege necessary. Organizations should also create a catalog of the types of access that machine identities have in terms of risk levels so they can be mapped to specific security controls (e.g., SOX, HIPAA, PCI). You need visibility into whether access is revoked or otherwise changed to ensure compliance with internal policies.
Associating a responsible party or ownership helps protect organizational data. Machine identities, once set, often stay in place longer than employees. Organizations must align users to individual machine identities or families/groups of machine identities so they have a human user tied back to the activities. Organizations also need to create succession policies in case the responsible party leaves the company or moves to another role. The responsible party fulfills attestation needs while succession management ensures that someone is always able to be in that role.
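The inventory, just-in-time elevation, ownership and succession steps described above, as an added example that is not Saviynt's code or part of the original article. It is a self-contained registry with constructed sample identities; every class, method and entitlement name (MachineIdentity, Registry, "write:ledger", and so on) is an assumption made for illustration. The point it shows is that an elevation carries a hard expiry, so privilege disappears by itself rather than lingering as standing access, and that ownership transfers to a named successor when the responsible person leaves, with identities that would be orphaned reported for follow-up.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
import uuid


@dataclass
class MachineIdentity:
    """One inventoried machine identity (API client, RPA bot or IoT device).
    Field names are assumptions for this example."""
    name: str
    kind: str                              # "api", "rpa" or "iot"
    owner: str                             # responsible human, used for attestation
    successor: Optional[str] = None        # inherits ownership if the owner leaves
    identity_id: str = field(default_factory=lambda: str(uuid.uuid4()))
    standing_access: set = field(default_factory=set)   # least-privilege baseline
    elevations: list = field(default_factory=list)      # (entitlement, granted, expires)
    last_active: Optional[datetime] = None


class Registry:
    def __init__(self):
        self._ids = {}

    def register(self, identity):
        """Inventory step: every identity gets a unique identifier to govern by."""
        self._ids[identity.identity_id] = identity
        return identity.identity_id

    def elevate(self, identity_id, entitlement, now, minutes=30):
        """Just-in-time elevation with a hard expiry; nothing has to remember
        to revoke it later."""
        expires = now + timedelta(minutes=minutes)
        self._ids[identity_id].elevations.append((entitlement, now, expires))
        return expires

    def effective_access(self, identity_id, now):
        """Baseline access plus only those elevations that are still live."""
        ident = self._ids[identity_id]
        live = {ent for ent, _granted, exp in ident.elevations if exp > now}
        return ident.standing_access | live

    def record_activity(self, identity_id, when):
        self._ids[identity_id].last_active = when

    def owner_departed(self, person):
        """Succession: hand ownership to the successor and report identities
        that would be left without a responsible party."""
        orphaned = []
        for ident in self._ids.values():
            if ident.owner != person:
                continue
            if ident.successor:
                ident.owner, ident.successor = ident.successor, None
            else:
                orphaned.append(ident.identity_id)
        return orphaned

    def stale(self, now, max_idle=timedelta(days=90)):
        """Identities that never ran or have been idle longer than max_idle:
        candidates for a deactivation review."""
        return sorted(
            i.identity_id for i in self._ids.values()
            if i.last_active is None or now - i.last_active > max_idle
        )


def demo():
    """Constructed scenario: one RPA bot with a successor, one IoT gateway without."""
    reg = Registry()
    now = datetime(2024, 1, 1, 9, 0)
    bot = MachineIdentity("invoice-bot", "rpa", owner="alice", successor="bob",
                          standing_access={"read:invoices"})
    gateway = MachineIdentity("sensor-gateway", "iot", owner="alice")
    bot_id, gw_id = reg.register(bot), reg.register(gateway)

    expiry = reg.elevate(bot_id, "write:ledger", now, minutes=30)
    during = reg.effective_access(bot_id, now)
    after = reg.effective_access(bot_id, expiry + timedelta(minutes=1))

    orphaned = reg.owner_departed("alice")     # bot goes to bob, gateway has nobody
    reg.record_activity(bot_id, now)
    return {
        "during": during, "after": after,
        "orphaned": orphaned == [gw_id], "new_owner": bot.owner,
        "stale_soon": reg.stale(now + timedelta(days=10)) == [gw_id],
        "stale_later": reg.stale(now + timedelta(days=100)) == sorted([bot_id, gw_id]),
    }


if __name__ == "__main__":
    print(demo())
```

The `stale` check is the inventory review the article returns to at the end: an RPA that has not executed, or an API that has made no call, for longer than the idle threshold is surfaced for a decision rather than silently kept.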
In the same way organizations develop intelligence around human users, they need to monitor for new risks from machine identities. Security and privacy regulations and standards are constantly changing and evolving. A common thread among these compliance mandates is the need to continuously monitor for new risks. The velocity and volume of the cloud mean that new risks can surface rapidly. While periodic access reviews are still needed, it is also true that point-in-time compliance no longer equates to security. Peer and usage data can help surface new threats by alerting you to outliers. For example, assume you set a rule that your APIs make calls to the application every fifteen minutes. Taking an “identity-centric” approach requires you to create time-bound account elevation requests that are automatically approved every time the API makes the call. If you suddenly get a notification of the API requesting access every ten minutes, the request is an outlier that signals a potential new risk. Organizations need a way to engage in continuous control monitoring to protect themselves from compliance violations.
While applicable to both APIs and RPAs, rogue machine identification is the easiest to understand when thinking about bots. Many times, DevOps users re-use code from one RPA to another. However, if the new bot engages with a more sensitive data type, such as PII, then the old code may leave you open to risk. By taking an “identity-centric” approach, you can monitor what information the machine identities interact with so that you can better control whether they need that access or need the access in the way provisioned.
If you detect a new risk, such as a rogue bot, especially one that lacks proper stewardship, controls must be in place to disable or deactivate it through a next-generation IGA solution.
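The two detections described above, the cadence outlier (an API expected every fifteen minutes that starts calling every ten) and the rogue bot that reuses code and reaches a more sensitive data type, as one added example. This is not Saviynt's analytics or any code from the article; the log format, the identity names, the resource paths, the data classification and the approved classes are all constructed for illustration. The cadence check is done two ways, against the written policy and against peers in the same category, and the scope check compares each access against the data classes the identity was actually provisioned for.

```python
from datetime import datetime
from statistics import median

# Constructed sample access log (not from the article), one event per line:
# "<ISO timestamp> <machine identity> <resource>". api-billing-01 drifts
# from 15-minute to 10-minute calls; rpa-onboard-02 touches HR records.
SAMPLE_LOG = """\
2024-01-01T00:00:00 api-billing-01 /v1/invoices
2024-01-01T00:15:00 api-billing-01 /v1/invoices
2024-01-01T00:30:00 api-billing-01 /v1/invoices
2024-01-01T00:40:00 api-billing-01 /v1/invoices
2024-01-01T00:50:00 api-billing-01 /v1/invoices
2024-01-01T01:00:00 api-billing-01 /v1/invoices
2024-01-01T01:10:00 api-billing-01 /v1/invoices
2024-01-01T00:00:00 api-billing-02 /v1/invoices
2024-01-01T00:15:00 api-billing-02 /v1/invoices
2024-01-01T00:30:00 api-billing-02 /v1/invoices
2024-01-01T00:45:00 api-billing-02 /v1/invoices
2024-01-01T00:00:00 api-billing-03 /v1/invoices
2024-01-01T00:15:00 api-billing-03 /v1/invoices
2024-01-01T00:30:00 api-billing-03 /v1/invoices
2024-01-01T00:45:00 api-billing-03 /v1/invoices
2024-01-01T00:05:00 rpa-onboard-02 /hr/employees
2024-01-01T00:06:00 rpa-onboard-02 /it/tickets
"""

# Constructed data classification and the classes each identity was provisioned for.
RESOURCE_CLASS = {"/v1/invoices": "financial", "/hr/employees": "pii", "/it/tickets": "internal"}
APPROVED_CLASSES = {
    "api-billing-01": {"financial"},
    "api-billing-02": {"financial"},
    "api-billing-03": {"financial"},
    "rpa-onboard-02": {"internal"},   # code reused from another bot; PII was never approved
}


def parse_log(text):
    """Return (timestamp, identity, resource) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ident, resource = line.split()
            events.append((datetime.fromisoformat(ts), ident, resource))
    return events


def intervals_by_identity(events):
    """Minutes between consecutive calls, per identity, in time order."""
    times = {}
    for ts, ident, _ in events:
        times.setdefault(ident, []).append(ts)
    return {i: [(b - a).total_seconds() / 60 for a, b in zip(sorted(t), sorted(t)[1:])]
            for i, t in times.items()}


def policy_outliers(gaps_by_id, expected_minutes, window=3, tolerance=0.25):
    """Flag identities whose last `window` intervals all differ from the policy
    cadence by more than `tolerance`; a run is required so one retry or a bit of
    clock skew does not page anyone."""
    found = []
    for ident, gaps in gaps_by_id.items():
        recent = gaps[-window:]
        if len(recent) == window and all(
                abs(g - expected_minutes) > tolerance * expected_minutes for g in recent):
            found.append((ident, median(recent)))
    return sorted(found)


def peer_outliers(gaps_by_id, tolerance=0.25):
    """Compare each identity's median interval with the median of its peers,
    where the peer group is the identity-name prefix ("api", "rpa")."""
    medians = {i: median(g) for i, g in gaps_by_id.items() if g}
    found = []
    for ident, m in medians.items():
        peers = [v for k, v in medians.items()
                 if k != ident and k.split("-")[0] == ident.split("-")[0]]
        if peers:
            base = median(peers)
            if abs(m - base) > tolerance * base:
                found.append((ident, m, base))
    return sorted(found)


def scope_violations(events, approved=APPROVED_CLASSES, classes=RESOURCE_CLASS):
    """Accesses to a data class the identity was never provisioned for."""
    bad = {(ident, res, classes.get(res, "unclassified")) for _, ident, res in events
           if classes.get(res, "unclassified") not in approved.get(ident, set())}
    return sorted(bad)


def detect(text=SAMPLE_LOG, expected_minutes=15):
    events = parse_log(text)
    gaps = intervals_by_identity(events)
    return {"cadence_policy": policy_outliers(gaps, expected_minutes),
            "cadence_peer": peer_outliers(gaps),
            "scope": scope_violations(events)}


if __name__ == "__main__":
    print(detect())
```

Both cadence checks fire on api-billing-01 and neither fires on its two peers, which is the useful property: the peer check would still catch the drift if nobody had written the fifteen-minute rule down. The scope finding on rpa-onboard-02 is the rogue-bot case, surfaced from what the identity touched rather than from its code.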
Saviynt’s solution secures machine identities through our cloud-based IGA platform.
Saviynt’s cloud-native platform is built on Big Data technologies such as ElasticSearch and Hadoop. We designed our IGA platform to scale to the very large number of objects that machine identities introduce. Organizations need a cloud solution that allows them to manage their machine identities in an efficient way.
We designed our platform around an elastic, extensible data model because we found that the degree of complexity varies across machine identity types. We wanted to offer our customers something that didn’t require code-level customization to create definitions of new objects. Combined with our scalability, Saviynt’s platform provides organizations with the solution to their machine identity risk problems.
Rich Analytics, Peer Insights, and Usage
Saviynt’s analytics allow you to track controls and risk. With peer-to-peer analysis, we can compare whether one machine identity, such as a bot or API, looks like the other machine identities in that same category. If our analytics detect an outlier, they alert your IT administrator to the risky access so that they can review the access and extend governance.
We built a Universal Controls Framework that comes with 200 out-of-the-box policies to help meet compliance mandates, including separation of duties. The Universal Controls Framework aligns with major regulatory compliance standards such as PCI DSS and HIPAA. Customers leverage these controls to create access policies and extend governance over their machine identities.
Our platform streamlines the onboarding process, offering the ability to manage machine identity access using our fine-grained entitlements. Our platform also enables organizations to create temporary or time-based privilege elevation to limit the scope and time for the machine identity’s access.
As with all other identity types, customers need to periodically review their inventory for anomalous access, such as whether the RPAs have executed. In some cases, an RPA may not have executed or an API may not have made a call in quite some time. If the machine identity is no longer needed, you may need to determine whether it should continue to exist in your IT environment. With Saviynt’s platform, you gain visibility into these machine identities and can review whether they should be temporarily deactivated, disabled, or even removed from the inventory. The future of IT is no longer a “landscape” but a “cloudscape” that will continue to drive a need for better identity and access governance over machine identities.