The full impact of the Modernizing Government Technology Act remains to be seen. But no matter how far the scope extends, government modernization efforts will result in the creation of thousands of new machines. The White House’s American Technology Council hints at the intended scale of this modernization in a draft Report to the President on IT Modernization. The report “envisions a modern Federal IT architecture where agencies are able to maximize secure use of cloud computing, modernize Government-hosted applications, and securely maintain legacy systems.”
Whether the new machines that result from this initiative are systems, applications or cloud instances, they will all share the need to communicate with other machines. Because these machines are used to control nearly every aspect of our critical infrastructure, the need to create, install, rapidly assess and ensure the integrity of communications between machines is critical and must be able to scale instantly.
However, most older agency infrastructure simply does not have the technology or automation needed to accurately monitor and protect the barrage of machine identities organizations now support. As mandated by OMB M-15-13 (the HTTPS-Only Standard), communications across the federal government must be encrypted. But encryption alone cannot guarantee the safety of machine-to-machine communications or connections.
To prevent misuse, encrypted communications rely on digital certificates and cryptographic keys to verify the identities of the machines engaged, in much the same way that federal employees identify themselves with CAC and PIV cards. But, just as identification cards can be forged or stolen, the same can happen to keys and certificates.
If cyber criminals or nation-state hackers gain access to an agency’s keys and certificates, they can create encrypted tunnels that allow them to exfiltrate data under the radar, a likely explanation for how large amounts of data were compromised in the U.S. Office of Personnel Management (OPM) breach.
But despite the potential impact of misused keys and certificates, these powerful security controls are still too often left unprotected in many agencies, resulting in vulnerable machine identities. As a result, the compromise, misuse, and fraud of machine identities have become prime attack vectors for cyber criminals and nation-state hackers.
As these attackers look for ways to evade network monitoring, behavioral analytics and tighter privileged account security controls, they are finding hijacking machine identities to be incredibly effective and lucrative. This sets the stage for a dramatic escalation of machine identity attacks in 2018.
To complicate matters further, these new machine identities represent a moving target. Cloud adoption is spawning a tidal wave of virtual devices. This paradigm shift stretches the definition of machine to include a wide range of software that emulates physical machines. In the cloud, agency IT staff are no longer the limiting factor in the creation of machines; machines automatically create, configure and destroy machines in response to agency demand.
As agencies modernize their infrastructures with cloud computing, they will face an average virtual machine lifespan of just 23 days, compared with the expected three-to-five-year life span of a physical device. This inherent dynamism in cloud environments complicates the task of uniquely identifying, authorizing and securing communication between physical and virtual machines. The rapid deployment, change and revocation of their identities exponentially increases the challenge of keeping communication to the cloud and between cloud servers secure and private.
To protect the increasingly transient nature of cloud computing, federal agencies will need machine identity protection solutions that are as dynamic as the trends driving cloud adoption. Does your agency have what it takes to protect the machine identities that will result from government modernization initiatives?
To learn more about Venafi’s cybersecurity solutions, see their Trust Protection Platform, which recently achieved Common Criteria Certification.