In the long march to implementing zero trust architectures (ZTA), Federal agencies have focused on managing user identity and made tremendous progress in implementing identity authenticators into their systems.
But there is another category of agency member – residing in and outside of perimeters – that also needs to be identified: the machines.
Ross Foard, an identity, credential, and access management (ICAM) Subject Matter Expert with the Continuous Diagnostics and Mitigation (CDM) Program at the Cybersecurity and Infrastructure Security Agency (CISA), spoke at a virtual summit organized by the Advanced Technology Academic Research Center (ATARC) on July 26 about why a ZTA requires machine-identity management.
“The government has focused for a long time on human identities, and we’ve done a pretty good job of making sure that we know who the human identities are, identity proofing, issuing strong authenticators. But that’s being overcome by the number of machine identities that are emerging,” Foard said.
“And when I say machine identities, I mean both machines that are operating on your environment on behalf of users, and devices themselves. We need to be able to rely on those machine identities similarly to the way you rely on human identity,” he said.
Identity, Foard explained, is the new network perimeter, and agencies need to validate every machine’s identity regardless of location. Limiting verification to user identities could present a false notion of security, he said.
And because operating processes differ so much across Federal agencies, there is no one-size-fits-all approach to machine identity, Foard said. Rather, “there are several different ways to identify and manage machine identities,” he explained.
For example, agencies could monitor and manage cryptographic keys and digital certificates, which are used to establish machine identity.
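The point that keys and certificates are what establish a machine's identity can be made concrete with the check a zero-trust service performs before it trusts a peer machine. The Go program below is an added example, not code from CISA, the CDM Program or the article; the CA name, the host name `build-runner-07.internal.example` and the 30-day renewal window are assumed values, and the certificates are constructed in-process rather than issued by a real agency CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// mintCert issues a machine-identity certificate (constructed test data, not an agency CA);
// with parent == nil it returns a self-signed CA able to sign workload certificates.
func mintCert(cn string, dns []string, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: dns, NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // the machine authenticates as a client
	}
	if parent == nil { // self-signed root: it signs the workload certificates
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyMachineIdentity is the check a zero-trust service runs before trusting a peer machine:
// chain to the agency CA, require the expected SAN, and flag certs inside the renewal window.
func VerifyMachineIdentity(cert, ca *x509.Certificate, wantDNS string, renewWithin time.Duration) (string, bool, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, DNSName: wantDNS, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", false, err
	}
	return cert.Subject.CommonName, time.Until(cert.NotAfter) < renewWithin, nil
}

func main() {
	ca, caKey, _ := mintCert("Agency Machine CA", nil, time.Now().AddDate(1, 0, 0), nil, nil)
	leaf, _, _ := mintCert("build-runner-07", []string{"build-runner-07.internal.example"}, time.Now().AddDate(0, 0, 10), ca, caKey)
	fmt.Println(VerifyMachineIdentity(leaf, ca, "build-runner-07.internal.example", 30*24*time.Hour)) // build-runner-07 true <nil>
}
```

A certificate that chains to the agency CA but carries the wrong name, or one issued by an unknown CA, is rejected by the same call; the renewal flag is what a key-and-certificate inventory would act on before the identity silently expires.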
Additionally, agencies should not rely on a single individual or a single tool to manage machine identity within their network. Effective and secure machine-identity management will take multiple tools and multiple people, Foard explained.
“You’re going to need people from your identity and access management group, but you also need developers – they’re the ones that often utilize these devices – so they need to be involved early on in the process,” Foard said. “My recommendation is that agencies form a machine-identity working group to bring together these different constituents and their different tokens of knowledge.”