Machines are eating the world. Or is it software? No wait, it’s AI. In someways, it will likely be none, neither or all. I don’t think any will make us all extinct, yet automation, the use of machines and services (powered by clever software) will certainly be doing more for us as humans than ever before – as employees, customers and citizens.
So where are machines fitting in? Well, ever since we started to break down our monolithic apps and started to tackle complex problems in more bite size chunks, we have seen the rise of semi-autonomous services and functions acting on events generated by humans. I’m talking about APIs, services and other process automation steps that help complete our online banking transactions, extract, move and analyse data, crunch numbers and help us buy airline tickets. These services have some similar characteristics to actual physical machines, in the sense they are unique (or should be), perform repeatable deterministic steps and can be replicated.
Add into that of course actual physical machines such as mobile phones, internet of things devices, production line components (think sensors, programmable logic controllers, field programmable gate arrays) as well are medical equipment and health-tech, military components and industrial control systems and we have a entire new wave of objects that are collecting, processing and generating data.
IAM is not just for Humans
OK, so we have lots of things that are not humans, but related to human activity, doing stuff with data. ‘So what’ as Andy Warholl would say? Well the link back to humans is important as we typically only think of identity and access management from a human point of view, yet the use of non-person entities to complete work on our behalf is huge and rising.
Our provisioning, access management, governance, authorization and authentication systems are very human centric – as they should be. However, those same life cycle capabilities need to also be leveraged against this non-person world. Why?
If we start to think of what an identity really is and what it is capable of, we can start to broaden our scope of inclusion. The above is just one example of where our identity scope could be expanded into other areas for both software and hardware related “machines” – were we need to think about life cycles, authentication and authorization as basic building blocks for how these components handle data.
Workloads would typically be the “software” lens – where we have processes and services handling data, with devices (or hardware) being physical instantiations of objects. Clearly devices also run software, but that software should sit within a unique and traceable piece of hardware.
What Do Machines Need?
The concept I’m amplifying is one I’m starting to see across numerous vendors and within industry – is how to manage the entire life cycle of these generic machines. They need to be created, updated, issued credentials, authenticated and given entitlements.
How can you authenticate an API? How can you manage the permissions assigned to a chatbot operating at the front end of a call centre? How can you can dynamically remove the permissions assigned to an API that is handling PII?
All of the anti-patterns we have worked through in the human-centric IAM world (excessive permissions, shared accounts, single factor authentication, redundant accounts, limited monitoring) will proliferate across this non-human world too.
We have a plethora of tools and capabilities across the entire human-centric world – passwordless, external authorization, next generation identity governance, just in time permissions, zero standing privileges, AI lead analytics, behaviour monitoring and runtime threat analysis. Those same capabilities (or certainly a basic subset) need to be considered for the machine world too.
Machine Life Cycles
They need an identity first of all – something unique, assignable and immutable. They will need credentials – likely a certificate or key of some sort to support possession based authentication. They will need entitlements and a baseline of behaviour monitoring. The authentication and access control life cycles will need governance, access request and access review processes. Bootstrapping, revocation and removal of credentials will be needed. Those credentials will also need to securely stored, be agile enough to respond to external cryptographic changes with strong monitoring usage analysis.
All of that needs to be considered under some odd assumptions. Firstly if there is no human involved, interruptions, challenge response steps, unhappy paths and process failures need to be handled autonomously and with some relatively smart logic. (I remember early in my career 20+ years ago I remotely restarted a Novell Netware 3.x server – thinking I as being smart this could be done when I was 120 miles from the box; said server never returned, as during bootup it was sat on the BIOS screen waiting for a human to press F1 to acknowledge no keyboard was connected…I had to travel 120 miles to solve this..) <— These sort of process failures are common when you assume a human is located within a chain of events. Machines need to handle this themselves…
Where to Start?
I don’t want this to be a scare article. Machines are everywhere yes. They are here to stay. They will grow in volume and responsibility. They will also become an attack vector for malicious activity. Why bother trying to attack a user with FIDO2 authentication when I can just piggy-back off an API that has a hard coded credential that is never monitored that is carrying the user’s PII?
First off understand your landscape – inventory, understand, document and then look at the risk. Work across different stakeholders to understand this landscape. This will involve engineering, devops, identity, cloud teams – there will be lots of areas where services are carrying out sensitive tasks that will need to be managed and monitored.
Not all machines are the same. Each areas will require a different subset of IAM services. API management will be different to OT device management.
This is still a relatively new area, with emerging vendors tackling various parts of the machine life cycle. See the likes of Corsha, Hopr, Venafi, AppviewX, Transmit Security, Xage amongst others who are delivering some non-competing and innovative approaches to credential and data management in a non-human landscape.