What is the best way to protect digital machine identity? Our guide outlines how to ensure protection and warns about the risks of unprotected identity.
Digital identities have to be protected – especially with regard to the corona pandemic: Many companies have succeeded in relocating their work to the digital world. IT security in general and the protection of machine identities in particular are gaining new relevance.
How to protect digital machine identity
What is a machine identity?
Numerous cyberattacks aim to spy on the identity of a user in order to take it over. Administrator identities are far more sought-after, because they come with extensive rights. Machines also have identities, and these too carry privileges in the authorization system.
Machine or digital identities are, much like us humans, characterized by various properties and characteristics that make them distinguishable from one another. Cryptographic keys, but also digital certificates, are prominent examples of digital identities. This shows that machine identities nowadays play a decisive role in competition, but also in the security of companies, which is why it is crucial to protect digital machine identity.
Digital identities form the basis for establishing trust between different machines on the World Wide Web, and current developments show how highly relevant the topic is for today’s business world.
X.509 certificates should also be mentioned in this context: these digital files are used for SSL encryption. X.509 certificates fulfill two essential functions. On the one hand, they make it possible to encrypt the information exchanged with websites, as you know it from common SSL/TLS certificates. On the other hand, they are also used for authentication and for verifying the identities of hosts or websites. This makes X.509 certificates an essential part of digital identities.
The use of machine identities
Digital identities are particularly important in the areas of Industry 4.0 and the Industrial Internet of Things (IIoT): in order to work automatically, machines communicate directly with one another. They not only have to “know” one another, they have to trust one another. They distribute tasks independently and have the necessary rights to do so. To ensure this, every system needs a digital identity, and you should ensure that you protect it.
We find machines, plants, products or transport systems of this type in almost all production facilities and in many other companies. In the respective environment, however, they not only communicate with one another, but also with back office systems such as MES, PLM and ERP systems or warehousing solutions. This shows how close information technology (IT) and operational technology (OT) have become; they can hardly be viewed as separate fields anymore. Just like big data programs, ERP solutions have access to the data generated by the machines themselves, by measuring systems or by conveyors.
5G promises more reliability and speed compared to previous generations of mobile communications. This means that machines and systems will have even more options in the future. The IIoT will increasingly extend into the mobile sector and into regions that have hitherto been poorly connected. That sounds good, but it also increases the attack surface.
At the moment, digital identities can be found almost everywhere, in smaller companies as well as in large corporations and everywhere in between. But machine identities are not well protected. In the past year there was massive theft of numerous certificates, which were used to create fake shops, among other things. Update services were misused to distribute malware and ransomware or to gain SSH access. All of this is already reality today, when we are not yet completely surrounded by the IIoT. With 5G and the advancement of IIoT and Industry 4.0, the protection of digital identities will gain massively in importance.
Manage digital identities securely
In view of these facts, it is hard not to wonder how digital identities can be protected efficiently. There are different approaches:
Identity and Access Management (IAM) brings important questions into focus: who does what in the network, and when? Pure authentication is not enough for this approach; the goal is unequivocal identification. It is therefore a matter of letting only the identified user act, and not an unauthorized third party who pretends to be that user. Or in our case: only the identified machine, and no unauthorized third-party identity. In the IAM approach, an identity provider is the linchpin. The human user controls this identity provider using a device. The requesting device then receives an access token. The individual has thus been granted access via the directory. An access manager ensures that appropriate guidelines are observed,
From this it becomes clear that, thanks to IAM, devices only start functioning once the corresponding users have been clearly identified. Only when it is put into operation by a person who can be clearly identified does the device become a digital identity. In the name of this identified person, the device can then assert different access rights to APIs or web connections, depending on the authorizations the user himself has. However, these authorizations are not role-based but identity-based.
An alternative to this approach is the Public Key Infrastructure (PKI): the establishment of the necessary chain of trust starts with a device-related identity verification. In this case, the digital identity should be created as a certificate in X.509 format, which is exactly what a PKI does. The trustworthiness of the digital certificate is guaranteed by the Certificate Authority (CA), i.e. the certification authority. Such an X.509 certificate is validated using the public key of the certificate holder. If this existing PKI concept is expanded, it can bring more IIoT security: the Registration Authority (RA) of the PKI is relocated to the networked production environment.
A “local registration point” is created which not only validates the identity of the device requesting the certificate, but also creates a trustworthy certificate request to apply for the device certificate from the CA. In this way, components can be assigned digital identities during the manufacturing process.
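To make the PKI flow of the two paragraphs above concrete, here is an added Go example (not code from the original article) of the device, local RA and CA roles, built only on the standard library's crypto/x509: the device generates a key pair and a certificate signing request carrying its serial, the local registration point checks the request's signature and that the serial is on its production list, the CA signs the device certificate, and a relying party verifies the chain back to the plant root. The root CA, the device serials and the in-memory production list are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Constructed sample: serials the local registration point knows from the production line.
var knownDevices = map[string]bool{"PLC-0001": true, "PLC-0002": true}

// newCA creates a self-signed plant root CA (sample only; a real CA key would live in an HSM).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Plant Root CA"}, NotBefore: time.Now(),
		NotAfter: time.Now().AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// issue is the RA + CA step: the RA rejects a CSR whose signature fails (no proof of possession
// of the device key) or whose serial is unknown; otherwise the CA signs a one-year client-auth cert.
func issue(csrDER []byte, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil || csr.CheckSignature() != nil || !knownDevices[csr.Subject.CommonName] {
		return nil, errors.New("RA rejected certificate request")
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: csr.Subject, NotBefore: time.Now(),
		NotAfter: time.Now().AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey) // on failure der is empty and parsing errors out
	return x509.ParseCertificate(der)
}

// enroll is the device side: generate a key pair and a CSR carrying the device serial.
func enroll(serial string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	csrDER, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: serial}}, key)
	return issue(csrDER, ca, caKey)
}

// verify checks that a presented certificate chains to the plant root and is valid now.
func verify(cert, ca *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```

Call enroll and verify from your own main or a test; a serial that is not on the production list is rejected by issue before anything reaches the CA, and a certificate from a different root fails verify.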
What must be taken into account when protecting digital identities?
In order to protect digital identities, it is worthwhile to first get an overview of the machine identities in use. Encryption is a tried and tested means of protecting identities. SSL certificates for the web and S/MIME certificates for email security are indispensable components of the protection concept for digital identities. Please note: if an unauthorized third party is in possession of your e-mail access data, they can use your identity to send e-mails on your behalf. If, on the other hand, you digitally sign your e-mails with your identity, it is clear beyond any doubt that you, and only you, could have sent the e-mail.
Especially for employees who work from home due to the corona pandemic, it is worth taking an inventory of all the devices connected to the network. But it is also worth taking a critical look at the network inside the company itself, because you can only secure what you know. Categorize the devices you have identified as personal or company-owned. This enables you to apply security guidelines for BYOD devices, and as a result you can monitor their behavior and network traffic.
Always check devices before they are allowed onto the network. Whether the devices are patched with the latest security updates is of particular interest. Even a single non-compliant or compromised device in your network can be exactly the entry point cyber criminals need.
Enforce access controls and segmentation guidelines, especially when working from home, but of course beyond that as well. Adopt practices that have proven themselves:
- Access with the least possible privileges
- Automatic notifications of policy compliance issues
- Monitoring of the network activities of home office devices to detect deviations from the norm
Establishing digital identities directly on the production line would be welcome. Further recommendations for protecting machine identities are:
- Actively monitor machine identities to ensure continued transparency.
- For each machine identity, determine whether it complies with the security guidelines (i.e. updates, authorizations, etc.).
- Automation is the best way to react to the speed and scope of possible changes in digital identities.
- Understand the protection of digital identities as an ongoing and scalable process that can respond to rapid changes in machine identity.
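As an added example (not from the original article) of the monitoring and compliance points in the list above, the following Go code audits an inventory of machine certificates against a sample policy: expiry within the renewal window, weak keys, deprecated signature algorithms and missing key-usage restrictions. The thresholds and the two certificate records are constructed sample values; real input would be parsed with x509.ParseCertificate from each device's certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy thresholds (constructed sample values; align them with your own guidelines).
const minRSABits, renewWithin = 2048, 30 * 24 * time.Hour

// audit returns the guideline violations for one machine certificate as of now.
func audit(cert *x509.Certificate, now time.Time) []string {
	var issues []string
	switch {
	case now.After(cert.NotAfter):
		issues = append(issues, "expired")
	case cert.NotAfter.Sub(now) < renewWithin:
		issues = append(issues, "expires within renewal window")
	}
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if pub.N.BitLen() < minRSABits {
			issues = append(issues, fmt.Sprintf("weak RSA key (%d bits)", pub.N.BitLen()))
		}
	case *ecdsa.PublicKey: // P-256 and larger curves pass in this sample policy
	}
	switch cert.SignatureAlgorithm {
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1:
		issues = append(issues, "deprecated signature algorithm "+cert.SignatureAlgorithm.String())
	}
	if len(cert.ExtKeyUsage) == 0 {
		issues = append(issues, "no extended key usage restriction")
	}
	return issues
}

// sampleInventory builds unsigned certificate records standing in for a parsed inventory
// (constructed sample; only the fields the audit reads are filled in).
func sampleInventory(now time.Time) []*x509.Certificate {
	weak := &x509.Certificate{Subject: pkix.Name{CommonName: "PLC-0001"}, NotAfter: now.AddDate(0, 0, 10),
		PublicKey: &rsa.PublicKey{N: new(big.Int).Lsh(big.NewInt(1), 1023), E: 65537}, SignatureAlgorithm: x509.SHA1WithRSA}
	good := &x509.Certificate{Subject: pkix.Name{CommonName: "PLC-0002"}, NotAfter: now.AddDate(1, 0, 0),
		PublicKey: &ecdsa.PublicKey{Curve: elliptic.P256()}, SignatureAlgorithm: x509.ECDSAWithSHA256,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return []*x509.Certificate{weak, good}
}
```

Running audit over every certificate in the inventory on a schedule, and raising a ticket for each non-empty result, is the automated, ongoing check the list above asks for.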
Digital identities are a central component of IT security
The advance of digitization driven by the corona pandemic, the further development of Industry 4.0 and also the IIoT all show that machine identities are becoming more relevant. We all deal with digital identities, as a matter of course, in both private and business environments. But their protection still leaves much room for improvement. If developments in the areas of IIoT and Industry 4.0 continue at a similarly rapid pace, which can be assumed, the authentication and identification of machines may soon be more important than those of users. For network security, data protection and general IT security, however, one thing is certain: the efficient securing of digital identities is already essential today.