By Ev Kontsevoy, CEO of Teleport, finalist of the Security Innovation of the Year (Enterprise) category at The Cloud Awards 2022-2023
Today’s businesses find themselves in the center of a perfect storm. Over the last few years, software companies have moved steadily toward microservices architectures, taking advantage of the scale of cloud computing. At the same time, the majority of businesses have shifted to hybrid or even fully remote working models as a result of the Covid-19 pandemic.
The Evolving Security Landscape
In the past, an organization’s sensitive information and infrastructure could be protected within a single environment. Even in the cloud, the legacy perimeter-based approach to security remained popular. But today, businesses rely on ever-growing technology stacks consisting of many layers that rely on secure access, mixed with third-party services to handle critical technology functions, and employees scattered throughout the world use personal devices and unprotected connections to access company assets. These organizations frequently rely on passwords, private keys, API keys, or browser cookies — in other words, different forms of secrets — to protect their infrastructure. Yet these secrets are vulnerable to human error: can be easily shared or stolen, putting valuable company information at constant risk. Humans remain the weakest link in infrastructure security, and reliance on secrets is the reason why that’s the case.
Ongoing Risks of Secrets
While secrets are the leading cause of data breaches, the devices we use most frequently have already made important strides in improving their security posture. Leading technology companies including PayPal, Validity Sensors, Lenovo, and others, joined together to create the FIDO Alliance, which aims to accelerate adoption of passwordless access. Many of the world’s most popular smartphones have already moved to biometric authentication, while leading services secure their accounts with two-factor authentication.
Yet despite the progress in consumer technologies, our critical infrastructure has lagged dangerously behind. The SolarWinds hack was used to infiltrate vital American corporations and agencies, while the Colonial Pipeline attack demonstrated the vulnerability of some of our most essential services. Attackers gain access to a system with a user’s compromised password or machine token, then pivot from there to access other secrets like Oauth 2.0 tokens or API keys. Until our critical infrastructure catches up to the devices in everyone’s purse or pocket, we run the risk of catastrophic consequences.
Secrets can also present risks when employees move on from an organization. Passwords, private keys and other forms of credentials are not reliably changed or updated when an employee leaves or is let go. The State of Infrastructure Access Report found that a majority (60%) of respondents are concerned about employees leaving the organization with secrets and knowledge about how to access infrastructure. Disgruntled employees could even choose to sell those secrets onward to bad actors, multiplying the risk to the company.
Balancing Speed with Security
Why have secrets proved to be so persistent, even when we know they’re not secure? Partly, the still deployed legacy technologies that simply do not support any other form of authentication are to blame. But the answer also lies in human nature and in the need for organizations to move and scale quickly. Engineering teams are incentivized to build products as fast as they can, while startups are rewarded with larger funding rounds if they’re able to grow rapidly. If a new security tool threatens to slow down an engineering team or interrupt their workflow, they’re likely to push back or find a workaround.
For DevOps, security engineering and other security leaders, the challenge of moving away from secrets is to find a passwordless access solution that doesn’t sacrifice speed in the name of security. This challenge will only become more difficult as cloud architectures expand and grow in complexity. Security teams must choose access management solutions that will be able to scale together with the organization, without increasing the burden on engineers themselves.
Biometric access solutions offer a promising alternative to secrets, making it possible for employees to authenticate with a single glance or swipe of their fingertip. However, privacy concerns represent a barrier to long-term adoption. The security industry must overcome misconceptions about biometric solutions in order to calm fears about tracking and surveillance. Biometric information never leaves an employee’s device and cannot be accessed via software. By educating our workforce on the benefits of biometric access, we can correct these misconceptions and move towards a more secure future.
Finding the Futureproof Security Solution
Identity-based access allows us to go beyond human users to include machines as well. Trusted platform modules (TPMs) are integrated on devices like computers and smartphones, giving each of these machines an encrypted identity that can’t be lost or stolen. When a machine needs to access a sensitive asset, the TPM proves the machine’s identity. The combination of biometrics and TPMs creates a unified identity for human users and their machines, an identity that is dramatically more secure against hacking than existing secret-based approaches.
In order to establish an infrastructure access solution that will be able to scale together with new technologies and infrastructure form factors, we need to eliminate all forms of secrets. Instead of using secrets that are made up by an individual and can then be shared or stolen, we must instead focus on Real Identity for humans and machines — who you are , i.e. biometrics, and TPM and HSM chips for hardware. An employee’s biometric identity mixed with the physical identity of their laptop cannot be easily stolen, and they cannot be physically lost. Many devices include TPM modules and facial recognition or fingerprint scanning technologies as standard features, and USB-pluggable modules like Yubikey Bio allow any device to acquire a Real Identity and become biometric-enabled.
Passwords, private keys, browser cookies, and other secrets represent the single-most pressing threat to organizations and their sensitive assets. We know what the solutions are to address this problem, and we know the potential consequences of not making the necessary changes. In 2023, companies must move on from outdated security measures and embrace the future of access.