I learned about the following story via the Identity Jedi, which leads me to my early and self-serving call to action:
If you’re interested in identity, The Identity Jedi Newsletter is a must-read. It’s packed with educational and insightful content. And if you would like to subscribe to the newsletter, please use my referral link: https://www.theidentityjedi.com/subscribe?ref=YoUVK0Uos1&_bhlid=7fecfad9eb7fd8bcdb529e945e11346b5897acdc I’m in the running to get an Identity Jedi mug. Thanks.
Enough self-serving content. Let’s get to what I learned about in the newsletter: namely, this article from CSO Online, “The urgent reality of machine identity security in 2025.”
As you know, I’ve been spending more and more time concentrating on identity issues when a person is not present. This is what the attribute-based access control folks refer to as “non-person entities” (NPEs).
In the article, CyberArk’s Scott Carter makes the following points:
- Today there are many more machine identities than human ones.
- They may have a short shelf life. Unlike humans, who usually access your systems for months or years if not decades, machine identities may be “created and discarded dynamically in minutes.” (Incidentally, I just wrote a LinkedIn article that delves into this in more detail.)
- These identities are being breached. “Half of the surveyed organizations experienced security breaches tied to compromised machine identities within the past year.”
What does this mean?
Well, for CyberArk, it means that it endorses technologies such as automating certificate lifecycle management. And by the strangest coincidence, CyberArk offers a solution…
But for us, it means that we don’t only need automation, but we also need governing processes to ensure that ALL the people and NPEs that are accessing our systems are properly managed, quickly commissioned, and quickly decommissioned.
(Image from Imagen 3. Yes, I’m falling into the habit of reusing images for multiple use cases. It’s easier that way.)
Bredemarket 
1 Comment