Aembit Earns Prestigious Runner-Up Spot at RSA Innovation Sandbox Contest! Watch the Announcement

RSAC™ Innovation Sandbox FINALIST 2024 banner
Aembit wins the 2024 RSA Conference Innovation Sandbox contest! Read the news
RSAC™ Innovation Sandbox FINALIST 2024 banner
Aembit is an RSA Conference Innovation Sandbox finalist! Read the news
Blog

There is No MFA for Machines: Do This Instead

Policy-based access control and posture-based conditional access are far better options to bolster secure workload-to-workload communication.
human and robot hands at computer

MFA, aka multifactor authentication – you know the drill. Enter password. Key in code from your authenticator app. Check your email and click on the link. 

While these steps can be frustrating, we know that they keep us and our company safer. But what if you simply cannot do those steps? It’s a real situation, if you’re a machine (aka an application, program or script running in the cloud or data center)  trying to access an API, SaaS service, or database.

MFA has gained popularity as an effective way to enhance security for human users. However, when it comes to securing machines and automated systems, MFA falls short in many ways. In this post, we’ll explore why this mode of authentication won’t work for machines. We’ll also propose alternative strategies, including policy-based access control and conditional access based on workload security posture, to safeguard our digital assets.

The Limitations of Multifactor Authentication for Machines

Multifactor authentication is a robust security measure for human users because it relies on something the user knows (a password), something the user has (a mobile device, smart card, or token), and something the user is (biometric data). These factors provide an additional layer of protection beyond a simple password. However, applying this approach to machines presents several challenges:

Machines Lack Cognitive Abilities

Machines, unlike humans, lack the cognitive abilities to understand and interact with the MFA process as humans do. They cannot enter a one-time passcode or use a biometric feature to authenticate themselves. Expecting machines to complete these steps is unrealistic. (And, if they can complete these steps the way a person does, we’ve got bigger problems in life.)

Complexity and Scalability

Managing MFA for a large number of machines can be complex and burdensome. Each machine would need unique credentials and a way to interact with the authentication process, which could be challenging to implement and maintain at scale.

Vulnerabilities in MFA Implementation

Even if it were possible to implement MFA for machines, it would introduce additional points of vulnerability. Just as with human MFA, there is always the risk of compromised tokens, intercepted one-time passcodes, or stolen biometric data.

In short, MFA for machines is somewhere between hard and very hard, with the operations complexity to match. Despite this, we know that the accelerating proliferation of machines needs a more secure approach than just another poorly managed secret.

A Better Approach: Secure Machine-to-Machine Communication

Instead of relying on MFA for machines, a more plausible approach is to focus on managing access from workload-to-workload, combined with basic hygiene for your environment. Let’s cover the more modern elements of securing workload access, followed by some of the basics. 

1) Validate and Attest to the Identity of Your Workloads Before Every Connection Request

To ensure that a workload can connect to a sensitive database, a SaaS service, or an API, that workload should be able to provide evidence that it is who it says it is. As opposed to relying on Layer 3 technologies like mTLS to solely assess the network-related disposition of the asset, move up the stack to validate the identity of the workload itself – often referred to as attestation. This is particularly useful as your environment expands to include highly dynamic and cloud-native applications that move and scale automatically.

Attestation can be developed through an open-source capability like SPIFFE, or through a commercial Workload IAM platform that can manage identity, attestation, and access policy.

2) Institute Policy-Based Access Controls

Define strict, policy-based access policies that dictate which workloads or machines can communicate with each other and under what conditions. These policies can be based on factors such as workload identity, purpose, and location.

Policy-based access is often implemented alongside a move to short-lived access tokens, which in itself provides a higher level of security by ensuring limited time to access a resource before the token needs to be refreshed. This can significantly reduce dwell time if someone gains unauthorized access.

Finally, this enables your security team to quickly and easily switch allow/deny access on policies to enforce guardrails, react to security incidents, or run tabletop exercises.

3) Eliminate Hard-Coded Secrets

Secrets, which are the de-facto approach for workload-to-workload access, have a couple big problems. First, they imply that if you have the secret you are permitted to have access. That can be pretty far from the truth. Also, given that they are often hard-coded into applications or stored in environment variables, this sprawl increases the risk of a key being stolen. After it’s stolen, see issue No. 1. You get the idea.

Moving to identity- and policy-based access controls (Nos. 1 and 2 above) puts you in a strong position to move away from long-lived and hard-coded keys. 

4) Embrace Conditional Access Based on Workload Security Posture

Implement conditional access controls that evaluate the security posture of workloads running on machines. This approach ensures that only workloads that meet predefined security criteria can access specific resources or communicate with other machines. For example, workloads with up-to-date security patches and robust security configurations may be granted broader access.

5) Deploy Network Micro-Segmentation

Segment your network to isolate machines based on their roles and access requirements. This limits the attack surface and reduces the risk of unauthorized access. Only allow essential communication pathways between trusted machines.

While this is a powerful tool to protect your applications, micro-segmentation can be complex to implement and even harder to maintain. As you move to highly dynamic cloud-native environments, it can become difficult to accurately maintain the least number of paths that should be open to an application. On the other hand, long-lived legacy environments often lack the appropriate logical or physical separation needed because the environment was developed well before micro-segmentation became a regular practice.

Furthermore, today’s environment workloads may also be connecting to SaaS services or third-party APIs. Microsegmentation doesn’t really apply here, given that you cannot control someone else’s network.  


Machine Security Basics

And now for a few of the basics (that we know you do, but we couldn’t in good conscience write this article and ignore them):

1) Monitor and Detect Anomalies

Implement robust monitoring and anomaly detection systems to identify suspicious behavior or unauthorized access attempts. A bonus: If you have implemented policy-based access control described above, you likely have (or can create) a centralized, homogeneous log source to track access attempts efficiently, versus combing through the logs of each individual application. This log source will give you a more efficient way to run identity-based threat detection and response against workloads.

2) Regularly Update and Manage Patches

Keep all machines and software up to date with the latest security fixes. Vulnerabilities can be exploited by attackers if systems are not properly maintained. Run an endpoint agent on machines and/or a cloud security product to regularly scan for security gaps or misconfigurations.

3) Implement Encryption

Encrypt data in transit and at rest to protect it from interception and unauthorized access. Modern encryption algorithms and protocols can provide a high level of security for machine-to-machine communication.

Conclusion

While MFA is a valuable tool for securing human access to systems and data, it is not a practical solution for securing machines. Machines require a different set of security measures that focus on the integrity and confidentiality of the communication between them, including policy-based access control and conditional access based on workload security posture. By implementing these robust authentication, encryption, monitoring, and access control strategies, we can better protect our digital infrastructure from machine-level threats in an increasingly interconnected world.

You might also like

Modern software development accelerates progress but introduces security risks that must be managed to protect organizational integrity and reputation.
As the demand for API access continues to grow, so does the urgency of adopting more secure authentication methods.
A string of recent compromises involving non-human identity credentials are putting organizations on high alert. Here's what you can do about it.