By Michael Byrnes, director – solutions engineering, iMEA, BeyondTrust
Early adoption of new technologies is something of a regional tradition, especially among the Arab Gulf states. Lately, 5G — and its propensity to support a slew of exciting new use cases for the Internet of Things (IoT) and Machine-to-Machine (M2M) — has become a hot topic. GSMA Intelligence predicts that the GCC will lead growth in 5G across the Middle East and North Africa (MENA) region in the coming years. By 2025, its nations will be home to 20 million of MENA’s 50 million connections, with 16% of all mobile connections in the Gulf being 5G, ahead of the global average of 15%.
Major telecoms providers such as Zain, Etisalat, STC and du already have IoT and M2M platform offerings, and IoT revenue is set to more than double in the Middle East and Africa (MEA) by 2023, according to one estimate from GlobalData— another strong indicator that an M2M revolution will soon be upon us.
As the Gulf’s economic visions continue to gather steam, vast smart city projects like Saudi Arabia’s The Line and NEOM will rely heavily upon IoT and M2M communications. But what of the security of these projects? One report found that the UAE alone is hit by 304 attacks on IoT infrastructure daily. To ensure the region’s smart city dreams do not become nightmares, we must address the security of the apps, bots, servers, desktops, websites, containers, service accounts, and other IoT elements that could potentially be the source of our undoing.
All these machine elements must identify themselves to others, and while we spend a lot of time talking about human identity management, we must never forget that our machines can also be weak links. Whether we use hardware-specific data to authenticate machines and processes, digital certificates, reserved IP addresses, or plain old usernames and passwords, we must pay attention to the pros and cons that can arise from each.
In general, however, five management “musts” should be part of any machine-identity security strategy.
If bad actors gain access to user credentials with high-level permissions, then this presents a significant problem. So it is with machines. Vulnerability management systems (VMS) may be becoming more popular, but we still see large numbers of attacks each year that stem from known, preventable vulnerabilities yielding access to prime credentials. A VMS gives information on known exploits for each vulnerability it finds. Addressing and patching the obvious holes on machines is a fundamental starting point, and yet often, these holes lie gaping, waiting for an exploit kit to do its worst. The resultant costs can be considerable.
We cannot, in our pursuit of M2M security, forget the user entirely. Endpoint privilege management tools adjust user privileges at runtime for applications and processes. They apply policies to the process, taking the user out of the equation, and so we are again dealing with machine identity. Such tools apply the policy of least privilege (PoLP) approach to each application or process and can leverage multi-factor authentication without constraining the user experience.
When they cannot directly compromise a privileged account or a key machine, attackers will move on to standard accounts and shared privileged accounts, like those of default superusers and support teams. Low-level users often use these credentials to make life more convenient for an under-resourced IT team. But the accounts they use could, if compromised, provide access to a key machine or critical system. Privileged password management (PPM) can ensure that privileged accounts for users and machines are independently policed. API calls to the PPM platform replace Embedded credentialsm. And the PPM solution also automates password changes, in some cases after every session, there by stymying brute-force attacks.
Here, we are not talking exclusively about remote working. We are addressing the business partners and other third-party organizations, such as external IT support companies, that authenticate to the corporate environment daily. Tools need to be leveraged to remove their access to privileged accounts, and secure remote access solutions can also remove their direct connectivity to the network.
The region has seen a lot of technology sprawl as COVID-19 forced people to migrate to the cloud. When perfecting the M2M security model, it is important to keep it simple. This principle should be adhered to during design, maintenance, management, and update phase ands in the heat of incident response.
Endpoint privilege management, privileged password management, and secure remote access are all core solutions areas in privileged access management (PAM), a branch of cybersecurity that will become increasingly important to the region as governments and enterprises continue with their digitization ambitions.
Safety from malicious outside forces requires that we examine all aspects of our environment. Automation is gathering steam everywhere, and each day machines take on more responsibility for business operations. Whether physical or virtual, those machines need to be assigned identities, but we must ensure that their credentials cannot be hijacked for nefarious purposes. By adopting a multi-layered strategy like the five-point plan described here, regional organizations ensure that identities are not stored locally, and that they can use their machines with confidence to build the solutions of the future.
