New Capability: Machine Identity Security!

Description

Machine Identity Security offers the fastest path in the market to govern service accounts, bots, and other machine identities, with assigned owners and completed reviews through a familiar certification process.

Problem

“We have thousands of privileged service accounts. We often don’t know their purpose or owner. We’re tracking them in a spreadsheet. These accounts need to be reviewed to prevent an incident.” - Anonymous, Identity Security Cloud Administrator

Many organizations have thousands of privileged service accounts, bots, and other machine accounts with minimal governance in place.

Relying on attributes in Active Directory, siloed databases, and outdated Excel spreadsheets to track account ownership and purpose erodes trust, leading to unreviewed accounts remaining active.

These neglected accounts are widely recognized security risks that could lead to damaging breaches.

  • 83% of organizations experienced at least one machine account takeover in the past year
  • 72% of identity professionals say machine identities are more difficult to manage than human identities
  • 75% of machine accounts have no designated owner

Solution

Machine Identity Security is quick to set up, flexible to configure, and ensures machine account data are always up-to-date. Its core capabilities are:

Classification: A simple tool that works like role membership matching to tag your machine accounts.

Ownership Assignment: Aggregate your owners from the source and then keep them up-to-date in Account Management.

Machine Identity Assignment: Group your machine accounts into apps or services to keep them organized.

Certification: Review machine account access and revoke it as-needed.

Demo

Who is affected?

Machine Identity Security will be available to Identity Security Cloud (ISC) Business and Business Plus customers as an add on SKU only.

Important Dates

Machine Identity Security will launch October 22, 2024 at Navigate.

1 Like

When will we be able to see this as an option to configure for sources, as shown in the demo?

Hi Alexander,

This is available in production today.

Machine Identity Security will be available to Identity Security Cloud (ISC) Business and Business Plus customers as an add on SKU. You may want to check with your Client Success Manager about your current licensing options.

Hello @kirby_fitch,

That sounds very useful. How will you manage the leaver process if the machine account owner leaves the organization?
Let me explain: we have the Active Directory source with some AD accounts, and a manager who has their human AD account and is the owner of 2 AD machine accounts. As it is configured, the human AD account is disabled and moved to the disabled users OU. How can we identify the machine account, not disable that AD account, and set it as an uncorrelated account?

Kind regards,
Pablo

2 Likes

Hi @pablonovoa

There is a big difference between these two:

  • Personal accounts are correlated to an identity.
  • Service accounts, bots, and other machine accounts are owned by an identity.

Lifecycle management configurations that disable accounts when someone leaves will run against those correlated personal accounts. We’ll create separate and distinct lifecycle management configurations that move owned accounts to a manager with a notification.
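To make the correlated-versus-owned distinction concrete, here is an added Python illustration; it is not SailPoint code and does not use any ISC API. It models an AD-like source where personal accounts carry a correlation attribute (employee_id) and machine accounts carry an owner attribute (owner_id), runs the leaver scenario from the question through a naive rule that disables everything linked to the leaver (taking the service accounts down with them), and then through separated rules that disable only correlated accounts and reassign owned accounts to the manager with a notification. The attribute names, the "svc-" classification rule, the OU strings and the identities and accounts in sample_data() are all constructed for the example.

```python
"""Added illustration, not SailPoint code: a leaver process that keeps
accounts *correlated* to an identity (personal) apart from accounts
*owned* by an identity (service accounts). All attribute names, rules,
OUs and sample records below are assumptions for the example."""
from dataclasses import dataclass
from typing import Dict, List, Optional

DISABLED_OU = "OU=Disabled Users,DC=example,DC=com"   # assumed OU


@dataclass
class Account:
    name: str                            # sAMAccountName
    employee_id: Optional[str] = None    # correlation attribute (personal accounts)
    owner_id: Optional[str] = None       # owning identity (machine accounts)
    enabled: bool = True
    ou: str = "OU=Users,DC=example,DC=com"


@dataclass
class Identity:
    identity_id: str
    employee_id: str
    manager_id: Optional[str] = None


def is_machine_account(acct: Account) -> bool:
    """Classification rule (assumed): an attribute/pattern match in the spirit
    of role-membership matching. A 'svc-' prefix, or an owner attribute with
    no correlation attribute, tags the account as a machine account."""
    return acct.name.lower().startswith("svc-") or (
        acct.employee_id is None and acct.owner_id is not None)


def correlated_accounts(accounts: List[Account], ident: Identity) -> List[Account]:
    """Personal accounts correlated to the identity via employee_id."""
    return [a for a in accounts
            if not is_machine_account(a) and a.employee_id == ident.employee_id]


def owned_accounts(accounts: List[Account], ident: Identity) -> List[Account]:
    """Machine accounts whose owner attribute points at the identity."""
    return [a for a in accounts
            if is_machine_account(a) and a.owner_id == ident.identity_id]


def naive_leaver(accounts: List[Account], leaver: Identity) -> List[str]:
    """The failure mode from the question: anything linked to the leaver by
    correlation OR ownership is treated as personal and disabled, so the
    owner's service accounts go down with them."""
    touched = []
    for a in accounts:
        if a.employee_id == leaver.employee_id or a.owner_id == leaver.identity_id:
            a.enabled, a.ou = False, DISABLED_OU
            touched.append(a.name)
    return touched


def leaver_process(accounts: List[Account], identities: List[Identity],
                   leaver: Identity) -> Dict[str, List[str]]:
    """Separated rules: correlated accounts are disabled and moved; owned
    accounts stay enabled and move to the leaver's manager with a
    notification. With no manager the account is flagged as orphaned rather
    than silently left owned by someone who has gone."""
    by_id = {i.identity_id: i for i in identities}
    result: Dict[str, List[str]] = {"disabled": [], "reassigned": [],
                                    "orphaned": [], "notifications": []}
    for a in correlated_accounts(accounts, leaver):
        a.enabled, a.ou = False, DISABLED_OU
        result["disabled"].append(a.name)
    manager = by_id.get(leaver.manager_id) if leaver.manager_id else None
    for a in owned_accounts(accounts, leaver):
        if manager is None:
            a.owner_id = None
            result["orphaned"].append(a.name)
            continue
        a.owner_id = manager.identity_id
        result["reassigned"].append(a.name)
        result["notifications"].append(
            f"to={manager.identity_id}: you now own {a.name} "
            f"(previous owner {leaver.identity_id} has left)")
    return result


def sample_data():
    """Constructed sample: a manager, a leaver with one personal account and
    two service accounts, and an unrelated user."""
    identities = [Identity("id-boss", "E100"),
                  Identity("id-pablo", "E200", manager_id="id-boss")]
    accounts = [Account("pnovoa", employee_id="E200"),
                Account("svc-backup", owner_id="id-pablo"),
                Account("svc-etl", owner_id="id-pablo"),
                Account("jdoe", employee_id="E300")]
    return accounts, identities


if __name__ == "__main__":
    accts, ids = sample_data()
    print("naive:", naive_leaver(accts, ids[1]))        # service accounts disabled too
    accts, ids = sample_data()
    print("separated:", leaver_process(accts, ids, ids[1]))
```

The point of the orphaned bucket is the check a practitioner wants: when the owner's manager is unknown, the service account should surface for a manual owner assignment instead of staying attached to a departed owner, which is exactly the "no designated owner" state the announcement describes.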

Hello @kirby_fitch,

It’s a great functionality and I am very excited to know more about this. Meanwhile I have a question: as we already know, a single identity in ISC can hold only up to 100 human accounts. Is it the same case with machine identities as well? So when we set up the machine identity field for a source, will it map all the machine accounts to a business application based on the attribute chosen? I mean, what happens if there are more than 100 machine accounts for a business application? Will it first correlate 100 machine accounts and the rest of the accounts remain in an uncorrelated state? It is a generic use case; business applications tend to have hundreds of accounts.

Thanks,
Rohan

Hi @RohanBhat10 the 100 account to identity limit only applies for human accounts to human identities. Machine Identity Security supports thousands of machine accounts to a single machine identity.

Thanks for the update @kirby_fitch. That’s good to know. One more thing: does Machine Identity Security support provisioning of groups to machine accounts? The access request APIs expect us to pass an identity ID, so the request will be granted to a user, which then checks whether the requested access is present in the target source or not and provisions accordingly. But for a machine identity, since multiple machine accounts are mapped to it, I am just curious to know how provisioning would work, if it is supported at all.

Thanks!

1 Like

@kirby_fitch Thanks for sharing this. I have a question regarding creating service accounts in Active Directory. Is it possible to use this feature to create a new service account in Active Directory just like a human account?

I have the same concern too. When I asked whether provisioning of groups is possible, it was also about trying to create the account in the target. One way to do that is by provisioning a role to a user. What concerns me is that, with multiple service accounts tied to a single machine identity, I wanted to know how ISC would allow us to provision groups on one of the accounts, or how we would trigger create account for a machine identity.

@kirby_fitch, if you could give some insights on this it would be very helpful. Thank you!

1 Like

Hi Kirby,

With machine identity, I understand how an account can be discovered, connected to a machine identity, and access can be certified. How does machine identity solve for the creation of machine security accounts and the request and provisioning of access to those accounts?

1 Like

Hi Rohan,

This isn’t supported yet. We plan to build a request process that’s similar to what you’re accustomed to but specific to machine identities. We’ll share more information about our roadmap in the coming months.

Hi Rahul,

This isn’t supported yet. We plan to build a request creation process that enables end users to request new accounts. This item is in progress and we’ll share more information when we’re able.

1 Like

Hi Eric,

We’ve got work in progress to support the creation of machine accounts. We’ll share more information when we’re able. We’ll tackle request access processes once creation is supported. Thanks for reviewing the product!

Hi Kirby,
Great to see you are improving the functionality around machine identities.
However, many of our machine identities do not have any access, but simply an account. Therefore, they will never appear in a certification campaign, as these are centered around access items.

Will you at some point look into expanding the certification capabilities to certify accounts as well?

Best, Christian

@kirby_fitch do you have more information about the access request process for machine identities? We’re in the middle of a renewal and use the access request APIs for “machine” identities currently treated as human identities. We wouldn’t want to switch over if there is no access request process for them that mirrors our current process.

Yes, Christian. There is more to reviewing machine accounts than approving or revoking their access. Some of the questions we know you want to answer are:

  • Is this account owned by the right person?
  • Is it mapped to the correct application?
  • How’s the description?
  • Should it still exist?

We started with approve/revoke access but our ambition is to answer more of these questions in the longer term.

1 Like

Hi Mark,

Someone from your SailPoint account team will be reaching out about this one. Thanks!