New Capability: Machine Identity Security!

Description

Machine Identity Security offers the fastest path in the market to govern service accounts, bots, and other machine identities, with assigned owners and completed reviews through a familiar certification process.

Problem

“We have thousands of privileged service accounts. We often don’t know their purpose or owner. We’re tracking them in a spreadsheet. These accounts need to be reviewed to prevent an incident.” - Anonymous, Identity Security Cloud Administrator

Many organizations have thousands of privileged service accounts, bots, and other machine accounts with minimal governance in place.

Relying on attributes in Active Directory, siloed databases, and outdated Excel spreadsheets to track account ownership and purpose erodes trust, leading to unreviewed accounts remaining active.

These neglected accounts are widely recognized security risks that could lead to damaging breaches.

  • 83% of organizations experienced at least one machine account takeover in the past year
  • 72% of identity professionals say machine identities are more difficult to manage than human identities
  • 75% of machine accounts have no designated owner

Solution

Machine Identity Security is quick to set up, flexible to configure, and ensures machine account data are always up to date. Its core capabilities are:

Classification: A simple tool that works like role membership matching to tag your machine accounts.

Ownership Assignment: Aggregate your owners from the source and then keep them up-to-date in Account Management.

Machine Identity Assignment: Group your machine accounts into apps or services to keep them organized.

Certification: Review machine account access and revoke it as needed.

Demo

Who is affected?

Machine Identity Security will be available to Identity Security Cloud (ISC) Business and Business Plus customers as an add-on SKU only.

Important Dates

Machine Identity Security will launch October 22, 2024 at Navigate.

When will we be able to see this as an option to configure this for sources as shown in the demo?

Hi Alexander,

This is available in production today.

Machine Identity Security will be available to Identity Security Cloud (ISC) Business and Business Plus customers as an add-on SKU. You may want to check with your Client Success Manager about your current licensing options.

Hello @kirby_fitch,

That sounds very useful. How will you manage the leaver process if the machine account owner leaves the organization?
Let me explain: we have the Active Directory source with some AD accounts, and a manager who has his human AD account and is the owner of 2 AD machine accounts. As it is configured, the human AD account is disabled and moved to the disabled users OU. How can we identify the machine accounts so that we don't disable those AD accounts, and instead set them as uncorrelated accounts?

Kind regards,
Pablo

Management of service accounts now available in ISC:

  • Possible to use the same source for human and service accounts, with detection based on attribute criteria
  • Owner and “machine identity” assignment (auto with attribute rules or manual)
  • API read/update endpoints available
  • Certification by the account owner with fallback to the source owner

Demo available in the article (23 minutes)

Hi @pablonovoa

There is a big difference between these two:

  • Personal accounts are correlated to an identity.
  • Service accounts, bots, and other machine accounts are owned by an identity.

Lifecycle management configurations that disable accounts when someone leaves will run against those correlated personal accounts. We’ll create separate and distinct lifecycle management configurations that move owned accounts to a manager with a notification.
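To make the distinction in the reply above concrete, here is an added illustrative model in Python. It is not SailPoint ISC code and does not describe how ISC implements the feature; it only shows the logic of classifying accounts from one AD source by attribute criteria, correlating personal accounts to an identity while assigning an owner to machine accounts, and then running a leaver event that disables the correlated accounts but reassigns the owned ones to the leaver's manager. The attribute names (distinguishedName, servicePrincipalName, employeeID, managedBy), the classification rules and the sample identities and accounts are all assumptions constructed for the example.

```python
# Added illustrative model of "correlated" vs "owned" accounts; not SailPoint ISC code.
# Attribute names (distinguishedName, servicePrincipalName, employeeID, managedBy) are
# assumptions chosen to look like Active Directory; the sample data is constructed.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Identity:
    id: str
    manager: Optional[str]          # manager identity id, None at the top of the chain
    active: bool = True


@dataclass
class Account:
    name: str
    attributes: dict = field(default_factory=dict)
    correlated_to: Optional[str] = None   # a personal account IS this identity
    owner: Optional[str] = None           # a machine account is OWNED BY this identity
    disabled: bool = False


# Classification criteria, in the spirit of role-membership matching: an account is a
# machine account when any rule matches its source attributes (rules are assumptions).
MACHINE_RULES = [
    lambda attrs: "ou=service accounts" in attrs.get("distinguishedName", "").lower(),
    lambda attrs: bool(attrs.get("servicePrincipalName")),
    lambda attrs: attrs.get("employeeType", "").lower() == "service",
]


def classify(acct: Account) -> str:
    return "machine" if any(rule(acct.attributes) for rule in MACHINE_RULES) else "personal"


def assign(accounts, identities):
    """Correlate personal accounts to an identity; give machine accounts an owner taken
    from a source attribute (assumed here to be 'managedBy')."""
    for acct in accounts:
        if classify(acct) == "personal":
            acct.correlated_to = acct.attributes.get("employeeID")
        else:
            owner = acct.attributes.get("managedBy")
            # An owner that does not resolve to a known identity is left unassigned so the
            # account appears in unowned() instead of silently belonging to nobody.
            acct.owner = owner if owner in identities else None


def unowned(accounts):
    """Machine accounts that still need an owner assigned."""
    return [a.name for a in accounts if classify(a) == "machine" and a.owner is None]


def leaver(identity_id, accounts, identities):
    """Leaver event. Correlated personal accounts are disabled; owned machine accounts are
    never disabled but are moved to the leaver's manager, with a notification per account."""
    identities[identity_id].active = False
    new_owner = identities[identity_id].manager
    notifications = []
    for acct in accounts:
        if acct.correlated_to == identity_id:
            acct.disabled = True
        elif acct.owner == identity_id:
            acct.owner = new_owner          # None if the leaver had no manager: lands in unowned()
            notifications.append(
                f"{acct.name}: owner changed from {identity_id} to {new_owner or 'UNASSIGNED'}"
            )
    return notifications


def build_sample():
    """Constructed sample: one AD source holding both personal and machine accounts."""
    identities = {
        "pablo": Identity("pablo", manager="maria"),
        "maria": Identity("maria", manager=None),
    }
    accounts = [
        Account("pnovoa", {"distinguishedName": "CN=pnovoa,OU=Users,DC=corp,DC=example",
                           "employeeID": "pablo"}),
        Account("svc-backup", {"distinguishedName": "CN=svc-backup,OU=Service Accounts,DC=corp,DC=example",
                               "managedBy": "pablo"}),
        # Lives in the users OU, but the SPN rule still classifies it as a machine account.
        Account("svc-sql", {"distinguishedName": "CN=svc-sql,OU=Users,DC=corp,DC=example",
                            "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"],
                            "managedBy": "pablo"}),
        Account("svc-legacy", {"distinguishedName": "CN=svc-legacy,OU=Service Accounts,DC=corp,DC=example",
                               "managedBy": "someone-who-left-years-ago"}),
    ]
    return accounts, identities


if __name__ == "__main__":
    accounts, identities = build_sample()
    assign(accounts, identities)
    print("unowned before leaver:", unowned(accounts))
    for line in leaver("pablo", accounts, identities):
        print(line)
    print("disabled:", [a.name for a in accounts if a.disabled])
    print("unowned after leaver:", unowned(accounts))
```

The point of the model is that the leaver logic keys on two different fields: `correlated_to` drives disabling, `owner` drives reassignment, so a machine account owned by the leaver is never touched by the disable path even when it sits in the same source (or the same OU) as the leaver's personal account. Accounts whose source-side owner does not resolve to a known identity stay in `unowned()` until someone assigns them, which is the population a certification campaign would target.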