The biggest challenge today in the digital security sphere is securing machine identities (digital entities such as APIs, software applications, and IoT devices), which are constantly being targeted due to the changing nature of cyber threats.
Kurt Sand, General Manager of CyberArk’s Machine Identity Security business, discusses the company’s journey into new frontiers of identity security for human and machine users. With its recent acquisition of Venafi, CyberArk is doubling down on securing machine identities, equipping organizations to reduce vulnerabilities at scale and protect their most valuable digital assets.
In this conversation, Sand spoke about emerging threats, the role of AI, and CyberArk’s strategy in framing the identity security of tomorrow.
Could you start by giving a brief overview of CyberArk and its mission?
At CyberArk, our mission is to secure every identity—both human and machine—with appropriate privilege controls. We view identities as a broad spectrum, ranging from workforce identities and administrators to developers and machine identities. CyberArk’s goal is to enable businesses to operate securely and efficiently, especially as we’re seeing over 90% of organizations report identity-related incidents, making this mission essential to building resilience.
CyberArk recently acquired Venafi, a leader in machine identity security. What was the strategy behind this acquisition?
Our mission is to secure all identities, including machine identities. We were already serving the machine identity space through secrets management, which involves handling API keys, account passwords, and tokens. However, a significant number of machine identities rely on certificates, an area in which Venafi specializes. This acquisition enables us to offer comprehensive machine identity security, covering both secrets and certificate-based identities. Now, we can help customers manage both certificate management and PKI alongside our existing identity solutions.
What are the main differences between human and machine identities from a security standpoint?
The primary difference lies in authentication. With human identities, we use known methods like facial recognition, fingerprints, or even ID verification. Machines, however, vary widely and require a diverse range of authentication methods. Additionally, they operate at a much larger scale—there are roughly 45 machine identities for every human identity. This scale and variation make it essential to manage machine identities differently from human identities.
Why has there been a shift toward focusing on machine identities in modern security strategies?
Unfortunately, we need to stay ahead of attackers, who are increasingly targeting machine identities as well as human ones. By securing machine identities, we can help reduce the overall risk profile for organizations. With machine identity attacks on the rise, our mission is to stay proactive in protecting both human and machine identities.
Machine identities are the new perimeter in cybersecurity. As organizations increasingly rely on automation and interconnected systems, securing these digital identities is no longer optional—it’s essential.
Could you share some common challenges organizations face when implementing privileged access management (PAM)?
CyberArk has evolved beyond PAM into a broader platform that includes identity access management, secrets management, certificate management, and PKI. However, a key challenge we see with machine identities is hard-coded secrets, where a developer may store a secret in plain text within code or files. This can expose sensitive information if these repositories are breached. Another challenge is “vault sprawl,” especially in the cloud. With hundreds of applications, each needing multiple vaults, it’s challenging to maintain consistent policies and hygiene across them.
Can you provide an example of a recent attack targeting machine identities?
A notable incident involved Uber, where a hard-coded secret in a script allowed attackers to access a cloud vault containing sensitive passwords. This breach highlights the risks of poorly managed secrets and the need for secure, encrypted storage of machine credentials.
API key breaches are becoming increasingly common. How can companies mitigate these risks?
First, it’s essential to store API keys in an encrypted vault. Additionally, implementing strong authentication and least-privilege access controls can limit the potential impact if a key is compromised. This approach helps reduce access to critical resources, even if a breach does occur.
CyberArk recently conducted research on rapid cloud adoption in India. What were the key findings?
We found that the trends in India are closely aligned with global findings. Specifically, 93% of Indian organizations reported experiencing two or more identity-related breaches, and they identified machine identities as the primary driver of identity growth. Interestingly, 53% of Indian companies still consider privileged users as human only, which shows that many organizations still overlook machine identities as potential access points.
How are AI and generative AI being leveraged in machine identity and PAM at CyberArk?
We’re utilizing AI in two main areas. First, we’re exploring “Co-pilots” to help users deploy our products more efficiently and configure policies accurately. Internally, we’re also using co-pilots to accelerate issue resolution in customer support. Second, in threat detection, we’re applying AI to identify suspicious activity, such as unusual interactions with secrets, which can indicate a potential attack.
Looking ahead, what are your predictions for the future of identity security in the context of AI and IoT?
The growth of software development, fuelled by AI tools, will continue to drive the creation of new applications and machine identities. Our research shows that 50% of Indian organizations expect machine identities to triple in the next year alone. With IoT also expanding rapidly, and cloud adoption driving microservices-based architecture, the landscape will only become more complex, requiring advanced identity security solutions to protect all these interconnected identities.
Kurt Sand
General Manager, CyberArk Machine Identity Security Business
aanchalg@cybermedia.co.in