Service Accounts Now More Numerous than Human Accounts

More on the IoT “Revolution” we have going on. Your IoT devices and other service accounts probably account for the bulk of the entries in your Active Directory or LDAP. When was the last time any of them had their credentials updated? What do those accounts access? When did you last audit them to be sure that those accounts aren’t accessing things they shouldn’t?

Some have proposed ephemeral certificates as a solution to this problem. However, there are mathematical limits to the number of certificates any given certificate authority (CA) can generate. Its a big number, but its still a hard limit. If we start burning through them using ephemeral certificates, I can see some companies hitting this limit and wondering what went wrong. Let me give you an example. Lets assume a large company of 350,000 employees with 22 work days per month. That equates to 92,400,000 certificates a year just to log in each morning. Add another log in after lunch and we are now at 184,800,000 and we haven’t done anything but log into our workstations or laptops. Add cell phones, tablets, servers, containers, applications, video conferencing, network equipment, and IoT devices like light bulbs, thermostats, coffee makers, refrigerators, copiers, printers, water sensors, etc. If you run an automated production line, each sensor will now need a certificate for relatively short periods of time.

And don’t forget the things that internal CAs are used for now, like intranet SSL certificates, code signing, and internal phone apps. You see where this is going. Even if the hard limit is a really big number, you could easily use that up in a fairly short period of time with a sufficiently large user base and/or number of devices.

This also brings in to question the idea of managing Certificate Revocation Lists (CRLs). CRLs will become critical in denying access yet this is one of the most under-utilized functions of the PKI suite. Most CAs are managed manually. The teams managing them spin up new certificates from Certificate Signing Requests (CSRs) generally via a ticket. AI will also become important in evaluating the flood of requests. Should this be granted or denied? Does your light bulb really need read access to that file folder?

Leave a Reply

Your email address will not be published. Required fields are marked *