{"id":951,"date":"2025-02-05T17:11:01","date_gmt":"2025-02-06T01:11:01","guid":{"rendered":"https:\/\/unmitigatedrisk.com\/?p=951"},"modified":"2025-02-05T17:11:01","modified_gmt":"2025-02-06T01:11:01","slug":"the-identity-paradox-if-its-an-identity-why-is-it-in-a-secret-manager","status":"publish","type":"post","link":"https:\/\/unmitigatedrisk.com\/?p=951","title":{"rendered":"The Identity Paradox: If It\u2019s an Identity, Why Is It in a Secret Manager?"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Enterprises love to talk about identity-first security\u2014until it comes to machines. Human users have IAM systems, SSO, MFA, and governance. But workloads? Their so-called identities are often just API keys and certificates stuffed into a secret manager.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">And that\u2019s the paradox. <strong>If we really believe workloads have identities, why do we manage them like passwords instead of enforcing real authentication, authorization, and lifecycle management?<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>The Real Problem: Secret Managers Aren\u2019t Enough<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Secret managers do what they\u2019re designed for\u2014secure storage, rotation, and access control. But that\u2019s not identity. <strong>A vault doesn\u2019t verify anything\u2014it just hands out secrets to whoever asks.<\/strong> That\u2019s like calling a password manager an MFA solution.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">And the real problem? <strong>Modern workloads are starting to do identity correctly\u2014legacy ones aren\u2019t. 
Meanwhile, machines, specifically TLS certificates, are getting more and more like workloads every day.<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Machines Are Becoming More Like Workloads, But Legacy Workloads Are Still Stuck in Machine-Era Thinking<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Attackers usually don\u2019t need to compromise the machine\u2014they don\u2019t even try. Instead, they target the <strong>workload<\/strong>, because that\u2019s what\u2019s:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Exposed to the outside world\u2014APIs, services, and user-facing applications.<\/li>\n\n\n\n<li>Running business logic\u2014the real target.<\/li>\n\n\n\n<li>Holding credentials needed for further compromise.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Modern workloads are <strong>starting<\/strong> to move past legacy machine identity models.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>They use <strong>short-lived credentials<\/strong> tied to runtime environments.<\/li>\n\n\n\n<li>They <strong>authenticate dynamically<\/strong>, not based on pre-registered certificates.<\/li>\n\n\n\n<li>Their identity is <strong>policy-driven and contextual<\/strong>, not static.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Meanwhile, <strong>legacy workloads are still trying to manage identity like machines<\/strong>, relying on:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Long-lived secrets.<\/li>\n\n\n\n<li>Pre-assigned credentials.<\/li>\n\n\n\n<li>Vault-based access control instead of dynamic attestation.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">And at the same time, <strong>machines themselves are evolving to act more like workloads.<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Certificate lifetimes used to be <strong>measured in years<\/strong>\u2014now they\u2019re weeks, days, or even hours.<\/li>\n\n\n\n<li>Infrastructure itself is 
ephemeral\u2014cloud VMs come and go like workloads.<\/li>\n\n\n\n<li>The entire model of <strong>pre-registering machines is looking more and more outdated.<\/strong><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">If this sounds familiar, it should. <strong>We\u2019ve seen this mistake before.<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Your Machine Identity Model is Just \/etc\/passwd in the Cloud\u2014Backed by a Database Your Vendor Called a Secret Manager<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">This is like taking <strong>every system\u2019s \/etc\/passwd file<\/strong>, stuffing it into a database, and distributing copies to every machine.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">And that\u2019s exactly what many secret managers are doing today:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\"><strong>That\u2019s not an identity system. That\u2019s a password manager\u2014just with all the same problems.<\/strong><\/p>\n<\/blockquote>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Storing <strong>long-lived credentials<\/strong> that should never exist in the first place.<\/li>\n\n\n\n<li>Managing <strong>pre-issued secrets instead of issuing identity dynamically.<\/strong><\/li>\n\n\n\n<li>Giving access based on <strong>who has the key, not what the workload actually is.<\/strong><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Secret managers still have their place. But if your workload identity strategy <strong>depends entirely on a vault<\/strong>, you\u2019re just doing machine-era identity for cloud workloads\u2014or a bunch of manual preregistration and processes.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Modern workloads aren\u2019t doing this anymore. 
<strong>They request identity dynamically when they start, and it disappears when they stop.<\/strong> Machines are starting to do the same.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>The Four Big Problems with Workload Identity Today<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>1. No Real Authentication \u2013 Possession \u2260 Identity<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Most workload &#8220;identities&#8221; boil down to possessing an API key or certificate, which is like saying:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">\u201cIf you have the password, you must be the right user.\u201d<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">That\u2019s not authentication. Workload identity should be based on what the workload is, not just what it holds. This is where attestation comes in\u2014like MFA for workloads. Without proof that a workload is valid, a secret is just a reusable token waiting to be stolen.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>2. No Dynamic Identification \u2013 Workloads Aren\u2019t Pre-Registered<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Unlike humans, workloads don\u2019t have pre-verified identities. They don\u2019t exist until they do. That means:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Credentials can\u2019t be issued ahead of time\u2014because the workload isn\u2019t there yet.<\/li>\n\n\n\n<li>Static identifiers (like pre-registered certs) don\u2019t work well for ephemeral, auto-scaling workloads.<\/li>\n\n\n\n<li>The only way to know if a workload should exist is to verify it in real-time.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">We\u2019ve moved from static servers to workloads that scale and move dynamically. Machine identity needs to follow.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>3. 
Shorter Credential Lifetimes Aren\u2019t the Problem\u2014They\u2019re Exposing the Real One<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Shorter credential lifetimes are making security better, not worse. The more often something happens, the better you get at doing it right. But they\u2019re also highlighting the weaknesses in legacy identity management models:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Workloads that relied on static, pre-provisioned credentials are now failing because they weren\u2019t designed for rotation.<\/li>\n\n\n\n<li>Teams that never had to deal with automated credential issuance are now struggling because their process was manual, either in effect or literally.<\/li>\n\n\n\n<li>The more often a system has to handle identity dynamically, the more obvious its weak points become.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Short-lived credentials aren\u2019t breaking security\u2014they\u2019re exposing the fact that we were never doing it right to begin with.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>4. Workloads Are Ephemeral, but Secrets Stick Around<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">A workload can vanish in seconds, but its credentials often outlive it. If a container is compromised, its secret can be exfiltrated and reused indefinitely unless extra steps are taken.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">\u201cThree people can keep a secret\u2014if two are dead.\u201d<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">The same applies here. A workload might be long gone, but if its secrets are still floating around in a vault, they\u2019re just waiting to be misused. 
And even if the key is stored securely, nothing stops an attacker who compromises an application from taking its secret and using it elsewhere in the network, or often outside of it.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>What This Fixes<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">By breaking these problems out separately, we make it clear:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Attackers go after workload credentials, not the machine itself\u2014because workloads are exposed, hold secrets, and run business logic.<\/li>\n\n\n\n<li>Machines need authentication, but workloads need dynamic, verifiable identities.<\/li>\n\n\n\n<li>Pre-registration is failing because workloads are dynamic and short-lived.<\/li>\n\n\n\n<li>Short-lived certs aren\u2019t the issue\u2014they\u2019re exposing that static credential models were never scalable.<\/li>\n\n\n\n<li>Secrets should disappear with the workload, not persist beyond its lifecycle.<\/li>\n\n\n\n<li>The divide between machine and workload identity is closing\u2014legacy models just haven\u2019t caught up.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>This Shift Is Already Happening<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Workload identity is becoming dynamic, attested, and ephemeral. Some teams are solving this with emerging approaches like <strong>SPIFFE<\/strong> for workloads and <strong>ACME<\/strong> for machines. The key is recognizing that <strong>identity isn\u2019t a stored artifact\u2014it\u2019s a real-time state.<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Machines used to be static, predictable entities. You\u2019d assign an identity and expect it to stick around for years. 
But today, cloud infrastructure is ephemeral\u2014VMs come and go, certificates rotate in hours, and pre-registering machines is looking more and more like an outdated relic of on-prem identity thinking.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Modern workloads are starting to do identity correctly\u2014legacy ones aren\u2019t. Machines, specifically TLS certificates, are getting more and more like workloads every day.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Attackers usually care less about your machine&#8217;s identity. They care about the API keys and credentials inside your running applications.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If an identity is just a credential in a vault, it\u2019s not identity at all\u2014it\u2019s just a <strong>password with a fancier name.<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Enterprises love to talk about identity-first security\u2014until it comes to machines. Human users have IAM systems, SSO, MFA, and governance. But workloads? Their so-called identities are often just API keys and certificates stuffed into a secret manager. And that\u2019s the paradox. 
If we really believe workloads have identities, why do we manage them like passwords [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-951","post","type-post","status-publish","format-standard","hentry","category-security","category-thoughts"],"_links":{"self":[{"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/posts\/951","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=951"}],"version-history":[{"count":0,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/posts\/951\/revisions"}],"wp:attachment":[{"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=951"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=951"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=951"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}