What is a Machine Identity?
A machine identity represents devices, servers, containers, or workloads that authenticate to systems. Learn the types and how to manage them.
What is a Machine Identity?
Definition
A machine identity is the digital identity used by a device, server, container, virtual machine, or workload to authenticate to other systems. Unlike a human identity (which represents a person), a machine identity represents a non-human entity that needs to prove who it is when communicating, accessing data, or executing actions.
Machine identities are a major subset of Non-Human Identities (NHIs) and underpin TLS, mTLS, SSH, code signing, container-to-container auth, and most service-to-service authentication.
In simple terms:
A machine identity is what a server/container/device uses to say "I am this system" — and prove it cryptographically.
Why It Matters
- Volume — modern environments have millions of machine identities (every container, every cert, every key).
- Trust foundation — TLS / mTLS / SSH all rely on machine identities.
- Outage risk — expired or invalid machine identities cause major outages.
- Attack surface — stolen / forged certs / keys enable impersonation, MITM, lateral movement.
- Automation explosion — CI/CD, microservices, edge devices all need machine identities.
Types of Machine Identity
1. TLS Certificates
Used for server (and client) authentication over TLS.
2. mTLS Certificates
Both client and server present certs — common in service mesh, zero-trust networks.
3. SSH Keys
Used for SSH server authentication; also user-as-machine (e.g., CI key).
4. Code-Signing Certificates
Sign binaries / scripts / containers to prove origin and integrity.
5. SSL/TLS Client Certificates
Client identity for service-to-service.
6. Cloud Workload Identities
- AWS IAM roles for EC2 / EKS / Lambda.
- GCP service accounts attached to compute / GKE.
- Azure managed identities.
7. SPIFFE / SPIRE Identities
Standard for workload identity; X.509 certs / JWTs.
8. Federated Workload Identities
Workload Identity Federation — workload presents OIDC token; cloud issues short-lived credential.
9. Kerberos Service Principals
HTTP/web01.contoso.com style; used in AD environments.
10. API Keys / Secrets
Symmetric secret-based auth; not preferred but common.
11. Hardware Identities
TPM-backed keys; HSM keys; secure enclave identities.
Lifecycle of a Machine Identity
1. Provisioning
- Generate key pair.
- Issue cert (CA-signed).
- Distribute to workload.
2. Use
- Workload presents identity for authentication.
- Other party verifies.
3. Renewal / Rotation
- Before expiry; ideally automated (ACME, cert-manager).
4. Revocation
- When compromised or no longer needed.
5. Decommission
- When workload retired.
Common Issues
- Expired certificates causing outages (Microsoft, Cloudflare incidents).
- Self-signed certs for "convenience"; trust failures.
- Long-lived keys (10-year SSH keys still in use).
- Hardcoded SSH keys in code / CI.
- Unrotated mTLS in service mesh.
- No inventory — IT doesn't know what certs / keys exist.
- No ownership — when cert expires, no one knows who fixes it.
- Wildcard / overly broad certs create lateral movement risk.
Real-World Examples
1. Major Outage from Expired Cert
Production cert expired at 3 AM; mTLS broke; service down 6 hours. Mitigation: cert-manager auto-renewal + monitoring 30 days before expiry.
2. Stolen Code-Signing Cert
Attacker stole code-signing cert; signed malware that bypassed endpoint controls. Mitigation: HSM-backed signing; CI-only access; revocation + re-issuance.
3. SSH Key Sprawl
Org had 60K SSH keys across thousands of servers; no inventory. Compromised dev laptop yielded one key with access to 30% of servers. Mitigation: SSH cert authority (short-lived); inventory; rotation.
4. Workload Federation Replaces Static Keys
Migrating from SA JSON keys to Workload Identity Federation eliminated 800+ long-lived credentials and reduced compromise surface dramatically.
5. Self-Signed Cert in Production
Service used self-signed cert; downstream clients had cert validation disabled "to make it work." MITM possible across internal network. Mitigation: internal CA; automated cert issuance.
Best Practices
- Inventory all certificates and keys (CMDB / discovery tool).
- Owner per machine identity (team / individual).
- Automated lifecycle (ACME, cert-manager, CSI).
- Short-lived preferred; rotation default.
- Internal CA for internal services; trust chain managed.
- HSM / secure enclave for high-value identities (code-signing, root CA).
- Workload Identity Federation to replace static keys.
- Monitoring — expiry warnings, anomaly detection on cert use.
- Revocation capability tested.
- Standards — SPIFFE for workload identity.
Checklist
- Inventory of all machine identities?
- Owner per identity?
- Automated lifecycle (issuance / renewal)?
- Short-lived preferred?
- Internal CA in place?
- HSM for high-value?
- WIF replacing static keys?
- Expiry monitoring?
- Anomaly detection on cert use?
- Revocation tested?
- SPIFFE / standards-based identity?
How Forestall Helps
Forestall maps machine identities and credentials across environments, identifies stale / over-permissioned / unrotated identities, and tracks remediation.
Frequently Asked Questions
Is "machine identity" the same as "service account"?
Overlap but not identical. Service accounts are one form. Machine identity also includes certs, SSH keys, hardware identities.
Are TLS certs machine identities?
Yes — they identify a server (or client) for TLS authentication.
How long should machine identity credentials live?
As short as operationally feasible. Modern best practice: hours / days for service mesh; ≤ 1 year for TLS; ≤ 1 year for SSH cert authority.
What is SPIFFE?
Secure Production Identity Framework for Everyone — a standard for issuing workload identities (X.509 SVIDs / JWT SVIDs) at scale.
What's the most common machine identity failure mode?
Expired certificate causing outage. Automate renewal.
Conclusion
Machine identities underpin authentication for everything that isn't a human — devices, servers, containers, workloads. Inventory, automate lifecycle, prefer short-lived and federated identities, monitor expiry, and use standards (SPIFFE, ACME). Get this right and you eliminate entire classes of outages and breaches simultaneously.
Discover and govern every machine identity in your environment.
Forestall maps machine identities, certificates, and credentials across your stack.