Securing the next wave of workload identities in the cloud

by Wikdaily
According to one report, many enterprises are unaware of the number of machine IDs they own — the study found “45 times more machine identities than human ones,” most of which go untracked, as noted in a VentureBeat analysis. In our case, I estimate we had hundreds of these identities, far more than we realized. 

Cloud identity sprawl in the multi-cloud era

This is the new battleground in cloud security. While we often hear about threats like phishing or ransomware, a more insidious risk is on the rise — machine identities. In a multi-cloud environment, the number of credentials for each microservice, virtual machine (VM) or serverless function can quickly spiral out of control. We found ourselves managing half a dozen IAM systems without a unified view of them. Roles like “etl-service” in one cloud were performing the same function as “etl-worker” in another, and we were struggling to keep track of the duplicates.

It was easy to make mistakes. In our rush to deliver, we gave many service accounts broad admin rights, planning to narrow them down later. The statistics are clear: In its 2024 Top Threats report, the Cloud Security Alliance ranked IAM as the number one concern. That includes human and machine accounts. In practice, a stolen or misused machine identity lets an attacker move laterally — after all, workloads are supposed to trust each other.
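The two problems described above, cross-cloud duplicates and broadly scoped service accounts, can be surfaced from a single merged inventory. The following is an added example, not tooling from the article or its author; the inventory records, field names, normalised action strings and suffix list are constructed assumptions.

```python
import re
from itertools import combinations

# Constructed sample: workload identities exported from several clouds and
# normalised into one list. Field names and action strings are assumptions.
INVENTORY = [
    {"cloud": "aws", "name": "etl-service",
     "actions": {"storage:read", "queue:consume", "warehouse:write"}},
    {"cloud": "gcp", "name": "etl-worker",
     "actions": {"storage:read", "queue:consume", "warehouse:write"}},
    {"cloud": "azure", "name": "report-builder", "actions": {"*"}},
    {"cloud": "aws", "name": "billing-api", "actions": {"db:read", "iam:*"}},
    {"cloud": "gcp", "name": "thumbnailer",
     "actions": {"storage:read", "storage:write"}},
]

# Hypothetical naming suffixes that carry no functional meaning.
ROLE_SUFFIX = re.compile(r"[-_](service|worker|svc|sa|job|runner)$")

def stem(name):
    """Strip a generic suffix so etl-service and etl-worker compare equal."""
    return ROLE_SUFFIX.sub("", name.lower())

def jaccard(a, b):
    """Overlap of two action sets, 0.0 (disjoint) to 1.0 (identical)."""
    return len(a & b) / len(a | b) if a | b else 0.0

def likely_duplicates(inventory, threshold=0.8):
    """Pairs in different clouds with the same name stem or near-identical actions."""
    pairs = []
    for x, y in combinations(inventory, 2):
        if x["cloud"] == y["cloud"]:
            continue
        overlap = jaccard(x["actions"], y["actions"])
        if stem(x["name"]) == stem(y["name"]) or overlap >= threshold:
            pairs.append((f"{x['cloud']}/{x['name']}",
                          f"{y['cloud']}/{y['name']}", round(overlap, 2)))
    return pairs

def broad_identities(inventory):
    """Identities holding a bare '*' or a service-wide wildcard such as 'iam:*'."""
    return sorted(f"{i['cloud']}/{i['name']}" for i in inventory
                  if any(a == "*" or a.endswith(":*") for a in i["actions"]))

if __name__ == "__main__":
    for pair in likely_duplicates(INVENTORY):
        print("possible duplicate:", pair)
    for ident in broad_identities(INVENTORY):
        print("broad grant, review scope:", ident)
```

Comparing action sets as well as names catches identities that do the same job under unrelated names, which name matching alone would miss.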
