Vol. 1 · Ed. 2026
CyberGlossary
Entry № 716

Machine Identity

Reviewed by Cybersecurity entrepreneur & security researcher

What is Machine Identity?

Machine Identity: The cryptographic identity of a non-human entity — workload, device, container, or API client — used to authenticate and establish trust with other systems.


Machine identities are the digital credentials that allow software to prove who it is. They include TLS certificates, SSH keys, API tokens, cloud workload identities, SPIFFE IDs, and code-signing certificates. As organisations adopt microservices, Kubernetes, and multi-cloud, the number of machine identities now vastly exceeds human ones, creating a sprawling attack surface. Managing them at scale requires automated issuance and rotation, a public-key infrastructure, secret-management platforms, and observability over expiry and misuse. Notable incidents involving stolen or expired certificates and signing keys highlight machine identity as a foundational concern of zero-trust architectures.

Examples

  1. A SPIFFE ID issued to a Kubernetes workload to authenticate calls between microservices via mTLS.

  2. An automated certificate issued by AWS Private CA to an IoT device for mutual TLS authentication.
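
In the first example, the receiving service still has to decide whether the SPIFFE ID presented over mTLS is one it trusts. The following Python sketch is an added example, not part of the original glossary entry: it validates an ID against the SPIFFE ID format rules and authorises only exact matches. The policy, trust domain and workload paths are constructed for illustration, and extracting the URI SAN from the peer certificate is assumed to happen before this check.

```python
import re

# Character sets taken from the SPIFFE ID specification (strict, lowercase form).
_TRUST_DOMAIN = re.compile(r"[a-z0-9._-]+")
_SEGMENT = re.compile(r"[A-Za-z0-9._-]+")

# Constructed policy: trust domain -> exact workload paths allowed to call us.
POLICY = {"prod.example.org": {"/ns/payments/sa/api"}}


def parse_spiffe_id(uri):
    """Return (trust_domain, path); raise ValueError if the ID is malformed."""
    if len(uri.encode("utf-8")) > 2048:
        raise ValueError("SPIFFE ID exceeds 2048 bytes")
    if not uri.startswith("spiffe://"):
        raise ValueError("scheme must be spiffe")
    trust_domain, slash, rest = uri[len("spiffe://"):].partition("/")
    if len(trust_domain) > 255 or not _TRUST_DOMAIN.fullmatch(trust_domain):
        raise ValueError("invalid trust domain")
    if not slash:
        return trust_domain, ""  # bare trust-domain ID, names no workload
    for segment in rest.split("/"):
        # Rejects empty segments (trailing or doubled slash), dot segments,
        # and anything with percent-encoding, query or fragment characters.
        if segment in (".", "..") or not _SEGMENT.fullmatch(segment):
            raise ValueError("invalid path segment %r" % segment)
    return trust_domain, "/" + rest


def authorize_peer(peer_uri, policy=POLICY):
    """Allow only an exact (trust domain, path) match; malformed IDs are denied."""
    try:
        trust_domain, path = parse_spiffe_id(peer_uri)
    except ValueError:
        return False
    return path in policy.get(trust_domain, set())


if __name__ == "__main__":
    for candidate in (
        "spiffe://prod.example.org/ns/payments/sa/api",            # allowed
        "spiffe://prod.example.org.evil.test/ns/payments/sa/api",  # other domain
        "spiffe://prod.example.org/ns/payments/sa/api/../admin",   # dot segment
        "spiffe://prod.example.org/ns/payments/sa/api/",           # trailing slash
    ):
        print(candidate, "->", authorize_peer(candidate))
```

Exact matching on both trust domain and path is deliberate: prefix or substring comparisons are what let a lookalike trust domain or an unnormalised path slip through.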

Frequently asked questions

What is Machine Identity?

The cryptographic identity of a non-human entity — workload, device, container, or API client — used to authenticate and establish trust with other systems. It belongs to the Identity & Access category of cybersecurity.

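How do you defend machine identities?

Defences for machine identities combine technical controls and operational practices: automated issuance and rotation, a public-key infrastructure, secret-management platforms, and observability over expiry and misuse, as described in the full definition above.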

What are other names for Machine Identity?

Common alternative names include: Workload identity, Non-human identity.
