Safeguarding machine identities shapes up as next frontier in cybersecurity

New tools needed to lock down networks as hackers find lucrative channel to exploit


Companies spend about $8 billion a year on identity and access management (IAM) systems, geared to keep track of humans, but spend practically nothing guarding machine identities. This is a problem because, according to consultancy firm Gartner, 50 percent of all network attacks in 2017 will use stolen or forged machine identities to launch the attack.

Just as people use names and passwords to get onto the network and identify themselves to a machine, the machine also needs to have an “identity” by which it can be identified, verified, and allocated particular permissions. If not, we—or the other people and machines on our network—could be talking to the wrong person or the wrong machine.


By stealing or using a forged machine identity, the hackers can pretend to be the “right” machines with the right permissions to infiltrate your network, access your data, or launch an attack. In fact, locking down machine identities currently is on a curve to become a major growth sector of cybersecurity.

Scammers find a new loophole

The situation is compounded because the bad guys know that most people don’t invest in securing the identities of the machines on their network, so they are stealing machine identities and launching attacks with gusto.

Jeff Hudson, Venafi CEO

I had a chance at Black Hat 2017 to meet with Jeff Hudson, CEO of Venafi, a leading vendor of machine identity security technologies. A convergence of developments is bringing this to a head:

• The number of machines on the network is growing
• The machines are getting more capable
• The machines are communicating between themselves without human intervention
• Digitalization is driving increasing value into the digital world, making cyber crime increasingly lucrative

Growth of cloud, connectivity is catalyst

The digitization of our human world means more and more aspects of our lives are controlled or influenced by machines. Examples of this include hardware devices, software that runs in the cloud, jet planes, ATMs, driverless cars, giant earth-moving equipment, and defense equipment.

Hudson observes: “The reason it’s important is that [machines] are getting really capable. Identity is coming into play because these things have to connect, they have to talk to each other, and they have to identify each other.”

Given this new reality, the stark gap between what we invest in protecting people’s online identities and what we invest in protecting machine identities begins to look absurd and, frankly, dangerous.

In some cases, machines are responsible for actions that could have more potential impact than many humans. We give these machines identities but we don’t protect those identities. Or, as Hudson points out: “We don’t watch them; we don’t make sure they aren’t stolen, we don’t make sure they are not duplicated.”

No built-in protection

According to Hudson, users have been playing catch-up from the very beginning. If you go back to the beginning of computing, nobody really conceptualized that people would use it in a nefarious sense. So, there was not that security built in from the beginning.

Early mainframes and mini-computers didn’t have passwords or usernames: one simply connected to them.

“Then everybody figured out ‘wow, the bad guys are connecting to them—we’d better put usernames and passwords on them,’ ” Hudson said. “So, they shipped them out with the same username and password on every one!”

Security, even today, is an afterthought. Says Hudson: “Every evolutionary step of technology always comes out with functions and features first, and we’ll say ‘well, we’ll secure it later on, let’s get it to work first.’ Let’s get it to drive a car – and then we’ll worry about the security on it. In the creation of the internet, security was the second thought, so it’s a fundamentally insecure platform. Now, we’re coming back and trying to secure it.”

According to Hudson, the bad guys aren’t going to stop; they are just getting more sophisticated. He predicts the number of attacks in the cyber realm will continue to escalate because so much value is moving up into it.

Underestimating machines’ power

Hudson suggests: “The attackers are people who want to steal things for money, and they want to disrupt things for political purposes. … The bottom line is we need to know who is on the network.”

A key question is why people are not paying attention to the threat. Hudson suggests it is because “we are humans, and we look at everything through the eyes of humans” and people find it difficult to conceptualize that machines are as powerful as they are.

He adds: “Identity is the foundation for everything. If you cannot identify the actors—people and machines—you cannot secure the network. … And people don’t really understand that, even some security professionals. But the bad guys do understand this—and they are attacking it.”

For a deeper drill down, please listen to the accompanying podcast.
