With everything that's going on in the world—increasingly larger threats and ransomware—cryptography asset management is more important than ever for the Global 5,000 to embrace. We’ve seen the cyber threat complexifying. Bad actors are becoming more and more advanced. They also leverage techniques that sometimes exploit machine identities to perpetrate a variety of attacks.
On top of that is the looming approach of post quantum and the quantum computer. Back when we founded InfoSec Global (ISG) in 2013, we went to customers and started discussing cryptography and everybody was looking at us and saying, “oh, cryptography is maybe for some particular guys in the organization.” But now we are meeting with many types of people within organizations. Banks are a good example of enterprises that have really started to build programs for cryptographic modernization as they become more aware that it’s critical to them. I think that's why we are seeing this momentum for cryptography, and not only for technical people, but also for top management as well. We are seeing more budgets allocated for cryptography, because crypto is very transversal across organizations. As cryptography’s profile increases, it puts a spotlight on machine identities.
Historically speaking, Global 5,000 organizations have not approached cryptography asset management very well. It's been a very manual, disjointed, fragmented process. Why? Well, cryptography is spread out across these large organizations. There are hundreds or even thousands of instances of these assets, from encryption to digital certificates, to keys and so on.
To start with, most large organizations have no idea what they're dealing with and where their cryptography assets are located and being used. A lot of times, crypto assets are introduced from outside sources—such as through acquired companies or new products. A large majority of organizations are probably vulnerable without even knowing it. It's really been a blind spot. Every once in a while, they find old cryptography and it's a very labor-intensive process to go in and swap out vulnerable cryptography. Sometimes it's embedded within the source code, so they must go in and basically mess with the source code, and many lack the expertise to do that.
What ISG brings to the table is something we call crypto-agility, which basically allows enterprises to go in and approach cryptography management in a more unified, less fragmented and more automated fashion. Using a single platform or dashboard saves them a ton of time and effort. In a nutshell, that's how we’ve done it, and that is our unique value.
Our AgileSec platform helps organizations find and analyze where all their cryptography assets sit across the network, across the applications, various hosts, etc. Our tool is very good at sniffing out the shadow IT that might be lurking across the network and in different applications—even the hidden crypto that might not have been implemented correctly or might not have the right configuration. That's the first step. The tool will go in and help the organizations find it. And then the tool will also help rank the severity of the threat level. That’s important because you can have a whole list of instances that it finds, but unless you can prioritize actions based on severity and threat level, it doesn't do you a whole lot of good. You just won't know where to start.
But now let’s talk about identities. I think machine identities are the first layer, and that's usually where ISG starts, because they have the most potential to be abused. The AgileSec platform searches for machine identities since detection capabilities are a vital step for us.
As I said earlier, many organizations don't really know what machine identities they have. People generate certificates, and then they don't know what people are doing with those identities. Are they using the machine identities in the right way? Where are those machine identities stored? And that's where ISG and Venafi come in. ISG can find those identities, wherever they are embedded, and then we'll feed that data back to Venafi.
The product we have, AgileSec Analytics, is hunting for any type of cryptography—machine identities, certificates, keys, libraries, algorithms—across infrastructures at scale. When we help customers do a cryptographic discovery or inventory, we are not looking at just a few systems or a few hubs, we are looking at hundreds of thousands of systems that are running in their infrastructure. That's where a tight integration with Venafi is advantageous. Across a large organization with a hundred thousand hosts, ISG can detect every certificate that is present within it. This includes certificate files, certificates that are integrated into, let's say, configuration, but also into an application. And that’s a great value, because when you look into all the systems that exist today, there are systems that can scan a machine but those usually just focus on, let's say, classical certificate files, temp files and things that are using just a classical extension. But we go much deeper, we can even detect certificate keys and cryptography that is within binaries.
Scalability is critical
One of the biggest benefits is the scalability and the architecture that we have. It's not something that is constrained to just a few systems or a few hosts. It can scale at large and can repurpose existing scans from sensors. An organization’s investment in cryptography is important, and we can help them leverage that investment even better with our approach—they will not need a new solution just for cryptography, because we can augment the data that already exists. For example, we can augment Venafi with new machine identities that we detect.
We can also augment cryptographic data for different systems of the company, such as a GRC solution for risk and compliance. We can give them information about the crypto health in the organization. We can also send alerts to the same system to inform them whenever there is something potentially bad in their infrastructure. In other words, our integration with the architecture of the customer supplements what they have inside of their organization instead of replacing everything. This allows organizations to have full visibility into their infrastructure to supplement compliance, risk mitigation and other key enterprise-wide security programs.
Information Security teams benefit from this Venafi integration. But compliance teams benefit as well. For example, large banks may have a dedicated cryptography program that focuses on minimizing their cryptographic challenges. And that's really where we can help them with information about how crypto machine identities are good and compliant across their infrastructure. On the flip side, we can find bad crypto used in an application developed internally. We can also inform them that they should actually change this cryptography or replace machine identities in their application. The solution is for operations, but also for development and risk & compliance.
At the end of the day, we see cryptography as the backbone of digital trust. We see it as critical infrastructure. We're seeing more and more that the castle and moat approach to security is woefully insufficient. You really need to protect data at the core, because the attackers are eventually going to get past the network and firewalls. But if you can protect the data itself, even if attackers can get through those initial barriers, the data's basically going to be rendered useless. Essentially, what we're doing is helping to support the concept of a zero-trust architecture where you don't trust anything until you validate or verify it. That's really a key thing that ISG brings to the table.
The Venafi integration with InfoSec Global’s AgileSec solutions is now available. Visit InfoSec Global on the Venafi Marketplace for more information. And stay tuned for future interviews with Machine Identity Management Development Fund recipients.
This blog features solutions from the ever-growing Venafi Ecosystem, where industry leaders are building and collaborating to protect more machine identities across organizations like yours. Learn more about how the Venafi Technology Network is evolving above and beyond just technical integrations.