Phil Agcaoili, Chairman Ponemon Institute Fellows, can boast more experience in machine identities than almost anyone you’ll meet outside of Venafi itself. Back in 1998, Phil introduced himself to VeriSign by breaking into its network while he was sitting in in a VeriSign conference room discussing his startup SecureIT—which VeriSign later bought. “I recognized there’s one way hackers can easily infiltrate a network, and that’s by just plugging in,” Phil said during our interview for our ebook 7 CISOs Explain Why You Need Machine Identity Management.
As was the case with the other security executives I interviewed last year, Phil discussed a lot of great stuff that I wasn’t able to include in our ebook. So, I’m using my latest blog post to share with you more of the details about what motivated Phil to deploy Venafi in his security stack and why machine identity protection is especially important for the payment card industry.
First, let’s talk about the early days. Before machine identities became so prevalent, why was Network Access Control, or NAC, so important in the banking industry?
Phil Agcaoili: NAC restricts access to your network using identity management and determines whether machines can connect to it based on certain specific criteria. If the machine is non-compliant it’s denied access, even if the user of the machine has been properly identified. For big banks NAC is an FFIEC (Federal Financial Institutions Examination Council) regulatory requirement. According to the FFIEC handbook, you have to maintain a controlled environment and that includes knowing who or what is plugging into your network.
What did you see as the biggest challenges with using NAC to manage identities at previous companies?
Phil: Early on, I was acutely aware of NAC requirements. But at that time Network Admission Control was fairly unstable. I needed a way to get around the technical difficulties of that technology at the time. By the mid 2000s, I left Cisco for Dell. My “Aha!” moment came when I melded Cisco’s network perspective with Dell’s hardware one. When you marry those two together and start thinking about the technical difficulties around Network Admission Control, you start asking yourself: “How do I connect a laptop into this network and make sure it’s properly authenticated and the person connecting the machine to the network is authorized to enter this space?
Then as network-based client technology changed, I moved us back toward using machine identities as a means to meet NAC requirements.
In addition to the obvious regulatory requirements, why do you think having machine identity management is important for the payments industry?
Phil: Machine identity protection acts as a countermeasure for rogue or unauthorized wireless access points. It enables legitimate infrastructure equipment to detect valid devices.
For example, if somebody succeeds in compromising your multifactor authentication, he’s not going to come in and steal your credentials. Instead he would VPN in with his own hardware. If he doesn’t have a valid machine certificate on his laptop, he wouldn’t be able to VPN his machine into my network even with the right credentials and multifactor authentication.
Depending on what industry research you read, compromised credentials has always been one of the top three reasons why a company gets hacked. Having certificates as machine identities on a laptop while it's connecting remotely over a VPN, subverts that type of compromise. Machine identity protection gives you another control you can use to avoid that single point of failure.
When did you implement machine identity management in your organization’s network security environment?
Phil: Venafi was part of my strategic road map from the moment I started working at my current company. There were other higher risk fundamental areas I had to address first. But the need was solidified when we changed how we did NAC here. When the network-based client technology changed, I moved us back toward machine identities.
If you were talking to another CISO in the financial services industry, and they asked you for advice on machine identity management, what would you tell them?
Phil: I would ask a couple questions: “How are you protecting your network from somebody plugging into it, either remotely or physically?” And “What are your other controls to mitigate compromised accounts?” Then I would tell them to take a good look at the various threat scenarios that are highest risk to them and consider how machine identity protection would make a difference in preventing them.
Has your organization considered machine identity management as a necessary part of your network security, regardless of your industry? Let us know in the comments or on Twitter!