I’m often asked about machine identities—mostly because that is where my professional life is focused. I realize that the answer can be somewhat complex. I often attempt to simplify the answer so that the everyday Joe can relate to what machines are, why they need identities and what that means to them. Most people get it right away. But what they sometimes fail to understand is the scope of the issue and the challenges that it surfaces.
Here’s the machine identity story that I like to tell:
There are two actors on a network
There are two actors on a network: people and machines. In general, people rely on usernames and passwords to identify themselves to machines so they can have access to networks and data. Well, machines are no different. They also need to identify themselves to one another. But they are not using usernames and passwords. Instead, they are using machine identities (such as digital certificates). Both are important. However, today, organizations spend over $11 billion protecting and managing human identities, yet they spend a tiny fraction of their identity management budgets protecting and managing machine identities. Cybercriminals know this, which is why they are increasingly targeting machine identities in their attacks.
So that’s the 30,000 ft view of machine identities. But what does this really mean for us in our everyday lives? Is it just some high-flying cybersecurity concept that won’t really affect most of us? The simple answer to that is found in a couple of questions: Do you use the internet in your daily life? And how many of the activities that you participate in are performed online?
Every time you connect to the Internet, machine identities are involved
Cut to the chase: every time you connect to anything over the internet, you are connecting to a machine. And that whole scheme fails if you can’t trust the machine that you are communicating with.
Let me break it down further with some real-world examples. As I mentioned in a recent interview with Venafi developer partner Futurex, here’s how I saw the importance of machines and their identities in a recent night out.
“Recently, my wife and I went to a local restaurant. As we approached the entrance, we saw a barcode allowing us to sign up for a waiting list. So, I scanned this code, and my iPhone took me to the page where I filled in my name and phone number and clicked the submit button. Within 10 minutes, I received a message to come in, and we were escorted to a table where I saw another barcode sticker which took me to the menu page where we placed an order that was delivered to us shortly. As we finished our lunch, I got a check to pay on the way out. But I noted on the tab another barcode that I used to pay the bill and tips. On the way out, we saw yet another barcode that took me to a survey page.”
This is an excellent example of digital transformation and how we (humans) interact with machines—seamlessly, quickly, and securely. Most likely, I would not continue with any of those four separate applications should I get an alert or error message.
But it is only me working the front end. Think about the complexity that happens on the back end, where non-human instances (applications and machines) securely and reliably interact with each other getting my order or processing my payment.
Those machines implement security protocols that rely on machine identities to authenticate to each other before anything happens. A single mistake with a machine identity can lead to an error, a broken business flow, and potentially displeased customers. There are plenty of examples of such misses. Machine identity management aims to ensure that every non-human actor gets its identity right, and in time, to reliably serve the business flow.
How much do you know about the machines that you are using in your business?