Significant advances in the 21.3 release of Venafi Trust Protection Platform for Protecting Machine Identities
It seems that with every passing week, a new software supply chain attack is announced. Everyone gets hurt by these attacks: the producers of the breached software, whose reputation, customer trust, stock price, and market share are often impacted, and the consumers of the infected software, whose sensitive company data or customer information is siphoned off and misused.
By now, we’ve all heard about the attacks at SolarWinds, Codecov, and Kaseya. According to VentureBeat, software supply chain attacks have increased by 650% in the past year. The European Union Agency for Cybersecurity (ENISA) has concluded that strong security protection is no longer enough and that more action is needed. ENISA expects that these types of attacks are just going to get worse and are going to involve more types of machine identities.
For example, earlier this year, in an incident dubbed Facefish, Secure Shell (SSH) machine identities and user keys were leveraged to inject malicious code into Linux systems. That code hijacked SSH servers and installed a backdoor to steal sensitive information and other SSH keys. This is especially concerning since SSH keys play a critical role in providing the highest level of privileged access to a machine.
Another concerning SSH-related attack in the past year occurred in SaltStack. Again, this shows that attackers are targeting SSH keys. Why? Traditional SSH keys are like master keys to the mansion. Once generated, they do not expire, and they provide the highest level of privileged access between machines.
Venafi Trust Protection Platform helps protect against next-gen attacks
In Venafi’s latest release of its Trust Protection Platform, new capabilities have been added to help our customers address these next-gen types of attacks. For those unfamiliar with the Venafi Trust Protection Platform, it provides machine identity management for TLS/SSL certificates, SSH certificates and keys, code signing certificates and keys, and end user device certificates.
While there are too many new capabilities to mention in this blog, I will mention the following:
- Safer SSH usage & easier policy enforcement. Organizations need to reduce the management complexity of their SSH access. This includes a simplified on- and off-boarding process for users and servers and less complex enforcement of policies. They also want to improve the security of their SSH access by ensuring that their SSH credentials are used only for the purpose for which they were initially created. Customers are also beginning to get recommendations to move toward an SSH strategy that includes SSH certificates. Organizations can now use Venafi SSH Protect to issue SSH certificates for client and host authentication. The certificates are signed by the built-in certificate authority. InfoSec teams can create multiple certificate authorities and define specific issuance restrictions. To achieve perfect isolation between the different environments or groups of servers, teams can use individual certificate authorities for each of them. Consumers can request and retrieve SSH certificates via REST API, which simplifies the integration with a variety of solutions and tools.
- Quickly identify risks associated with code signing across the enterprise. When an InfoSec team is monitoring code signing activities across an entire enterprise, they may be dealing with millions of code signing operations, on hundreds of projects spread across dozens of geographically dispersed development teams. A new dashboard helps InfoSec as well as development team owners and managers spot unusual activity in code signing such as frequency and usage of specific keys/certificates. In addition, administrators are now able to create custom tags/attributes for code signing projects, keys, and certificates to enable them to more easily identify things like: which keys are associated with this business unit, which certificates should be charged to this cost center, etc.
- Token authentication for Adaptable Framework scripts. One of the strengths of the Venafi Trust Protection Platform is its extensibility through its powerful REST API. This enables customers and partners alike to integrate their solutions with the Trust Protection Platform. Venafi encourages all who use our APIs to transition from using API keys for authentication to token authentication. Leveraging token authentication instead of API keys reduces the risk of password compromise and can also limit what users and applications can access within the Venafi Platform. Developers will be able to implement scripts more easily and transition to the more secure token authentication.
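The SSH certificate approach from the first bullet above, as an added example that is not Venafi's code or part of the original post: it uses stock OpenSSH `ssh-keygen` rather than SSH Protect or its REST API, with one CA per environment and a short-lived user certificate. The environment names, the `deploy` principal and the 8-hour lifetime are assumptions; a real `sshd` makes the trust decision through `TrustedUserCAKeys`, which `accepted_by` only approximates by comparing signer fingerprints.

```shell
#!/usr/bin/env bash
# Added illustration using stock OpenSSH ssh-keygen; not Venafi SSH Protect.
# All file names, the principal "deploy" and the key ID are constructed.
set -eu

WORK="$(mktemp -d)"

# One CA per environment, so a certificate from one is useless in the other.
make_ca() {  # $1 = environment name
  ssh-keygen -q -t ed25519 -N '' -C "$1-ca" -f "$WORK/$1_ca"
}

# Sign a user public key: fixed principal, 8-hour lifetime, no forwarding.
issue_user_cert() {  # $1 = environment, $2 = path to user public key
  ssh-keygen -q -s "$WORK/$1_ca" -I "deploy@$1" -n deploy \
    -V +8h -O no-agent-forwarding -O no-port-forwarding "$2"
}

ca_fingerprint() {  # fingerprint of an environment's CA public key
  ssh-keygen -l -f "$WORK/$1_ca.pub" | awk '{print $2}'
}

cert_signer() {  # fingerprint of the CA that signed a certificate
  ssh-keygen -L -f "$1" | awk '/Signing CA:/ {print $4}'
}

cert_expires() {  # succeeds only if the certificate has a bounded lifetime
  ssh-keygen -L -f "$1" | grep 'Valid:' | grep -qv 'forever'
}

# Approximates sshd's TrustedUserCAKeys check: does this CA match the signer?
accepted_by() {  # $1 = environment, $2 = certificate path
  [ "$(cert_signer "$2")" = "$(ca_fingerprint "$1")" ]
}

make_ca prod
make_ca staging
ssh-keygen -q -t ed25519 -N '' -C 'constructed user key' -f "$WORK/id_user"
issue_user_cert staging "$WORK/id_user.pub"
CERT="$WORK/id_user-cert.pub"

ssh-keygen -L -f "$CERT"
accepted_by staging "$CERT" && echo "staging CA: signature matches"
accepted_by prod "$CERT" || echo "prod CA: rejected, different signer"
cert_expires "$CERT" && echo "certificate has an expiry"
```

Unlike the traditional keys described earlier, the certificate stops working after its validity window without anyone having to remove it from a server.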
If you are a current Venafi customer, please check your Inbox for an email that provides more details on all of the new features that this latest release has to offer as well as a registration link to a customer-only webinar where we’ll discuss these features in detail. For a detailed list of changes in this release, customers may visit here.
If you’re not currently a Venafi customer, learn more about our award-winning machine identity management platform, the Venafi Control Plane.