About a month ago, SANS hosted a Venafi-sponsored webcast that went into detail about why Barclays chose Venafi to manage its machine identities. Titled What Works in Certificate and Key Management: Enabling Secure Digital Business Using Venafi’s Trust Protection Platform, the webinar features SANS’ John Pescatore and Troels Oerting, formerly group chief security officer and group CISO at Barclays (Oerting recently left Barclays to head the Global Centre for Cybersecurity at the World Economic Forum).
No time to watch the webcast? I also recommend checking out the case study.
Here are some highlights. But rather than giving you simple recap of this webinar, I would like to focus on two general points that Oerting and Pescatore discuss. Those are:
- Encryption is easy to do wrong and hard to do right.
- Developing and maintaining trust will become increasingly difficult going forward—and your solutions will make or break your success.
Why Is Encryption so Hard?
Perhaps my favorite part of the webcast was Pescatore’s quick history of encryption. In fact, cryptocurrencies predate Bitcoin by 800–900 years. Back in the 1200s, the Knights Templar developed the first form of secured currency. If you were traveling to, say, the Holy Land, you could pay them an amount of money, and they would give you a piece of paper with some random numbers on them. The paper was useless to robbers because what could they do with that parchment (Europe was at least 500 years away from adopting paper money)? Then, when you reached your destination, you presented this paper to another Knights Templar, who would decode it and give you your amount minus the equivalent of a bank charge.
Of course, things have gotten more complex since those chivalric days. There are countless more things that need to be encrypted and the management of encryption not surprisingly is more intricate. Not only do you have to manage random data and algorithms, you need to manage the machine identities of all the machines transporting this encrypted information.
Part of the problem happened after public key infrastructure started taking hold in the 1970s. Pescatore says:
“The assumption was, we would all agree on common trusted third parties, whether they were governments, industry organizations, big tech giants or phone companies, [but] that hasn't happened. There are no totally centralized places we can trust to obtain the latest certificates and latest values of public and private keys to do encryption and digital signatures and other things. So, this world of having to figure out ways to manage keys and certificates ourselves is the reality we're in.”
Pescatore says that’s why it’s so “hard to do encryption well and easy to do it badly.” Encryption itself is easy, but ensuring that only the right people are able to decrypt it is difficult. You have to manage keys and certificates effectively, and that means tracking and managing third-party trust. In the past, organizations have relied on spreadsheets and pop-up messages reminding you to renew keys and certificates, but “That obviously hasn’t scaled,” he says.
Oerting concurs with Pescatore’s assessment. “I'm fan of encryption, and I think we should encrypt everything, both in rest and in flow, but that requires also a strong key and certificate management system for identifying expired and rogue certificates and keys—and that is a huge task,” he says.
Why Trust Is More Important Than Ever
In choosing Venafi, Oerting describes a world where financial institutions have to contend with so many components—from public and hybrid cloud environments to IoT devices. “All of that needs to be managed in a new reality that flawlessly needs to avoid false positives that shut down services that need to work while keeping services from being open to attack,” Oerting explains. “Machine identity will play an increasing role in who survives in the future of this online landscape” because of the growing number of devices that connect without human interaction.
Oerting says that you have to ensure your data is secure because trust will end up being one of the biggest competitive differentiators. “I happen to believe that customers will choose banks not because they get 0.1% loan interest rate but because they can trust that company with their most sensitive data—because [the bank] will know so very much about you,” he says. And all that data—your address, your place of employment, your identity card number, your credit cards—that is data you want to secure from threat actors because data is quickly becoming the new oil.
“In the old days you chose a bank because your dad chose that bank or because it was nearby. But now you have other criteria, which why I think that those who are most trusted will actually also be those who will win,” Oerting concludes. And machine identity management will play an important role in securing that trust.