“We’re a digital company or we want to become one in the next few years”.
How many times have we heard this? In all honesty, every time I meet with a company, I more or less hear this same message.
I’m very pleased to hear (and proud) that France and the European Community are working hard to become digital like the US, and we are bridging this gap very quickly.
But what is the price of this and for our cyber security strategy and teams?
As I mentioned in my last post, the US has had almost 2 decades to build their digital economy and adjust their levels of defense in this area. In Europe we want to do this in a maximum of 5 years, focusing on the need to become competitive in the digital world whilst forgetting we’re also becoming more vulnerable at the same time.
And yes, Europe is more vulnerable than the US. You can always find companies or people very well prepared and protected against cybercriminals, howeverthe vast majority of European companies and citizens are not well prepared to live in this digital world.
Let’s talk about the businesses where we work.
What a wonderful world it is now! We have desktops, laptops, tablets, smartphones, apps, code, services, datacenters, the cloud, the internet—and a lot of connected objects. All are just machines, created or built to serve us; to accelerate the digital transformation of our economy and of our companies.
Machines drive the most change - are least understood
Machines are responsible for the main changes in our world, but they are also more complex, more numerous, more powerful, more critical but also less understood, less managed and less visible.
Are they invisible? Hopefully not.
We need to decide whether we to let them proliferate without controlling who they are. But we also should know if these machines are still the same as when we allowed them access to our network, to manage our data, to transfer our money all to another machine.
A little voice in my head says,”Hold on Stephane please, we have cyber security teams., Our companies already spend money to defend our business, our data and our customers.’’
Yes, we are spending money but not in the area of managing machine identities. When I speak to cyber security professionals, they all talk about how to protect human digital identities, but a very small minority talk about how to govern and control machine identities.
Yes, wake up guys! We built the digital world and we made the rules. And one of these rules is simple: to access the digital world you have to be identified and recognized as a trusted person … or as a trusted machine.
“Oops … what do you mean Stephane that machines also need to be identified? “
Machine identities are at greater risk of getting hacked than human identities
Don’t be naïve, machines are connected to our network and they have the same chance to be hacked as a human, more chance I would say. A machine is silent, a machine is dumb, a machine will never complain; not alerting us if something goes wrong with its identity. It’s time to stop playing with the machines in a digital world.
The upside is that more and more companies are becoming aware of this issue and want to take control back. The downside is that machines are far more numerous and diverse than humans, and almost no-one knows where to start or everybody wants to start from a different point.
This is where the cherries on the cake analogy starts to play out.
Many companies are focusing on the cherries, or the topping for the cake. In machine identity terms, we would refer to this as governance and automation. This is understandable—automation is mandatory to eliminate outages, to reduce the burden on the operational teams who manage the certificates on a day-to-day basis and to help these teams become more agile and reactive. Likewise, governance is required to define the rules and roadmaps.
Cake before the Cherries: Find all of your machine identities [then protect them]
But what is the cake? Before I answer that, let me ask what do you want to govern and what do you want to automate? If you don’t have visibility into your machines, you will not able to govern or automate them. Or you will do so badly, or only partially, and you will end up wasting money. So visibility is your cake.
In my next blog, I’ll discuss why all companies or cyber security teams accept that visibility is key to solving the challenge of managing and protecting machine identities.