When it comes to machines, I always recall Terminator. I still remember the names of the machines. Yes, they actually had names and identities—identities that distinguished the good robots from the bad ones. As Kevin Bocek, VP, security strategy & threat intelligence at Venafi, stressed in an (ISC)2 webinar: “There are billions of machines living in the physical layer but also in the cyberspace, and their number will increase exponentially in the near future. The only way to identify them as friend or foe is, like in the movie, by their identity.”
While the billions of machines out there don’t have deadly intentions, they do pose risks that can have direct consequences for your business and for people. Last year, for example, the expiration of just one TLS certificate, which served as a machine identity, delayed the distribution of more than 300,000 COVID-19 test results in California.
Given this “rise of machines” world we now live in, we need to ask certain questions:
- How great is our exposure to risk when our machines aren’t properly managed and protected?
- How do threat actors (human and machine) exploit organizations whose machine identity management strategies are weak or incomplete?
- How do we best manage and protect our billions of machines?
The rising importance of machines
In our digitally transformed world, the definition of what constitutes a machine has broadened dramatically. It now extends beyond traditional physical devices, such as a PC or a server, to include:
- VMs (virtual machines) that are virtual versions of servers and computers
- Mobile devices
- IoT devices
- Cloud instances
- Online apps and microservices
- APIs and SDKs
And machines are everywhere, with their numbers rising dramatically by the day. They connect and communicate with one another across networks, and we rely on them for countless tasks across almost every industry. Given their importance, it’s essential that their identities are verified and secured just as human identities are.
Why it’s critical that we manage our machine identities
Aristotle, the famous Greek philosopher, once said “An entity without an identity cannot exist because it would be nothing.” And just as humans have identities, such as usernames, passwords, multifactor authentication and biometrics, machines also have identities—most commonly, SSL/TLS certificates, SSH keys and code signing keys and certificates. These identities ensure that machine communications are trusted and allowed only upon verified authentication.
These machine identities are, not surprisingly, complex to manage and protect. TLS certificates have relatively short lifespans, while SSH keys never expire. Procuring and renewing keys and certificates can entail arduous and outdated security processes that end users often circumvent. When organizations fail to put comprehensive machine identity management strategies and solutions into practice, they leave themselves open to a host of risks—everything from unplanned outages caused by expired certificates to software supply chain attacks that leave their own customers vulnerable to threat actors.
Rise of the machine identities
With digital transformation, the number of machines is growing exponentially—with no sign of abating. That’s why we need to treat this “rise of the machines” era as the “rise of the machine identities” era as well.
Venafi can help you manage your machine identities effectively, in a way that scales as the population of your machines rises. For more information, you can reach out to us here. Also, you can check out Kevin Bocek’s presentation at the (ISC)2 Security Briefings here.