In the spirit of full disclosure, please be aware that I’ve received compensation for promoting this #ad for Venafi’s Machine Identity Protection event that was streamed live on 13 December 2018. Because your success is important to me, I only align myself with brands I believe in and Venafi is one of them.
Speeches. Events. Private dinners. Inner circles. Mixing with global influencers and thought leaders, I’ve participated in my fair share this year. And, as we draw to the end of 2018, one thing has become crystal clear. When we consider cybersecurity and our immediate future, threat actors are becoming far more strategic in whom they’re targeting.
They’re carefully considering how they can gain the most, whether it’s for politics, money or fame, by carefully calculating how, when and where to manipulate, steal, or release data.
With 0.8% of our global GDP coming from cybercrime, a rapidly increasing attack surface and a volatile global political climate, in 2019 it’s highly likely that we’ll see more sophisticated attacks coming from both organised criminal gangs and state sponsored attackers. And, with fuzzy lines drawn between both threat actors, it’s going to become even more difficult to ascertain who’s working for who. That’s why getting the balance right between people, processes and technology will become even more key to ensuring an organisation’s survivability and competitive edge.
On 13 December, at Venafi’s Machine identity Protection Live event, this message was brought home. As Jeff Hudson, Venafi’s CEO, opened the event, he shared where we are now with machines. Using equity traders as an example, he relayed how, in 2003, 85% of equities were traded by humans, and how it had fallen to 5% in 2018. Furthermore, how in 2003, 15% of equities were traded by machines and how it had risen to 95% in 2018. He warned,
“What’s happening is that machines are replacing traders on the stock exchange floor. These are people who are highly trained, skilled, compensated, and who are licensed to trade.”
As you know from my last blog about change, the 4th Industrial Revolution and machine identity protection, machines are rapidly replacing humans everywhere – in our court rooms as judges and jurors, in our hospitals as surgeons, in our transport systems as operators, in our supermarkets as checkout staff, in our factories as robots, and so on – all in an effort to achieve more speed, scale and profits.
Defined as ‘an apparatus using mechanical power and having several parts, each with a definite function and together performing a particular task,’ in the Industrial Revolution, machines freed people from animal power and made mass production possible.
But, now that we’re on the cusp of the 4th Industrial Revolution, machines aren’t only evolving, they’re being redefined. No longer are they limited to devices and software. Today, they’ve expanded to include a range of new technologies – like cloud, containerisation, the Internet of Things (IoT) and the blockchain. Working in unison and constantly communicating with one another, they’re also now getting ready to follow through on the actions they decide to take.
Machines are completely disrupting the enterprise network, too, and they’re merging our physical, digital and biological worlds. They’re impacting all disciplines, economies and industries, and driving unprecedented improvements. And, being in our network, they’ve now joined people as one of only two threat actors.
As Jeff put it on the livestream,
“As organisations have required more flexibility and remote ways of working, the perimeter has dissolved, and it’s become increasingly difficult to establish what’s yours and how to protect it. Security has therefore become identity, and protecting identity is now the foundation of all security.”
So, let’s look at identity.
To get access to a network, people use usernames, passwords and biometrics to identify and authenticate themselves (to machines). Whilst machines also use identities, unlike people they don’t rely on the same mechanisms. Instead, they use cryptographic keys and digital certificates. And, at the beginning of every secure communication, they check digital identities to establish trust, authenticate other machines and encrypt communication.
According to a study from Forrester and Venafi, entitled ‘Securing the Enterprise with Machine Identity Protection,’ the global identity and access management (IAM) market is worth over $8bn. Yet, alarmingly, most of this money is spent on protecting human identities despite the fact that machine identities form the foundations of all online trust and communications!
Whilst people are controllable and fairly static in terms of the numbers entering the network, machine numbers are skyrocketing. This creates a worrying vulnerability, and threat actors not only know this but are exploiting this. According to an earlier Venafi study, cyber criminals are paying up to $1,200 on the dark web to buy machine identities to help them evade detection, distribute malware and attack enterprises. Furthermore, Gartner, predicts that by 2020, 70% of all network attacks will use SSL – a type of machine identity.
Getting real, unless machine identities are protected, we’re going to see uncontrollable chaos and intolerable risks.
To date, we’ve seen this with some major incidents. For example, when Edward Snowden breached the NSA, he used compromised machine identities to exfiltrate secrets and information. When the Equifax breach started, and 150 million consumer records were stolen, it was with an expired machine identity. And, just last week, when millions of smartphones around the world stopped working, it was because the networks that they were on, were powered by Ericsson networking equipment that had expired software certificates. It caused a major network outage, taking down the O2 Network in the UK, the SoftBank in Japan, and networks in nine other countries.
To effectively manage and protect machine identities, organisations must ensure three things. Firstly, they must have a register of all machine identities across their networks. Secondly, they must have actionable intelligence on each one. Thirdly, they must have the capabilities to effectively put all of that intelligence into action, at machine speed and at scale.
And, this is one of the reasons why Venafi has launched an innovative Machine Identity Protection Development Fund. Providing insight and education on protecting machine identity, $12.5m is being made available to a range of developers, including consultants, systems integrators, cloud providers, data visualisation providers, fast-moving start-ups and other cyber security suppliers.
The aim is to build a community of funded developers who will accelerate the delivery of machine identity protection. Whilst concentrating on DevOps first, Venafi will then look at emerging technologies such as code signing, blockchain, the internet of things (IoT) and artificial intelligence/machine learning as this will ensure all new integrations and machine identities will be automatically updated in the Venafi Platform.
As Kevin Bocek, vice president of security strategy and threat intelligence for Venafi said on the livestream event,
“The Machine Identity Protection Development Fund is the next logical step for cybersecurity….
“As the volume, velocity, variety and volatility of machines continue to increase, the need for comprehensive machine identity protection grows exponentially. By providing developers with direct sponsorship, Venafi is accelerating the rate at which these complex problems are solved for the Global 5000 and, at the same time, expanding their strong, thriving partner ecosystem.”
Now I want to hear from you…
- Tell me what insights you have gained on machine identity protection and how you plan to work with the changes that are to come.
- And, if you’re using machine identity protection, tell me about the benefits you’re reaping.
If you’d like to know more about machine identity protection or the development fund, watch Venafi’s Machine Identity Protection event which streamed live on 13 December 2018. There’s a lot of information that was shared and you can still get access to it. The link is: https://www.venafi.com/livestream/influencer/machine-identity-protection/.
Finally, in the spirit of full disclosure, once more, please be aware that I’ve received compensation for promoting this #ad for Venafi’s Machine Identity Protection event.