PODCAST: Why ‘machine identities’ represent a wide-open attack vector — and what your company should do about it

By Byron V. Acohido

Companies spend about $8 billion a year on identity and access management (IAM) systems, geared to keep track of humans, but spend practically nothing guarding machine identities. This is a problem because, according to consultancy firm Gartner, 50 percent of all network attacks in 2017 will use stolen or forged machine identities to launch the attack.

Just as people use names and passwords to get onto the network and identify themselves to a machine, the machine also needs to have an “identity” by which it can be identified, verified, and allocated particular permissions. If not, we—or the other people and machines on our network—could be talking to the wrong person or the wrong machine.

Related article: How IAM tools limit intruders’ ability to roam breached networks

By stealing or forging a machine identity, attackers can pose as the “right” machines, with the right permissions, to infiltrate your network, access your data, or launch an attack. Locking down machine identities is, in fact, shaping up to be a major growth sector of cybersecurity.
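Concretely, a machine identity is usually a private key plus a certificate that binds the key to a name (the TLS and SSH credentials the article is talking about). The Go program below is an added illustration of the two paragraphs above; it is not code from the article or from Venafi. It stands up a constructed internal CA (“Example Internal CA”), issues an identity to a hypothetical host `db.internal.example`, and then checks four peers against that trust anchor: the genuine machine, an attacker with a forged lookalike certificate, an attacker who copied the public certificate off the wire but has no key, and an attacker holding the genuine certificate and its stolen key. The challenge/response step is an assumed stand-in for the proof of possession a real TLS handshake performs internally.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must keeps the example short: any setup failure (entropy, encoding) is fatal.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mkCert issues an X.509 certificate for pub, signed by parent/parentKey; with
// parent == nil it is self-signed. Names and lifetimes are constructed for this example.
func mkCert(cn string, isCA bool, pub *ecdsa.PublicKey,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	serial := must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)))
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)), // serials must be positive
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // the hostname this machine will claim
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))
	return must(x509.ParseCertificate(der))
}

// sign is the peer's proof of possession: an ECDSA signature over a fresh challenge.
func sign(key *ecdsa.PrivateKey, challenge []byte) []byte {
	h := sha256.Sum256(challenge)
	return must(ecdsa.SignASN1(rand.Reader, key, h[:]))
}

// VerifyMachineIdentity accepts a peer only if its certificate chains to a trusted
// root, is valid for name, and the peer proves it holds the matching private key.
func VerifyMachineIdentity(cert *x509.Certificate, roots *x509.CertPool, name string,
	challenge, sig []byte) error {
	opts := x509.VerifyOptions{Roots: roots, DNSName: name,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("unexpected key type %T", cert.PublicKey)
	}
	h := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("proof of possession failed: peer does not hold the private key")
	}
	return nil
}

// Scenarios runs four handshakes against one trusted internal CA; nil means accepted.
func Scenarios() map[string]error {
	const name = "db.internal.example" // constructed hostname
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	srvKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	atkKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caCert := mkCert("Example Internal CA", true, &caKey.PublicKey, nil, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	srvCert := mkCert(name, false, &srvKey.PublicKey, caCert, caKey) // issued by the CA
	forged := mkCert(name, false, &atkKey.PublicKey, nil, atkKey)   // attacker's lookalike, same names
	challenge := make([]byte, 32)
	must(rand.Read(challenge)) // fresh nonce per handshake
	return map[string]error{
		"genuine":    VerifyMachineIdentity(srvCert, roots, name, challenge, sign(srvKey, challenge)),
		"forged":     VerifyMachineIdentity(forged, roots, name, challenge, sign(atkKey, challenge)),
		"cert only":  VerifyMachineIdentity(srvCert, roots, name, challenge, sign(atkKey, challenge)),
		"stolen key": VerifyMachineIdentity(srvCert, roots, name, challenge, sign(srvKey, challenge)),
	}
}

func main() { fmt.Println(Scenarios()) }
```

The forged certificate carries the right hostname but is rejected at the chain check because nobody the verifier trusts signed it; the cert-only attacker passes the chain check but fails proof of possession. The stolen-key case is the one the article is about: it is accepted and is indistinguishable from the genuine machine, because verification only proves that someone holds the key, not who. That is why the controls for machine identities have to sit around the handshake: an inventory of which keys and certificates exist, short lifetimes and revocation so a stolen key stops working, and monitoring for the same identity turning up where it should not.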

Scammers find a new loophole

The situation is compounded because the bad guys know that most people don’t invest in securing the identities of the machines on their network, so they are stealing machine identities and launching attacks with gusto.

I had a chance at Black Hat 2017 to meet with Jeff Hudson, CEO of Venafi, a leading vendor of machine identity security technologies. A convergence of developments is bringing this to a head:

• The number of machines on the network is growing
• The machines are getting more capable
• The machines are communicating between themselves without human intervention
• Digitalization is driving increasing value into the digital world, making cyber crime increasingly lucrative

Growth of cloud, connectivity is catalyst

The digitization of our human world means more and more aspects of our lives are controlled or influenced by machines. Examples of this include hardware devices, software that runs in the cloud, jet planes, ATMs, driverless cars, giant earth-moving equipment, and defense equipment.

Hudson observes: “The reason it’s important is that [machines] are getting really capable. Identity is coming into play because these things have to connect, they have to talk to each other, and they have to identify each other.”

Given this new reality, the stark gap between what we invest in protecting people’s online identities and what we invest in protecting machine identities begins to look absurd and, frankly, dangerous.

In some cases, machines are responsible for actions with a far greater potential impact than those of most humans. We give these machines identities, but we don’t protect those identities. Or, as Hudson points out: “We don’t watch them; we don’t make sure they aren’t stolen, we don’t make sure they are not duplicated.”

No built-in protection

According to Hudson, users have been playing catch-up from the very beginning. At the dawn of computing, nobody really conceived that people would use it for nefarious purposes, so security was not built in from the start.

Early mainframes and mini-computers didn’t have passwords or usernames: one simply connected to them.

“Then everybody figured out ‘wow, the bad guys are connecting to them—we’d better put usernames and passwords on them,’ ” Hudson said. “So, they shipped them out with the same username and password on every one!”

Security, even today, is an afterthought. Says Hudson: “Every evolutionary step of technology always comes out with functions and features first, and we’ll say ‘well, we’ll secure it later on, let’s get it to work first.’ Let’s get it to drive a car – and then we’ll worry about the security on it. In the creation of the internet, security was the second thought, so it’s a fundamentally insecure platform. Now, we’re coming back and trying to secure it.”

According to Hudson, the bad guys aren’t going to stop; they are just getting more sophisticated. He predicts the number of attacks in the cyber realm will continue to escalate because so much value is moving up into it.

Underestimating machines’ power

Hudson suggests: “The attackers are people who want to steal things for money, and they want to disrupt things for political purposes. … The bottom line is we need to know who is on the network.”

A key question is why people are not paying attention to the threat. Hudson suggests it is because “we are humans, and we look at everything through the eyes of humans” and people find it difficult to conceptualize that machines are as powerful as they are.

He adds: “Identity is the foundation for everything. If you cannot identify the actors—people and machines—you cannot secure the network. … And people don’t really understand that, even some security professionals. But the bad guys do understand this—and they are attacking it.”

For a deeper drill down, please listen to the accompanying podcast.

More stories related to network protection and cybersecurity:
Admitting there are security problems with encryption is the first step toward a solution
It’s time to close the security loophole on unstructured data
As data multiplies, technology helps tackle more challenging security issues

This article originally appeared on ThirdCertainty.com

(Editor’s note: Last Watchdog has supplied consulting services to Venafi.)
