Q&A: Here’s why it has become vital for companies to deter ‘machine-identity thieves’

By Byron V. Acohido

We’re undergoing digital transformation, ladies and gentlemen. And we’re in a nascent phase where clever advances are blossoming even as unprecedented data breaches arise in parallel.

The latest example of this dichotomy comes from Timehop, a service that enables social media users to plug into their past. On Sunday, Timehop shared details about how a hacker got into their network, conducted several reconnaissance forays, and then moved swiftly on July 4th to pilfer personal information for 21 million Timehop users, including their social media “access tokens.”


Much like the recent hacks of Uber and Tesla, the Timehop caper revolved around the attackers manipulating admin credentials and maneuvering extensively through Timehop’s cloud environment.

I recently had a fascinating conversation with Jeff Hudson, CEO of Venafi, about why we are currently in a situation where criminally motivated actors are proving to be every bit as innovative as legitimate businesses, when it comes to leveraging cloud services, and developing breakthrough uses of mobile computing and the Internet of things.

Venafi is a leading supplier of machine identity protection; it helps companies secure authentication and privileged access to key components of critical systems. As such, Hudson argues persuasively that the root of the matter comes down to the need for organizations to keep a much closer account of access logons and encryption keys. And they must do this, not just for human users, but especially for machine-to-machine communications.

For a drill down on our conversation, please listen to the accompanying podcast. Here are excerpts edited for clarity and length.

LW: Can you frame what’s going on with identities when it comes to digital transformation?

Hudson: Sure. The actors on digitally transformed networks come from two realms: people and machines. We secure the people by giving them usernames and passwords, which they use to get on the network of machines. And then every machine in that network has to identify itself to other machines, and they use machine identities.

So we spend $8 billion a year protecting human identities, and we’re just getting started protecting machine identities. The problem is that the growth is in machine identities. As the number of machines explodes, the number of machine identities explodes. And so what we see is a giant attack surface: all of these machines, and people going really fast and not securing the identities of those machines.

LW: So the bad guys recognize the weak points?
Hudson: That’s exactly right. They’re stealing machine identities, and then they’re getting in the middle, they’re impersonating. A machine thinks it’s talking to another trusted machine. But it’s really talking to a machine controlled by the attacker that’s in the middle of the communications looking at everything. So you’re exactly right. They’re stealing machine identities and using them in attacks, and it’s happening more and more.

LW: Are machine identities somehow less intrinsically secure than human user identities?

Hudson: Part of that structure of human identity protection is that you can tell if one user is logged on multiple times. But corporations today typically cannot tell if one machine identity is being used in multiple places.

And if a machine is logged onto a network twice, you can’t trust either one, because you can’t tell which one is authentic. With machine identities, a lot of times there are duplicates all over the place. The bad guys actually look for the ability to duplicate a machine’s identity, so that they look like they’re a trusted part of the system and are thus able to steal the data.
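One way to make the condition Hudson describes observable, as an added example that is not part of the interview or of any Venafi product: a Python sweep over constructed mTLS authentication log lines (hosts, addresses and fingerprints are invented) that flags any client certificate presented from more than one source address within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hosts, addresses, fingerprints invented): one line per
# successful mTLS client authentication as a gateway might record it.
SAMPLE_LOG = """\
2018-07-04T09:00:01Z src=10.0.1.5 cert_fp=3f9ac1d2 subject=CN=batch-01
2018-07-04T09:00:09Z src=10.0.1.7 cert_fp=77d20416 subject=CN=batch-02
2018-07-04T09:01:30Z src=10.0.1.5 cert_fp=3f9ac1d2 subject=CN=batch-01
2018-07-04T09:02:15Z src=203.0.113.9 cert_fp=3f9ac1d2 subject=CN=batch-01
2018-07-04T11:40:00Z src=10.0.1.8 cert_fp=77d20416 subject=CN=batch-02
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) cert_fp=(\S+) subject=(.+)$")


def parse_events(log_text):
    """Yield (timestamp, src, fingerprint) per well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3)


def find_shared_identities(log_text, window=timedelta(minutes=10)):
    """Map fingerprint -> sorted source addresses for every certificate presented
    from more than one address within `window` of itself. Same cert, two places,
    close in time: neither use can be trusted, since the log cannot tell the copy."""
    by_fp = defaultdict(list)
    for ts, src, fp in parse_events(log_text):
        by_fp[fp].append((ts, src))
    findings = {}
    for fp, uses in by_fp.items():
        uses.sort()
        srcs = set()
        for i, (t_i, s_i) in enumerate(uses):
            for t_j, s_j in uses[i + 1:]:
                if t_j - t_i > window:
                    break  # sorted by time, so nothing later is closer
                if s_i != s_j:
                    srcs.update((s_i, s_j))
        if srcs:
            findings[fp] = sorted(srcs)
    return findings


if __name__ == "__main__":
    for fp, srcs in find_shared_identities(SAMPLE_LOG).items():
        print(f"certificate {fp} presented from {srcs}")
```

With the default ten-minute window only the batch-01 certificate is flagged; the two batch-02 uses are hours apart and could be an ordinary redeploy, which is why the window is a parameter rather than a constant.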

LW: How big is this challenge?

Hudson: There’s an awful lot of work to be done inside company firewalls, inside internal data centers. Then there are cloud workloads and mobile devices that need to be secured. We’re seeing corporations seeking to be hybrid. They want to operate on premises, as well as in the cloud. And they want to be able to move workloads back and forth.

Now, more than ever, we’re seeing people that want to be in multiple clouds, to avoid putting everything into Amazon Web Services, for example. So we have all these different pieces, and machine identities have got to be secure, first the machine identities inside and then outside. And the organization has to be in control of that. They can’t turn them over to Amazon because Amazon’s not going to let things move around into the Azure cloud or the Google cloud.

LW: What basic approach should companies take?

Hudson: There are three things that corporations have to do. First they have to have a line of sight to all these machine identities. Then they have to be able to apply intelligence to say, ‘Is this machine identity going to hurt me? Or is it a rogue one? Or is it good and going to help me? Where did it come from? How long has it been there? Where has it been used before? What other machines is it associated with?’

There is a whole lot of intelligence available to apply. Once you do that, then you can actually automate this whole machine identity protection process. So those are the three things: visibility, intelligence and automation.

LW: This implies big data sets, which is perfect for machine learning.

Hudson: Yes, exactly. We’ve been at this for a while. We have over 300 customers. They are the ones that went through digital transformation first, and what they saw was this: the number of people is staying fairly constant, but the number of machines exploded. They understood that you need to protect the identities of those machines, just the way we protect the identities of people.

LW: Why haven’t more organizations moved this way?

Hudson: There are a lot of homegrown systems out there. People have built little machine identity silos around application distribution controllers, around active directories, around firewalls, web servers and databases. But with the increase in speed and volume of digital transformation, these systems don’t work anymore. And now the problems are really starting to multiply. The bad guys know corporations have very little visibility over all of their machine identities. So they look around and it’s easy to find some that are unprotected.

LW: Where do you see this progressing to five years from now?

Hudson: First of all, digital transformation does some amazing things for our society. It’s really a great thing, as long as we can keep it secure. So the first thing that’s got to happen is, in the boardrooms and in management teams, people have to realize digital transformation doesn’t just create money that all goes to the bottom line. There are costs, and one of the costs is security.
