SHARED INTEL: Study shows mismanagement of ‘machine identities’ triggers $52 billion in losses

By Byron V. Acohido

In one sense, digital transformation is all about machines.

Related: Authenticating IoT devices

Physical machines, like driverless vehicles and smart buildings; but, even more so, virtual machines. I’m referring to the microservices packaged in modular software containers, the storage buckets they read from and write to, and the serverless functions that run them, all mixed and matched on demand in the Internet cloud.

These virtual machines, which happen to be mushrooming in number, underlie the physical machines. This all adds up to high-speed, agile innovation. But the flip side is that fresh software vulnerabilities are getting spun up just as fast. Machines control the flow of all types of sensitive data, so the way in which they connect to and authorize one another has become a primary security risk for organizations. And cyber criminals, no surprise, are taking full advantage.

Now comes a study from Boston-based consultancy Air Worldwide that puts some hard numbers on the degree to which threat actors are exploiting weakly protected machine identities. The report, titled The Economic Impact of Machine Identity Breaches, was commissioned by Salt Lake City, UT-based security vendor Venafi.

According to the study, poor management of machine identities leads directly to an estimated $52 billion to $72 billion in losses annually. What’s more, large enterprises, i.e. those with $2 billion or more in annual revenue, are hit twice as hard as smaller organizations by cyber attacks that exploit weak protections for machine identities.

I had a chance to visit once again with Jeff Hudson, Venafi’s outspoken CEO, at RSA 2020. We had a lively discussion about the backdrop to the study and its going-forward implications. For a full drill down, please give the accompanying podcast a listen. Here are excerpts, edited for clarity and length:

LW: Can you frame the top challenges businesses face as digital transformation accelerates?

Hudson: The world as we once knew it is becoming digitalized. Everything. We’re in the very early innings of this. It’s already a large trend, but it’s growing faster than most people can wrap their minds around; the entire digital transformation is built on the backs of machines – on physical machines, virtual machines, containers and software applications. Everything happens on machines.

The machines have been virtualized. For all intents and purposes, these virtual machines look like hardware. You don’t know any different; you can’t tell if you’re in a virtual machine or a real machine.

LW: So what’s worrisome about that?

Hudson: There are really two actors on any network, humans and machines. The humans use usernames and passwords to identify themselves to machines. And the machines have to identify themselves to each other, many times over. The machines don’t use usernames and passwords; they use machine identities . . . we spend about $10 billion a year protecting human identities and we’re just getting started protecting machine identities.

The number of virtual machines is going through the roof. The bad guys know this, and they know these machine identities aren’t protected. So, they’re stealing both human and machine identities and moving right in there, going after all this value that has moved from the physical world to the virtual world.

LW: This isn’t theoretical, is it? The study looked at firmographics and technographics and factored in actual events.

Hudson: We have about 400 customers worldwide: big banks, big airlines, airplane manufacturers, big payment card companies, big health care insurers, big retailers. Our customers are the ones who are really digitally transforming the most rapidly. We see, every day, what they’re up against.

Our study with Air Worldwide looked at the impact and the losses associated with compromised machine identities. It’s not hypothetical. The damage and losses are in the multiple billions of dollars per year . . . We think in terms of human attackers. Yet in almost every single attack there is a machine identity that’s manipulated to further the attack. And when you add it all up, it represents a very real cost, at least $52 billion a year, and it’s growing very rapidly.

LW: To break it down a bit, these are losses stemming from malicious manipulation of machine identities?

Hudson: Right. So, these machines have to be able to trust each other because the bad guys can use the machines in their attacks. This enables them to attack at the speed of machines and at the scale of machines. With ransomware, or denial of service or almost any type of attack, there’s no need for a human to log on to the system. The bad guys have their own SaaS services running fully automated attacks – and that’s what we’re up against.

The study is yet another piece of evidence pointing to the importance of protecting machine identities. These exposures are real and can cost a lot of money . . . the Equifax breach is a very real example. What happened was the machine identity failed, the certificate expired, and that allowed the attackers to exfiltrate 145 million records. This survey categorizes many, many instances like that. It’s a real threat. The thing that’s most amazing to me is that most organizations still haven’t dealt with it.

LW: With so many new machines popping up and disappearing very quickly, it becomes very complicated, very quickly.

Hudson: It’s complicated by the fact that the perimeter is gone. We used to trust everything we let inside our network perimeter. But the perimeter is gone. And so how are you going to protect data when there’s no perimeter at which to protect anymore? It’s almost impossible.

So, the model that’s emerged is the zero trust model. That means, very simply, that you’ve got to protect the data. And to do that, you’ve got to have access control; you’ve got to limit access to people—and machines—based on verified identities. If you can verify all of the identities, both human and machine, you can apply access controls and you can protect the data.
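What Hudson calls a machine identity is, in most deployments, an X.509 certificate and the private key behind it, and "verifying the identity" before granting access is exactly the check below. The following Go program is an added example written for this page; it is not code from Venafi, Air Worldwide or the study. It issues a small test hierarchy (a trusted internal root, a rogue root, and two workload certificates for the same hostname; the CA names, hostname and lifetimes are all constructed for illustration), then shows the three things a zero trust verifier has to get right: a certificate chaining to a trusted root is accepted, the same certificate is refused once its validity window has lapsed (the expiry failure mode the Equifax remark points at), and a certificate for the right name from an untrusted issuer is refused. It also includes the inventory check that flags a certificate for renewal before it expires, which is where the cost of poor management is usually avoided.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Identity is one machine's credential: its certificate plus the private key proving possession.
type Identity struct{ Cert *x509.Certificate; Key *ecdsa.PrivateKey }

// check panics on setup errors; key generation and signing only fail if the system RNG fails.
func check(err error) { if err != nil { panic(err) } }

// template builds a CA (long-lived, may sign) or a workload certificate (short-lived, bound to one
// DNS name, usable for mutual TLS). Every name and lifetime in this example is constructed.
func template(cn string, serial int64, lifetime time.Duration, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(lifetime),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.DNSNames = []string{cn}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue mints a certificate from tmpl signed by parent, or self-signed (a root) when parent is nil.
func issue(tmpl *x509.Certificate, parent *Identity) *Identity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &Identity{Cert: cert, Key: key}
}

// VerifyPeer is the check a service makes before trusting a connecting machine: the chain must end
// at a root we trust, the name must match, and the time 'at' must fall inside the validity window.
func VerifyPeer(peer *x509.Certificate, roots *x509.CertPool, name string, at time.Time) error {
	_, err := peer.Verify(x509.VerifyOptions{Roots: roots, DNSName: name, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// IsExpired and IsUntrusted classify the two verification failures this example exercises.
func IsExpired(err error) bool {
	var e x509.CertificateInvalidError
	return errors.As(err, &e) && e.Reason == x509.Expired
}
func IsUntrusted(err error) bool { var e x509.UnknownAuthorityError; return errors.As(err, &e) }

// NeedsRenewal is the inventory check that turns a silent expiry into a ticket weeks ahead of time.
func NeedsRenewal(c *x509.Certificate, at time.Time, warnWithin time.Duration) bool {
	return c.NotAfter.Sub(at) < warnWithin
}

// Outcome holds the results as values so they can be inspected or asserted on, not only printed.
type Outcome struct {
	Valid, Expired, Untrusted error
	RenewalDue, RenewalNotDue bool
}

// RunDemo builds a trusted root, a rogue root and two certificates for the same hostname, then shows
// which one a verifier accepts and how the good one is refused once its lifetime lapses.
func RunDemo() Outcome {
	const host = "worker-7.svc.internal" // constructed hostname
	now, day := time.Now(), 24*time.Hour
	root := issue(template("Example Internal Root CA", 1, 10*365*day, true), nil)
	rogue := issue(template("Rogue CA", 2, 10*365*day, true), nil)
	worker := issue(template(host, 3, 30*day, false), root)
	imposter := issue(template(host, 4, 30*day, false), rogue)
	roots := x509.NewCertPool()
	roots.AddCert(root.Cert)
	return Outcome{
		Valid:         VerifyPeer(worker.Cert, roots, host, now),
		Expired:       VerifyPeer(worker.Cert, roots, host, now.Add(45*day)),
		Untrusted:     VerifyPeer(imposter.Cert, roots, host, now),
		RenewalNotDue: NeedsRenewal(worker.Cert, now, 14*day),
		RenewalDue:    NeedsRenewal(worker.Cert, now.Add(20*day), 14*day),
	}
}

func main() {
	o := RunDemo()
	fmt.Printf("valid: %v\nexpired: %v\nuntrusted: %v\nrenewal due: %v\n", o.Valid, o.Expired, o.Untrusted, o.RenewalDue)
}
```

Two design points carry over to real deployments. First, `VerifyPeer` passes an explicit `CurrentTime` only so the expiry case can be demonstrated without waiting 30 days; a production verifier uses the clock, which is precisely why an unmonitored certificate fails silently on the day it lapses. Second, the imposter certificate carries the correct hostname and a perfectly good signature; it is rejected solely because its issuer is not in the trust store, so the trust store, not the certificate, is the control that matters when an attacker mints or steals a machine identity.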


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)
