Futurex Crypto Chat with Venafi: Machine Identities, Digital Trends, Ransomware’s Great Grandfather
Adam: Why is machine identity management so important now?
Tal: We always rely on the individual identity before engaging in meaningful interaction, be it a human or machine. For example, for decades we have used product serial numbers, Vehicle Identification Numbers (VIN), and so on to uniquely identify a physical machine and apply services and contracts.
The same level of trust is required in a digital space where machines communicate with each other. The digital transformation entirely relies on non-human identities (virtual machines, containers, applications, bots, IoT devices) that we categorize as machine identities. We are at the stage when machines create another machine, initiate connections, and communicate with each other to process information at lightning speed. This creates unprecedented numbers of interconnected communications among machines, and every one of these connections requires a machine identity — most of these come in the form of TLS certificates or SSH keys. As a result of this rapid growth, machine identity management has become increasingly complex and can directly impact the security posture of all organizations.
Earlier this year, Gartner’s Top Security and Risk Trend for 2021 research described Machine Identity Management as a critical security capability for any enterprise.
Adam: Tell us more about identity-based security.
Tal: Here is a small personal story. Recently, my wife and I went to a local restaurant. As we approached the entrance, we saw a barcode allowing us to sign up for a waiting list. So, I scanned this code, and my iPhone took me to the page where I filled in my name and phone number and clicked the submit button. Within 10 minutes, I received a message to come in, and we were escorted to a table where I saw another barcode sticker which took me to the menu page where we placed an order that was delivered to us shortly. As we finished our lunch, I got a check to pay on the way out. But I noted on the tab another barcode that I used to pay the bill and tips. On the way out, we saw yet another barcode that took me to a survey page. They got all 10 from me! But seriously, what is in this story? I see it as an excellent example of digital transformation and how we (humans) interact with machines — seamlessly, quickly, and securely. Most likely, I would not continue with any of those four separate applications should I get an alert or error message. But it is only me working the front end. Think about the complexity that happens on the back end, where non-human instances (applications and machines) securely and reliably interact with each other, getting my order or processing my payment. Those machines implement security protocols that rely on machine identities to authenticate to each other before anything happens. A single mistake with the machine identity can lead to an error, a broken business flow, and potentially displeased customers. There are plenty of examples of such misses. Machine identity management aims to ensure that every non-human actor gets its identity right and in time to truthfully serve the business flow.
Adam: What do you recommend organizations do to protect their machine identities?
Tal: Venafi developed an eight-step framework that aims to protect the availability of TLS machine identities by ending certificate-related outages. The approach, which is based on a deep understanding of all the components needed to achieve this outcome, is VIA Venafi, the Venafi Way. VIA Venafi is founded on technology invented by Venafi that delivers the Visibility, Intelligence and Automation necessary to stop outages.
There is plenty of information on the web on how to implement this framework, but I will touch on the very first step: the need to establish an Outage Safety Net.
If your organization has been hit by certificate-related outages, the first thing to do is “stop the bleeding.” Unfortunately, machine identity owners frequently don’t understand the certificate renewal process and can be caught unprepared by sudden outages. Although information security teams cannot stop outages by themselves, they can identify certificates that are about to expire by using the Venafi Platform. The InfoSec team can then create an outage safety net to alert critical parts of the organization about impending outages. An effective outage warning system notifies organizational leaders rather than trying to track down individual owners of certificates. It builds executive awareness of impending outages and promotes action before sites, services and applications are crippled.
Adam: What are the big digital transformation trends taking place in the next few years?
Tal: A lot is going on from the application architecture to the network infrastructure standpoints. We keep pushing computation processes to the cloud. The corporate security perimeter is not associated with big firewalls or routers anymore, but with every application we expose to the world, with every employee and their machine accessing the corporate data. With the zero-trust security model, we constantly validate and authorize access to those resources. Yet, security incidents happen to companies of any size, and it primarily starts with the weakest link — impersonated users and machines.
It is easy to imagine a multi-factor authentication model and the certificate being deployed on the Load Balancer or a Web server. But what about implementing machine identities to a cluster of microservices, or serverless applications, or to applications that are spread across multiple cloud environments?
I think in the coming years, we will spend more resources to improve how we handle and govern user and machine identities. We will focus more on the goals to automate identity management because in the digital transformation era, security starts with identity.
Adam: What was the first computer you owned?
Tal: In the early 1990s, I worked on an IBM PC. I think back in the days, this computer was already five or six years old, but was still performing well for WordPerfect and Pascal programming. It was already connected to the university network and ran some SPSS statistical applications. I remember the 5-inch floppy drives we used to boot this PC and the funny noises it made. I remember the occasion I needed to deal with DIR-II virus (the great-grandfather of ransomware) … the good old days…