Jeff Hudson, CEO of cyber security machine identity protection specialists Venafi, talks to TEISS about the importance of protecting the identities of the many machines that are connected to the internet.
All digital transactions are built on machines. In fact the whole of the internet is built on machines. Why then, Jeff Hudson asks, are we so poor at protecting their identities?
By machines, Jeff means various things. Physical machines such as printers, cameras and factory equipment that connect to the internet. IT hardware such as servers, computers, phones and firewalls that connect to the internet. And software machines such as virtual machines, containers, phone apps, search engine “bots”, the algorithms that drive stock market transactions, and virtual service desks.
The importance of identity
Identity is important. Without a knowledge of true identity we may end up sharing information or collaborating with the wrong person.
People use their usernames and passwords (often backed up by other authentication) to identify themselves before they are able to sign on to a corporate network. Their identity is then used to give them certain privileges around what they can see and do while on that network.
Of course it is never 100% perfect. Someone who telephones you may say they are a particular person – the bank manager, someone from HR, the CEO’s PA. But you don’t necessarily know they are telling the truth, especially if you haven’t spoken to them before.
And someone who signs on to an online network may not always be the person they claim to be. They may have “borrowed” or stolen someone’s online identity. That’s why businesses spend a great deal of money, around $8 billion a year by some estimates, solving the problem of how to identify people online accurately.
But compare that $8 billion with the tiny amount we spend on protecting machine identities.
Machine identities are important too. Machines need to identify themselves when they connect with networks or other machines. You might set up your house with a webcam that can connect to your mobile phone to keep a track on your sleeping children. You don’t want a stranger to be able to connect their phone to your webcam.
Unfortunately, “machines have identities that want to be stolen”, Jeff tells me. By this he means that it’s very easy for one machine to assume the identity of another machine, for instance during a cyber attack. That’s because we are poor at preventing this from happening.
We find it very hard to have visibility and intelligence on machine identities. And we are not investing fast enough in order to get better at solving this problem.
Why is machine ID fraud a problem?
Typically, a machine identity involves a trusted certificate or a key that has been issued by a recognised certificate authority such as Entrust or DigiCert. There are problems with this approach, however: authority can be corrupted.
One thing that can go wrong is that certificates can be stolen. Jeff describes how, in 2011, the Dutch certificate authority DigiNotar was hacked by a criminal who was then able to issue fraudulent certificates. This is one example, and there are many others.
Much more recently, Google has decided not to trust Symantec certificates because of a lack of trust in the accuracy of their certification processes.
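To show in code what the trust decision described above looks like from the relying party’s side, here is an added example (not code from the article or from Venafi): a Go program issues a webcam certificate from a constructed CA and verifies it against a trust store that still contains that CA, then against one from which the CA has been removed, which is the effect a browser’s distrust of a root has on every certificate beneath it. The CA name, the webcam name and the key material are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // all material here is constructed, so an error is a bug in the example
	}
	return v
}

// issue generates a key pair and a certificate for cn. With parent == nil the result is a
// self-signed CA root; otherwise it is signed by parentKey. Constructed material, no real CA.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature, // leaf: one machine's identity
		BasicConstraintsValid: true,
	}
	signer := parentKey // leaf certificates are signed by the issuing CA's key
	if parent == nil {  // root: self-signed and permitted to sign other certificates
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// Demo verifies a webcam identity against a store that holds its CA, then against one without it.
func Demo() (withCA, withoutCA bool) {
	ca, caKey := issue("Example Machine CA", nil, nil)
	cam, _ := issue("webcam.home.example", ca, caKey)
	store := x509.NewCertPool()
	store.AddCert(ca)
	_, errWith := cam.Verify(x509.VerifyOptions{Roots: store})
	_, errWithout := cam.Verify(x509.VerifyOptions{Roots: x509.NewCertPool()}) // CA dropped from the store
	return errWith == nil, errWithout == nil
}
```

The webcam’s certificate is byte-for-byte identical in both checks; only the relying party’s list of trusted roots has changed, which is why withdrawing trust in a CA is such a blunt but powerful instrument.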
Cyber attacks using stolen or forged machine identities are rising. According to Gartner, a quarter of cyber attacks will involve Internet of Things (IoT) machines by 2020, in part because half of IT manufacturers won’t be addressing cyber security in their products.
If that is the case, how can you trust online machines? And you need to be able to trust the integrity of a machine’s identity if you wish to transact with it. It’s difficult though, and increasingly so.
There are lots of machines online (11 billion IoT devices plus any number of software machines). And they can be created very fast: 5 years ago, if you wanted a new server it might take you 6 months to buy it, set it up and test it; now your new server, sourced from the cloud, can be set up and ready to use in a few seconds.
Another problem is that the corporate network perimeter as we used to know it has largely disappeared. In a stable network it was relatively easy to manage the machines allowed to operate inside. But when fixed corporate networks merge with cloud services, home networks and privately owned devices, managing which machines you allow near your corporate information is very hard indeed. There is no perimeter.
Let’s take personal data as an example. In order to remain compliant with GDPR you need to know who saw that personal data and when. On the internet, the word “who” really means “which machine saw the data”. If you don’t know which machine saw the data you have no way of knowing whether the data was accessed or shared lawfully.
That’s a very real danger because online software machines can steal or change data. They can set up encrypted tunnels between themselves and the outside world, tunnels where you can’t peer inside and see what malware is coming in and what data is flowing out.
If that happens, either you have to decrypt the tunnels (extremely difficult) or stop them from being set up in the first place. If you don’t, then it is as though you are letting people tunnel into your building, into the room where you keep your personal data files. The ICO wouldn’t be impressed.
How can we protect machine ID?
Machine identity is a giant blind spot in cyber security. We don’t manage machine identities because we can’t easily see them, nor can we see the damage that fraudulent identities can cause. They are out of sight, so we have no awareness of them and have not built compensating controls.
Ask yourself this: how many people understand that many social media accounts are not human, but software robots that impersonate people? Facebook is reported as having closed over half a billion (583 million) fake accounts already this year. Because machines are invisible, almost all social media platforms allow accounts to be set up without any evidence of a human owner.
A beautiful world would be a world where we have machines that can do amazing things, and where those machines are capable of being trusted by us to do the things we want, for instance to keep data private.
A world where “bad” machines like Stuxnet can be spotted and kept away from things we want to protect.
In short, we need to protect machine identity, and to do that we need to make four things happen.
- We need to create visibility: a knowledge of what machines are active at any one moment and what they are doing.
- We need to gather and use intelligence: we need to know whether a machine is trusted, who owns it, how it should be behaving, whether it conforms to policy, and what to do if the wrong behaviour is recorded.
- We need automation: because humans make mistakes and can even be malicious, we must where possible take them out of routine processes and give them the role of overseer instead. Also, at the speed of business today, processes relying on humans can’t keep up.
- And we need to develop rules: rules that allow machines to distrust other machines, and rules that enable people to control the identity of machines so that the machines can’t change their own identities.
All too often when solving problems, technologists start with the solution and back-fit it to the problem. We mustn’t do that with machine identity. It’s too important. We need to prioritise an understanding of the problem before we look for a solution so that we can find the best solutions to the most important parts of the problem.
Security is founded on identity, and machine identity is one of the most important parts of security. Protecting machine identity is a problem that we must accept as being very real and a high priority. And we need to agree on how to solve this problem effectively and efficiently. Because this is a growing threat, solutions are needed now.
Venafi.com is a cyber security company that secures and protects the cryptographic keys and digital certificates that every business and government depends on for secure communications, commerce, computing, and mobility. Their report on the machine identity crisis is available here (registration required).