Venafi: Securing machine identities in a connected world

Kevin Bocek, VP Security Strategy & Threat Intelligence at Venafi, spoke to Cyber Magazine about rising cyber threats and visibility of cyber environments

Can you tell me about Venafi? 

Every aspect of human life is influenced and changed by machines — from visiting the GP, to purchasing online, to accessing bank accounts, to flying on an aeroplane. We count on the digital world which consists of many millions of machines and machines are basically software.

Venafi envisions a world where humans and machines work together in harmony to improve the human condition. To make this a reality, machines must have identities that are used to authenticate and control access. Unfortunately, machine identities are not well managed: we can see this in the costly outages from systems going down when machine identities expire, or when attackers steal machine identities to evade detection and have their malware trusted globally. 

Venafi enables businesses and government to succeed with machine identity management. Venafi provides a control plane for machine identity management that accomplishes four key tasks:

  1. Lifecycle to provide and maintain a machine identity
  2. Authentication to determine trustworthiness of a machine identity
  3. Authorisation to allow or deny access
  4. Governance to oversee and control machine identities and these tasks

In doing so our customers stop costly outages, automate for efficiency, prevent breach and compromise, and modernise at new levels of speed and agility.

What are your role and responsibilities at the company?

I’m fortunate to contribute to the success of Venafi’s technology ecosystem and threat intelligence initiatives. This means I get to spend 100% of my time focused on innovation, working alongside the world's most innovative developers. I'm also continuously looking for new machine identity threats that have yet to be identified and exposed. But, to me it's not work – it's fun!

With the rise in state-sponsored cybercrime, what can firms do to protect themselves?

Unfortunately, defending against nation state sponsored cybercrime is very difficult. The groups responsible for much of the activity are often well funded, highly sophisticated, and capable of thinking outside the box to find new ways to attack networks.

Organisations must now be proactive, not reactive, in their security defences. One way to defend against attacks is simply to reduce and secure the attack surface. The more vulnerable devices that are in use on a network, the greater chance attackers have of finding one to hijack.

Often, these attacks are enabled by stolen code-signing machine identities. These are the keys and certificates that machines use to identify themselves. They’re present in more or less every device you can think of and allow machines to communicate securely. Threat actors hijack these identities to pass off their own malicious software as legitimate. This is key for executing devastating attacks as this area is still a blind spot in the security landscape of many organisations.

In response, businesses must have visibility over their environments in order to spot changes and react fast. Without the effective management of machine identities, we’ll continue to see APT groups thrive, and high-profile nation-state attacks will continue to affect businesses and government. The automation of machine identity management can help to take this element of security out of already overstretched security teams’ hands. This is why a control plane for machine identity management is crucial, as it offers complete visibility and control over machines across a company’s entire business from the data centre to cloud.

As companies continue to shift to the cloud, do you think there will be a rise in machine identity outages? 

I have absolutely no doubt that we’ll see an increase in outages as companies continue to rely more heavily on the cloud. We’ve seen cloud-first companies like Microsoft, Spotify, LinkedIn, and others all have outages due to expired machine identities like TLS certificates that could have been easily prevented. Our recent research shows that on average, companies increased the number of machine identities in their environment over the last year, and that’s set to continue, meaning that by 2024, the average company will have more than half a million machine identities to manage. Digital transformation is driving this, and more specifically the adoption of cloud, which has boomed since the start of the pandemic. This has created unprecedented levels of complexity in networks, and the task of machine identity management is becoming more and more difficult by the day.

More machines mean more problems, and we’ve seen this in the past, such as LinkedIn and O2 suffering outages as a result of poorly managed TLS certificates. In the last few weeks, people in Germany were left unable to buy food or fuel for their cars, because of an outage from Verifone, the card payment processor. We’ve also seen recent outages from Spotify, taking its podcasts offline, and Microsoft’s Windows Insider being taken offline. These were all because of expired certificates.

What do you see as being one of the top emerging cyber trends this year?

We’re seeing a lot of attacks that are targeting software build environments. One of the main reasons for this is the unprecedented growth of open source solutions in build environments, and we’ve seen high-profile security incidents – such as Log4J – which have taken advantage of vulnerabilities in open source software. 

Research shows that 92% of applications contain open source components – it makes the world go round. However, with so many people contributing to open source solutions, it’s very difficult for developers to keep track of the provenance of the software. Developers are often under extreme pressure to innovate at speed, so they’re not going to stop using open source solutions. The security industry must work with developers to enable the safe use of open source. Manually evaluating the provenance of each and every open source component isn’t an option for them, so this process must be automated.

What can we expect from Venafi in 2022?

Our mission remains the same as ever. We’re constantly on the lookout for ways in which we can make the world safer as we rely on more and more machines in business and government. With much of the focus of the last couple of years being on human identity management as perimeters have widened from offices to anywhere, the machine identity perimeter has expanded through the cloud concurrently.

This has opened up opportunities for threat actors, with new ways of exploiting machine identities surfacing as complexity has grown. It’s our job to find these attack vectors before they do and create solutions to combat this. So, we’re continuing to optimise our control plane to offer businesses complete control and visibility over their environments.

Alongside this, we have a number of initiatives we’re working on to proactively combat threat actors, such as sponsoring innovation through our Machine Identity Management Development Fund. We’ve sponsored over 50 startups, consultancies, and individuals to build new innovations. And we’ve expanded this to university programmes at Oxford University and Carnegie Mellon University that are specifically looking at machine identity. We’re also investing time heavily into other relatively new areas of machine identity security, such as Kubernetes and other cloud native environments.
 
