SHARING INTEL: Why full ‘digital transformation’ requires locking down ‘machine identities’

Digital commerce has come to revolve around two types of identities: human and machine.

Great effort has gone into protecting the former, and yet human identities continue to get widely abused by cyber criminals. By comparison, scant effort has gone into securing the latter. This is so in spite of the fact that machine identities are exploding in numbers and have come to saturate digital transformation.


I’ve conversed several times with Jeff Hudson about this. Hudson is CEO of Salt Lake City, UT-based Venafi, a leading provider of machine identity protection solutions. Each time I’ve come away with a better grasp of how machine identities have come to play such a pivotal role in the IT systems taking us forward – and yet how vulnerable they remain to attack in the current environment.

We had a chance to meet again at Black Hat 2019. For a full drill down of our wide-ranging discussion please give a listen to the accompanying podcast. Here are a few key takeaways:

Machines on the march

Cloud computing and DevOps have given rise to a whirlwind of new types of machines. A machine, in this context, refers to any piece of hardware or software that can accept and execute instructions. The hardware servers humming along in vast data centers are, indeed, machines.

And so are the modular “microservices” written by far-flung third-party developers, who specialize in mixing, matching and reusing microservices assembled inside of software “containers,” which are another type of machine. APIs, the interface coding that allows two different machines to exchange data – for instance, an IoT device and a command server — are machines as well. This is how cool new digital services are getting spun up at high velocity.

Each single one of these digital machines, obviously, needs a unique identity or there would be chaos. Machine identities are divvied out as digital certificates issued by Certificate Authorities (CAs), vendors that diligently verify the authenticity of websites. These certificates leverage something called the public key infrastructure (PKI), a framework for encrypting data and authenticating the machines talking to each other. This all unfolds in Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS).

Now consider that cloud computing is still on the rise, and that the Internet of Things is on the verge of rapid expansion as more 5G networks come on line. The number of machines, and machine identities in the form of digital certificates, has only one way to go: up.


“One of the really interesting things that’s happened is that corporations are actually turning into software developers,” Hudson observes. “You’ve got people throughout the organization creating code. It’s not just the developers in IT anymore. It’s business analysts, people doing workflows, and robotics being created, all of which raises the question, ‘How do I know if I can trust the code?’”

Untrustworthy certificates

The answer for many organizations in today’s environment is, simply: “you can’t.” Threat actors on the leading edge are taking full advantage of ripe opportunities. They’ve been quick to recognize that all too many organizations have a limited understanding about these fresh cyber risks.

Many senior executives have little clue as to how many SSL/TLS digital certificates, which expire and need to be renewed, exist in their network. A recent Venafi poll found CIOs reporting a rising level of system outages over the past 12 months caused by expiring certificates. It’s typical for an enterprise to rely on tens of thousands of digital certificates, with the number growing daily, thanks to digital transformation. CIOs are having trouble wrapping their minds around the complexity of keeping all of their digital certificates current, much less secure.

“This is the lower level technology that represents the keys to the kingdom,” Hudson says. “The technology makes a certificate, which is an encrypted key — in effect an identity. It’s just like you have a driver’s license, a passport or a birth certificate.”

In one attack that drew headlines earlier this year, computer maker Asus confirmed reports that someone successfully hacked the servers that Asus used to remotely issue firmware updates to its customers. The attackers then sent out an update containing malware, signed with what appeared to be a legitimate Asus digital certificate. This cleared the way to push malware onto 70,000 Asus computers in the field.

Notably, Asus declined to comment on reports that the hackers were tied to the Chinese government and were able to pull off the hack by using a stolen digital certificate to authenticate the tainted firmware updates. Stolen and counterfeited machine identity certificates have become commonplace.

Over the past two years a thriving cottage industry has taken shape around creating and selling counterfeit digital certificates. According to a report from Recorded Future, anyone can purchase faked certificates issued by Certificate Authorities such as Comodo, Thawte and Symantec, which has since sold its certificate business to DigiCert. Prices for bogus machine identities range from $299 to $1,799.

“What we know is today there’s about 22 million pieces of malware floating out there in the wild that look like authentic code-signing certificates, because someone stole the code-signing certificate from the legitimate source, or impersonated it,” Hudson says.
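The passages above describe two separate failures of machine identity: certificates that silently expire and take systems down with them, and signed malware that passes because the verifier never asks whether the signing certificate is actually trusted. The following Go program is an added example, not code from the article or from Venafi. It stands up a constructed enterprise root CA in memory, issues a legitimate code-signing identity that expires in 20 days, and builds an attacker-style self-signed certificate that merely copies the legitimate subject name. It then shows what a careful verifier of a firmware image should do: check that the signing certificate chains to a trusted root, is still valid, and is permitted for code signing before checking the signature itself. All names, dates, and the "firmware" bytes are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mintCert generates a P-256 key and a certificate for subject, valid over
// [notBefore, notAfter] and signed by parent/parentKey; with parent == nil the
// certificate signs itself (a root CA, or an attacker's home-made identity).
func mintCert(subject string, isCA bool, eku []x509.ExtKeyUsage, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // no entropy: nothing sensible to do in an example
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: subject},
		NotBefore: notBefore, NotAfter: notAfter,
		IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // der was just produced above, so it parses
	return cert, key
}

// daysUntilExpiry is the inventory question the text says CIOs struggle with at
// scale: whole days left before this certificate stops working.
func daysUntilExpiry(cert *x509.Certificate, now time.Time) int {
	return int(cert.NotAfter.Sub(now).Hours() / 24)
}

// signArtifact signs the SHA-256 digest of an artifact (think: a firmware image).
func signArtifact(key *ecdsa.PrivateKey, artifact []byte) ([]byte, error) {
	d := sha256.Sum256(artifact)
	return ecdsa.SignASN1(rand.Reader, key, d[:])
}

// verifyArtifact accepts the artifact only if the signing certificate chains to a
// trusted root, is valid at now, is permitted for code signing, AND the signature
// matches. A mathematically valid signature under an untrusted certificate fails here.
func verifyArtifact(signer *x509.Certificate, roots *x509.CertPool, now time.Time, artifact, sig []byte) error {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("untrusted signing identity: %w", err)
	}
	pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
	d := sha256.Sum256(artifact)
	if !ok || !ecdsa.VerifyASN1(pub, d[:], sig) {
		return fmt.Errorf("signature does not match artifact")
	}
	return nil
}

// runScenario builds the constructed CA, the legitimate signer (20 days from expiry) and
// the look-alike fake, then returns the verification outcome of each case.
func runScenario() (trusted, tampered, rogue, expired error, daysLeft int) {
	now := time.Date(2019, 8, 10, 0, 0, 0, 0, time.UTC) // constructed "today"
	day := 24 * time.Hour
	root, rootKey := mintCert("Example Corp Root CA", true, nil, now.Add(-365*day), now.Add(3650*day), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	cs := []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	legit, legitKey := mintCert("build.example.internal", false, cs, now.Add(-day), now.Add(20*day), root, rootKey)
	fake, fakeKey := mintCert("build.example.internal", false, cs, now.Add(-day), now.Add(365*day), nil, nil)
	firmware := []byte("constructed firmware image v1.2.3")
	sig, _ := signArtifact(legitKey, firmware)
	fakeSig, _ := signArtifact(fakeKey, firmware)
	trusted = verifyArtifact(legit, roots, now, firmware, sig)
	tampered = verifyArtifact(legit, roots, now, append([]byte("x"), firmware...), sig)
	rogue = verifyArtifact(fake, roots, now, firmware, fakeSig)          // same name, unknown CA
	expired = verifyArtifact(legit, roots, now.Add(21*day), firmware, sig) // one day past NotAfter
	return trusted, tampered, rogue, expired, daysUntilExpiry(legit, now)
}

func main() {
	trusted, tampered, rogue, expired, daysLeft := runScenario()
	fmt.Printf("trusted: %v\ntampered: %v\nrogue: %v\nexpired: %v\ndays left: %d\n", trusted, tampered, rogue, expired, daysLeft)
}
```

Only the first case is accepted. The fake signature verifies mathematically but is rejected because its certificate does not chain to the enterprise root, which is the check a naive "is the signature valid?" verifier skips. The last case is the outage scenario from the Venafi poll: the same identity that worked yesterday fails once its certificate lapses, and daysUntilExpiry is the kind of number an inventory needs to surface well before that happens.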

Avoiding derailment

From Hudson’s perspective, a major choke point today is the fact that software developers, many of whom are toiling as independent contractors, are generally held responsible for obtaining digital certificates for the components they’re working on. Many have come to view this as a burdensome necessity. One result has been key sprawl, a proliferation of poorly managed keys that translates into ripe criminal opportunities.

Venafi recently rolled out a service called Next-Gen Code Signing meant to address these shortcomings. It’s essentially a turn-key service to help software developers more efficiently obtain needed certificates while helping organizations proactively manage and secure machine identities going forward.

Venafi is helping 60% of Fortune 500 companies protect their machine identities. However, we’re in the early part of a familiar curve. The exponential increase in new machines supporting digital transformation, each requiring a trustworthy identity, is in an early phase. Criminal opportunities abound, and criminals using widely available hacking tools and proven tactics are taking full advantage.

“There’s only one thing that’s going to derail digital transformation, and it’s not Moore’s Law, it’s not storage, it’s not memory, it’s nothing like that,” Hudson says, “it’s ‘can we secure it?’ Right now there is an explosion in the number of machines, whether it goes into multiple clouds, or into a data center, or on mobile devices or in the Internet of Things, they’re going everywhere – and that is all an attack surface.

“And if we have machine identities that we can’t trust, what do we have? Chaos.”

I agree with Hudson. Enterprises are going to have to fully address how to secure machine identities in an increasingly complex and dynamic environment. At some point, they may have to take their foot off the innovation accelerator to do what’s necessary. I’ll keep watch.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)


*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: