Outages: A Symptom of Machine Identity Protection Weakness

By Steven Satchwell, Director UKI at Venafi

Digital transformation has fundamentally changed the way business works. And nowhere is this change more profound than in the financial services industry, where the emergence of fintech and its rapid adoption of new technologies has dramatically changed the number of machines on enterprise networks.

Driven by the adoption of cloud, DevOps, and smart device technologies – as well as the growth of IoT devices – the definition of what is considered a machine on financial services networks has fundamentally changed. A machine can still be a physical device – a server, laptop or a router– but now, virtual machines, mobile applications, algorithms, containers and APIs also need to be treated as machines. All of these machines need to communicate securely and meet stringent compliance, reliability and availability requirements, which are all difficult challenges for many organisations. Organisations struggle to address these challenges because the keys and certificates that act as machine identities are poorly understood, weakly defended. They are also managed by two different teams, IT and security, with different goals which has allowed most organisations to overlook the important role machine identities play in security.

Machine Identities and IT

Traditionally, in financial services IT has been responsible for maintaining reliability, but this responsibility doesn’t address the role of machine identities in protecting corporate and consumer financial data. Instead, IT administrators focus on preventing machine identities from expiring unexpectedly, because when they do, critical infrastructure goes down and reliability and availability suffer. When certificate-related outages occur – and they happen to most organisations routinely – they are very difficult to diagnose, making it nearly impossible to respond quickly. This means IT administrators often choose the most expedient way to deploy and renew machine identities. This frequently involves a few shortcuts that can impact the security of these identities, but they allow the IT team to meet reliability and availability targets. After all, in banking, reliability and trust is what matters most. When a bank stops working it can severely constrain people’s lives and business, especially as in the UK with the decline of cash, set to fall to just 26% of sales by 2026.

Machine Identities and Security

Security teams work to ensure that communications between the rapidly shifting populations of machines on enterprise networks remain secure. Security teams don’t physically manage or even have access to the machines on which machine identities are installed. This creates a challenge, as security admins need to make sure machine identities comply with corporate policies, are deployed and configured correctly, and are renewed before they expire. The problem gets worse since these teams usually don’t have the tools needed to enforce corporate machine identity policies. In fact, they rarely even have basic information about all of the machine identities on their networks. In a recent survey by Venafi it was found financial services companies are only tracking 42% of the most common types of machine identities. When you think about it, it’s no wonder cybercriminals are exploiting weak, missing or unprotected machine identities in cyberattacks.

Security and Machine Identities

Let’s take a step back: Why do we even need machine identities? Enterprise networks use machine identities in all over their networks. One of the most common examples is TLS certificates that allow machines to determine if they can connect and communicate securely with other machines. This process is very similar to the way usernames and passwords function for humans. Without these credentials, access is denied. Keys and certificates function in the same way for machines.

Organisations recognise the fundamental role that identities play in security, so they spend billions of dollars every year protecting human identities. As a result, organisations can respond quickly when they have evidence that user credentials have been stolen or compromised.

Although machine identities grant even greater levels of privileged access than human identities, most organisations haven’t invested in technology to keep them secure. This means that a stolen, compromised or weak machine identity can persist on an enterprise network for weeks, months or even years. Machine identity protection is even more important in the payments industry as it can enable infrastructure to detect valid devices, preventing multifactor authentication being compromised and avoiding a single point of failure.

Outdated Security for Machine Identities

Organisations are not investing in machine identity security controls because they don’t understand the scale or scope of the problem. Often security teams are managing these critical security assets with a combination of patchwork dashboards, homegrown software and scattered spreadsheets.

These solutions might have worked five ago when organisations were only worried about a few hundred physical servers in the data centre, but today organisations have hundreds of thousands of machine identities. Without automated solutions to track, manage and protect their machine identities, there’s no way security or operations teams can keep up, never mind have full visibility. In financial services the most sensitive data people have is in question, the recent study found that 58% of people are most concerned about customer data theft or loss

The Link Between Outages and Security

Once you understand the profound lack of machine identity intelligence available to IT teams, it makes sense that nearly every IT department struggles with certificate-related outages. If you’re in the trenches, it’s less obvious that these outages are a symptom of a much larger security issue. And because the IT team isn’t discussing outage prevention with the security team it’s unlikely that executives will make the connection between persistent operational reliability problems and security risks.

The Light at the End of the Outage

The good news is that financial services organisations have found a way to solve this problem; we’ve figured out what needs to be done to improve machine identity protection. We also know that when we do this effectively, security and reliability also improve – often dramatically. Machines will only become smarter, more flexible and more ubiquitous over the next few years; will your organisation be ready?