Outages: A Symptom of Machine Identity Protection Weakness

By Steven Satchwell, Director UKI at Venafi

Digital transformation has fundamentally changed the way business works. And nowhere is this change more profound than in the financial services industry, where the emergence of fintech and its rapid adoption of new technologies has dramatically changed the number of machines on enterprise networks.

Driven by the adoption of cloud, DevOps, and smart device technologies – as well as the growth of IoT devices – the definition of what is considered a machine on financial services networks has fundamentally changed. A machine can still be a physical device – a server, laptop or a router – but now, virtual machines, mobile applications, algorithms, containers and APIs also need to be treated as machines. All of these machines need to communicate securely and meet stringent compliance, reliability and availability requirements, which are all difficult challenges for many organisations. Organisations struggle to address these challenges because the keys and certificates that act as machine identities are poorly understood and weakly defended. They are also managed by two different teams, IT and security, with different goals, which has allowed most organisations to overlook the important role machine identities play in security.

Machine Identities and IT

Traditionally, in financial services IT has been responsible for maintaining reliability, but this responsibility doesn’t address the role of machine identities in protecting corporate and consumer financial data. Instead, IT administrators focus on preventing machine identities from expiring unexpectedly, because when they do, critical infrastructure goes down and reliability and availability suffer. When certificate-related outages occur – and they happen to most organisations routinely – they are very difficult to diagnose, making it nearly impossible to respond quickly. This means IT administrators often choose the most expedient way to deploy and renew machine identities. This frequently involves a few shortcuts that can impact the security of these identities, but they allow the IT team to meet reliability and availability targets. After all, in banking, reliability and trust are what matter most. When a bank stops working it can severely constrain people’s lives and business, especially in the UK with the decline of cash, which is set to fall to just 26% of sales by 2026.

Machine Identities and Security

Security teams work to ensure that communications between the rapidly shifting populations of machines on enterprise networks remain secure. Security teams don’t physically manage or even have access to the machines on which machine identities are installed. This creates a challenge, as security admins need to make sure machine identities comply with corporate policies, are deployed and configured correctly, and are renewed before they expire. The problem gets worse since these teams usually don’t have the tools needed to enforce corporate machine identity policies. In fact, they rarely even have basic information about all of the machine identities on their networks. A recent survey by Venafi found that financial services companies are only tracking 42% of the most common types of machine identities. When you think about it, it’s no wonder cybercriminals are exploiting weak, missing or unprotected machine identities in cyberattacks.

Security and Machine Identities

Let’s take a step back: Why do we even need machine identities? Enterprises use machine identities all over their networks. One of the most common examples is TLS certificates, which allow machines to determine if they can connect and communicate securely with other machines. This process is very similar to the way usernames and passwords function for humans. Without these credentials, access is denied. Keys and certificates function in the same way for machines.

Organisations recognise the fundamental role that identities play in security, so they spend billions of dollars every year protecting human identities. As a result, organisations can respond quickly when they have evidence that user credentials have been stolen or compromised.

Although machine identities grant even greater levels of privileged access than human identities, most organisations haven’t invested in technology to keep them secure. This means that a stolen, compromised or weak machine identity can persist on an enterprise network for weeks, months or even years. Machine identity protection is even more important in the payments industry as it can enable infrastructure to detect valid devices, preventing multifactor authentication being compromised and avoiding a single point of failure.

Outdated Security for Machine Identities

Organisations are not investing in machine identity security controls because they don’t understand the scale or scope of the problem. Often security teams are managing these critical security assets with a combination of patchwork dashboards, homegrown software and scattered spreadsheets.

These solutions might have worked five years ago when organisations were only worried about a few hundred physical servers in the data centre, but today organisations have hundreds of thousands of machine identities. Without automated solutions to track, manage and protect their machine identities, there’s no way security or operations teams can keep up, never mind have full visibility. In financial services, the most sensitive data people have is in question: the recent study found that 58% of people are most concerned about customer data theft or loss.

The Link Between Outages and Security

Once you understand the profound lack of machine identity intelligence available to IT teams, it makes sense that nearly every IT department struggles with certificate-related outages. If you’re in the trenches, it’s less obvious that these outages are a symptom of a much larger security issue. And because the IT team isn’t discussing outage prevention with the security team, it’s unlikely that executives will make the connection between persistent operational reliability problems and security risks.

The Light at the End of the Outage

The good news is that financial services organisations have found a way to solve this problem; we’ve figured out what needs to be done to improve machine identity protection. We also know that when we do this effectively, security and reliability also improve – often dramatically. Machines will only become smarter, more flexible and more ubiquitous over the next few years; will your organisation be ready?
