RSA 2019: Machine Identity Protection
•
0 j'aime•263 vues
This document discusses the growing problem of machine identities in organizations. It notes that while billions are spent annually protecting user identities, protection of machine identities is just beginning. The number of machines and their identities is growing exponentially due to factors like cloud computing, IoT, and containerization. When machine identities fail through things like expired certificates, it can lead to security breaches. Most organizations don't have full visibility or control of their machine identities. The document argues that organizations need intelligence, automation, and visibility into their machine identities to avoid security risks like man-in-the-middle attacks stemming from misused certificates or compromised certificate authorities.
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à RSA 2019: Machine Identity Protection
Similaire à RSA 2019: Machine Identity Protection (20)
Dernier
Dernier (20)
RSA 2019: Machine Identity Protection
- 1. // // Identity Iceberg Ahead! Machine Identities and Their Protection © 2019 Venafi. All Rights Reserved.1 Michael Thelander, Director of Product Marketing, Venafi
- 2. // // Two Actors on a Network © 2019 Venafi. All Rights Reserved.2 Machines Machine Identities People Usernames & Passwords Identity?
- 3. // // Two Actors on a Network People Usernames & Passwords : Identity & Access $8 Billion spent annually to protect Machines Machine Identities Just beginning… © 2019 Venafi. All Rights Reserved.3
- 4. // // Number of People vs Machines People Usernames & Passwords Machines Machine Identities © 2019 Venafi. All Rights Reserved.4
- 5. // // Identities Want to Be Stolen People Usernames & Passwords © 2019 Venafi. All Rights Reserved.5 Machines Machine Identities
- 6. // // Slide Content What Are Machines? © 2018 Venafi. All Rights Reserved.6 Devices Futures: Algorithm & Blockchain ServicesCode
- 7. // // What Establishes Machine Identities? © 2018 Venafi. All Rights Reserved.7 SSH Keys SSL/TLS Certificates Code-signing Certificates Mobile & IoT Certificates Digital Keys and Certificates = Machine Identities
- 8. // Copyright © 2018 InformationSystems Audit and Control Association, Inc. All rights reserved. The Network is Growing Exponentially 0.0 10.0 20.0 30.0 40.0 50.0 2005 2010 2015 2020 2025 0.0 50.0 100.0 150.0 200.0 250.0 300.0 2005 2010 2015 2020 2025 PROJECTED GROWTH (IN BILLIONS) PEOPLE APPLICATIONS MACHINES DEVICES Growth Factors • Cloud • Virtual Machines • Containerization • DevOps • Mobile Devices • Internet of Things • Industrial IoT • Data Access • Privacy Laws More Machines = More Automated Connections People Machines
- 9. // // //9 © 2018 Venafi. All Rights Reserved. When Machine Identities Fail: Part 1 Detailed, factual investigation into the failures leading to a damaging, costly breach
- 10. // // //10 © 2018 Venafi. All Rights Reserved. When Machine Identities Fail: Part 1
- 11. // // //11 © 2018 Venafi. All Rights Reserved. When Machine Identities Fail: Part 1 Unknown machine identity Expired certificate Expired means it can’t inspect Can’t inspect means it’s blind to attack “Defense in Depth” fails because a machine identity failed.
- 12. // // //12 © 2018 Venafi. All Rights Reserved. When Machine Identities Fail: Part 2 & 3
- 13. // // When Machine Identities Fail: Part 4 13 © 2019 Venafi. All Rights Reserved.
- 14. of organizations don’t know where machine identities are active in their networks1 95% Global 5000 companies have tens of thousands of SSL/TLS certificates and keys on average2… With a 25% annual growth rate3 Many organizations have millions of SSH keys1 1. Venafi Professional Services. 2017. 2. Ponemon Institute. 2015 Cost of Failed Trust Report: Trust Online is at the Breaking Point. 2015. 3. Dimensional Research. Survey on Growth of Cryptographic Keys and Digital Certificates. 2017. © 2018 Venafi. All Rights Reserved.14 //
- 15. 0% 10% 20% 30% 40% 50% 60% 2013 2014 2015 2016 2017 2018 2019 2020 Percentage of SSL-related Network Attacks “70% of network attacks will use SSL by 2020” - Gartner Predictions Gartner. Predicts 2017: Network and Gateway Security. December 13, 2016. Gartner ID# G00317597 © 2018 Venafi. All Rights Reserved.15 //
- 16. Risk of Inaction// • Man-in-the-middle attacks are enabled by misused certificates • Spoofed websites use stolen or forged SSL/TLS keys & certificates • Compromised CA’s threaten trusted status • Code-signed malware sidesteps infosec controls • SSH keys are shared or leave with terminated employees © 2018 Venafi. All Rights Reserved.16 //
- 17. // // © 2018 Venafi. All Rights Reserved.17 Enterprises must have insight & intelligence about their machine identities – where they are, how they’re used, the risks they pose, and what actions are required Intelligence Enterprises must have powerful, automated capabilities to secure, protect and manage their machine identities at the speed & scale of the modern AutomationVisibility Enterprises must have a single pane of glass and a single system of record for all their machine identities What’s Needed to Avoid the Iceberg?
- 18. // // Venafi Invented the Technology*…… that protects machine identities for the world’s largest and most security- conscious organizations. © 2019 Venafi. All Rights Reserved.18 *31 patents for machine identity protection
- 19. - 3 of 5 top U.S. Retailers U.S. Health Insurers 5 of 5 top U.S. Airlines 5 of 5 top U.S., U.K., AU & S. African Banks 4 of 5 top3 of 5 top Accounting / Consulting Firms 4 of 5 top Payment Card Issuers The top global businesses are making Machine Identity Protection a priority
- 20. // // Thank You Visit www.venafi.com © 2019 Venafi. All Rights Reserved.20
Notes de l'éditeur
- Today we’ll be talking about machine identities—what they are and how to protect them. The problem is bigger than most people realize. As we step through this, ask yourself if you’re protecting all your machine identities. And if you’re not protecting all of them, we’ll discuss what you can do about it and why. Transition: Let’s start by discussing how machines are impacting business.
- Machine identities are critical to security and availability, but tend to be under protected. To understand why, let’s look at the two kinds of actors on every network—people and machines. [Click] People rely on user names and passwords to identify themselves and to gain access to machines, applications and devices. But machines don’t. They use digital keys and certificates to authenticate and secure communication between machines. [Click] Transition: In any complete identity and access management program, it’s important to secure and protect the identities of both people and machines, but in most organizations, that’s not what’s happening.
- Machine identities are critical to security and availability, but tend to be under protected. To understand why, let’s look at the two kinds of actors on every network—people and machines. [Click] People rely on user names and passwords to identify themselves and to gain access to machines, applications and devices. But machines don’t. They use digital keys and certificates to authenticate and secure communication between machines. [Click] Transition: In any complete identity and access management program, it’s important to secure and protect the identities of both people and machines, but in most organizations, that’s not what’s happening.
- Machine identities are critical to security and availability, but tend to be under protected. To understand why, let’s look at the two kinds of actors on every network—people and machines. [Click] People rely on user names and passwords to identify themselves and to gain access to machines, applications and devices. But machines don’t. They use digital keys and certificates to authenticate and secure communication between machines. [Click] Transition: In any complete identity and access management program, it’s important to secure and protect the identities of both people and machines, but in most organizations, that’s not what’s happening.
- Machine identities are critical to security and availability, but tend to be under protected. To understand why, let’s look at the two kinds of actors on every network—people and machines. [Click] People rely on user names and passwords to identify themselves and to gain access to machines, applications and devices. But machines don’t. They use digital keys and certificates to authenticate and secure communication between machines. [Click] Transition: In any complete identity and access management program, it’s important to secure and protect the identities of both people and machines, but in most organizations, that’s not what’s happening.
- The first problem is that 95% of organizations don’t know where machine identities are active in their networks. Organizations have tens of thousands of SSL/TLS certificates—and these are growing 25% per year on average. And we regularly see organizations that have hundreds of thousands, if not millions, of SSH keys and little or no visibility into how they are being used. Transition: These machine identities secure the connections and communications of our most critical systems, yet most organizations have limited visibility into their use—very unlike how they secure their usernames and passwords.
- Cybercriminals already know that businesses lack visibility and control of their machine identities and they are actively taking advantage of this. One example is the increasing use of SSL in network attacks. Today, about 50% of attacks use SSL to get malware in to enterprise networks and sensitive data out undetected, and Gartner predicts that this will increase to 70% by 2020. Transition: Let’s look at some of the ways that keys and certificates are used in cyber attacks.
- What is the risk of inaction? In other words, what happens if organizations continue to rely on manual or homegrown solutions? Here are some of today’s common threats. As mentioned before, compromised or forged keys and certificates enable man-in-the middle attacks, allowing cybercriminals to break into encrypted tunnels and eavesdrop on communications. Compromised or forged certificates are also used to make spoofed websites appear legitimate. This makes it difficult for users to recognize the site as malicious and has even fooled employees of the victimized companies. Companies that don’t have automated machine identity protection also struggle following a CA compromise. They can’t identify all of the certificates issued by the compromised CA and can’t replace those certificates quickly. Without machine identity protection, organizations are also vulnerable to the theft of their code-signing certificates, which can be used to sign malware to make malware appear legitimate. Code signed malware can’t be caught by security controls because the automatically trust code signed by certificates from legitimate companies. According to Intel, there are now well over 20 million malicious binaries signed by legitimate certificates. Unprotected SSH keys also make organizations vulnerable. Employees leave companies and take SSH keys with them—intentionally or unintentionally. Often these SSH keys are not disabled, exposing companies to unauthorized privileged access that can be used to further elevate access and allow broader network penetration to go undetected. Transition: And these risks are on the rise.
- Here’s what’s required for effective Machine Identity Protection: Visibility – start with visibility into all your machine identities across your hybrid IT enterprise. Awareness – know when any changes are made to your keys and certificates Centralization – create a centralized inventory with automated lifecycle management Standardization – set consistent security policies across the business, but customize by use case when needed Integration – make machine identity management part of your broader identity and access management, operations and security processes Automation – build keys and certificates into your IT services with automated provisioning and lifecycle Incident Response – ensure machine identity management and security is part of your incident response plan—before an incident occurs. This enables detailed investigations and automated replacement of keys and certificates when needed. Transition: Let’s look at how Machine Identity Protection could be rolled out step by step.
- About 60 percent of the Fortune 200 are investing in Machine Identity Protection and actively managing and securing their keys and certificates. [CLICK] And those investing in key and certificate security span across industries. The top companies in Airlines, Health Insurance, Retail, Banking, and more. Transition: Are you ready to join them?