Preparing large organisations to protect their machine identities is the entire focus of our jobs here in Australia, New Zealand and Southeast Asia. Many of these organisations are grappling with how to achieve security at speed while sustaining rapid market advantage through cloud-based infrastructure.
So, Wilson and I put our futurist hats on and evaluated what’s happening right now and what we can anticipate happening in the near term. With an eye on the future, we can help organisations build a strong, scalable defense to safeguard their machine identities—one that is future-proofed with the convergence of IT, OT and IoT. As we begin to gear up for a new year of machine identity protection, we’d like to share with you some of the developments that we see on the horizon.
Expanding attack surface for machine identities
As machine identities continue to explode across the board in organisations of all sizes, the threat landscape also becomes bigger and more appealing. As the assets secured by machine identities become more valuable, cyber criminals will pay more to access them. The Cyber Security Research Institute (CSRI) found that code signing certificates sell for up to US$1,200 on the dark web.
Greater sophistication of attacks. Criminals and hackers are becoming more strategic in their approach, and are no longer so interested in fast access to small amounts of ransom. Instead, we see an increasing number of attackers carefully considering how to gain the most advantage (politically, financially, or for notoriety) by calculating how to release data strategically for maximum gain.
Increased political motivation of attacks. As more attackers gain more experience in manipulating machine identities, we expect to see an increase in the use of hackers for hire. These “special projects” are likely to be focused on influencing the outcome of sensitive elections and other key decision outcomes from public voting, referendums, plebiscites and statistical research.
More attacks targeted at nation states. As the political climate continues to be relatively uncertain, we believe there will be a significant increase in sophisticated attacks from organised criminal organisations. Some of these groups have the resources equivalent to a nation-state attack and will be very difficult to defend against. This will particularly impact government agencies and private organisations managing highly sensitive data.
Escalated maturity of the machine identity industry
The anticipated increase in machine identity attacks is likely to trigger further evolution of the overall machine identity industry. We’re likely to see new uses of machine identities and more discipline about how they are acquired. We’ve already seen changes in certificate authorities (CAs) and browsers, and we’re likely to see more.
Expanded use of blockchain. As the technology matures and we begin to be more comfortable with it, we believe there will be an increase in first-stage blockchain projects. The initial focus will likely be on trading platforms (stocks and materials), as well as in education and manufacturing processes. This move will present new and challenging security implications not previously considered.
Further CA consolidation. As the CA market continues to grow and evolve, it may challenge smaller players. As a result, we’re likely to see more consolidation of public CAs. In fact, we believe that we will see several of the smaller public CA companies be acquired for their customer base, and respected roots of trust will be reduced.
Falling prices for DV certificates. Devaluation of DV certificates will continue; thus, the increasing competition will hurt smaller CAs and help the larger companies that have an established enterprise or public sector root of trust, as they can issue higher-value EV certs. Use of DV certificates will grow rapidly, but they will be low priced or free.
Increasing consequences for machine identity violations
Last year, the Facebook/Cambridge Analytica scandal opened a new door in concerns over the perceptions of privacy. But arguments over government-mandated encryption backdoors have been active for several years now. GDPR certainly upped the ante for privacy violations. And we’re likely to see further discussion and developments on privacy in the coming year.
Tighter privacy laws. Until recently, there has been a reluctance to enforce the laws and levy the penalties. However, the honeymoon is over and that is expected to change in 2019 and beyond. Enforcement of privacy laws will continue to strengthen as community tolerance for large-scale breaches decreases. We believe that move will be exacerbated by a corresponding increase in the lack of trust as consumers opt out of public records and data retention.
Greater accountability at the top levels. C-level executives are coming under increased pressure and scrutiny. As a result, some have been removed by Boards of Directors for lack of governance and compliance that have resulted in large-scale sensitive public breaches. As evidence surfaces about executives covering up breaches, shareholder patience is waning. As a result, these large-scale breaches impact investor funds by devaluation of share price or brand reputation.
Looking ahead: The future of machine identities in a nutshell
Wilson and I believe that we’ll see further widespread use of encryption to help organisations alleviate threats and protect privacy, and this will exacerbate the need for protection of machine identities. These identities will be used to create encrypted connections, which, whilst protecting privacy of authorized users, also protect the privacy of any criminal who has entered the environment via a stolen certificate or set of keys.
Machine identities will continue to explode in both IT and OT environments. Many of these devices, previously considered innocuous locations (white and brown goods, guest access, POS and kiosks, etc.), will be used by criminals to gain access to core networks and to critical protected assets. We believe this will change the security posture for architectures such as segmented networks and increase the importance of short validity cycles and immediate revocation for privileged access and certificate lifecycles.
Are you ready to protect your machine identities in the coming year?