DLP Strategies Protect Human Identities but Ignore Machine Identities

October 24, 2018 | Diederik Klijn

A lot of companies have implemented data leakage protection (DLP) solutions that are designed to protect against the leakage of personal (human) information. For example, most DLP solutions are optimized to protect personally identifiable information (PII) and classified or business-critical information shared (un)intentionally by employees. These products also ship with many default templates that help customers comply with all kinds of regulations, like PCI or HIPAA, that are designed to protect personal information.

But what many organizations fail to consider is that most DLP products also include the ability to recognize the leakage of machine identities, such as private keys. In many ways, these machine identities are just as valuable as (and arguably more valuable than) human identities.
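As an added illustration of the private-key detection the paragraph above refers to (example code written for this page, not Venafi's or any DLP product's rule set), the scanner below finds PEM private-key blocks in outbound content, notes whether the key is encrypted, and keeps look-alike blocks whose body is not real base64 (such as a documentation snippet containing `...`) as low-confidence findings instead of discarding them. The sample e-mail and its filler bytes are constructed for the example.

```python
import base64
import re

# PEM private-key labels (RFC 7468 plus the OpenSSH label) that a DLP
# content rule would match on. Added example, not any product's rule set.
PEM_PRIVATE_KEY = re.compile(
    r"-----BEGIN (?P<label>(?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----"
    r"(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)

def scan_for_private_keys(text):
    """One finding per PEM private key: type, encrypted (PKCS#8 label or legacy
    'Proc-Type: 4,ENCRYPTED' header), byte offset, and confidence. A block whose
    body is not valid base64 of plausible size is kept as low confidence."""
    findings = []
    for m in PEM_PRIVATE_KEY.finditer(text.replace("\r\n", "\n")):
        label, body = m.group("label"), m.group("body").strip()
        headers, sep, payload = body.partition("\n\n")  # RFC 1421 header block
        if not sep:
            headers, payload = "", body
        encrypted = label.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in headers
        try:  # binascii.Error (a ValueError) on non-base64 bodies such as '...'
            plausible = len(base64.b64decode("".join(payload.split()), validate=True)) >= 64
        except ValueError:
            plausible = False
        findings.append({"type": label, "encrypted": encrypted, "offset": m.start(),
                         "confidence": "high" if plausible else "low"})
    return findings

def dlp_verdict(text):
    """Policy action: block real key material, alert on look-alikes, else allow."""
    levels = {f["confidence"] for f in scan_for_private_keys(text)}
    return "block" if "high" in levels else "alert" if "low" in levels else "allow"

# Constructed sample: 96 filler bytes as base64, NOT real key material.
_FILLER = base64.b64encode(bytes(range(96))).decode()
SAMPLE_OUTBOUND_EMAIL = f"""Attaching the server key as requested; the wiki shows the format below it.
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00000000000000000000000000000000

{_FILLER[:64]}
{_FILLER[64:]}
-----END RSA PRIVATE KEY-----
-----BEGIN EC PRIVATE KEY-----
...
-----END EC PRIVATE KEY-----
"""
```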

Machine identities control the safe and private communications between machines as well as between humans and machines. If cyber criminals gain access to machine identities, then they can create covert channels that allow them to exfiltrate data under the cover of encryption. And while these encrypted tunnels are indeed nefarious, they use bona fide machine identities so they will appear to be legitimate.

That is why it is critical that organizations extend their DLP capabilities to include monitoring for machine identities. But the sad reality is that, in a lot of cases, organizations do not treat the leakage of machine identities as part of their DLP policy.

The fact that most organizations do not prioritize machine identities as part of their DLP efforts confirms a suspicion that I have long harbored: that machine identities are not on the radar of the people that are protecting key assets. This general ignorance begs the question, “why aren’t the keys to the crown jewels better protected?” In other words, why would organizations pay so much attention to preventing the unauthorized flow of personal data from the enterprise, yet so little attention to protecting the machine identities that would allow attackers to disguise the illicit flow of that privileged personal data?

Ironically, one of the best ways to protect human identities is by protecting machine identities. Indeed, once an underlying machine is compromised, cyber criminals may (in most cases) gain access to the critical personal data that it contains. Once this data is accessible, the attackers will find a way to hide it in all kinds of (encrypted) protocols and exfiltrate it from the network, as we have seen recently. And, as I mentioned above, they will often misuse machine identities to do so.

Given the significant role that machine identities play in protecting data that resides on machines, my advice to organizations would be to check whether machine identities are a significant part of your DLP policies.

After all, what is the value in trying to protect user data leaving the network, if you don’t protect the identity of the machines on which the data resides?

About the author

Diederik Klijn

Diederik Klijn writes for Venafi's blog and is an expert in machine identity protection.