Identity Wars: Episode II – Attack of the Clones

July 9, 2020 | Juan Asenjo, nCipher Security


In the second episode of the Star Wars franchise, Attack of the Clones, the Galactic Republic breeds a massive army of clone troopers to fight separatist forces. However, a compromised identity template is used to program the clones, which later makes them turn against their Jedi masters and the Republic. In the real world today, organizations use growing armies of machines for efficiency, productivity, agility and speed. Machines, including smart devices and applications, increasingly manage critical enterprise systems and data. Without a way to assign trusted identities, the legitimacy of machines and the integrity of the data they process cannot be validated, creating serious threats for organizations.

In this blog, and in an accompanying one by Paul Cleary from Venafi, titled “Identity Wars: Episode I – The Phantom Menace”, we explore the challenges that organizations face when orchestrating machine identities and how to mitigate the risks.

Trusted identities

People and machines make up enterprise systems. To ensure trust, both must have trusted identities. People typically employ usernames, passwords, and tokens to identify themselves when seeking access to systems. Machines use keys and digital certificates. However, it is not difficult to forge or clone identities and enable rogue users and machines to impersonate their legitimate counterparts.

While for years organizations have spent millions protecting user (people) identities, they spend only a fraction protecting the identities of machines, even though machines significantly outnumber people in the make-up of today’s enterprise systems. With the number of connected machines rapidly growing, organizations require automated lifecycle orchestration of keys and certificates to establish machine identities. As demand for these identities increases, enterprises need tools to enable the secure orchestration of the keys and certificates throughout their lifecycles.

Attack scenarios

As enterprises embrace digital transformation and its innovative services through the deployment of interconnected Internet of Things (IoT) machines, they quickly recognize the need to orchestrate an exponentially growing volume of machine identities. Securing this process is the first step in ensuring that devices and applications are authentic and authorized to be part of the ecosystems delivering new services. Interconnected and distributed ecosystems have also increased the number of attack vectors that can be exploited. These may compromise not only machine identities, but also the software and firmware that run on these machines. To safeguard against these vulnerabilities, and to protect the confidentiality and integrity of the data that machines collect, organizations face an increasing need for robust cryptographic keys and key protection across the enterprise.

Keys that are generated and stored in software can be susceptible to file and memory scraping, and can be subject to side-channel attacks that exploit the inherent internal operation of the systems. When enterprises orchestrate their SSL/TLS certificates and SSH keys—as well as their code signing, mobile and IoT certificates—it is critical that these keys be produced with high-entropy random number generators, and that they be given the strongest protection throughout their lifecycle.

Root of trust

Keys and certificates underpin the security of cryptographic systems. A compromised signing key can enable an attacker to issue rogue certificates to users and machines that would appear—and be validated—as being legitimate. For this reason, keys establish the root of trust, and protecting them is fundamental.

Generating keys in a hardware security module (HSM) addresses these risks by producing strong FIPS-compliant signing keys with maximum entropy, using hardware random number generation and secure hardware protection. HSMs are specialized, hardened devices designed specifically for generating and protecting the cryptographic keys that underpin the rest of the system.

Way forward

Just as the Republic needed to trust the identities of its clones, organizations today need to trust the identities of increasing numbers of machines conducting critical business. Venafi and nCipher have joined forces to help address the machine identity protection challenge. Venafi’s fast, automated orchestration of machine identities leverages the strong hardware-based security provided by nCipher nShield HSMs. The Venafi Trust Protection Platform delivers key and certificate orchestration with key pairs securely maintained by the nCipher nShield HSM, deployed on-premises or as a service. With enforced security policies and workflow controls, customers improve their security posture, maximize availability, increase efficiency, and ensure compliance. The integrated solution ensures the trustworthiness of critical systems and secures the data upon which enterprises depend.

To learn more, download our solution brief and stay tuned for more episodes of this saga. In the next blog series, we will explore security considerations for producers and consumers of machine identities.
