Identity Wars: Episode IV – The Rise of Skywalker and Cybersecurity

machine identity management
August 11, 2020 | Paul Cleary

The final episode of the expansive Star Wars saga sees the Resistance engage in one last, great battle with what has evolved from the First to the Final Order. Ultimately this battle is representative of the larger scale struggle of the series, the Dark Side vs. the Light Side of the Force, but it also lends itself rather well to an analogy for the opposing forces present in the cybersecurity space. Everyone in our industry, from customer support engineers to CISOs, and all the security admins and enterprise architects in between are our Jedi.
 

The Sith, on the other hand, are represented by all the malicious actors out there hiding in encrypted traffic, selling stolen credentials and machine identities, and using every attack vector they can to get access to critical systems and data.
 

In the first two episodes of this blog series, my colleague at nCipher, Juan Asenjo, and I discussed some of the phantom menaces that target machine identities and can threaten an organization’s security. We offered insight into tools and best practices that can help protect against those threats.
 

In his next post, “Identity Wars: Episode VIII – The Last Jedi,” Juan will outline how a secure root of trust provided by a Hardware Security Module (HSM) like nShield acts as the last line of defense for enterprise security, and how an organization can incorporate that strong root of trust into its code-signing processes. In this blog, I’ll focus on how organizations, and their Jedi armies, can rise to the challenge of managing and protecting their critical machine identities.
 


The Case of Mistaken Identity

Emperor Palpatine, thought to be long defeated, is revealed to be calling the shots once more. Even more surprising is just what he’s been able to accomplish in that forgotten state, including producing a massive fleet of Star Destroyers that will eventually be used in a final push to take over the galaxy once and for all. All of this was made possible because he’d been using a puppet (Snoke) to do his bidding, gather followers and spread his message.
 

In the world we live in, a mistaken machine identity, or perhaps better put, a compromised machine identity, can be just as dangerous. The difference between Star Wars and the real world is the fact that if a machine identity is compromised and used as an entry point to an enterprise network or used to legitimately sign a piece of malware, it’s going to take more than 120 minutes and some special effects to recover from the damage. In fact, it might even be too late.
 

The best defense is to be prepared. Be aware. Have visibility into the identities, both human and machine, that are in use in your organization. Ensure that these critical identities are as secure as possible to prevent a compromise from happening in the first place. If a machine identity compromise does happen, have the tools needed to discover and alert you when it does and a plan in place to recover quickly.
 

Next-generation Code Signing

A code-signing certificate is a type of machine identity—signing a piece of code legitimizes that code and lets the end user know that it’s safe to install and use. It’s been said that, today, ALL companies are software companies. Even if your organization doesn’t publish applications consumed by your customers, it is increasingly likely that it employs developers who write software. It doesn’t matter whether the software will be packaged and shipped to millions of users, or if it’s only going to be used internally by a few teams in your organization—it must be trusted, and that trust is established using a machine identity. Better still, that identity should originate from, and be secured in, an HSM, which provides greater entropy for the initial private key generation and stronger, more secure hardware storage.
 

When it comes time to actually utilize that machine identity to sign code, the process to check the code-signing certificate out of secure storage needs to be protected as well. The certificate should only be accessible by specified users or build processes, and it should be available only at the time of signing. Once the code has been signed, there should be a clear audit trail providing details about that process. What code was signed? Which user or bot initiated the build? Did it receive the proper approvals beforehand? It’s much easier to answer these questions if you have the tools in place designed to secure the process.
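The controls described above (restricted access to the signing key, use only at signing time, and an audit record of what was signed, by whom, and with which approvals) can be modelled as a small signing gateway. This is an added illustration, not Venafi or nCipher code; the HMAC key stands in for a private key that would live inside an HSM, and the requester, approver and build names are constructed sample values.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass


class SigningDenied(Exception):
    """Raised when a request fails policy; the denial is still written to the audit trail."""


@dataclass
class SignRequest:
    requester: str      # user or build bot asking for the signature (constructed values in tests)
    build_id: str
    artifact: bytes     # the code to be signed
    approvals: list     # identities that approved this build beforehand


class SigningGateway:
    """Keeps the signing key behind a narrow interface, as an HSM would, and
    records every request, granted or denied, in an append-only audit trail."""

    # Constructed policy: who may request a signature, and how many independent approvals a build needs.
    ALLOWED_SIGNERS = {"ci-release-bot", "alice"}
    REQUIRED_APPROVALS = 2

    def __init__(self, key: bytes):
        self._key = key      # never returned to callers; used only inside sign() and verify()
        self._audit = []

    def sign(self, req: SignRequest, now=None) -> str:
        digest = hashlib.sha256(req.artifact).digest()
        entry = {"ts": now if now is not None else time.time(),
                 "build_id": req.build_id, "requester": req.requester,
                 "artifact_sha256": digest.hex(), "approvals": sorted(set(req.approvals))}
        # Approvals count only from distinct identities other than the requester.
        independent = set(req.approvals) - {req.requester}
        if req.requester not in self.ALLOWED_SIGNERS:
            reason = "denied: requester not authorized"
        elif len(independent) < self.REQUIRED_APPROVALS:
            reason = "denied: insufficient independent approvals"
        else:
            reason = None
        if reason:
            self._audit.append({**entry, "result": reason})
            raise SigningDenied(reason)
        sig = hmac.new(self._key, digest, hashlib.sha256).hexdigest()
        self._audit.append({**entry, "result": "signed", "signature": sig})
        return sig

    def verify(self, artifact: bytes, sig: str) -> bool:
        expected = hmac.new(self._key, hashlib.sha256(artifact).digest(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, sig)

    def audit_trail(self) -> list:
        return [dict(e) for e in self._audit]   # copies, so callers cannot rewrite history
```

Every call to `sign()` leaves an entry answering the three questions above (what was signed, who asked, who approved), and the key itself is never handed out.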
 

The Force of the Ecosystem

If the Jedi are the security experts protecting us from the evils of the dark side of threat actors, then the ecosystem of integrated tools and technologies is the force that supports the efforts of those experts. You should feel confident that you have the industry leaders behind you, building tools that seamlessly connect and make securing the data and machines of the enterprise a little easier. Together, nCipher and Venafi provide the tools needed to securely generate and store machine identities and orchestrate and secure the process by which those identities are automatically renewed, provisioned, and used.
 

To find out more, join Juan and me for the upcoming webinar “Beware the dark side, use trusted machines and HSMs to support critical business,” and may the force be with you.
 
