Justin Metallo, CISO at distilled beverages retailer Beam Suntory, had a fascinating story to tell when I interviewed him for Venafi’s ebook 7 CISOs Explain Why You Need Machine Identity Protection—and his excerpt in the book only scratched the surface of his story. And I wasn’t able to address Justin’s background, which includes being one of the first people ever to attend the U.S. Army’s elite cyber warfare school and his subsequent work on the Computer Network Defense Team (CND).
Unfortunately, I won’t be going into detail about Justin’s pre-Beam Suntory history (which, in a just world would be a feature in People); however, I wanted Justin to go into more detail on the accounts he related in our CISO ebook. When Justin arrived at Beam Suntory, the company was not using a machine identity protection solution. They had a third-party partner that handled their internal PKI infrastructure, but Justin quickly discovered that neither the partner’s tool nor the company’s homegrown certificate management solution could not handle the assignment of protecting machine identities.
Justin Metallo: We had a pretty big network services outage in our APAC region. It affected Singapore, New Zealand and Australia. The certificates for all of their Cisco wireless access points expired at the same time because they all were bought in the same lots. Because all of these offices ran true wireless, no one in any of these offices had internet for several days. In fact, it took two or three days before they figured out the cause.
Our partner’s PKI tool couldn’t do discovery scans or manage anything that wasn’t in our PKI. So, there was no way it could handle a third-party certificate like the ones that had expired.
Justin: We started asking how many certificates we have, and we knew we had way more than those showing up in our PKI infrastructure. We had SSL certificates on our brand sites, code-signing certificates that are used by legal and compliance teams and certificates everywhere in our devices, like in our iPhones. And many of our apps used certificates. Our laptop certificates were part of our PKI, but our home-brewed certificate management system couldn’t manage them.
Justin: We had two criteria. First, it had to be able to discover and manage any type of certificate we had, whether it was on an IoT or traditional device or anything in the future. Also, it had to be cloud-based or hybrid-based because we're going that direction as part of a digital transformation. In five years, we probably will have few, if any, on-premise data centers. They will all be cloud based.
Second, it would need to be internet routed. We're dismantling a lot of our physical network infrastructure in favor of internet-routed WAN. So, the platform has to be able to operate in this sort of environment. Venafi not only checked both boxes, it outperformed the two other tools we did a bakeoff on as well.
Justin: Because there are so many things no one has been looking at. For example, we have new vending machines that talk to each other. They not only dynamically update if they need restocking, but the ads they display on their LCD screens drive consumption. For example, at 10 PM, these machines know an ad for beer is going to work better than one for water. Instead of doing customer research and doing regression testing on data that we already have, they can, in real time, update themselves and each other with the ads that work the best—with no human intervention.
When I thought about how they identify themselves to one another, this whole little world universe in my brain exploded like the meme. Because none of those machines have any kind of identity or access management. And they’re connected to our SAP, which is our backend ERP, where all our money is stored.
Justin: If anyone gets in at any point, they can spoof an order or pivot into the rest of our environment as well. That’s when I knew we had to get a handle on our machine identities.
After Justin came to this realization, he looked to see what other people in his industry were doing and then asked colleagues for their opinions. He was told that the most effective strategy would be to craft digital certificates in such a way that they also serve as machine identities. This would allow Beam Suntory to provision new machine identities on the fly and loop them into the company’s privileged access management solution?