
An Interview with CISO Justin Metallo: What It Takes to Protect Machine Identities

February 26, 2019 | Robyn Weisman

Justin Metallo, CISO at distilled beverages retailer Beam Suntory, had a fascinating story to tell when I interviewed him for Venafi’s ebook 7 CISOs Explain Why You Need Machine Identity Protection—and his excerpt in the book only scratched the surface of his story. And I wasn’t able to address Justin’s background, which includes being one of the first people ever to attend the U.S. Army’s elite cyber warfare school and his subsequent work on the Computer Network Defense Team (CND).

Unfortunately, I won’t be going into detail about Justin’s pre-Beam Suntory history (which, in a just world, would be a feature in People); however, I wanted Justin to go into more detail on the accounts he related in our CISO ebook. When Justin arrived at Beam Suntory, the company was not using a machine identity protection solution. They had a third-party partner that handled their internal PKI infrastructure, but Justin quickly discovered that neither the partner’s tool nor the company’s homegrown certificate management solution could handle the assignment of protecting machine identities.

Robyn Weisman: What was the first thing you experienced that awakened you to the PKI problem?

Justin Metallo: We had a pretty big network services outage in our APAC region. It affected Singapore, New Zealand and Australia. The certificates for all of their Cisco wireless access points expired at the same time because they all were bought in the same lots. Because all of these offices ran true wireless, no one in any of these offices had internet for several days. In fact, it took two or three days before they figured out the cause.

Our partner’s PKI tool couldn’t do discovery scans or manage anything that wasn’t in our PKI. So, there was no way it could handle a third-party certificate like the ones that had expired.

Robyn: What led you to consider a machine identity protection solution?

Justin: We started asking how many certificates we have, and we knew we had way more than those showing up in our PKI infrastructure. We had SSL certificates on our brand sites, code-signing certificates that are used by legal and compliance teams and certificates everywhere in our devices, like in our iPhones. And many of our apps used certificates. Our laptop certificates were part of our PKI, but our home-brewed certificate management system couldn’t manage them.

Robyn: So, what features were you looking for in a machine identity protection solution?

Justin: We had two criteria. First, it had to be able to discover and manage any type of certificate we had, whether it was on an IoT or traditional device or anything in the future. Also, it had to be cloud-based or hybrid-based because we're going that direction as part of a digital transformation. In five years, we probably will have few, if any, on-premise data centers. They will all be cloud based.

Second, it would need to be internet routed. We're dismantling a lot of our physical network infrastructure in favor of internet-routed WAN. So, the platform has to be able to operate in this sort of environment. Venafi not only checked both boxes, it outperformed the two other tools we did a bakeoff on as well.

Robyn: You mentioned “digital transformation.” Why is having machine identity protection so important given this transformation?

Justin: Because there are so many things no one has been looking at. For example, we have new vending machines that talk to each other. They not only dynamically update if they need restocking, but the ads they display on their LCD screens drive consumption. For example, at 10 PM, these machines know an ad for beer is going to work better than one for water. Instead of doing customer research and doing regression testing on data that we already have, they can, in real time, update themselves and each other with the ads that work the best—with no human intervention.

When I thought about how they identify themselves to one another, this whole little world universe in my brain exploded like the meme. Because none of those machines have any kind of identity or access management. And they’re connected to our SAP, which is our backend ERP, where all our money is stored.

Robyn: Yikes!

Justin: If anyone gets in at any point, they can spoof an order or pivot into the rest of our environment as well. That’s when I knew we had to get a handle on our machine identities.

After Justin came to this realization, he looked to see what other people in his industry were doing and then asked colleagues for their opinions. He was told that the most effective strategy would be to craft digital certificates in such a way that they also serve as machine identities. This would allow Beam Suntory to provision new machine identities on the fly and loop them into the company’s privileged access management solution.

How did your organization come to the conclusion you needed machine identity protection? Let us know in the comments or on Twitter!

About the author

Robyn Weisman

Robyn is a Senior Content Writer at Venafi. She helps enterprise IT vendors pinpoint their marketing challenges and develop content marketing strategies. She worked for several well-known technology trade publications for over 15 years, and has a Master's Degree in Screenwriting from USC.
