Skip to main content
banner image
venafi logo

An Interview with Phil Agcaoili: Why Financial Services Organizations Need Machine Identity Protection

An Interview with Phil Agcaoili: Why Financial Services Organizations Need Machine Identity Protection

An Interview with Phil Agcaoili: Why Financial Services Organizations Need Machine Identity Protection
April 17, 2019 | Robyn Weisman

Phil Agcaoili, Chairman Ponemon Institute Fellows, can boast more experience in machine identities than almost anyone you’ll meet outside of Venafi itself. Back in 1998, Phil introduced himself to VeriSign by breaking into its network while he was sitting in in a VeriSign conference room discussing his startup SecureIT—which VeriSign later bought. “I recognized there’s one way hackers can easily infiltrate a network, and that’s by just plugging in,” Phil said during our interview for our ebook 7 CISOs Explain Why You Need Machine Identity Protection.

As was the case with the other security executives I interviewed last year, Phil discussed a lot of great stuff that I wasn’t able to include in our ebook. So, I’m using my latest blog post to share with you more of the details about what motivated Phil to deploy Venafi in his security stack and why machine identity protection is especially important for the payment card industry.

Robyn Weisman: First, let’s talk about the early days. Before machine identities became so prevalent, why was Network Access Control, or NAC, so important in the banking industry?

Phil Agcaoili: NAC restricts access to your network using identity management and determines whether machines can connect to it based on certain specific criteria. If the machine is non-compliant it’s denied access, even if the user of the machine has been properly identified. For big banks NAC is an FFIEC (Federal Financial Institutions Examination Council) regulatory requirement. According to the FFIEC handbook, you have to maintain a controlled environment and that includes knowing who or what is plugging into your network.

Robyn: What did you see as the biggest challenges with using NAC to manage identities at previous companies?

Phil: Early on, I was acutely aware of NAC requirements. But at that time Network Admission Control was fairly unstable. I needed a way to get around the technical difficulties of that technology at the time. By the mid 2000s, I left Cisco for Dell. My “Aha!” moment came when I melded Cisco’s network perspective with Dell’s hardware one. When you marry those two together and start thinking about the technical difficulties around Network Admission Control, you start asking yourself: “How do I connect a laptop into this network and make sure it’s properly authenticated and the person connecting the machine to the network is authorized to enter this space?

Then as network-based client technology changed, I moved us back toward using machine identities as a means to meet NAC requirements.

Robyn: In addition to the obvious regulatory requirements, why do you think having machine identity protection is important for the payments industry?

Phil: Machine identity protection acts as a countermeasure for rogue or unauthorized wireless access points. It enables legitimate infrastructure equipment to detect valid devices.

For example, if somebody succeeds in compromising your multifactor authentication, he’s not going to come in and steal your credentials. Instead he would VPN in with his own hardware. If he doesn’t have a valid machine certificate on his laptop, he wouldn’t be able to VPN his machine into my network even with the right credentials and multifactor authentication.

Depending on what industry research you read, compromised credentials has always been one of the top three reasons why a company gets hacked. Having certificates as machine identities on a laptop while it's connecting remotely over a VPN, subverts that type of compromise. Machine identity protection gives you another control you can use to avoid that single point of failure.

Robyn: When did you implement machine identity protection in your organization’s network security environment?

Phil: Venafi was part of my strategic road map from the moment I started working at my current company. There were other higher risk fundamental areas I had to address first. But the need was solidified when we changed how we did NAC here. When the network-based client technology changed, I moved us back toward machine identities.

Robyn: If you were talking to another CISO in the financial services industry, and they asked you for advice on machine identity protection, what would you tell them?

Phil: I would ask a couple questions: “How are you protecting your network from somebody plugging into it, either remotely or physically?” And “What are your other controls to mitigate compromised accounts?” Then I would tell them to take a good look at the various threat scenarios that are highest risk to them and consider how machine identity protection would make a difference in preventing them.

Has your organization considered machine identity protection as a necessary part of your network security, regardless of your industry? Let us know in the comments or on Twitter!

Related posts

Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

small house model on a spiderweb of cracks in the pavement

Outages Are Like Earthquakes—Both Are Catastrophic and Hard to Predict

Privileged access management, certificate manager, NIST

An Interview with CISO Shawn Irving: Why Machine Identity Protection Is Critical to Privileged Access Management

enterprise cyber security, PKI tool, iot protection

An Interview with CISO Justin Metallo: What It Takes to Protect Machine Identities

About the author

Robyn Weisman
Robyn Weisman

Robyn is a Senior Content Writer at Venafi. She helps enterprise IT vendors pinpoint their marketing challenges and develop content marketing strategies. She worked for several well-known technology trade publications for over 15 years, and has a Master's Degree in Screenwriting from USC.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat