
Making a Business Case for Machine Identity Intelligence

Breach, cybersecurity, certificate management
April 18, 2019 | Guest Blogger: Helen Beal

When we talk about cybersecurity and particularly identity and access management, we frequently default to thinking about the human element of the risks involved, rather than the machine. But enterprises manage a proliferating number of machines, the rate accelerating with the adoption of cloud, container and microservices technologies—all of which have their own identities, validated by certificates, which present another attack surface to cybercriminals and a considerable management overhead. In this blog post I explore the business case for automating the management of these certificates to reduce work and risk.

Georgia State University's Evidence-Based Cybersecurity Research Group (EBCS) and the University of Surrey have discovered a thriving marketplace for SSL and TLS certificates on the dark web where the certificates are packaged with additional cybercrime services to make it easy to acquire extended validation certificates and perform attacks on web applications to steal data or eavesdrop on encrypted traffic.

A Forrester report, Securing the Enterprise with Machine Identity Protection, identified that organizations do recognize machine identity protection is core to their cybersecurity strategy and that they use three key success measures:

  1. Faster detection of breaches
  2. Improving automated compliance with security regulations and policies
  3. Reducing the total number of breaches

The report goes on to state:

“Sixty-one percent of companies say their biggest concern about machine identity and access management failure is internal data theft or loss, followed closely by theft or loss of customer data. At a time when safeguarding data helps generate and protect competitive advantages, it’s imperative that firms invest in the tools that deliver comprehensive machine identity protection.”

But how do individuals in Infosec roles justify the people and software investments required to ensure these risks associated with machine identities are properly mitigated?

The obvious place to start is with the worst-case scenario—the breach. The Breach Level Index tells us that nearly six and a half million data records are lost or stolen every day—that’s 75 a second. And these are numbers that are increasing all the time.

The 2018 Cost of a Data Breach Study from the Ponemon Institute, sponsored by IBM, puts the global average cost of a breach at $3.8 million, or $148 per data record. Again, these numbers are only expected to increase. Fixing a data breach is expensive; fixing it badly can be catastrophic when it comes to reputational damage.

The famous 2017 breach at Equifax went undetected for 76 days, in large part because of an expired certificate: the device that was supposed to decrypt and inspect outbound traffic had been running with an expired certificate, so the attackers' encrypted exfiltration was never inspected. The intrusion was only noticed once the certificate was renewed and inspection resumed.

So, there’s your first calculation: Avoidance of $3.8M cost of breach

Certificate expiration can cost organizations real money in lots of different ways too though. How about how Ericsson left millions of their UK customers without their mobile network services? Or, the horror, not being able to access Pokémon Go? Or being the party in power in the UK and having your website down? Or not being able to connect on LinkedIn?

All of these examples of the consequences of certificate expiration are downright embarrassing and some more than just inconvenient for the user—some have potential to cost users business and money too.

But what does it cost to do our best to avoid having our machine identities used in a breach in the first place?

From a people perspective we need to reduce the dependence on scarce machine identity security skills and on humans remembering to follow the rules for how machine identities are used and protected; in other words, we need to automate this activity. Automation removes the errors that come from forgetting to perform a step, or performing it inconsistently. We also need to make machine identity protection more visible and easier for everyone to understand. In the DevSecOps world there is the tenet that security is not one person or team's job, but everyone's job.

From a process point of view, we need to enforce policies efficiently and build an inventory of machine identities. From a human perspective, this could be done by getting the right people into the right meetings (project and sprint planning, for example) at the right time. That is notoriously hard to do, particularly when most organizations experience security skills as a constraint, incidents happen, and people want to spend less time meeting and more time doing anyway. Building an inventory of machine identities can be an onerous and time-consuming job that is almost impossible to maintain manually, especially with the movement to treat machines like cattle, not pets, a challenge exacerbated once more by rapid environment provisioning in the cloud: every short-lived instance or container gets its own identity, and nobody is going to record it in a spreadsheet.

Your next calculation: The cost of policy enforcement and inventory creation and management

From a technical perspective, we want to minimize the manual overhead around the switching of certificate authorities and replacement of vulnerable machine identities and be assured that we are responding quickly to cryptographic security events.

Your next calculation: The cost of certificate provisioning and management, and fixing certificate expiration issues
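To make the inventory and expiration problems above concrete, here is an added example (mine, not code from the original post or from Venafi) of the kind of check that automation replaces. It needs only the openssl command-line tool: it walks a directory of PEM certificates, records each one's SHA-256 fingerprint, subject, issuer and expiry, classifies it as EXPIRED, RENEW_SOON or OK against a renewal window, and flags RSA keys shorter than 2048 bits or SHA-1/MD5 signatures so that "vulnerable machine identities" and a distrusted issuer can be found from the same listing. The 30-day window, the 2048-bit minimum, the file names and the hostnames are illustrative assumptions; the self-signed certificates it generates are constructed sample input standing in for real machine identities.

```shell
# Added example (not from the original post): build a machine-identity
# inventory from PEM certificate files and flag the ones that need attention.
# Requires only the openssl CLI. Thresholds, file names and hostnames below
# are illustrative assumptions.

# Helper: is the certificate still valid $2 seconds from now?
# "openssl x509 -checkend N" exits 0 when the cert has not expired by then.
_valid_for() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; }

# Expiry status: EXPIRED, RENEW_SOON (expires within $2 days, default 30) or OK.
cert_status() {
    cert="$1"; warn_days="${2:-30}"
    if ! _valid_for "$cert" 0; then
        echo EXPIRED
    elif ! _valid_for "$cert" $((warn_days * 86400)); then
        echo RENEW_SOON
    else
        echo OK
    fi
}

# Crypto-hygiene check: print a reason if the signature hash is SHA-1/MD5 or
# an RSA key is shorter than 2048 bits (assumed minimum); print nothing if fine.
# EC keys are not judged by bit length here.
cert_weak_crypto() {
    text=$(openssl x509 -in "$1" -noout -text)
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n1 | tr 'A-Z' 'a-z')
    alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
    case "$sig" in *sha1*|*md5*) echo "weak-signature:$sig"; return 0 ;; esac
    if [ "$alg" = rsaEncryption ] && [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        echo "short-key:${bits}bit"
    fi
}

# One tab-separated inventory line:
#   STATUS  WEAKNESS  SHA256-fingerprint  notAfter  subject  issuer
# The issuer column is what you filter on when a CA has to be replaced.
inventory_line() {
    cert="$1"; warn_days="${2:-30}"
    fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha256 | cut -d= -f2)
    end=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)
    subj=$(openssl x509 -in "$cert" -noout -subject | cut -d= -f2-)
    iss=$(openssl x509 -in "$cert" -noout -issuer | cut -d= -f2-)
    weak=$(cert_weak_crypto "$cert"); [ -n "$weak" ] || weak=-
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
        "$(cert_status "$cert" "$warn_days")" "$weak" "$fp" "$end" "$subj" "$iss"
}

# Scan every *.pem and *.crt file in a directory.
inventory_dir() {
    for f in "$1"/*.pem "$1"/*.crt; do
        [ -f "$f" ] || continue
        inventory_line "$f" "${2:-30}"
    done
}

# Constructed sample input: self-signed certificates standing in for real
# machine identities (the hostnames are made up).
make_sample_certs() {
    dir="$1"
    # healthy 2048-bit certificate with a year of validity
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/web.key" -out "$dir/web.pem" \
        -days 365 -subj /CN=web01.internal.example >/dev/null 2>&1
    # certificate that expires in 5 days: RENEW_SOON at a 30-day window
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/api.key" -out "$dir/api.pem" \
        -days 5 -subj /CN=api01.internal.example >/dev/null 2>&1
    # legacy 1024-bit key: still valid, but flagged as weak
    openssl req -x509 -newkey rsa:1024 -nodes -keyout "$dir/old.key" -out "$dir/old.crt" \
        -days 365 -subj /CN=legacy.internal.example >/dev/null 2>&1
}

# Run as: sh inventory.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d); make_sample_certs "$d"; inventory_dir "$d" 30; rm -rf "$d"
fi
```

Run with the `demo` argument to see the three constructed certificates listed with their status; point `inventory_dir` at a real directory of exported certificates to get the same report for your own estate. Scheduling this (or the equivalent against a load balancer or Kubernetes secrets) is the cheap version of the "continuous visibility" discussed below; what it does not give you is the discovery of certificates nobody exported, which is where the manual inventory cost comes from.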

What is the human cost to achieve the level of risk mitigation an automation solution provides?

I’ve put together a table that you might want to use to estimate the costs in your organization, adjusting the amounts for the set-up in your own organization. The calculations are based on managing 1000 machine identities and assuming fully loaded cost of an FTE of $100 per hour (use the calculation: ((a x b) x $100) = c for all lines):

Over and above all of this, you may want to consider the hidden costs of certificate management, things like: slowing down revenue generating functions, fixing avoidable audit findings and stealing resources from more value-added work.

Using your business case, you can justify making an investment in a continuous visibility capability that is actively surveilling machine identities. You’ll be prepared to rapidly identify unauthorized access and privilege escalation and prevent a horrible breach, thus protecting your reputation from damage and avoiding all the necessary remediation costs.

Comprehensive intelligence across the entire machine identity life cycle, covering certificate enrollment, installation, renewal and revocation, is what protects the authorized, encrypted communications between machines. This level of machine identity intelligence will allow you to avoid much of the cost associated with managing the certificates in your machine landscape, and to be confident you're covered with your boss, your peers and your auditors.

It’s a safer, cheaper way to run your business and should be a core part of your cybersecurity strategy and operation.
