
Is World Password Day Forgetting about Another Critical Type of Identity?

April 30, 2019 | Eva Hanscom

Thursday is World Password Day. This event reminds consumers to “layer up” their logins by enabling multifactor authentication on their devices and online accounts.

World Password Day is a collaborative effort supported by dozens of companies, non-profits and cybersecurity organizations to raise awareness about the importance of improving password security. Through the efforts of World Password Day, millions of internet users across 251 countries have pledged to use better password habits – a good step toward addressing the threat of cybercrime.

However, is this important day missing a crucial element of identity protection? After all, businesses still need to address another growing identity and access management (IAM) concern: protecting their machine identities.

There are two actors on every network: people and machines. People rely on usernames and passwords to identify themselves to machines so they can gain access to data and services. Machines authenticate themselves and communicate with one another through the use of digital keys and certificates, which serve as machine identities.

Every year businesses spend billions of dollars protecting user identities. Indeed, the industry invests in many password security awareness events like World Password Day, but it spends very little on machine identity protection. Cybercriminals see this vulnerability and target the much more powerful and valuable machine identities for the access they grant across corporate networks.

“I think we need to expand events like World Password Day to include machine identities so that we can educate and encourage businesses to improve their machine identity protection practices and avoid unnecessary security risks,” says Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “As the number of machines in businesses continues to grow, protecting machine identities becomes even more critical.”

A good first step for many organizations is to learn how they use machine identities on their networks. For more, check out Scott Carter’s blog: 5 Ways Machine Identities Are Being Used In Your Organization [Why You Should Protect Them].

In the blog, Carter outlines five ways in which organizations use machine identities to protect sensitive machine-to-machine communication:
  • Securing web transactions. SSL/TLS certificates are critical to the security of web transactions, such as online banking and e-commerce. These certificates create an encrypted connection between a web browser and web server. If cybercriminals gain access to these critical machine identities, they can eavesdrop on encrypted traffic or impersonate a trusted system in a phishing attack.
  • Securing privileged access. Most organizations use SSH to secure system-administrator-to-machine access for routine tasks. SSH is also used to secure the machine-to-machine automation of critical business functions. SSH keys ensure that only trusted users and machines have access to sensitive network systems and data. However, if cybercriminals gain access to an organization’s SSH keys, they can use them to bypass security controls and gain privileged access to internal network resources and data.
  • Securing DevOps. DevOps teams use cloud-based, self-contained runtime environments, known as containers or clusters, to run individual modules called microservices. Each microservice and container should have a certificate to identify and authenticate it and to support encryption. These certificates serve as machine identities that allow containers to communicate securely with other containers, microservices, the cloud and the internet. Because DevOps teams are optimized for speed and have tight deadlines, developers may skimp on key and certificate security, thereby exposing their organizations to unnecessary security risks.
  • Securing communication on consumer devices. Digital certificates provide the foundation for authenticating mobile devices that access enterprise networks. They can also enable access to enterprise Wi-Fi networks and remote enterprise access using SSL and IPSEC VPNs. However, without central machine identity oversight, it’s difficult to protect these functions on mobile devices. If certificates are duplicated on multiple devices or past employees continue to use unrevoked certificates, an organization’s security risk increases.
  • Authenticating software code. Software is often signed with a certificate to verify the integrity of the publisher. When used properly, these certificates authenticate the code, which lets users and machines know it’s a trusted source. However, if cybercriminals steal code-signing certificates from legitimate companies, they can use them to sign malicious code or tamper with legitimate code. Because the malicious code is signed with a legitimate certificate, it doesn’t trigger any warnings, and unsuspecting users will trust that it is safe to install and use.
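As an added illustration of the “learn how machine identities are used” first step (example code, not from the blog or from any Venafi product), here is a small Python audit over a constructed certificate inventory that flags three of the risks listed above: a key duplicated across devices, a departed owner’s certificate that is still unrevoked, and a certificate that is expiring. Every record, user list, serial and fingerprint is a constructed placeholder.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class CertRecord:
    """One certificate observed on one device (hypothetical inventory row)."""
    serial: str       # certificate serial number (placeholder)
    spki_sha256: str  # fingerprint of the public key (placeholder, not a real hash)
    device: str       # where the certificate was found
    owner: str        # user or service the certificate was issued to
    not_after: date   # expiry date


# Constructed sample inventory: the same certificate on two laptops, one
# certificate belonging to a departed user, and one VPN certificate near expiry.
INVENTORY = [
    CertRecord("01", "spki-aaaa", "laptop-17", "alice", date(2020, 6, 1)),
    CertRecord("01", "spki-aaaa", "laptop-42", "alice", date(2020, 6, 1)),
    CertRecord("02", "spki-bbbb", "phone-03", "bob", date(2020, 9, 1)),
    CertRecord("03", "spki-cccc", "vpn-gw-1", "svc-vpn", date(2019, 5, 10)),
]
DEPARTED_USERS = {"bob"}   # constructed HR feed of users who have left
REVOKED_SERIALS = {"05"}   # constructed set of serials on the issuing CA's CRL
AS_OF = date(2019, 4, 30)  # audit date (the post's publication date)


def audit(inventory, departed, revoked, today, expiry_window_days=30):
    """Return sorted (finding, serial) pairs for the three risk conditions:
    key present on more than one device, owner departed but serial not
    revoked, and certificate expired or expiring within the window."""
    devices_by_key = {}
    for rec in inventory:
        devices_by_key.setdefault(rec.spki_sha256, set()).add(rec.device)

    findings = set()  # a set so the duplicated key is reported once
    for rec in inventory:
        if len(devices_by_key[rec.spki_sha256]) > 1:
            findings.add(("duplicated-key", rec.serial))
        if rec.owner in departed and rec.serial not in revoked:
            findings.add(("departed-owner-unrevoked", rec.serial))
        if rec.not_after <= today + timedelta(days=expiry_window_days):
            findings.add(("expiring", rec.serial))
    return sorted(findings)


def audit_sample(extra_revoked=frozenset()):
    """Run the audit on the constructed inventory; extra_revoked simulates
    the CA publishing additional serials on its CRL."""
    return audit(INVENTORY, DEPARTED_USERS, REVOKED_SERIALS | set(extra_revoked), AS_OF)
```

Feeding the same function a real inventory export and CRL is the point: the output is the list of machine identities that need action before they can be abused.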

Bocek concludes: “Cyber criminals are becoming bored primarily targeting people, so they are now exploiting the power of machine identities. Unfortunately, because many organizations don’t understand the risk, they haven’t invested in the intelligence or automation necessary to protect their machine identities.”

About the author

Eva Hanscom writes for Venafi's blog and is an expert in machine identity protection.
