If you’ve been following Venafi for any length of time, you’re probably familiar with John Graham, CISO of Birmingham, Ala.-based conglomerate EBSCO. Before I interviewed John for our eBook 7 CISOs Explain Why You Need Machine Identity Protection, I researched his background and discovered he had already worked with Venafi on a short video. I recommend watching this video, if only to admire John’s great hair—and of course, get his take on certificate management, a primary component of machine identity protection.
While John doesn’t say so straight out in his video, I gleaned that the reason so many organizations and security professionals have their proverbial heads in the sand (which ostriches in fact do not do!) when it comes to machine identity protection is because addressing it seems overwhelming and frankly, terrifying. Given what can possibly happen, who wouldn’t want to hide and hope some other part of their security stack magically handles the situation?
As with loanDepot CISO Billy Spears, I was unable to include John’s more in-depth viewpoints in the CISO eBook. Fortunately, this blog post lets me share more of John’s interview. I hope it illuminates and fortifies you in your quest for effective machine identity protection!
Robyn Weisman: Do you think visibility is the biggest challenge to effective machine identity protection?
John Graham: Visibility certainly is one of them. It’s that very first piece of knowing what’s there and what’s being consumed. If you don’t have that visibility, you won’t know how to tell when an anomaly happens. Visibility dovetails into the operational aspects of knowing when certificates are going to expire and making sure they are renewed—and managed overall, too.
Robyn: In your video, one of the main points you make has to do with lack of visibility and central oversight. Why do organizations let this continue? Is it a sort of learned helplessness?
John: There has been a historical perception around certificates being a bad thing because without using any kind of management tool set, they would expire. And that creates an entire escalation stack of: Wait, what’s what, and how do we get them renewed without a process in place?
When I was CISO of a global manufacturing company, we had these types of dialogues. We didn’t have too many certificate expirations occur there, but we also weren’t heavily utilizing certificates until we really started using Venafi. Then we had the inventory and some of the processes and modeling in place, which allowed us to start expanding the use of certificates for machine identity protection. And this was great for us because it let us do more authentication by using device authentication [automation?]. The users didn’t really have to be involved in it.
Robyn: What was the progression toward effective machine identity protection at your company?
John: First, we realized that the internal teams were doing their own things separately from one another, and that bothered us because we had no inventory and no real visibility of what was legitimate and what wasn't legitimate. Then one of our competitors suffered a hack based on a fraudulent key, which hit the media. So, those two combined impressed upon us that we needed to solve this problem.
Robyn: How did you pitch the need for machine identity protection to your board?
John: We knew we needed something, but we actually had to wait until we were able to mature some of the other fundamental security processes before we could address machine identity protection, let alone recommend Venafi as a solution. We had to see some maturity in the shared services our infrastructure team was running—around server management, endpoint management, things like that.
So, it wasn’t as if we woke up one day and said, Hey, we gotta do this! We knew we needed to implement machine identity protection, but it actually took several quarters before we executed on it because we just weren’t mature enough to consume it at first.
Robyn: When you recommended Venafi to your board for approval, how did you do so? As part of an overall IAM (Identity and Access Management) solution?
John: Yes, absolutely. It fit in that identity and authentication model in my head, so I aligned it to that. Since I already had the IAM team and the Active Directory structure within my purview, it was fairly easy for me to push Venafi into that space. We showed machine identity protection’s connection to human identity and how Venafi’s automation meant that employees no longer had to take action themselves to authenticate machines. So, it was a value add from that perspective.
That visibility and centralized management is crucial. Because you may not have an issue today, but at some point, it’s going to happen—just like the old saw that it’s not a matter of if you will be breached, but when you will be.
Robyn: But I have to imagine that CISOs are so overwhelmed managing so many aspects of security and all the solutions that go with them that the thought of having to oversee machine identities, especially given the meteoric growth in number and types, that it can’t be something they are eager to add to their list of responsibilities.
John: CISOs need to keep in mind that just because you're running the solution that handles the management, the visibility and the oversight, and the service of certificates, it does not mean that you own all of it. CISOs at many companies tend to jump to this conclusion of: Oh man, I'm going to own it all and administrate it all and be accountable when anything breaks, which is not necessarily the case.
At the global manufacturing company we were pretty good at listening and federating. Take our Docker team as an example. I didn’t have anybody on my staff administratively vending certificates because it was all automated. But from an accountability perspective, the Docker team was responsible for managing theirs. We just had the visibility and oversight. So, I think that's an important piece in this whole model.