Venafi: Five Ways Organizations Use Machine Identities

Organizations spend billions protecting usernames and passwords, but
machine identities are often ignored

SALT LAKE CITY–(BUSINESS WIRE)–On May 2, World Password Day
reminds consumers to “layer up” their logins by
enabling multifactor authentication on their devices and online
accounts. Held annually on the first Thursday of May, World Password Day
is a collaborative effort supported by dozens of companies, nonprofits
and cybersecurity organizations to raise awareness about the importance
of improving password security. Through the efforts of World Password
Day, millions of internet users across 251 countries have pledged to use
better password habits – a good step toward addressing the threat of

According to Kevin Bocek, vice president of security strategy and threat
intelligence for cybersecurity market leader Venafi, businesses still
need to address another growing security concern. “There are two
actors on every network: people and machines,” said Bocek. “People rely
on usernames and passwords to identify themselves to machines so they
can gain access to data and services. Machines authenticate themselves
and communicate with one another using digital keys and certificates,
which serve as machine identities.”

Every year businesses spend billions of dollars protecting user
identities. While the industry invests in many password security
awareness events like World Password Day, it spends very little on
machine identity protection. Cybercriminals see this vulnerability and
target machine identities because they are much more powerful and
valuable than human identities.

Machine identities are used to protect many types of sensitive
machine-to-machine communication; Bocek outlines five ways in which
organizations use them:

  • Securing web transactions. SSL/TLS certificates are critical to
    the security of web transactions, such as online banking and
    e-commerce. These certificates create an encrypted connection between
    a web browser and web server. If cybercriminals gain access to these
    critical machine identities, they can eavesdrop on encrypted traffic
    or impersonate a trusted system in a phishing attack.
  • Securing privileged access. Most organizations use SSH to
    secure system-administrator-to-machine access for routine tasks. SSH
    is also used to secure the machine-to-machine automation of critical
    business functions. SSH keys ensure that only trusted users and
    machines have access to sensitive network systems and data. However,
    if cybercriminals gain access to an organization’s SSH keys, they can
    use them to bypass security controls and gain privileged access to
    internal network resources and data.
  • Securing DevOps. Developers use cloud-based, self-contained
    runtime environments, known as containers or clusters, to run
    individual modules called microservices. Each microservice and
    container should have a certificate to identify and authenticate it
    and to support encryption. These certificates serve as machine
    identities that allow containers to communicate securely with other
    containers, microservices, the cloud and the internet. Because DevOps
    teams are optimized for speed and have tight deadlines, developers may
    skimp on key and certificate security, thereby exposing their
    organizations to unnecessary security risks.
  • Securing communication on consumer devices. Digital
    certificates provide the foundation for authenticating mobile devices
    that access enterprise networks. They can also enable access to
    enterprise Wi-Fi networks and remote enterprise access using SSL and
    IPSEC VPNs. However, without central machine identity oversight, it’s
    difficult to protect these functions on mobile devices. If
    certificates are duplicated on multiple devices or past employees
    continue to use unrevoked certificates, an organization’s security
    risk increases.
  • Authenticating software code. Software is often signed with a
    certificate to verify the integrity of the publisher. When used
    properly, these certificates authenticate the code, which lets users
    and machines know it’s published by a trusted source. However, if
    cybercriminals steal code-signing certificates from legitimate
    companies, they can use them to sign malicious code or tamper with
    legitimate code. Because the malicious code is signed with a
    legitimate certificate, it doesn’t trigger any warnings, and
    unsuspecting users will trust that it is safe to install and use.

“We need to expand events like World Password Day to include machine
identities so that we can educate and encourage businesses to improve
their machine identity protection practices and avoid unnecessary
security risks,” said Bocek. “As the number of machines in businesses
continues to grow, protecting machine identities is critical. Cyber
criminals are becoming bored primarily targeting people, so they are now
exploiting the power of machine identities. Unfortunately, because many
organizations don’t understand these risks, they haven’t invested in the
intelligence or automation necessary to protect their machine

Additional Resources:

Is World Password Day Forgetting about Another Critical Type of Identity?

Machine Identity Protection for Dummies

How the Explosive Growth of Machines Creates a Machine Identity Crisis

About Venafi

Venafi is the cybersecurity market leader in machine identity
protection, securing machine-to-machine connections and communications.
Venafi protects machine identity types by orchestrating cryptographic
keys and digital certificates for SSL/TLS, IoT, mobile and SSH. Venafi
provides global visibility of machine identities and the risks
associated with them for the extended enterprise – on premises, mobile,
virtual, cloud and IoT – at machine speed and scale. Venafi puts this
intelligence into action with automated remediation that reduces the
security and availability risks connected with weak or compromised
machine identities while safeguarding the flow of information to trusted
machines and preventing communication with machines that are not trusted.

With over 30 patents, Venafi delivers innovative solutions for the
world’s most demanding, security-conscious Global 5000 organizations and
government agencies, including the top five U.S. health insurers; the
top five U.S. airlines; four of the top five U.S., U.K., Australian and
South African banks; and four of the top five U.S. retailers. Venafi is
backed by top-tier investors, including TCV, Foundation Capital, Intel
Capital, QuestMark Partners, Mercato Partners and NextEquity.

For more information, visit:


Shelley Boose
