
Unmasking the machine identity monster

Machine identity is the application of authentication to network entities that are not human, a concept becoming increasingly common in a digital world bristling with cyber threats. The world continues to change at great pace, with processes and services constantly being released from their linear, physical bonds.

PSD2 is a prime example of such a technological sea change: it brings disruption that will benefit banking customers, opening up opportunities to use the innovative services offered by third parties while continuing to bank with their original provider. This new cross-fire of communication will be conducted by machines, and those machines must have identities to carry out their valuable work.

CBR spoke to Kevin Bocek, Vice President of Security Strategy & Threat Intelligence at Venafi, who said: “With PSD2 opening up the banking environment, really what we are opening up are these new types of machines that are APIs and they are little bits of a bank that now anyone can talk to. It is also a whole new exciting area in the cloud which involves this idea of serverless or algorithmic computing.”

Kevin Bocek, Vice President, Security Strategy & Threat Intelligence, Venafi.

The use of the term machines as an overarching name may be a daunting prospect for some, but Mr Bocek was able to concisely break down the four different kinds of machines, and their sub-species, that have identities.


“The first type of machine that is easy for people to understand is the device, it is physical and it is something that people can see – whether that is a phone, a server or an IoT device. Then there is a second type, any type of software, an application for example. You put it on a device, you install it, it runs and it performs a function,” Mr Bocek said.

These physical devices are an important part of the picture, but the complexity really begins at the invisible level, the realm in which many may not have considered the notion of identity.

Mr Bocek said: “There is a third type which is a cloud service. That is a really interesting type of machine because when your mobile app for banking talks to the cloud, they are different species. What you want to be sure of though is that it is really the cloud, who it says it is, and that you have a private communication.”

The fourth type of machine is algorithms, Mr Bocek explained, and as an example he spoke about blockchain. Distributed ledger technology is being experimented with globally, creating new sub-species of the technology such as smart contracts. This, however, adds another layer of complexity, according to the Venafi VP.

“So what is the machine? Is the machine the blockchain or the smart contract?” asked Mr Bocek.

“They are probably both machines, and the way I would equate them is that the blockchain is the equivalent of a physical device, it is the actual compute. The smart contract is what is executed; it is the application, which is in and of itself a machine. Definitely I would say blockchain has an identity, it actually has multiple identities too because each contributor has an identity.”


Smart contracts could be considered a sub-species of machine, according to Bocek, providing a glimpse into the unfathomable mass of machines that have identities. Mr Bocek made it clear that it is vital to track and be aware of anything that is engaged in communication and governs the execution of a process, the majority of which dwell in the depths of the non-physical world.

Returning to the topic of banking and summing up the four main types of machine, Mr Bocek said: “There is also algorithmic trading, and this is what runs the whole world of banking today. Also in the cloud you have all the providers moving fast to offer what is called serverless computing, which is basically algorithmic computing.

“As each one of those operates they need to have an identity for themselves, each of these functions gets a URL and it has a machine identity too. Those are the four types, a device, an application, a cloud and an algorithm; with each one you can have different types.”

In regard to PSD2, machine identities will be responsible for carrying out a multifaceted task, and Mr Bocek gave an example of how the different components in the process have to be represented. He said: “Let’s pretend now that I am going to use a new banking app like Monzo and it is going to access my Barclays account. The machines at Monzo that talk to Barclays are going to have a dual identity. It is going to be Monzo, but then also it is going to take on the identity of the person.”

These complex ideas are fast becoming sewn into the fabric of modern life, and all of this complexity must be conducted with the most robust security possible; this colossal task is where the likes of Venafi come in.

Comparing the human notion of identity with that of the machine, Mr Bocek said: “There are people; we have an identity which is username, password, biometrics. Then there are machines, everything that is digital, they have their own identities as well that are cryptographic. We people cannot fathom the machine identity, a cryptographic key, which if we looked at are just bits. These bits then translate into mathematical identity, which then machines use. Other parts of cybersecurity like firewalls, behavioural analytics, authentication, these are things that we as people can associate with.”
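The two points above, that a machine identity is a cryptographic key bound to a name and that a client must be sure the cloud service "is really who it says it is", can be shown concretely. The following Go example is added here and is not Venafi's or CBR's code; the names `api.bank.example` and `bank-internal-ca` are constructed for illustration. It mints an identity (key pair plus certificate) and performs the relying party's check: the chain must be signed by a trusted authority and the certificate must carry the expected name.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue mints a machine identity: a fresh key pair plus a certificate that binds
// name to the public key. The certificate is self-signed when parent is nil.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the "bits" that are the identity
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed serial, fine for a demo
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless an issuer is supplied
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyMachine is the relying party's check: the certificate must chain to a CA
// we trust AND name the machine we intended to reach, or the identity is rejected.
func verifyMachine(cert, trustedCA *x509.Certificate, expectedName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: expectedName})
	return err
}
```

A certificate that carries the right name but was not issued by the trusted CA fails exactly like one issued by the CA for a different name: the maths, not the label, is what a machine trusts.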

The Venafi VP stressed the importance of private communication, using the example of a real-world conversation between two people that nobody else could listen in on. He said that a machine may be engaged in thousands of communications at once, a potential major threat to privacy.

This visual image encapsulates the importance of identity; after all, you would not share the details of a private conversation before being sure that you know the person you are telling.

This article is from the CBROnline archive: some formatting and images may not be present.