
Venafi CEO: Symantec-Google certificates spat underscores machine identity risk

Tamlin Magee | April 26, 2017
In Venafi's view, machine identity is a fundamental part of internet security.

"Twenty-five percent of the world's certificates today still use SHA-1 and we know that these things are vulnerable. People just don't know."

Symantec first issued a statement of confidence in its certificates and has since released the messages it sent to customers about its ongoing meetings with Google to address the latter's proposals. The company said that meeting Google's initial proposal of a maximum nine-month validity for newly issued certificates could cause significant business disruption to customers, but that talks are ongoing.

"Symantec issues machine identities and we've all agreed there's a policy it needs to follow to keep them safe," says Hudson. "Google, which arguably knows more about the internet than anybody, has said: 'you know those 35,000 machine identities you created? They're not safe and we're not going to trust them anymore.'

"Google has said those are really important but they're no good and we're not going to trust them - that is huge. Now, all of a sudden, somebody that really knows a lot about how the world works is saying these things are really important, and they went after the world's largest creator of certificates and said, 'don't do that anymore, in fact, we're not even going to trust those because you haven't been following the policy'."

"Every large corporation will have to sneak around inside their organisation and see where all the certificates are that don't conform to policy, and not trust them," Hudson says. "Google is leading the way, we all have to pay attention to that."
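The inventory Hudson describes, finding every certificate that does not conform to policy, can be automated against a PEM bundle. The example below is added here and is not Venafi's or the article's code: it flags SHA-1-family signatures (the weakness the pull quote above refers to) and validity periods longer than the nine-month ceiling Google proposed, assuming constructed names (MaxValidity, Audit, AuditPEM, SampleBundle) and a constructed self-signed certificate for legacy.example so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

const MaxValidity = 9 * 30 * 24 * time.Hour // nine-month ceiling Google proposed
var weakSigAlgs = map[x509.SignatureAlgorithm]bool{ // signature algorithms policy refuses to trust
	x509.MD2WithRSA: true, x509.MD5WithRSA: true, x509.SHA1WithRSA: true,
	x509.DSAWithSHA1: true, x509.ECDSAWithSHA1: true}

// Audit returns the policy findings for one certificate; nil means it conforms.
func Audit(c *x509.Certificate) []string {
	var findings []string
	if weakSigAlgs[c.SignatureAlgorithm] {
		findings = append(findings, "weak signature algorithm "+c.SignatureAlgorithm.String())
	}
	if c.NotAfter.Sub(c.NotBefore) > MaxValidity {
		findings = append(findings, "validity period longer than nine months")
	}
	return findings
}

// AuditPEM walks a PEM bundle (a trust-store or server-config dump) and maps each subject CN to its findings.
func AuditPEM(bundle []byte) map[string][]string {
	out := map[string][]string{}
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		if c, err := x509.ParseCertificate(b.Bytes); err != nil {
			out["<unparsable>"] = append(out["<unparsable>"], err.Error()) // report, never silently skip
		} else {
			out[c.Subject.CommonName] = Audit(c)
		}
	}
	return out
}

// SampleBundle builds a constructed self-signed two-year certificate (not any real CA's) so the example runs offline.
func SampleBundle() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "legacy.example"},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(2, 0, 0)}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, tpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Running AuditPEM(SampleBundle()) reports the two-year sample certificate for its validity period; feeding it a real bundle exported from a trust store gives the per-subject list an auditor would act on.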

But according to Hudson, there are plenty of CISOs in both small and large organisations that aren't paying attention to machine identity.

Yet this problem is only set to be compounded with the twin trends of an emerging internet of things and the exponential growth of on-demand software-powered compute. The vast new networks of virtual machines being created will also create vast new networks of machine identities. And the IoT is creating its own set of enormous networks, sometimes without security as a first consideration.

Hudson explains: "If you look at the infrastructure that creates virtual machines and containers, that is code. You push a button and these machines run off and create other machines, so the speed at which new things get created and the numbers at which they get created in the virtual world - I'm talking about software that runs on AWS or Azure or an internal data centre - boom, you can create 10,000 machines.

"You used to have to get the purchasing guy, do the budgeting, get the money, and six months later a computer warehouse would deliver a server. You had all that time to get ready to secure it. Now, within minutes you can get 10,000 servers running. The speed at which machines are being created, software defined machines and virtual machines, is just like nothing anybody had ever thought about. The opportunity for chaos to explode is huge, and we see it happening."
