Back in the days of the credit crunch, in 2007 and 2008, banks stopped trusting each other. It ended in the crash of 2008, the biggest financial crisis since 1929. Suppose something similar happened between machines. Machine identities are the key to supporting machine to machine communication. If these identities were not considered secure, then the consequences would be nasty, very nasty.
There is a fix, and it comes in the form of being quantum ready, a process that not only means that machines are ready for the day when quantum computers can do what is impossible for current computers to do, but also means machine identities are safe today, in the pre-quantum age, when their vulnerability is still an issue.
Kevin Bocek, who is the Vice President of, Security and Strategy & threat Intelligence at machine identify protections company, Venafi, said: “If you’re ever with a bunch of IT professionals, and you ask: ‘how many of you have ever changed a TLS key and certificate?’ Not many would raise their hand. Most would probably say that they’ve had experience with databases, such as SSL And then you would ask ‘how many do that every year?’ And it’s a lot fewer. And then ‘how many do it every month?’ It might be, in a room of seasoned IT professionals, maybe one or two.”
The analogy with the credit crunch comes to mind. The Queen asked: “Why did nobody notice it.”
Yet, when in December 2018 we saw the outages at O2 in the UK and and Softbank in Japan— affecting a total or around 60 million customers in both countries — the expiration of a digital certificate got the blame. Something nobody had noticed.
Quantum computing — coming soon to an enterprise near you?
Complexity compounds — different application require different processes. “If I run my business on Microsoft IAS, I have to do it one way,” continued Bocek, “If I use my F5 load balancer, I do it another way. When I use Amazon application load balancer, I have to do it a whole different way.”
And easy it isn’t. “Imagine I said, ‘here’s a Citrix netscaler, go figure it out, because the online trading system just went down and the machine’s identity had expired. How do you do it? What’s the right way to do it? You might have to talk to somebody, you might have to get somebody to approve it and then you’ve got to get back and install it and then you’ve got to make sure it’s working. And that might take, for someone who hasn’t done it before, over eight hours just to do it once.”
Venafi itself says that data from its customers revealed 50,000 unknown machine identities.
The solution, say Venafi, lies with automating the process of changing or updating machine identities. This has multiple benefits, not only is it easier to take preventive action ahead of machine identities expiring, not only does this reduce the chances of making mistakes whilst changing machine identities, it creates two other advantages:
Firstly it reduces the risk of identity theft. Secondly, it can help make security quantum ready.
We hear about identify theft all the time, for an individual to find someone else has stolen their identity, it can be quite devastating. But it is not likely we will respond by changing our identity, changing our name by deed pole. If machine identities are stolen, then machines can’t communicate effectively — the entire system is devastated. The prevention may lie with changing machine identities regularly.
“We see a lot more machine identities are now being used in phishing attacks; machine identities are also being combined with some of the complex DNS hijacking, actually taking over organisations. And we see machine identities being sold on the underground marketplace. So if we change the frequency of them, you’ve got less risk.
“Google, for example, changes their machine identities — TLS keys and certificates — every three months. If you look at the high street banks, high street retailers, insurance companies, the airlines, they’re changing machine identities every 18 months.”
Bocek cites the Equifax breach as an example. “If you read the Information Commissioner Office report or the US Government Accountability Office report, on the breach, they all came to the same conclusion: that the organisation did not have awareness and control over machine identity. Their threat protection systems were essentially blind because they did not have awareness of what machine identities were being used.”
Machine identity has a public key and a private key. The machine has to keep the private key private. And the cryptographic methods that we use, all rely on having some keys public and one key private.
One way to break that process is to steal the key that’s private. Another way is to reverse the function. “Knowing the public component, find out the private component. To do that with today’s computing hardware and the type of cryptography that high street banks, retailers, insurers, etcetera apply, those machine identities could take – well we could maybe wait for the end of the universe for current computing to be able to go back and through reverse mathematics find out what the private key is.”
With quantum computers it will be different. That is why the dawn of the era of quantum computing has such profound implications for cyber security.
One day quantum computers will arrive. It won’t happen next Saturday, but “maybe a Saturday in five years time.” And quantum computers, will be several orders of magnitude faster than conventional computers.
IBM achieves highest quantum volume to date
Of course, the big advantage of quantum computers is that they can operate simultaneously on large variable sets in multiple states.
IBM recently announced a quantum computer but as Bocek said: “We’re still at the very early stages and quantum computers are not something that you are going to have in your office any time soon. And right now, it’s mostly for research — only universities, governments, and the largest businesses in the world will be able to afford them any time soon.”
IBM unveils the world’s first commercial quantum computer: Q System One
But then again, that is what computers were like once. As Popular Mechanics once said: “Computers in the future may weigh no more than 1.5 tons.”
But quantum computers, suggests Bocek, will represent such an enormous leap, “not the equivalent of jumping from horse and cart to motor car, more like from horse and cart to rocket.”
The day when we carry a quantum computer around with us in our pockets may be many decades away, if indeed it does ever dawn. But the day we can access a quantum computer via the cloud, will be much sooner — Bocek speculates 2030.
But you don’t need a quantum computer to create a wall that a quantum computer can’t hack into, and by reverse mathematics ascertain machine identities. You just need much more complex machine identities. Furthermore, machine identities that can be generated via current technology using automation.
Being quantum ready is a win win strategy, suggests Bocek, a strategy for preparing for quantum computers, a strategy for today, for helping avoid O2 type outrages, Equifax type breeches, or ensuring that the next time the US government shuts down, as had happened when we spoke to him, machine identities, can be changed or renewed, TLS key and certificates renewed, even when there is no one around to do it. At least, that is what Venafi, reckons.