Posted by Marc Heimlich
September 23, 2024
Why enterprises must act now to secure mission-critical systems.
We live in unprecedented times. In the last month, I was notified by Ticketmaster, Change Healthcare, and Pentester.com that my credit card, health care, and social security details were compromised. Taking the advice of Pentester, I froze my credit, and I’m glad I did.
Today, I received a letter from Bank of America saying that if I wanted to open my BoA Unlimited Cash Rewards Visa Signature card, I would have to unfreeze my credit. I didn’t apply for this card. Bad actors can now open fraudulent credit card accounts in my name, get access to my health benefits, and get every detail of my family’s spend and medical records.
I am not alone. The Ticketmaster compromise impacted over 560M consumers (ShinyHunters). The Change Healthcare breach involved an estimated one-third of Americans (UnitedHealth CEO estimates), and the social security theft resulted in the compromise of 2.7B records (Bleeping Computer) in the US, Canada, the UK, and a few other Western nations. The social security identities were in an open file!
In the last year, we’ve read about compromised credentials at Disney, Uber, Change Healthcare, MGM, CDK Software, Halliburton, Snowflake, SolarWinds, Okta, and LastPass. These are some of the largest enterprises in the world.
And it impacts the bottom line. The Wall Street Journal recently reported that the Change Healthcare breach has reached $2.3B in financial losses due to service disruptions related to payments, claims processing, and medical care. The CDK Software breach cost 15,000 dealerships in North America over a billion in losses. And you all heard the story about how MGM in Las Vegas went to pen and paper and guests were lined up down Las Vegas Boulevard trying to check in…
What’s different about these enterprise attacks is the volume and velocity at which they are occurring, and the impact not only on the organizations, in the form of revenue loss, business disruption, and data theft, but also on consumers, in the form of identity theft that hits personal wealth and health.
While the pattern of attack seems similar and repeatable, enterprises appear defenseless to prevent it: a human identity gets compromised through phishing, impersonation, and/or malware daily. That in itself is not the business problem. The harm is done when the bad actors move laterally, for an average of 200 days according to IBM, searching for and seizing machine credentials to mission-critical applications, servers, databases, containers, Kubernetes, and service accounts.
These machine credentials are the keys, passwords, certificates, and tokens that manage mission-critical applications and the underlying infrastructure. CyberArk claims that there are now 45x more machine than human identities, yet less than five percent of CISO spend is on machine identity security or ‘secrets’, according to Gartner (Security and Risk Management End-User Spending for All Segments, Worldwide, 2022-2024, in millions of U.S. dollars). So the black hats persist!
As machine-to-machine credentials, or secrets, multiply within environments, most machine identities still sit within code, configuration files, and/or GitHub repositories. For those that rolled out on-premises vaults, static, singular encryption keys are no longer good enough. Is it a coincidence that the recent Ticketmaster, Disney, Change Healthcare, and Microsoft breaches also happened to be at traditional vault customers?
And for those customers trying to solve the problem with Privileged Access Management (PAM) software, PAM has difficulty supporting multi-cloud environments, where a single machine credential can unlock the infrastructure of more than one application or microservice across multiple clouds. And despite the call for better multi-factor authentication (MFA), MFA doesn’t apply in these scenarios, because machine-to-machine access and controls have no human being to verify.
So why aren’t enterprises investing more in securing machine credentials?
Part of the reason is that as cyber budgets get pinched, there is less room to invest in new areas. Most organizations are still focused on the status quo: renewing their vulnerability and risk management, orchestration and remediation, endpoint and firewall software, and human-to-machine security software.
Also, as security still sits siloed from IT infrastructure in many organizations, there is the challenge of getting the right attention to evaluate and procure DevSecOps solutions.
However, if organizations want to protect their ‘crown jewels’, it’s time they look beyond the AI hype, pretty dashboards, and reactionary software and put a padlock on their mission-critical machine-to-machine access and controls. This includes securing application and microservice connections to servers, databases, containers, and Kubernetes, connections that are driven by automation and speed.
Akeyless is one of the few DevSecOps solutions proactively focused on securing mission-critical applications and the underlying infrastructure through a unique approach to key management. Akeyless takes a single logical encryption key and creates a ‘virtual’ encryption key made up of four equal but separate key fragments: three dispersed across the three hyperscalers (AWS, Amazon, and GCP) and managed within the Akeyless SaaS environment, and the fourth sitting in a stateless Docker container within the customer environment. These fragments never touch, which we call ‘zero knowledge’, and, more importantly, that makes it next to impossible to compromise keys, credentials, certificates, passwords, and tokens: a bad actor would have to find all four fragments. Akeyless also provides auto-rotation and just-in-time (JIT), ephemeral credentials, adding to its stout security posture.
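To make the fragmented ‘virtual key’ idea concrete, here is an added illustration in Python; it is not Akeyless’s own code or its actual key-fragmentation scheme. Four holders (the location names, the 32-byte fragment size, and the HMAC-SHA256 counter-mode keystream are all assumptions of this illustration) each apply a keystream derived only from their own fragment, so the combined key never exists in one place and decryption fails if any single fragment is missing.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the four-fragment "virtual" key described above.
# Holder names are assumptions. The customer's container layers first, so the
# three service-side holders only ever see already-layered data.
FRAGMENT_LOCATIONS = ("customer-container", "cloud-a", "cloud-b", "cloud-c")


def keystream(fragment: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode, keyed by ONE fragment.
    Illustrative only (no integrity protection); a real deployment uses an AEAD."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(fragment, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class FragmentHolder:
    """One location holding a single fragment. It never exports the fragment;
    it only applies its own keystream layer to data handed to it."""

    def __init__(self, name: str, fragment=None) -> None:
        self.name = name
        self._fragment = fragment if fragment is not None else os.urandom(32)

    def apply_layer(self, nonce: bytes, data: bytes) -> bytes:
        # XOR is its own inverse: the same call adds and removes this layer.
        return xor_bytes(data, keystream(self._fragment, nonce, len(data)))


def virtual_key_encrypt(holders, plaintext: bytes):
    """Pass data through every holder; the composed keystream is the 'virtual key'
    and is never materialised anywhere."""
    nonce = os.urandom(16)
    data = plaintext
    for holder in holders:
        data = holder.apply_layer(nonce, data)
    return nonce, data


def virtual_key_decrypt(holders, nonce: bytes, ciphertext: bytes) -> bytes:
    """Plaintext comes back only if every holder's layer is removed."""
    data = ciphertext
    for holder in reversed(holders):
        data = holder.apply_layer(nonce, data)
    return data
```

Running `virtual_key_decrypt` with only three of the four holders returns noise, which is the property the ‘all four fragments’ claim rests on.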
Akeyless is also ‘Vaultless®’ because the vaults are managed within the Akeyless SaaS environment. This eliminates the cost and complexity of managing vaults and speeds up deployment.
Akeyless also has extensive interoperability with DevOps, CI/CD, observability, automation, and virtualization tools in multiple cloud environments. It can also serve as a manager of managers for all existing cloud-native and on-premises ‘secrets’ managers, combining security with ease of use in centralizing your machine credentials.
As more and more workloads shift to multi-cloud environments driven by machine-to-machine automation, it’s time enterprises adapt and invest in solutions that effectively secure mission-critical applications and the underlying infrastructure. Let’s give customers peace of mind that their data is safe.
Email me for more information on Akeyless, or see the Akeyless platform in action and get a demo today.
Marc Heimlich