Is There A Need For A New Approach To Machine Identity?


Steven Sprague, the CEO of Rivetz Corp., a Director at Wave Systems Corp and an industry evangelist for the application of trusted computing technology, participates in Risk Roundup to discuss the “Need for a New Approach to Machine Identity.”

Risk Roundup: Need for a New Approach to Machine Identity

Ever since we created cyberspace and connected machines of all sizes and shapes through the internet, ensuring the integrity of access to it has been a priority. So it is no surprise that, over the years, billions of dollars have been spent on identity and access management for cyberspace. But surprisingly, almost all of this money has been spent on protecting the digital identities of humans and not the digital identities of machines, when it is the machines that are connected to cyberspace. This is a cause of great concern, since the security of cyberspace in the digital age relies on the security of a network of machines, both physical and digital.

Now, since the meaning and definition of a machine is undergoing radical changes and now includes a wide range of physical and virtual devices, hardware, and software (from smart computers to virtual servers, a growing number of applications to algorithms, blockchain to the Internet of Things, intelligent containers that run microservices, and more), the number of connected physical and virtual machines is growing exponentially. As a result, there is a need to focus on the approach to machine identity and evaluate its effectiveness for machine authentication.

The Changing Definition of Machines

The definition and design of the machine are undergoing radical changes. Machines that give humans enhanced capability now include a wide range of physical and virtual hardware and software of all shapes and sizes. As a result, with the connected smart machines, software, virtual servers, applications, algorithms, blockchain, internet of things, and intelligent containers that run microservices, the changing definition, design, and nature of machines have begun to create complex security challenges.

Furthermore, organizations that managed a limited number of machines over the years are now trying to manage millions of machines. These numbers are expected to grow further in the coming years, for both physical and virtual machines, and not only for organizations but also for individuals. So, as the number of machines increases for individuals and entities across nations (their governments, industries, organizations, and academia), so does the number of corresponding machine identities and authentication needs.

This exponential growth of machines and machine identities complicates the already complex challenge of maintaining effective machine identity protection processes and protocols. As a result, it is crucial to understand what the key trends in machine identity complexity are, and where there is a need for innovation in tools, technology, and processes.

The Changing Network

Digital networks are evolving rapidly. The Internet of Things (IoT) is fundamentally changing the physical network of machines that are connected to the internet. The number of digital devices and machines that perform many different roles in the changing cyberspace is exploding as well. They no longer originate from within the nation; the connected machines, both physical and digital, come from anywhere in the world. Since many of the machines are unknown to the network, it is no longer possible to know all the connected machines. This adds to the complexity of the rapidly changing digital networks.

It is not only 5G devices or IoT devices that are a cause of concern. Any mobile device that is used to connect to social media or commercial sites, and any device that comes with diverse software and algorithms, also adds to the growing complexity of machine identity. The reality is that, with a broad range of machines already being deployed in homes and hospitals, and for both personal and professional use across cyberspace, aquaspace, geospace, and space, there is at the moment no way of knowing the identity of all those physical and virtual machines.

Beyond Human Identity

It is time to move beyond human identity. The reason is that, all these years, the focus has been mainly on human identity and authentication. While humans explore cyberspace, it is the network of machines that makes up cyberspace, and it needs to be the focus of authentication.

While we have moved from usernames to passwords to password-less biometric tools and more for human identity, substantial interest and investments are still being made for the digital identity and access management of humans when it comes to accessing cyberspace. It is essential to understand that when cyberspace has connected aquaspace, geospace, and space, and even though the global economy is now digital and depends on secure communication between connected machines, there is still not much focus on protecting machine identities to the necessary extent. This is especially a cause for concern when the machine could be from any part of the world.

The reality remains that when we are online, we still rely on human identity and authentication tools and not machine identity and authentication tools. Yet when online, connected machines also need to authenticate themselves to other connected machines to perform the tasks we assign to them. The question is whether the process by which we validate connected machines, and by which those machines authenticate to other connected machines, is effective. When the digital economy hinges on secure communications between machines, and our very survival and security depend on it, it is time we focus on machines.

It is crucial to understand that machines also have digital identities, and currently they rely on cryptographic keys and digital certificates that serve as machine identity tools. The question is whether the identities of all connected machines go through proper identification and authentication protocols, and whether the process works.

From what it seems, the journey of protecting machine identities that began decades ago needs to evolve further. It is, therefore, essential to evaluate:

  • How are organizations keeping track of machine identities today?
  • How are organizations ensuring the integrity of the machine identity?
  • How should organizations build machine identity protection processes?
  • What are the essential components for ensuring machine identity and securing machine-to-machine communication?
  • How are machines used to enable all kinds of digital communications, and how are these machine identities authenticated and managed?
  • How do machine identities contribute to the encryption strategy?
  • Do digital certificates work?
  • What is essential to protect the growing number of machine identities that the cyberspace infrastructure requires?
  • What is the purpose of machine identity?
  • Where do we need to innovate?
  • Is there a need for a new approach to machine identity?

Integrity Of Data From Unknown Devices

At the center of the growing machine identity complexities and concerns is the integrity of the digital data that is being collected and processed, because the quality of the devices producing and processing data is crucial for its integrity and authenticity. With the network of unknown devices connected to cyberspace growing exponentially, and the manual processes used to manage machine identity proving ineffective, it is becoming difficult to know whether the data the digital age depends on comes from the device it was supposed to come from, or from a device that was replicated, cloned, or manipulated.

Since the purpose of machine identity is to establish the integrity of data, it is time to discuss the need for enhancing the machine identity.


For more, please watch the Risk Roundup Webcast or hear the Risk Roundup Podcast


About the Guest

Steven Sprague is the CEO of Rivetz Corp. He is also a director at Wave Systems Corp. and one of the principal industry evangelists for the application of trusted computing technology. Steven served as President and CEO for 14 years at Wave before transitioning to the board of directors. A popular speaker on cybersecurity and trusted computing, Steven has a strong technical foundation in the principles, capabilities, and business models of incorporating trusted hardware into everyday computing and is skilled at translating these concepts into layman’s terms. Steven has a passion for making trusted computing’s best-in-class security solutions accessible, understandable, and easy to use. Over the years, he has helped some of the world’s largest enterprises secure their data and digital networks. He was influential in the development and application of the self-encrypting drive industry standards, supporting the technology early and leading the commercialization of drive management and recovery capabilities. During his tenure at Wave, over 130 million copies of licensed software were delivered globally through multiple PC OEM partners, and the United States and European governments took clear strides to standardize the use of trusted computing. Steven holds several patents and continues to push for market adoption of industry standards-based security. Steven graduated from Cornell University with a B.S. in mechanical engineering. He enjoys farming in Western Massachusetts with his wife, two daughters, and a few too many horses. 

About the Host of Risk Roundup

Jayshree Pandya (née Bhatt), Ph.D., is a leading expert at the intersection of science, technology, and security and is the Founder and Chief Executive Officer of Risk Group LLC. She has been involved in a wide range of research, spanning security of and from science and technology domains. Her work is currently focused on understanding how converging technologies and their interconnectivity across cyberspace, aquaspace, geospace, and space (CAGS), as well as individuals and entities across nations: their governments, industries, organizations, and academia (NGIOA), create survival, security, and sustainability risks. This research is pursued to provide strategic security solutions for the future of humanity. From the National Science Foundation to organizations from across the United States, Europe, and Asia, Dr. Pandya is an invited speaker on emerging technologies, technology transformation, digital disruption, and strategic security risks. Her work has contributed to more than 100 publications in the areas of science and commerce. She is the author of the books, Geopolitics of Cybersecurity and The Global Age.

About Risk Roundup

Through the Risk Roundup initiative, Risk Group is on a mission to talk with a billion people: innovators, scientists, entrepreneurs, futurists, technologists, policymakers, and decision-makers. The reason behind this effort is to research, review, rate, and report strategic security risks facing humanity. This collective intelligence effort is essential to understand where we need to focus our collective security efforts and what destructive forces we need to be mindful of.

Risk Roundup is released in both audio (Podcast) and video (Webcast) format. It is available for subscription at Risk Group Website, iTunes, Google Play, Stitcher Radio, Android, and Risk Group Professional Social Media.

About Risk Group

Risk Group is a Strategic Security Risk Research Platform and Community. Risk Group’s Strategic Security Community and Ecosystem is the first and only cross-disciplinary and collective community that is made of top scientists, security professionals, thought leaders, entrepreneurs, philanthropists, policymakers, and academic institutions from across nations collaborating to research, review, rate, and report strategic security risks to protect the future of humanity.

Copyright Risk Group LLC. All Rights Reserved

Written by Risk Group
Risk Group LLC, a leading strategic security risk research and reporting organization, is a private organization committed to improving the state of risk-resilience through collective participation, and reporting of cyber-security, aqua-security, geo-security, and space-security risks in the spirit of global peace through risk management.
