A recent Forrester report showed that as few as 20% of network identities are human with the remainder falling into the domain of M2M (machine to machine) network nodes. Commonly referred to as the internet of things, the massive growth in M2M connections is driving increased requirements for encrypting network traffic and authenticating non-human identities.
Machine transactions can include industrial automation, telematics, banking and financial systems, retail systems and many other applications, all of which are continuing to grow at a pace that outstrips the number of human identities that are accessing computer networks.
According to the Forrester report, whilst the majority of organisations recognise the importance of securing M2M networks, as many as 65% have inadequate controls over key management, preferring to share this responsibility amongst several individuals. To understand how much of a threat this represents, why controls are so inadequate and how things can be improved, we spoke to industry expert Jason Thompson of SSH Communications.
According to Jason, M2M transactions are now increasingly being targeted by hackers because of the vulnerabilities caused by poor key management, the most recent example being an Advanced Persistent Threat (APT) called "The Mask". Despite having been discovered only recently, this APT had been active for as long as 7 years, targeting VPN configurations and encryptions.
It's clear that unless the issue of good key management is tackled, cyber criminals will continue to exploit the easy vulnerabilities of data on the move in M2M networks. So given that encryption key management is so important, why are companies not meeting the requirements?
Jason explained that there are two main issues at hand. One is that often the focus isn't on the right issues. Secure shell is mainly in the domain of IT administration and the focus is often on compliance. If the encryption process is seen to work, then this is deemed enough. The number of keys can quickly become out of hand and unmanageable, often with more keys remaining in an organisation than people.
In such cases, compromises are costly. With the time required for re-provisioning a single key being around 15 minutes, a breach compromising tens of thousands of keys has a major impact on resources.
There is also the perception that certain M2M sectors, particularly industrial control systems, are not sensitive enough to require access control and encryption. In these cases, encrypting and securing the data improves the overall security posture of the company and therefore makes it less of a target. This is important since hackers use easy targets to infiltrate organisations through vulnerable parts of the network and get behind the perimeter to attack more valuable resources.
As Jason explained, M2M data security goes beyond simple encryption, which is why SSH Communications provides a vertical stack of management applications to perform three main functions: encryption, key management and access control, as well as privileged access management.
Only through this critical combination of encrypting, controlling access and auditing the use of privileged accounts can companies achieve the posture necessary to safeguard M2M data.
Read more on this topic from SSH Communications here: "Security not keeping up with the pace of M2M usage"
Jonathan Newell is a broadcast and technical journalist specialising in security systems and transport safety. He contributes to a range of titles in the technical press. He divides his time between the UK and Kazakhstan.