In the hit saga Star Wars, the series begins with Episode I: The Phantom Menace which introduces viewers to the two sides of the galaxy and sets the stage for the remaining films in the series. The epic battle between the Republic and the Empire, each with their own plans for the galaxy, plays out on a variety of diverse battlefields, employing both overt and covert tactics. In this first Episode, the phantom threat is a behind-the-scenes power struggle driven by greed and opportunity, and really doesn’t start to make itself known until it’s already too late.

In this blog, and the accompanying blog by Juan Asenjo, from Entrust Security, titled “Identity Wars Episode II: The Clone Wars,” we will take a look at some of the challenges organizations face when orchestrating machine identities within their infrastructure, and how proper tools can be used to mitigate the risks associated with those challenges.

Phantom threats

Today, enterprises across the globe are facing similar threats, which are mostly driven by those same factors—greed and opportunity. Often those threats are phantom in the sense that they are typically hiding just below the surface, pivoting silently throughout an infrastructure, and compromising the security of organization. When the threat is finally detected, the damage has already been done. Data has been exfiltrated. Usernames and passwords have been stolen. Machine identities have been compromised.

Add to this scenario the fact that the overwhelming majority of organizations have had to dramatically speed up their digital transformation to enable workforces to continue collaborating on projects, accessing shared company resources, and preventing interruptions to business processes, all while working remotely. It’s a daunting task that requires thorough planning from the beginning to ensure the security of the organization is just as strong, if not stronger than it was pre-pandemic.

Identities, both human and machine, play an extremely critical role inside an organization because identities establish trust. They identify an entity that is requesting access to something. This could be a systems administrator logging into a web server to perform maintenance, perhaps to manually install a renewed TLS certificate. This could be a service account using SSH to access a server in order to scale an application. This could be a developer initiating a build pipeline that will push an update to production. In all these scenarios, a compromised identity is a phantom menace that will continue to wreak havoc until it’s either discovered and remediated, or the damage becomes too great to recover from.

Both the attack vectors and the desired outcomes for these threat actors can vary greatly from incident to incident. Sometimes the goal is to locate and steal an SSH key that might be exposed and unprotected. At minimum, the attacker now has an invisible entry point to delve deeper into the organization looking for larger targets. Other times hackers target build servers looking for unprotected code signing certificates. Once obtained, it’s possible to use the code signing certificate to embed malware in code and then sign that code with a legitimate certificate. It’s easy to imagine the damage that can do, both to a company’s financial situation and public reputation.

By adopting industry-standard hardware and enforcing best-practice security policies, it’s possible to mitigate against these hidden threats and prevent them from happening in the first place.

Hardware security modules provide:

  • Greater entropy for cryptographic keys
  • A FIPS 140-2 secure boundary to store cryptographic material, making it exponentially harder to exfiltrate
  • Integrations to products and tooling that enable automating the delivery of machine identities to the devices, services and applications that are secured by them

A robust machine identity protection strategy provides:

  • Visibility into an organization’s machine identities—things like TLS certificates, SSH keys, code signing certificates, etc. And where those identities are being used?
  • Intelligence about those machine identities. Who is requesting them? Do they adhere to the policy set by the InfoSec team?
  • Automation capabilities gained from native integrations with technology partners can mitigate accidental human errors, provide crypto agility, and are able to scale as the organization grows

In closing, it’s important to reiterate that organizations today are under constant attack from these phantom menaces that hide inside encrypted traffic. These hidden threats increasingly target identities because of the inherent trust they provide. As nice as it would be to wave a forceful hand and say “these aren’t the identities you’re looking for,” it’s not quite that simple. Organizations must be aware of these threats and have plans in place to identify potential risks and prevent attacks before they begin.

To learn more about how Venafi and Entrust partner to provide greater security to the organization, while protecting against these phantom menaces, click here to download the solution brief.

To find out more about Machine Identity Protection, visit