
CIO Influence Interview with Kevin Bocek, Chief Innovation Officer at Venafi


Kevin Bocek, Chief Innovation Officer at Venafi, talks about post-quantum cryptography, cloud-native environments, and the future of AI in cybersecurity in the following CIO Interview:

————–

Hi Kevin, tell us about yourself and your role as Chief Innovation Officer at Venafi.

With over 25 years of experience in cybersecurity, I’ve worked with industry leaders like RSA Security, PGP Corporation, IronKey, CipherCloud, and Xcert. I’ve authored several books, hold a B.S. in chemistry from the College of William and Mary and an MBA from Wake Forest University. I’m also a member of The Forbes Technology Council and an advisor to cybersecurity startups. As the Chief Innovation Officer at Venafi, I head up machine identity management for workload identity, Kubernetes, and artificial intelligence. I also lead Venafi’s technology ecosystem and developer community, ensuring we future-proof our customers’ success.


Venafi’s recent study reveals that companies are unprepared for 90-day TLS certificates and post-quantum cryptography. How is Venafi helping organizations address these challenges and avoid outages?

Even though the shift to 90-day certificate validity is only a proposal right now, it is only a matter of time before it becomes a requirement. Given the time it takes to overhaul manual processes, it is important that organizations begin embracing automation now. To effectively transition to this looming 90-day TLS certificate standard, organizations need complete TLS certificate visibility, thorough process and policy reviews, and clearly defined roles and responsibilities.

Venafi helps organizations implement an effective certificate management process at both the technical and organizational levels. Powered by Venafi’s Control Plane for Machine Identities, the Venafi 90-Day TLS Readiness Solution leverages Venafi’s TLS Protect to proactively identify and map TLS certificates into a comprehensive certificate inventory and renewal schedule for an organization. By delivering full visibility and control over TLS certificates—coupled with Venafi’s expert guidance to review policies, align processes, and design advanced automation workflows—this solution helps reduce the time and risk associated with automating the entire lifecycle process.

Kubernetes is vital in modern IT. Can you talk about Venafi’s machine identity management’s role in securing Kubernetes environments and workloads?

Kubernetes environments are dynamic, with services that are frequently scaling up or down. Therefore, managing traditional access controls for these environments is impractical. The answer to doing this effectively lies in what we call workload identity. Workload identity provides a more flexible and secure mechanism to verify the identity of each workload, allowing for the enforcement of fine-grained security policies and ensuring that only authorized services can communicate with each other.

Venafi’s TLS Protect for Kubernetes provides complete automation, discovery, and control of machine identities across all of an organization’s Kubernetes environments. TLS Protect for Kubernetes is built on cert-manager, the leading open source machine identity management and automation software for Kubernetes and OpenShift cloud native platforms. It not only helps manage cloud native machine identities but also monitors the health, status, and configuration of cert-manager across all Kubernetes clusters, regardless of cloud platform configuration used. This enables security teams to easily and reliably manage their machine identity management infrastructure in complex multi-cloud and multi-cluster cloud native environments.

What key areas should CIOs prioritize as compliance frameworks evolve with machine identities?

One of the biggest areas that CIOs should prioritize as compliance frameworks evolve alongside machine identities is automation. Recent data shows that 45 machine identities are created for each human identity, and managing this ever-growing number of identities will create an impossible task for security teams–especially as TLS certificate lifecycles continue to shrink. As the volume of machine identities explodes in today’s cloud native, multi-cloud world, organizations need to be able to make rapid, intelligent, and informed management decisions.

Threat actors are continuously adapting their tactics by leveraging new technologies to navigate an increasingly complex cyber threat landscape. As generative AI advances, malicious actors will increasingly exploit these tools. Consequently, it is crucial for organizations to be aware of these technologies and have access to ‘AI-for-good’ systems that can combat AI-powered attacks.

What best practices do you recommend for encryption and key management in cloud-native environments?

As enterprises advance in their digital transformation, ensuring the secure transfer and access of information is crucial. While humans use usernames and passwords for identity verification, machines depend on keys and certificates for authentication. With the rise of remote work and the rapid growth of IoT devices, bring your own devices (BYODs), virtual machines, containers, cloud workloads, and microservices, the need for robust encryption key management practices has never been more critical. To keep data safe, it has to be encrypted and decrypted using encryption keys. Key management is important because it helps you keep track of the myriad number of keys floating around your environment. Some best practices for maintaining compliance include:

  • Avoid hard-coding keys
  • Practice the principle of least privilege
  • Use an HSM as part of your routine
  • Find solutions that use automation to manage your keys at scale
  • Create and enforce policies surrounding key management
  • Split keys into different parts and store them separately to prevent compromise

If you had to share three thoughts on the future of AI in cybersecurity and machine identity management, what would they be?

  • Identity is the ultimate kill switch for any AI or AI-based attack – like if a government takes away a human’s passport, it becomes very difficult for that person to operate. Machine identity works in a similar way, and could render rogue or infected AI models useless. Without AI having an identity, CIOs will be blind to these attacks.
  • AI developers should focus on implementing stronger identity controls paired with automatic “kill switches” and fostering more open-source innovation to prevent AI systems from being compromised or exploited for malicious purposes. By using robust identity controls linked to a kill switch, businesses could authenticate each API call made to an AI model and immediately terminate any connections that appear illegitimate.
  • We should not race to create new regulation that slows down innovation and requires official certification – treating AIs today like weapons or pharmaceuticals. We need to promote research and innovation to achieve outcomes of standards, security, and safety instead of racing to apply rules and regulations from the last century. Technologies today from modern identity management to code signing can be used to operate AI safely and promote innovation.


As the Chief Innovation Officer at Venafi, Kevin Bocek is at the forefront of the company’s cutting-edge machine identity management for workload identity, Kubernetes and artificial intelligence. He also drives Venafi’s award-winning technology ecosystem and developer community to future-proof customer success and is responsible for the company’s Machine Identity Management Development Fund, which has sponsored innovations with more than 50 developers globally. Kevin brings more than 25 years of experience in cybersecurity with industry leaders including RSA Security, PGP Corporation, IronKey, CipherCloud, Thales, nCipher and Xcert. He has authored several books and is often sought after for comment by the world’s leading media, such as The Wall Street Journal, The New York Times, CNN, BBC, Reuters, Süddeutsche Zeitung, and Handelsblatt, along with security press including SC Magazine, Dark Reading and Heise. Kevin holds a B.S. in chemistry from the College of William and Mary and an MBA from Wake Forest University. He is a member of The Forbes Technology Council and an advisor to cybersecurity startups.

Venafi, a CyberArk company, offers the most comprehensive solutions to address critical challenges in PKI, certificate management and workload identity management. Through centralized visibility and automation, we help customers monitor and secure any machine identity, anywhere, across extended enterprise networks. As an innovative leader, we solve today’s greatest machine identity challenges while anticipating those of tomorrow.

By combining Venafi’s best-in-class machine identity management with CyberArk’s leading identity security capabilities, these two category creators together establish the world’s first platform for end-to-end machine identity security at enterprise scale.
