Exclusive: Securing Identities Amid AI
Tech Revolt spoke with Rich Turner, President, EMEA Sales at CyberArk, to unpack a growing cybersecurity concern across the Middle East: the explosion of machine identities.
As businesses in the region accelerate digital transformation, embracing automation, AI, and cloud-first strategies, a silent yet growing risk is emerging, machine identities. These digital credentials, often used by bots, software, and connected devices to perform tasks autonomously, are multiplying at pace. While essential for innovation and operational efficiency, if not properly managed, they represent a major vulnerability in an organisation’s security posture.
“Every machine, from a microservice to an AI model, needs an identity,” Turner explained. “If that identity is compromised, attackers can move through systems unnoticed.” Despite increased cybersecurity investments, many organisations still overlook identity security as a critical control point, especially for non-human users.
In this exclusive, Turner outlines the urgent need for a Zero Trust approach, the evolving threat of AI-powered attacks, and why privilege controls must extend beyond human users. He also offers insights into CyberArk’s recent innovations and future roadmap in the Gulf, where rapid digital growth demands equally agile and proactive security strategies.
How is the rapid growth of machine identities increasing cybersecurity risks for organisations in the Middle East?
The rise of machine identities is a global challenge, and it is something we are seeing across the Middle East too. At the heart of it, businesses are trying to be more efficient and effective through automating processes, collaborating with new partners, and using technology to achieve their goals. To do this, machines need credentials or identities to communicate and automate tasks, and as AI continues to grow, it will only add more machines that need to be secured.
The explosion of these machine identities is tied to how businesses are evolving. But if those credentials are not effectively managed – if they are not issued, updated, revoked, and secured – it creates this huge, almost invisible threat surface. Hackers can target these weak points to gain access and do harm. The surprising thing is, even though businesses are spending more than ever on cybersecurity, the costs of cybercrime are still growing. It is like we are investing more, but things are getting worse. A big part of the problem is that identities remain an under invested security expenditure and it often fails to get the attention it needs.
This issue is growing because businesses are trying to be more efficient, but without securing their identities, they leave themselves vulnerable to major risks that often go unnoticed.
One way to address this identity issue is through Zero Trust, which challenges the idea that just because someone has an identity, they are who they say they are. For example, I have an identity at CyberArk, which is my work email address, and I have certain access rights based on my role. As long as I have the right password or authentication, I can access what I need. But if someone else were to steal my credentials, they’d have the same access.
Zero Trust solves this by assuming nothing is trustworthy by default. It means reducing or removing standing privileges such as unused access rights and only giving people what they need, when they need it in a highly dynamic and automated way. This makes the environment far more secure because it reduces the risks of dormant or unused credentials being exploited.
What are the key security challenges posed by AI-powered cyberattacks and machine identities?
So, there are a few key areas to consider here. On a basic level, people can now use AI to write much more convincing phishing emails. Despite all the warnings we give about not clicking on links, people still click. And the thing is, because AI allows these attacks to be carried out at such a large scale, they’ve become surprisingly effective. We are also seeing AI being used in other types of attacks, like deepfakes. For example, there have been cases where attackers impersonate a CFO or financial controller to trick someone into transferring money. The quality of attacks is seriously improving, and AI is definitely making these more sophisticated.
That said, there’s a flip side to this. AI, from a cybersecurity perspective, also has the potential to help us identify risks faster, automate aspects of our response, and even reduce the number and impact of successful attacks. However, it does get concerning when cybersecurity systems can’t protect the AI models themselves. These models are often automated and contain a lot of proprietary business information. If you think about it from a nation-state level, AI becomes a huge point of influence. If someone can infiltrate these models, they could use them to spread propaganda or manipulate information based on prompts in ways that we haven’t really seen before.
How can organisations secure privileged and sensitive access for both human and machine identities?
The first thing organisations need to do is rethink the types of identities that need protecting. A lot of past security spending has focused on protecting the infrastructure – like the identities of Windows admins or those managing network equipment. But if you’re a hacker, you might not care about taking over the network. Instead, you could target the CFO’s emails to get insider information for stock trading. So, what we really need to do is think more like an attacker when considering which identities are most valuable to protect.
We used to worry about things like laptops getting stolen because of the value of the hardware. But now, our concern is about the data on those devices. We need to make the same shift when it comes to identities and recognize that business leaders and other non-technical roles have valuable access, too. This means we need to apply a Zero Trust approach and take away standing privileges, so those identities aren’t just sitting there waiting to be compromised.
We need to make sure the identities used by bots, apps, or other systems are properly managed. That means ensuring these identities are securely stored, rotated, and not hardcoded into software. It is interesting because many security tools, like security scanners, also require identities to run their scans. Those identities become a significant vulnerability if they aren’t managed properly.
So, it is critical to manage non-human identities in the same way that we manage human identities. This is where our recent acquisition of Verify comes in. Verify is critical for securely managing machine identities, especially digital certificates. It ensures they’re issued, managed, and revoked frequently. If these certificates or identities get compromised and aren’t updated, attackers can exploit them. That is why companies like Google have shortened certificate lifetimes to just 40 days: Certificates need to be rotated often because they can easily be compromised, which creates both a security and efficiency challenge for businesses.
What role do AI-powered solutions play in defending against evolving cyber threats?
In May 2024, CyberArk launched Cora AI. This solution is designed to help automate key tasks and best practices, bringing the knowledge of thousands of CyberArk experts right to the customer’s console. For example, in industries that deal with heavy regulations, Cora AI can help apply the right technology to support compliance. It can also identify unusual activity and take corrective actions to mitigate the risk right away.
One of the big challenges security teams faces is dealing with the flood of alerts from so many devices. They’re getting information from everywhere, and identifying a real threat is like trying to find a needle in a haystack. Security teams often get millions of alerts a day, so it is tough to triage them all and figure out which are the most important. AI can help identify those key issues quickly, and in many cases, even remediate them without a team needing to jump in and do it manually.
What are the key takeaways from CyberArk’s recent Identity Security Threat Landscape report?
The main takeaway for me is the continued explosion of identities as a key area of the threat surface. From a cybersecurity standpoint, we have tried to protect people with this invisible “force field,” but that approach isn’t working anymore. We need to rethink how we are operating and start making real changes in the way we protect people and businesses. Relying on just education and hoping behaviour will change on its own has not worked so far, so it is time to take a new approach.
Another takeaway is the exponential growth of non-human identities. For every human identity, there are about 45 non-human identities in a business, and that number will keep growing as companies become more efficient, faster, and more integrated with technology.
The rise of the cloud is also a key factor here. Most companies have been moving to the cloud over the past decade. I remember talking to customers around 10 years ago, and many of them were hesitant about the cloud. Fast forward to today, and most businesses are leveraging the cloud, and most are using a mix of different cloud providers. The challenge is that each cloud platform can feel like an isolated island. The key to improving security is to integrate all these islands into a cohesive security architecture, which is where CyberArk comes in. We are focused on connecting all of these disparate security islands and applying the right level of privileged access controls to each identity accessing these platforms. The goal is to reduce the risks tied to identities, while still allowing businesses to innovate, collaborate, automate, and leverage technology to drive the digital transformation that is shaping today’s economy.
