When you think of identity management in an enterprise setting, you may think of your users first. But humans are just one part of the equation, and increasingly a small part. As cloud adoption accelerates, there’s been an explosion in non-human workforce identities over the last few years.
More than ever, enterprises rely on automation and services, a trend that will continue to accelerate as more organizations move away from monolithic paradigms to the cloud, which includes microservices, containerization, and serverless paradigms.
Non-human identities play an integral role in driving digital transformation, helping businesses scale their workloads and increase productivity at the speed of agile DevOps. However, the upsurge in non-human identities increases risk, a recent trend that requires new ways of managing it.
A new information security risk management crisis is emerging. Traditional ways of adequately tracking, managing, and protecting workforce identities no longer work. Believe it or not, a study from the Identity Defined Security Alliance (IDSA) found 79% of organizations reported having an identity-related security breach in the last two years.
To avoid suffering the fate of a data breach, enterprises need to take proactive measures, dig deep and understand their identities’ effective (end-to-end) permissions to protect data and ensure operational stability. All organizations should prioritize protecting the new identity perimeter in their technology ecosystem in 2021, which will reduce risk to the business, increase security, and enforce compliance.
What are Non-Human Identities?
A non-human identity can take on many forms within your cloud, but in general it can act intelligently and make decisions on behalf of a traditional human identity. Think bots, serverless functions, infrastructure as code, and compute resources. Every time you implement a new technology solution in your organization, you introduce a unique identity to the business, with its own set of risks. Due to digital transformation, there are now far more non-human identities than human identities, which means that your risk profile is increasing, oftentimes in ways and areas that you are completely unaware of.
To give you a better idea of what non-human identities look like, let’s explore some more concrete examples.
Serverless functions are single-purpose, programmatic functions that are hosted on managed infrastructure. These functions, which are invoked through the Internet, are hosted and maintained by cloud service providers. Software developers are moving their product code to serverless function services such as AWS Lambda and Microsoft Azure Functions.
Within IT administration, several account types that are linked not to any one person but to roles and groups also need to be managed.
Databases and Data Stores
Databases and data stores are pieces of compute that can be accessed or misconfigured by non-human identities. Cloud environments manage increasingly large volumes of heterogeneous data. This heterogeneity means that a single data store is usually not the best approach. Instead, it’s often better to store different types of data in different data stores, each geared toward a specific workload or usage pattern. Selecting the right data store for your requirements is a key design decision. There are literally hundreds of implementations to choose from among cloud service provider databases. Data stores are often categorized by how they structure data and the types of operations they support.
Connected devices represent one of the most widely deployed groups of non-human identities. This category includes a range of items — from smartphones and tablets to industrial sensors, robots, and connected cameras, among other objects. Devices regularly interact with enterprise resources and can be owned by either employees or the company itself. With the emergence of the remote workforce as the new norm, the attack surface for connected devices has increased substantially.
Applications and Scripts
Applications and scripts use privileged credentials — or secrets — to access private resources in cloud-native environments, containers, and other tools. These identities are often targeted by cybercriminals to access systems and databases and worm their way deeper into an enterprise’s architecture, increasing their likelihood of uncovering an organization’s crown jewels — their most critical assets.
Software-Defined Infrastructure (SDI) and Containers
SDI is a computing infrastructure that acts independently without any human oversight or management. Containers and networks are often software-defined and have their own identities. SDI may include storage, compute, or networking components.
A virtual machine (VM) is a resource that uses software to deploy apps and run programs. VMs are often used to test apps in sandboxed environments. Malicious actors can exploit a VM to interact with the host operating system, a strategy called an escape attack. As such, you need to monitor these computing assets for changes and take steps to protect them.
How to Protect Your Non-Human Identities
Due to the sheer volume of non-human identities that proliferate across an organization, it’s tough to manage related risk at scale. An average enterprise may run 1,000 virtual machines or more at a time in virtualized environments and public clouds. They may also have thousands of connected devices and multiple SDI components spread across a global footprint.
This is a lot for a fast-moving enterprise to keep track of, compounded by human identities and the potential for a data breach.
The good news is that identity management is fast taking precedence and getting more manageable with the right data and identity platform. In fact, the same IDSA study referenced above found that 99% of respondents believe their identity-related breaches were preventable. It’s simply a matter of prioritizing identity management and taking appropriate measures to clamp down on security and prevent identity sprawl.
Here are some tips that your business can use to protect non-human identities.
- Identify all of your identities and continuously inventory them
- Identify the effective permissions for each and every one of your identities and monitor continuously for changes
- Ensure identity security solutions are in place and configured to manage privileged non-human identities
1. Prevent Overly Permissive Identities
Oftentimes, identities have more permissions than they need. When this happens, identities can execute tasks that may cause a great deal of harm — like modifying systems or databases or granting access to a private area.
Identities with admin access can sometimes gain more and more permissions over time, for example when a change in responsibilities requires the identity to keep its previous privileges. This is known as privilege creep, and some identities get to the point where they present a security vulnerability. It’s a good idea to keep an eye on privileged accounts to keep them from accumulating too much power. With so many identities, manual efforts to monitor, flag and adjust accounts no longer meet this need. An automated tool that enables admins to discover identities and send them through the CI/CD pipeline to the team responsible for mitigating them is a more effective solution.
2. Maintain Separation of Duties
The separation of duties principle mandates that identities do not have conflicting responsibilities or the ability to open the organization to risk.
Oftentimes, pieces of compute will violate the separation of duties principle. Even worse, this can happen quietly in the background because non-human identities aren’t always audited.
To ensure that your organization is enforcing the separation of duties principle, it’s critical to map all identities across your environment.
3. Use Continuous Monitoring
Modern IT environments are highly dynamic. New identities are continually being introduced and deployed, making it very challenging for security teams to track what’s happening.
The only way to maintain control is to leverage an identity and data security platform to monitor identities and report changes continuously.
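The three practices above, run over a small constructed inventory, as an added example (not from the original post and not any vendor's code): it flags newly appeared identities, permissions gained since the last snapshot, granted-but-unused permissions, and separation-of-duties conflicts. The identity names, usage data and conflict policy are hypothetical; the permission strings are AWS-style action names.

```python
# Constructed inventory snapshots (not output of any real tool):
# identity name -> set of effective permissions.
YESTERDAY = {
    "lambda-invoice-export": {"s3:GetObject", "s3:PutObject"},
    "ci-deploy-role": {"lambda:UpdateFunctionCode", "iam:PassRole"},
}
TODAY = {
    "lambda-invoice-export": {"s3:GetObject", "s3:PutObject", "iam:AttachRolePolicy"},
    "ci-deploy-role": {"lambda:UpdateFunctionCode", "iam:PassRole", "cloudtrail:StopLogging"},
    "vm-batch-07": {"ec2:DescribeInstances"},
}
# Hypothetical usage data: permissions each identity actually exercised recently.
USED = {
    "lambda-invoice-export": {"s3:GetObject", "s3:PutObject"},
    "ci-deploy-role": {"lambda:UpdateFunctionCode", "iam:PassRole"},
    "vm-batch-07": {"ec2:DescribeInstances"},
}
# Hypothetical separation-of-duties policy: pairs no single identity may hold together.
SOD_CONFLICTS = [("lambda:UpdateFunctionCode", "cloudtrail:StopLogging")]


def new_identities(prev, cur):
    """Identities present now that were missing from the previous inventory."""
    return sorted(set(cur) - set(prev))


def permission_drift(prev, cur):
    """Permissions an existing identity gained since the last snapshot (privilege creep)."""
    drift = {}
    for name, perms in cur.items():
        gained = perms - prev.get(name, set())
        if name in prev and gained:
            drift[name] = sorted(gained)
    return drift


def unused_permissions(cur, used):
    """Granted but never exercised permissions: candidates for removal."""
    return {n: sorted(p - used.get(n, set())) for n, p in cur.items() if p - used.get(n, set())}


def sod_violations(cur, conflicts):
    """Identities holding both halves of a conflicting permission pair."""
    return sorted((n, a, b) for n, p in cur.items() for a, b in conflicts if a in p and b in p)


if __name__ == "__main__":
    print("new:", new_identities(YESTERDAY, TODAY))
    print("drift:", permission_drift(YESTERDAY, TODAY))
    print("unused:", unused_permissions(TODAY, USED))
    print("SoD:", sod_violations(TODAY, SOD_CONFLICTS))
```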
Digital transformation has introduced a wide range of new identity types, which means that organizations need to change the way they approach governing identities and data access in the cloud. Identity security must include not only employees, partners, contractors, customers, and consumers, but all the above-mentioned non-human identities as well. This is necessary to meet security and privacy requirements, while at the same time enabling business growth and innovation.
Failure to ensure comprehensive identity management capabilities for all identities, human and non-human, exposes organizations to security and compliance risks. It is therefore important for organizations to recognize where and how non-human identities are used in their cloud environments and to ensure they have the necessary systems and processes in place to manage them properly.
At the very least, businesses need to be in control of all identities and their interaction with their environments. Therefore, enterprises must work to eliminate shared accounts so that all human or non-human identities interacting with systems have an identity that can be managed and used to apply the Principle of Least Privilege / Least Access and to provide visibility, traceability, and accountability.
It is also essential that organizations have a standard, policy-based way of managing privileged identities, which are common targets of compromise for malicious actors. Privileged non-human identities should not be overlooked. Privileged access platforms, therefore, must support privileged non-human identities, processes, microservices and containers in both production and development environments or DevOps, where this model is followed.
The success of digital transformation depends on the ability to manage the access of everyone and everything. This means having a complete understanding of all the identities at play (human and non-human), understanding their relationships, and having a consistent way to manage them and to secure them.
The post Cloud Security: The Rise of the Non-Human Identities appeared first on Sonrai Security.
*** This is a Security Bloggers Network syndicated blog from Blog - Sonrai Security authored by Eric Kedrosky. Read the original post at: https://sonraisecurity.com/blog/rise-non-human-identities/