Report examines how to apply IAM “Zero Trust” principles to non-human workers
Earlier this month, Forrester, one of the most influential research and advisory firms in the world, released a new report, How To Secure And Govern Non-Human Identities, which was subtitled with the soundful advice to, “Apply Zero Trust IAM Principles To Secure Software Bots, Physical Robots, and IoT Devices”. The report is very timely due to the accelerated pace in utilization of non-human workers being adopted by organizations and governments globally. The report poses the question “Do you know how many software bots, physical robots, or IoT devices are connected to your network? How many of these devices store or interact with critical data?”. While non-human workers increase efficiency and productivity and can eliminate human mistakes, it is also true that they expand an organization’s attack surface. Especially given the fact that orphaned or unmanaged accounts are particularly susceptible to compromise by hackers.
Since using non-human workers, such as RPAs (robotic process accounts), service accounts, Bots, and IoT devices, is relatively new to organizations, almost none have adopted identity lifecycle management processes to manage these workers and many don’t even know how many non-human workers are connected to their network. SecZetta, has been at the forefront of managing the identities for non-human workers (The Lifecycle of Non-Human Workers / Minimizing Cyberattacks by Managing Non-human Workers) and was interviewed to provide our insight on this growing issue, particularly including providing background on the types of non-human workers and best identity practices to manage them. One of the key tenets of our thinking is that if the proper approach of monitoring and managing the lifecycle of non-human workers is taken, organizations can stop cyberattacks, data breaches, and compliance issues associated with these entities and their access.
SecZetta Strategy for Non-human workers
One of the major issues that organizations need to address is the ownership of a non-human account. In short, CISO, IAM, Identity, Risk, and Dev teams should manage non-human workers with the same identity and lifecycle processes as a human worker. Presently organizations configure their identity programs so that non-human workers belong to a human worker. However, when the human worker changes roles or leaves the organization, the most common identity process dictates that the accounts belonging to that human worker are disabled which includes any non-human accounts that role up to it. The non-human worker account may also be orphaned and left vulnerable to hackers. The account should not belong to a person but should be managed as its own identity similar to the human identity lifecycle management processes. This shift results in the management of that entity being transferred or addressed when the owner is terminated, as opposed to the account being disabled or orphaned.
SecZetta enables organizations to assign an identity to a non-human worker and solves the maintenance issue of important information about non-human entities. Authoritative entity details like device status or ownership that will allow for the proper governance of the access the bot, device, service account or application has which will mitigate for any risk it presents. SecZetta enables the collection of relevant details when a bot, IoT device, service account, or RPA is put into service, so organizations can make well-informed decisions about what access is needed to allow the bot or device to function. It also places protocols in place which will periodically determine whether its access is still appropriate or necessary.
Read the entire Forrester report here- How to Secure And Govern Non-Human Identities: Apply Zero Trust IAM Principles To Secure Software Bots, Physical Robots, and IoT Devices
*** This is a Security Bloggers Network syndicated blog from Industry Blog | SecZetta authored by Keith Durand. Read the original post at: https://www.seczetta.com/seczetta-forrestor-report-on-non-human-identities/