Securing non-human identities: Why fragmented strategies fail
In this Help Net Security interview, John Yeoh, Global VP of Research at CSA, discusses the growing security challenges posed by non-human identities (NHIs). With NHIs now outnumbering human identities by 20 to 1, organizations are struggling to secure these digital entities effectively.
Yeoh shares insights on addressing this issue, including the need for better visibility, lifecycle management, and cohesive security strategies.
Only 15% of organizations feel highly confident in preventing attacks through non-human identities. What factors do you believe contribute to this low level of confidence?
The scope of non-human identities (NHIs) has grown immensely as systems have become more digital and complex. NHIs include digital profiles and credentials that enable machines, applications, and devices to interact with systems, services, or other machines. We typically haven’t tracked these well, as they are beyond the human and machine identities we’re used to having to understand.
The most significant factor boils down to the sheer number of NHIs that exist in a modern environment. These NHIs — which include bots, service accounts, API and secret keys, as well as OAuth tokens — often outnumber human identities by a factor of 20 to 1 and should only grow with the implementation of AI models.
Unsurprisingly, the high volume of NHIs significantly increases the number of security challenges organizations face. Each NHI carries out tasks with its own permissions and roles and can potentially access sensitive data and critical systems, increasing the attack surface exponentially.
Many organizations rely on a mix of tools not designed explicitly for NHIs, leading to fragmented security strategies. What would a more cohesive and effective NHI security strategy look like?
Including NHIs in your identity strategies is a start. A cohesive strategy starts with meeting the top challenges with NHIs, such as those highlighted in the survey report CSA issued with Astrix Security. This includes full discovery and visibility into what NHIs are in your environment, their roles and responsibilities, the internal and external systems they are touching, their access and privileges, and the lifecycle of each NHI.
In addition to visibility, a security strategy includes the ability to monitor, manage, and automate unique features of NHIs such as their creation, expiry, and renewal as well as their access, privileges, and authorization mechanisms. It must also include the ability to detect, isolate, and initiate a response mechanism when there are security violations. Ideally, having a unified and centralized view reduces fragmented efforts and allows organizations to view and prioritize their NHI environment for security.
With NHIs outnumbering human identities by a factor of 20 to 1 in some environments, what unique challenges do they present regarding security management?
It starts with the number of NHIs. NHIs will continue to outnumber human identities as we rely on more complex systems, including the rise of cloud and AI. Discovering and monitoring them will become a critical part of protecting them.
The lifecycle of NHIs is also unique in that they can be provisioned short term for single tasks or long term for continuous operations of a system. The pace of creation, expiration, renewal, and provisioning of NHIs will be a challenge distinct from that of human identities.
NHIs will also have different authorization mechanisms than human identities. Human identities will practice Multi-Factor Authentication and Single Sign-On operations using authorization techniques such as passwords and biometrics, which do not apply to NHIs that use techniques such as tokens and certificates. Managing these types of authentication methods, with the ability to rotate or change credentials and then monitor and adjust access and privileges, is a unique aspect of NHI authentication.
NHIs’ behavior patterns are also more predictable than humans’, meaning that humans are active at certain times and will have a range of behaviors. Meanwhile, NHIs can be active around the clock and will be very deterministic with their access and roles. Because of these deterministic principles, if provisioned incorrectly, NHIs will run within parameters that can violate security policies and expose environments.
Monitoring and automating these unique aspects of NHIs and additional characteristics outlined in the NHI Security Report will be vital to securing NHI environments.
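The deterministic behavior Yeoh describes is what makes NHIs easier to baseline than people. The following is an added example (editor's illustration, not code from CSA, Astrix Security, or the interview) of that idea: it builds a per-identity baseline of which (action, resource) pairs a service account touches and at which hours, flags later events that fall outside that baseline, and compares the permissions an NHI was granted against what it actually used to surface over-provisioning. The log format, identity names, and granted-permission sets are all constructed for the example; a real deployment would read cloud audit logs and IAM policies instead.

```python
"""Baseline-and-deviation check for non-human identity (NHI) activity.

Added illustration. The JSON audit-event shape, principal names, and the
GRANTED permission table below are constructed assumptions, not a real schema.
"""
import json
from collections import defaultdict

# Constructed "known good" week of activity for two service accounts.
BASELINE_LOG = [
    '{"ts":"2025-03-03T02:00:11Z","principal":"svc-nightly-export","action":"s3:GetObject","resource":"bucket/reports"}',
    '{"ts":"2025-03-03T02:04:52Z","principal":"svc-nightly-export","action":"s3:PutObject","resource":"bucket/exports"}',
    '{"ts":"2025-03-04T02:00:09Z","principal":"svc-nightly-export","action":"s3:GetObject","resource":"bucket/reports"}',
    '{"ts":"2025-03-04T02:05:01Z","principal":"svc-nightly-export","action":"s3:PutObject","resource":"bucket/exports"}',
    '{"ts":"2025-03-03T14:00:03Z","principal":"svc-billing-sync","action":"db:Select","resource":"db/invoices"}',
    '{"ts":"2025-03-04T14:00:05Z","principal":"svc-billing-sync","action":"db:Select","resource":"db/invoices"}',
]

# Constructed events from a later day, mixing normal and suspicious activity.
NEW_LOG = [
    '{"ts":"2025-03-10T02:01:00Z","principal":"svc-nightly-export","action":"s3:GetObject","resource":"bucket/reports"}',
    '{"ts":"2025-03-10T11:37:40Z","principal":"svc-nightly-export","action":"s3:GetObject","resource":"bucket/reports"}',
    '{"ts":"2025-03-10T02:05:13Z","principal":"svc-nightly-export","action":"s3:GetObject","resource":"bucket/customer-pii"}',
    '{"ts":"2025-03-10T14:02:00Z","principal":"svc-billing-sync","action":"db:Select","resource":"db/invoices"}',
    '{"ts":"2025-03-10T09:00:00Z","principal":"svc-ci-runner","action":"iam:CreateAccessKey","resource":"iam/user/admin"}',
]

# Constructed: what each NHI's IAM policy actually grants.
GRANTED = {
    "svc-nightly-export": {"s3:GetObject", "s3:PutObject", "s3:DeleteObject", "kms:Decrypt"},
    "svc-billing-sync": {"db:Select"},
}


def parse(lines):
    """Decode one JSON audit event per line and attach the UTC hour."""
    events = []
    for line in lines:
        ev = json.loads(line)
        ev["hour"] = int(ev["ts"][11:13])  # "YYYY-MM-DDTHH:MM:SSZ" -> HH
        events.append(ev)
    return events


def build_baseline(events):
    """Per principal: the (action, resource) pairs and hours seen in the training window."""
    baseline = defaultdict(lambda: {"pairs": set(), "hours": set()})
    for ev in events:
        entry = baseline[ev["principal"]]
        entry["pairs"].add((ev["action"], ev["resource"]))
        entry["hours"].add(ev["hour"])
    return dict(baseline)


def find_deviations(baseline, events):
    """Return events that break the baseline, each with the list of reasons."""
    findings = []
    for ev in events:
        reasons = []
        entry = baseline.get(ev["principal"])
        if entry is None:
            reasons.append("unknown_nhi")  # never seen before: discovery gap or rogue identity
        else:
            if (ev["action"], ev["resource"]) not in entry["pairs"]:
                reasons.append("new_action_or_resource")
            if ev["hour"] not in entry["hours"]:
                reasons.append("off_schedule_hour")  # a scheduled job should not run at odd hours
        if reasons:
            findings.append({"principal": ev["principal"], "reasons": reasons, "event": ev})
    return findings


def unused_permissions(granted, baseline):
    """Granted actions an NHI never exercised: candidates for least-privilege trimming."""
    unused = {}
    for principal, actions in granted.items():
        used = {action for action, _ in baseline.get(principal, {"pairs": set()})["pairs"]}
        leftover = actions - used
        if leftover:
            unused[principal] = leftover
    return unused


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for f in find_deviations(base, parse(NEW_LOG)):
        print(f["principal"], f["reasons"], f["event"]["ts"])
    print("unused:", unused_permissions(GRANTED, base))
```

Running it flags the daytime read by the nightly job, the read of a bucket the job never touched before, and an identity absent from the baseline entirely, and reports that `svc-nightly-export` holds delete and KMS rights it has never used. The same three checks (unknown identity, new access pair, off-schedule activity) map directly to the discovery, monitoring, and prioritization steps recommended later in the interview.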
Less than 20% of organizations have formal processes for offboarding and rotating API keys. What best practices would you recommend to streamline these processes and reduce security risks?
Implementing formal processes should be an important part of the lifecycle management of NHIs. Provisioning NHIs includes specifying tasks or responsibilities, allowing proper access and permissions, and the authorization or assigning of credentials for the NHI. Continuous monitoring and regular audits, including credential rotation, during this process helps in evaluating the performance of the NHI or finding anomalies, ensuring that the NHI is operating within its intended scope. Usage patterns can be analyzed to identify and reduce potential security risks.
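The lifecycle Yeoh outlines (provision with an owner and scope, rotate, monitor, retire) is concrete enough to model. The following added example (editor's illustration, not code from CSA, Astrix Security, or the interview) is a minimal API-key registry that stores only a hash of each secret, issues replacement keys with an overlap window so clients can migrate, hard-expires keys that nobody rotated, revokes every key tied to an owner who is offboarded, and produces an audit report of keys that are overdue or still live past their retirement date. The 90-day maximum age, the 7-day overlap, the key-ID prefixes, and the `KeyRegistry` API are assumptions chosen for the example.

```python
"""API-key lifecycle: issue, rotate with overlap, hard-expire, offboard, audit.

Added illustration. MAX_KEY_AGE, ROTATION_OVERLAP, the "nhk_" / "key_" prefixes
and the in-memory store are assumptions; a real system would back this with a
secrets manager and emit the audit findings to a ticketing or SIEM pipeline.
"""
from __future__ import annotations

import hashlib
import secrets
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)      # assumed policy: keys die even if nobody rotates them
ROTATION_OVERLAP = timedelta(days=7)  # assumed: old key keeps working while clients migrate
DUE_WARNING = timedelta(days=14)      # assumed: flag keys this close to MAX_KEY_AGE


@dataclass
class ApiKey:
    key_id: str
    owner: str                     # accountable human or team; offboarding them revokes the key
    scopes: frozenset[str]
    created_at: datetime
    key_hash: str                  # only the SHA-256 of the secret is stored
    retire_at: datetime | None = None   # set once a replacement has been issued
    revoked_at: datetime | None = None


class KeyRegistry:
    def __init__(self) -> None:
        self.keys: dict[str, ApiKey] = {}

    @staticmethod
    def _hash(secret: str) -> str:
        return hashlib.sha256(secret.encode()).hexdigest()

    def issue(self, owner: str, scopes, now: datetime) -> tuple[str, str]:
        """Create a key; the plaintext secret is returned exactly once."""
        secret = "nhk_" + secrets.token_urlsafe(32)
        key_id = "key_" + secrets.token_hex(6)
        self.keys[key_id] = ApiKey(key_id, owner, frozenset(scopes), now, self._hash(secret))
        return key_id, secret

    def rotate(self, key_id: str, now: datetime) -> tuple[str, str]:
        """Issue a replacement with the same owner/scopes; old key retires after the overlap."""
        old = self.keys[key_id]
        new_id, secret = self.issue(old.owner, old.scopes, now)
        old.retire_at = now + ROTATION_OVERLAP
        return new_id, secret

    def offboard(self, owner: str, now: datetime) -> list[str]:
        """Revoke every live key belonging to an owner who is leaving or being decommissioned."""
        revoked = []
        for k in self.keys.values():
            if k.owner == owner and k.revoked_at is None:
                k.revoked_at = now
                revoked.append(k.key_id)
        return revoked

    @staticmethod
    def is_valid(k: ApiKey, now: datetime) -> bool:
        if k.revoked_at is not None:
            return False
        if k.retire_at is not None and now >= k.retire_at:
            return False
        return now - k.created_at < MAX_KEY_AGE

    def authenticate(self, secret: str, now: datetime) -> ApiKey | None:
        """Constant-time hash comparison against every stored key; None if no live match."""
        h = self._hash(secret)
        for k in self.keys.values():
            if secrets.compare_digest(k.key_hash, h) and self.is_valid(k, now):
                return k
        return None

    def audit(self, now: datetime) -> dict[str, list[str]]:
        """Findings by category for the regular review Yeoh describes."""
        findings: dict[str, list[str]] = defaultdict(list)
        for k in self.keys.values():
            if k.revoked_at is not None:
                continue
            age = now - k.created_at
            if age >= MAX_KEY_AGE:
                findings["expired_never_rotated"].append(k.key_id)
            elif age >= MAX_KEY_AGE - DUE_WARNING and k.retire_at is None:
                findings["rotation_due"].append(k.key_id)
            if k.retire_at is not None and now >= k.retire_at:
                findings["retired_not_revoked"].append(k.key_id)
        return dict(findings)


if __name__ == "__main__":
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    reg = KeyRegistry()
    kid, sec = reg.issue("team-billing", ["invoices:read"], t0)
    kid2, sec2 = reg.rotate(kid, t0 + timedelta(days=80))
    print("audit at day 88:", reg.audit(t0 + timedelta(days=88)))
    print("offboarded:", reg.offboard("team-billing", t0 + timedelta(days=88)))
```

Two design points worth noting: validity is computed from timestamps rather than a stored "active" flag, so a key that was never rotated stops working at `MAX_KEY_AGE` without anyone remembering to disable it, and the audit distinguishes "due soon", "expired and still unrotated", and "replacement issued but old key not yet revoked", which are three different tickets for three different owners.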
What are the top three recommendations you would make to organizations struggling with NHI security?
First, use automated tools to discover and categorize NHIs in your environment. This is a unique aspect of shadow IT that needs to be visible to security teams in order to assess threats, vulnerabilities, and risk in your environment.
Second, monitor how these NHIs are connecting and interacting in your environment so you can identify sensitive systems, machines, applications, and services that can expose your environment.
Finally, prioritize and rank any vulnerabilities, risks, and exposures so that your security teams can begin remediation and mitigation efforts.