Why Non-Human Identity Management is the Next Cybersecurity Frontier

Posted on June 10, 2025 By CWS

Modern enterprise networks are highly complex environments that depend on hundreds of apps and infrastructure services. These systems have to work together securely and efficiently without constant human oversight, which is where non-human identities (NHIs) come in. NHIs — including application secrets, API keys, service accounts, and OAuth tokens — have exploded in recent years, driven by an ever-expanding array of apps and services that must work together and identify each other on the fly. In some enterprises, NHIs now outnumber human identities by as much as 50-to-1.
However, NHIs introduce distinct risks and management challenges that have security leaders on high alert. Forty-six percent of organizations have experienced compromises of NHI accounts or credentials over the past 12 months, and another 26% suspect they have, according to a recent report from Enterprise Strategy Group.
It's no wonder NHIs — and the difficulties they present for oversight, risk reduction, and governance — have been a recurring topic at Okta's CISO Forum. Here, we'll explore their rise, their risks, and how CISOs and security leaders are managing them today.
The spectacular rise of NHIs
The rise in NHIs can be traced to the growing use of cloud services, AI and automation, and digital workflows. It's a trend that is likely to continue, as more and more tasks are automated and humans become less a part of the equation.
NHIs allow apps to authenticate to one another, both within a specific domain and with third-party applications such as cloud services. These secrets, keys, and tokens are just as sensitive as the credentials used by humans, and in some cases even more so, because if leaked they can give adversaries powerful access to specific applications and services.
CISOs are taking notice. In fact, over 80% of organizations expect to increase spending on non-human identity security.
According to Mark Sutton, CISO at Bain Capital, "Non-human identities have become a focus for teams based on the maturity of their identity and access management programs. It's quickly becoming the next hottest fire because people have largely solved user identities. The natural progression is then to start looking at service accounts and machine-to-machine non-human identities, including APIs."
Simply put, once organizations establish strong protocols for securing human identities, the logical next step is tackling NHIs. "That, and non-human identities are part of the threat landscape, and it's where attackers are going next."
Secret leakage and other risks of NHIs
Like any other set of credentials, NHIs are sensitive and need to be protected. But while humans can use strong security measures such as MFA or biometrics to protect sensitive credentials, NHIs often rely on weaker authentication methods. That can make them easy targets for attackers.
Leakage of NHI secrets is also a serious concern. It can happen in numerous ways, whether through hard-coding them into an application's source code or accidentally copying and pasting them into a public document. Secret leakage is a significant problem, and secrets frequently show up in public GitHub repositories. In fact, security firm GitGuardian found more than 27 million new secrets in public repositories last year. This is an even bigger problem when you consider that NHI secrets are not rotated very often in most environments, so the useful lifetime of a leaked secret can be quite long.
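The hard-coding case described above is what secret-scanning tools look for before a commit reaches a public repository. What follows is an added example, not code from the original article or from GitGuardian or Okta: a small Python scanner that flags a source line when it matches a well-known credential prefix (the AWS access key ID and GitHub personal access token formats) or when a high-entropy string literal is assigned to a variable whose name suggests a secret. The sample source file, the identifier names, the length and entropy thresholds, and the keyword list are all constructed for the example; the AWS values are the publicly documented example pair, not live keys.

```python
import math
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample "source file". The AWS values are the publicly documented
# example key pair and the GitHub token is made up to match the PAT format;
# none of them are live credentials.
SAMPLE_SOURCE = """\
import os
import requests

API_BASE = "https://api.example.internal/v1"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
aws_secret = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
GITHUB_TOKEN = "ghp_0123456789abcdefghijABCDEFGHIJklmnop"
DB_PASSWORD = os.environ["DB_PASSWORD"]
retry_count = "3"
"""

# Credential formats with a fixed, recognisable prefix.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Identifier fragments suggesting the assigned literal is a credential (assumed list).
SECRET_NAME_HINTS = ("secret", "token", "key", "password", "passwd", "pwd", "credential")
ASSIGNMENT = re.compile(r"""^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*["']([^"']+)["']""")

MIN_LITERAL_LEN = 16      # shorter literals are rarely machine-generated secrets
MIN_ENTROPY_BITS = 3.0    # per character; random base64/hex sits well above this


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    name: Optional[str]   # variable the secret was assigned to, if visible


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or constant string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_source(text: str) -> list:
    """Return a Finding for every line that looks like a hard-coded secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        assignment = ASSIGNMENT.match(line)
        name = assignment.group(1) if assignment else None

        # First pass: exact, prefix-based formats (no name hint needed).
        matched_known = False
        for kind, pattern in KNOWN_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(line_no, kind, name))
                matched_known = True
        if matched_known or assignment is None:
            continue

        # Second pass: generic heuristic, name hint plus entropy, to limit false
        # positives on URLs and other long but non-secret literals.
        literal = assignment.group(2)
        looks_secret = any(h in name.lower() for h in SECRET_NAME_HINTS)
        if (looks_secret and len(literal) >= MIN_LITERAL_LEN
                and shannon_entropy(literal) >= MIN_ENTROPY_BITS):
            findings.append(Finding(line_no, "high_entropy_secret", name))
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.kind} assigned to {f.name}")
```

Note that `DB_PASSWORD = os.environ[...]` is not flagged: reading the credential from the environment at runtime is exactly the pattern the scanner is meant to steer developers towards, while the URL on line 4 is skipped because its variable name carries no secret hint even though its entropy is fairly high.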
And, because they often need broad and persistent permissions to perform their tasks, NHIs can accumulate excessive permissions, further increasing the attack surface. All of this makes NHIs a prime target for attackers and a major challenge for CISOs and their security teams.
Three challenges CISOs face in securing NHIs
While NHIs are now on CISOs' radar, securing them is another story. Here are three challenges we're hearing from CISOs, and how they're managing them:

Gaining visibility. The biggest hurdle in trying to secure and manage NHIs is simply finding them. Visibility into where NHIs live in an environment can be limited, and finding all or even most of them is a difficult task. Many organizations have thousands of NHIs they didn't even know existed. The old adage "you can't secure what you don't know about" holds true here, which means discovering and inventorying NHIs is essential. Implementing an identity security posture management solution can help admins and security professionals identify NHIs across their organization.
Risk prioritization and reduction. The next challenge is prioritizing the risks associated with the NHIs in the environment. Not all NHIs are created equal. Finding the most powerful NHIs and identifying over-privileged ones is a key step in securing these identities. Many service accounts and other NHIs have far more privileges than they actually need, which creates risk for the organization. Identifying high-value NHIs and adjusting their privileges and permissions can help reduce that risk. "It's about understanding the blast radius associated with each non-human identity and asking 'what's the risk?' Not all NHIs carry the same threat," Sutton stressed.
Establishing governance. With so many NHIs being created today, governance has become a real thorn in the side for CISOs. When NHIs are not properly governed, bad things can happen — take, for example, the series of Internet Archive breaches tied to unrotated tokens in October 2024. Often, NHIs are created by developers to serve short-term needs, but they're rarely tracked or decommissioned properly. Understanding who is creating NHIs, how they're creating them, and for what purpose is a good first step. Then, security teams must establish a clear process for managing them so that non-human identities cannot be created arbitrarily. "We have to think about what our authentication and password policies are," says Sutton. "For instance, there are likely many service accounts with weak, static passwords that haven't been rotated for years. How do we make sure we're managing those?"
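Once an inventory exists, the three challenges above reduce to a ranking problem: which identities have the widest blast radius, which are stale, and which nobody owns. The following is an added example, not code from the article, Okta, or any identity product: a Python script that scores each record of a constructed NHI inventory on the factors the text names (high-privilege scopes, static passwords, overdue rotation, missing owner, long disuse) and sorts the result so the governance conversation starts with the worst offenders. The inventory records, scope names, the 90-day rotation and 60-day disuse thresholds, and the scoring weights are all assumptions made for the example, not a published standard.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed policy thresholds (constructed for this example, not a standard).
TODAY = date(2025, 6, 10)     # pinned so the ranking below is reproducible
ROTATION_MAX_DAYS = 90        # credentials older than this are "rotation_overdue"
UNUSED_MAX_DAYS = 60          # no authentication for this long => decommission candidate

# Assumed weights: blast radius dominates, then credential hygiene, then ownership.
WEIGHT_HIGH_PRIVILEGE = 40
WEIGHT_STATIC_PASSWORD = 20
WEIGHT_ROTATION_OVERDUE = 20
WEIGHT_NO_OWNER = 10
WEIGHT_UNUSED = 10


@dataclass(frozen=True)
class NonHumanIdentity:
    name: str
    kind: str                      # service_account | api_key | oauth_token
    owner: Optional[str]           # None = nobody is accountable for it
    credential_type: str           # static_password | api_key | short_lived_token
    last_rotated: Optional[date]   # None = never rotated since creation
    last_used: Optional[date]      # None = no authentication seen in logs
    scopes: tuple                  # granted permissions, as scope strings


# Constructed inventory; names, owners, scopes and dates are made up.
INVENTORY = [
    NonHumanIdentity("ci-deploy-bot", "service_account", "platform-team",
                     "static_password", date(2021, 3, 1), date(2025, 6, 9),
                     ("deploy:write", "admin")),
    NonHumanIdentity("billing-sync-key", "api_key", None,
                     "api_key", date(2025, 5, 1), date(2024, 12, 15),
                     ("billing:read",)),
    NonHumanIdentity("github-actions-oidc", "oauth_token", "appsec",
                     "short_lived_token", date(2025, 6, 10), date(2025, 6, 10),
                     ("repo:read",)),
    NonHumanIdentity("legacy-backup-svc", "service_account", None,
                     "static_password", None, None,
                     ("storage:*",)),
]


def is_high_privilege(scope: str) -> bool:
    """Global wildcard, admin, or a service-wide wildcard all mean a wide blast radius."""
    return scope in ("*", "admin") or scope.endswith(":*")


def days_since(d: Optional[date], today: date) -> Optional[int]:
    return None if d is None else (today - d).days


def assess(nhi: NonHumanIdentity, today: date = TODAY):
    """Return (risk score, list of finding labels) for one identity."""
    score = 0
    findings = []
    if any(is_high_privilege(s) for s in nhi.scopes):
        score += WEIGHT_HIGH_PRIVILEGE
        findings.append("high_privilege_scope")
    if nhi.credential_type == "static_password":
        score += WEIGHT_STATIC_PASSWORD
        findings.append("static_password")
    rotated = days_since(nhi.last_rotated, today)
    if rotated is None or rotated > ROTATION_MAX_DAYS:
        score += WEIGHT_ROTATION_OVERDUE
        findings.append("rotation_overdue")
    if nhi.owner is None:
        score += WEIGHT_NO_OWNER
        findings.append("no_owner")
    used = days_since(nhi.last_used, today)
    if used is None or used > UNUSED_MAX_DAYS:
        score += WEIGHT_UNUSED
        findings.append("unused_or_never_used")
    return score, findings


def prioritize(inventory, today: date = TODAY):
    """Rank the inventory highest risk first as (name, score, findings) tuples."""
    ranked = [(nhi.name, *assess(nhi, today)) for nhi in inventory]
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


if __name__ == "__main__":
    for name, score, findings in prioritize(INVENTORY):
        print(f"{score:3d}  {name:22s} {', '.join(findings) or 'no findings'}")
```

In practice the inventory rows come from an identity provider or a posture-management export rather than a literal list, and the weights should be tuned to the organization; the point of the example is that "blast radius" (wildcard and admin scopes) and "never rotated, nobody owns it" are the two signals that push an identity to the top.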

Final thoughts
Non-human identities are essential to businesses today, helping them automate processes, enable integrations, and keep operations running smoothly. The challenge: they are difficult to secure and an attractive target for threat actors because they are often non-federated, lack MFA, use static credentials, and hold excessive privileges.
At the end of the day, non-human identities and human identities may have different characteristics and needs, but both require an end-to-end approach that protects them before, during, and after authentication. NHIs may not be people, but they are increasingly powerful actors in your environment. That makes securing them not optional, but urgent.
Join our webcast on August 18th to learn how organizations are reducing risk and complexity by managing all identities — human or not — under one unified system.

This article is a contributed piece from one of our valued partners.

Source category: The Hacker News. Tags: Cybersecurity, Frontier, Identity, Management, NonHuman
