3 key strategies for mitigating non-human identity risks
The exponential growth of non-human identities (NHIs) — service accounts, system accounts, IAM roles, API keys, tokens, secrets, and other forms of credentials not associated with human users — has led to their appearing in a growing share of security incidents and data breaches.
Here are three key areas to focus on when you’re building out your approach to securing NHIs.
1. Discovery and posture
For every 1,000 human users in an organization there are typically around 10,000 non-human connections or credentials. This means the fundamental activity of discovery, inventory, and monitoring in a continuous fashion is key.
This activity must occur across all environments, whether internally hosted and managed enterprise IT systems or external environments such as SaaS applications, the latter of which pose additional challenges for organizations when it comes to visibility and monitoring.
This is why organizations need to have robust SaaS governance programs and can lean into resources such as the Cloud Security Alliance (CSA)’s SaaS Governance Best Practices for Cloud Customers guide.
It’s one thing to have a program and plan in place for governance, but organizations also must have innovative modern security tooling capable of maintaining visibility across the NHI footprint regardless of the environment in which those credentials and connections exist.
While visibility is a great first step, and is in line with longstanding best practices such as asset inventory, you also need tooling capable of providing rich context to help prioritize the risks associated with NHIs accordingly. Visualizations such as connectivity maps can show the connections taking place, the systems, products and vendors involved, and the associated risks.
This includes insights into what permissions each NHI has, such as what it can read and write, the level of privileges of those NHIs (such as administrative level access) and more. To aid in the broader push for zero trust, you also need to be able to determine, based on the level of access the NHIs have, what level of permissions are being actively used. This can help right-size permissions and facilitate zero-trust principles such as least-permissive access control.
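The right-sizing step described above, as an added example that is not part of the original article: assigned IAM-style actions per NHI are compared against the actions actually observed in audit logs, unused grants are listed (with high-risk ones called out), and exercised wildcards are narrowed to the concrete actions seen. The inventory, log events and the `iam:` high-risk label are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: permissions assigned to each NHI (IAM-style actions).
ASSIGNED = {
    "svc-billing": {"s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                    "iam:PassRole", "kms:Decrypt"},
    "ci-deploy":   {"ec2:*", "s3:GetObject", "iam:CreateUser"},
}

# Constructed sample of audit-log events: (principal, action actually used).
EVENTS = [
    ("svc-billing", "s3:GetObject"),
    ("svc-billing", "kms:Decrypt"),
    ("ci-deploy", "ec2:RunInstances"),
    ("ci-deploy", "ec2:TerminateInstances"),
]

# Assumed label: unused grants in these services are escalation-prone and go first.
HIGH_RISK_PREFIXES = ("iam:",)

def action_matches(pattern: str, action: str) -> bool:
    """Match an assigned action (possibly wildcarded, e.g. 'ec2:*') to a used one."""
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action

def right_size(assigned, events):
    """Per NHI: share of grants exercised, unused grants, and a tightened grant set."""
    used = defaultdict(set)
    for principal, action in events:
        used[principal].add(action)
    report = {}
    for principal, grants in assigned.items():
        observed = used.get(principal, set())
        exercised = {g for g in grants if any(action_matches(g, a) for a in observed)}
        unused = grants - exercised
        tightened = set()
        for g in exercised:  # replace exercised wildcards with the concrete actions seen
            tightened |= {a for a in observed if action_matches(g, a)} if g.endswith("*") else {g}
        report[principal] = {
            "used_pct": round(100 * len(exercised) / len(grants)),
            "unused": unused,
            "high_risk_unused": {g for g in unused if g.startswith(HIGH_RISK_PREFIXES)},
            "right_sized": tightened,
        }
    return report

if __name__ == "__main__":
    for principal, row in right_size(ASSIGNED, EVENTS).items():
        print(principal, row)
```

On real data the observation window matters: an action used only in a quarterly job will look unused in a thirty-day sample, so confirm with the owner before removing it.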
We know from reports that only 2% of applied permissions are actually being used, meaning a whopping 98% of applied permissions to accounts are not actually needed and are overly permissive. These credentials continue to be prime targets for attackers and one of the leading vectors in data breaches, per sources such as the latest Verizon data breach report.
That means these NHIs are just sitting around waiting to be compromised by an attacker, and when they are, the attacker can leverage the permission sprawl to move laterally, access sensitive data and take other harmful actions affecting an organization, its systems and its data.
The ability to effectively monitor and manage the posture associated with your organization’s NHI needs to account for a broad range of factors. This includes aspects such as issues associated with assigned and utilized privileges, reputations of the vendors and their products involved, real-time runtime context such as suspicious behavior as well as threat intelligence such as a vendor being recently breached or involved in a security incident. All these insights and context can be used to comprehensively mitigate organizational risk associated with NHIs.
2. Third-party breach response and credential rotation
NHIs often facilitate connections to third parties, such as business partners, customers, external SaaS providers, and more. When those third parties experience a security incident, it demands a strong third-party breach response and credential rotation for any NHIs impacted as part of an incident.
The first step of any breach response activity is to understand whether you’re actually impacted; the ability to quickly identify any impacted credentials associated with the third party experiencing the incident is key. You need to be able to determine what the NHIs are connected to, who is utilizing them, and how to go about rotating them without disrupting critical business processes, or at least understand those implications prior to rotation.
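The impact-identification and rotation-planning step just described, as an added example that is not part of the original article: an NHI inventory records which vendor each credential authenticates to, which internal consumers depend on it, and who owns it, so that a breach notice from a vendor can be turned into a list of exposed credentials, the dependent systems, and a rotation plan that rotates low-impact credentials immediately and schedules critical ones with their owners. The inventory, vendor names and criticality flags are constructed assumptions.

```python
# Constructed NHI inventory: one entry per credential.
INVENTORY = [
    {"id": "tok-crm-sync", "vendor": "crm-saas", "type": "api_key",
     "consumers": ["marketing-etl"], "critical": False, "owner": "data-team"},
    {"id": "tok-crm-billing", "vendor": "crm-saas", "type": "oauth_token",
     "consumers": ["billing-api", "invoice-batch"], "critical": True, "owner": "fin-eng"},
    {"id": "key-payments", "vendor": "payments-provider", "type": "api_key",
     "consumers": ["checkout"], "critical": True, "owner": "platform"},
]

def impacted_credentials(inventory, breached_vendor):
    """Every credential that authenticates to the vendor reporting the incident."""
    return [c for c in inventory if c["vendor"] == breached_vendor]

def rotation_plan(inventory, breached_vendor):
    """Split impacted credentials into 'rotate now' and 'rotate with the owner'.

    Non-critical credentials are rotated immediately. Critical ones are listed
    with their owner and dependent consumers so the cut-over can be coordinated
    instead of silently breaking a business process.
    """
    impacted = impacted_credentials(inventory, breached_vendor)
    rotate_now = [c["id"] for c in impacted if not c["critical"]]
    rotate_with_owner = [
        {"id": c["id"], "owner": c["owner"], "consumers": list(c["consumers"])}
        for c in impacted if c["critical"]
    ]
    # Blast radius: every internal system that will lose access if nothing is rotated.
    dependent = sorted({s for c in impacted for s in c["consumers"]})
    return {
        "impacted": [c["id"] for c in impacted],
        "rotate_now": rotate_now,
        "rotate_with_owner": rotate_with_owner,
        "dependent_systems": dependent,
    }

if __name__ == "__main__":
    import json
    print(json.dumps(rotation_plan(INVENTORY, "crm-saas"), indent=2))
```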
We know that in a security incident, speed is king. Being able to outpace attackers and cut down on response time through documented processes, visibility, and automation can be the difference between mitigating direct impact from a third-party breach, or being swept up in a list of organizations impacted due to their third-party relationships.
3. Anomaly detection – going beyond posture
While we know that posture management is a foundational security activity, it isn’t a silver bullet. Being able to actively detect anomalous activity associated with your organization’s NHIs is important in determining what behavior is normal and what should be a cause for concern, such as potential threats or malicious activity.
Determining suspicious behavior can be done by leveraging a variety of factors, such as IPs, geolocations, internet service providers (ISPs), and API activity. When these factors deviate from the baseline activity associated with an NHI, they may be indicative of nefarious activity and warrant further investigation, or even remediation if an attack or compromise is confirmed.
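The baseline-deviation approach described above, as an added example that is not part of the original article: a per-NHI baseline of source IPs, ASNs (as a stand-in for ISP), countries and API actions is built from historical events, and each new event is scored by which of those factors it departs from, with an alert raised when the score crosses a threshold. The history, the weights and the threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed history defining "normal" per NHI: (nhi, source_ip, asn, country, api_action)
HISTORY = [
    ("svc-billing", "203.0.113.10", "AS64500", "US", "s3:GetObject"),
    ("svc-billing", "203.0.113.11", "AS64500", "US", "s3:GetObject"),
    ("svc-billing", "203.0.113.10", "AS64500", "US", "kms:Decrypt"),
]

# Assumed weights: a new country or ASN is a stronger signal than a new IP inside
# a known ASN, and an action the NHI has never issued before weighs most.
WEIGHTS = {"ip": 1, "asn": 2, "country": 3, "action": 3}
ALERT_THRESHOLD = 4
UNKNOWN_NHI_SCORE = 10  # an identity absent from the inventory is always investigated

def build_baseline(history):
    base = defaultdict(lambda: {"ips": set(), "asns": set(), "countries": set(), "actions": set()})
    for nhi, ip, asn, country, action in history:
        b = base[nhi]
        b["ips"].add(ip)
        b["asns"].add(asn)
        b["countries"].add(country)
        b["actions"].add(action)
    return dict(base)

def score_event(baseline, event):
    """Return (score, reasons) for one event against the NHI's baseline."""
    nhi, ip, asn, country, action = event
    b = baseline.get(nhi)
    if b is None:
        return UNKNOWN_NHI_SCORE, ["unknown_nhi"]
    observed = {"ip": ip, "asn": asn, "country": country, "action": action}
    known = {"ip": b["ips"], "asn": b["asns"], "country": b["countries"], "action": b["actions"]}
    reasons = [k for k in WEIGHTS if observed[k] not in known[k]]
    return sum(WEIGHTS[k] for k in reasons), reasons

def triage(baseline, events):
    """Events at or above the threshold, with the factors that deviated."""
    alerts = []
    for event in events:
        score, reasons = score_event(baseline, event)
        if score >= ALERT_THRESHOLD:
            alerts.append({"nhi": event[0], "score": score, "reasons": reasons})
    return alerts
```

A baseline built from a compromised period will treat the attacker's activity as normal, so seed it from a window you have reason to trust and rebuild it after every confirmed incident.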
Security teams are not only regularly stretched thin, but they also often lack a deep understanding across the organization’s entire application and third-party ecosystem as well as insights into what assigned permissions and associated usage is appropriate.
This is why modern security tools aimed at protecting NHIs often provide automated guardrails capable of running remediation workflows such as rotating secrets or reducing assigned permissions to mitigate threats. They should also integrate with existing security stacks to help SOC and security teams respond quickly and effectively.
Bringing it all together
By bringing together these three areas of discovery and posture management, third-party breach response and anomaly detection, organizations are able to get ahead of the risks associated with their NHI footprint.
Knowing the scale of the problem with modern organizations having tens of thousands of NHIs distributed and operating across both internal and external systems, the idea of tackling these risks manually is simply impractical. Organizations must lean into modern identity and access management (IAM) and identity threat detection and response (ITDR) tooling to facilitate these activities at scale.