Non-human users pose a serious identity management challenge

Identity and access management (IAM) programs put a lot of emphasis on users, for the obvious reason that compromising user identities is the prime attack vector for ransomware and other threat actors. But while strengthening access and permission controls for employees, third parties and other stakeholders, too many organizations overlook a vast trove of network identities that can be equally vulnerable to attack -- the non-human identities (NHIs) that are proliferating in the cloud.

The number of non-human identities, ranging from API keys and cloud services to DevOps tools and software bots, has exploded in recent years. By some estimates they are now outnumbering human users on the network by 45-1. The tools and services that comprise non-human identities can significantly increase efficiency and productivity, but they greatly expand an organization’s attack surface if they’re not properly protected. And too many of them aren’t protected.

Getting control of non-human identities in the cloud is a sizable challenge for organizations, particularly if they are trying to apply traditional IAM approaches. Visibility, for example, is important but insufficient on its own. Following IAM best practices is helpful, but easier said than done. And while automation adds speed and capability, its results in this case can’t always be trusted.

To get a tight grip on non-human identities, organizations need to turn the job over to service owners. If done right, that approach allows them to maintain effective control over a dynamic, constantly evolving source of network identities.

The Risks of Non-human Identities

Non-human identities, as the name suggests, are entities that are not humans, and that can take any kind of actions on critical infrastructure, on behalf of humans or workloads. They usually represent services, applications and automated processes in the infrastructure. They facilitate machine-to-machine interactions and perform other tasks without the need for human intervention.

They are granted access and authenticated via access keys, certificates, tokens and other secrets, which can create serious risks if compromised. And the risks are compounded as more developers use keys and other secrets from GitHub, BitBucket and other open-source repositories.

Types of non-human identities include API keys, which allow applications to interact securely, and service accounts, which allow applications and services to connect with network computer systems. In the cloud, service accounts allow virtual machines and workloads to interact with their APIs.

Both also present security risks. API keys, for example, could be compromised by attackers to gain access. And service accounts could allow for lateral movement through the network, potentially putting sensitive data at risk.

The same holds true for other non-human identities. In containerized environments such as Docker and Kubernetes, containers can have excessive permissions or insecure settings, and images may contain outdated software or known vulnerabilities.

Cloud services, where non-human identities facilitate interaction with cloud resources, can have vulnerabilities such as poor security configurations, configuration drift that create vulnerabilities, over-privileged identities, or orphaned identities that could be compromised.

Other potential sources of risk include DevOps tools and Robotic Process Automation (RPA) bots, as well as software supplied by third parties.

The Right Tools for Managing Identities

Gaining control of non-human identities in the cloud involves several key steps. Visibility into the cloud infrastructure is essential, as it is with any attack vector in the cloud, but it alone isn’t enough for effective cloud governance. Organizations need to make use of Cloud Infrastructure Entitlement Management (CIEM) or Cloud Native Application Protection Platform (CNAPP) reports, implementing recommendations and following best practices.

That approach, however, involves a lot of developer time and effort, and can result in errors, such as revoking the wrong key or removing the wrong permissions from a user’s role.

Automated processes have clear advantages as well, but it can be hard to entirely trust a black-box system operating on its own to manage large swaths of the organization’s mission-critical identity stack.

Each of those approaches is an important part of identity access control. But who should be in charge? Ultimately, the most effective step for managing identities at scale in the cloud is giving the job to service owners, while making sure they understand the context of how non-human identities operate and have the ability to easily make changes and revert changes when necessary.

When managing identities in the cloud, it’s always wise to follow a few critical best practices:

• Discovery and ownership: Create and refer back to a full inventory of all identities (NHIs and humans), as well as their human owners
• Risk posture: Identify risks associated with each NHI, such as unused service accounts, stale keys, and over privileged access
• Governance and Lifecycle Management: Delegate the governance to the service owners, with workflows for secrets rotation, onboarding/offboarding NHIs, as well as remediation of risks

Conclusion

The non-human identities that abound in cloud infrastructures are potentially critical vulnerabilities that many organizations overlook. But a thorough approach to IAM handled at the service-owner level can help bring those applications, services and automated processes under control, reducing the risk of costly and damaging data breaches.

Image credit: titima157/depositphotos.com

Shashwat Sehgal is Co-Founder and CEO of P0 Security.