The future of cybersecurity will depend on our ability to effectively manage the surge in non-human identities (NHIs).
Picture a massive and unseen force quietly breaching your organization’s digital defenses. This isn’t the storyline of a sci-fi movie; it’s the reality of non-human identities (NHIs) in cybersecurity today. As an experienced security architect, I’ve observed this covert presence expand from a controllable group to an extensive, often unchecked multitude that is causing chief information security officers (CISOs) sleepless nights.
Throughout my experience with both startups and Fortune 500 companies, I’ve seen the varied impacts of NHIs firsthand. They ensure our digital operations run seamlessly, yet also represent a potential goldmine for attackers aiming to exploit vulnerabilities. We must illuminate this hidden force and devise strategies to leverage its capabilities while minimizing associated risks.
The Magnitude of the Issue
Think about this: In your organization, for every 1,000 human users, there are probably around 10,000 non-human connections or credentials. Some estimates even indicate that the ratio might be as high as 45-to-1. These non-human identities encompass service accounts, system accounts, API keys, tokens, and other machine-based authentication forms essential for managing intricate interactions within our contemporary digital landscape.
The Importance of NHIs
- Expansion of the attack surface: Every NHI serves as a possible gateway for attackers. With their typically high-level privileges and absence of human supervision, compromised NHIs can be incredibly valuable to malicious actors.
- Challenges related to visibility: Unlike human users, NHIs frequently operate behind the scenes. They are created by developers or by systems without adequate governance, and this invisibility is a considerable blind spot for many security teams.
- Expansion of privilege: Research indicates that merely 2% of the permissions granted to NHIs are actually used, leading to significant overprovisioning of access rights and an unnecessarily risky environment.
- Risk stemming from third-party involvement: NHIs frequently help establish connections to external services and partners. If these third parties encounter a breach, your organization’s NHIs could serve as potential pathways for lateral movement.
Practical Consequences
The significance of protecting NHIs extends beyond theory, as recent high-profile incidents highlight their crucial role in contemporary attacks.
Nation-state actors have shown expertise in exploiting OAuth applications to navigate laterally through cloud environments. Simultaneously, leading software companies such as Microsoft and Okta have been targeted by attacks utilizing compromised machine identities. In a recent filing with the Securities and Exchange Commission (SEC), Dropbox also revealed a significant incident involving a breached service account.
Steps for Effective Mitigation
- Discovery and inventory: You cannot protect what you don’t know exists. Deploy tools and processes that continuously discover and document NHIs in every environment, including software-as-a-service (SaaS) applications.
- Posture management: Go beyond a basic inventory by understanding the permissions linked to each NHI, its usage patterns, and the risk it presents.
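Added example, not from the article: a small Python posture check that joins a constructed NHI inventory (the output of the discovery step) with constructed audit-log lines, flags identities that are overprovisioned, carry admin-level rights, have gone stale, or belong to a third party, and computes the granted-versus-used ratio behind the 2% figure above. Identity names, permission strings and the admin-like permission set are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

GRANTED = {  # constructed inventory from the discovery step: name -> (granted permissions, third-party?)
    "ci-deployer":   ({"storage:read", "storage:write", "iam:*"}, False),
    "partner-sync":  ({"crm:export", "crm:delete"}, True),
    "legacy-backup": ({"storage:read", "storage:write", "storage:admin"}, False),
    "orphan-token":  ({"secrets:read"}, False),
}
# Constructed audit-log lines: "<timestamp> <identity> <permission exercised>"
LOG_LINES = """2024-05-30T10:02:11Z ci-deployer storage:write
2024-05-30T10:02:12Z ci-deployer storage:read
2024-05-31T08:15:00Z partner-sync crm:export
2024-01-04T02:00:00Z legacy-backup storage:read""".splitlines()
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible
ADMIN_LIKE = {"iam:*", "*:*", "storage:admin"}    # hypothetical wildcard/admin permissions

def parse_usage(lines):
    """Permissions each identity actually exercised, and when it was last seen."""
    used, last_seen = defaultdict(set), {}
    for line in lines:
        ts, name, perm = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        used[name].add(perm)
        last_seen[name] = max(last_seen.get(name, when), when)
    return used, last_seen

def assess(name, used, last_seen, now=NOW, stale_days=90):
    """Posture findings for one identity: granted vs. used, privilege level, activity, origin."""
    granted, third_party = GRANTED[name]
    findings = []
    if granted - used[name]:            # granted but never exercised in the log window
        findings.append("overprovisioned")
    if granted & ADMIN_LIKE:
        findings.append("admin-privilege")
    if name not in last_seen or now - last_seen[name] > timedelta(days=stale_days):
        findings.append("stale")        # never seen at all, or idle beyond the window
    if third_party:
        findings.append("third-party")
    return sorted(findings)

def posture_report(lines=LOG_LINES, now=NOW):
    used, last_seen = parse_usage(lines)
    return {name: assess(name, used, last_seen, now) for name in GRANTED}

def permission_utilization(lines=LOG_LINES):
    """Share of granted permissions seen in use (the article's 2% figure is this metric, at scale)."""
    used, _ = parse_usage(lines)
    return sum(len(g & used[n]) for n, (g, _) in GRANTED.items()) / sum(len(g) for g, _ in GRANTED.values())
```

Feed it the real inventory and a longer log window and the same report tells you which identities to right-size, rotate or retire first.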
A Request for Immediate Action
The surge in non-human identities (NHIs) presents both a challenge and an opportunity for the cybersecurity community. Although the magnitude of this issue may appear intimidating, we are further along now than we were with human identity and access management (IAM) several decades ago.
In my discussions with CISOs and security leaders, I’ve noticed a change in perspective. There’s an increasing acknowledgment that NHI security must be prioritized at the same level as traditional IAM and network security efforts.
Looking ahead, I’m cautiously optimistic. The technology and strategies to protect NHIs are rapidly advancing. By combining visibility, automation, and a security-first culture, we can address this subtle yet significant risk.
The future of cybersecurity hinges on effectively managing the surge in non-human identities. As security experts, it’s our duty to spearhead this new era of identity protection. Are you prepared to embrace the challenge?