The Rising Challenge of Non-Human Identity Management in Cybersecurity


By Tina Reynolds


Given the growing importance of automation and integration to most organizations, non-human identities have quickly become a foundational element of cybersecurity strategy. According to recent reports, over 80% of enterprises plan to boost their investments in non-human identity security, and this trend will likely continue into the next fiscal year. The shift reflects a broader movement to give priority to the difficult practical work of securing non-human identities. These identities are imperative for operational efficiency, yet they are frequently exempted from security policies and controls.

Non-human identities, most commonly service accounts and application programming interface (API) keys, enable critical automated processes such as development and testing in the enterprise. Most organizations aren’t aware of the trillions upon trillions of non-human identities they own. Some even control thousands that developers built to address temporary market conditions. These identities are rarely monitored or retired properly, creating major security gaps.

A worrisome trend has emerged: 46% of organizations reported compromises of non-human identity accounts or credentials in the past year, while another 26% suspect similar breaches. As attackers continue to focus on these accounts, organizations should make protecting them a top security priority.

The Importance of Visibility

One of the biggest hurdles Chief Information Security Officers (CISOs) encounter is gaining visibility into their non-human identities. As Mark Sutton, CISO at Bain Capital, notes, “Non-human identities have become a focus for teams based on the maturity of their identity and access management programs.” He further emphasizes that it is critical for organizations to decide who creates these identities, and to understand how and why they are created.

Protocols for protecting human identities are a natural first step before any thought goes to non-human identities. To reduce risk, organizations need to deploy complete identity and access management solutions that address the entire identity spectrum, human and non-human. Sutton advises that it’s crucial to understand the risks associated with each non-human identity, stating, “It’s about understanding the blast radius associated with each non-human identity and asking ‘what’s the risk?’ Not all NHIs carry the same threat.”

Non-human identities tend to be configured with weak, static passwords that have never been rotated, possibly for decades. Such negligence has had catastrophic consequences, as demonstrated by the recent Internet Archive breaches tied to unrotated tokens. These incidents show the pressing need for clear and accountable governance over non-human identities.
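As an added illustration (not code from the article, from Bain Capital, or from any vendor mentioned), the following Python audit does what the two preceding sections call for: it takes an inventory of non-human identities, flags credentials that were never rotated or have exceeded a policy age, notes identities with no accountable owner, and orders the findings by a rough blast-radius score so the riskiest NHIs are reviewed first. The inventory records, the 90-day rotation policy and the scope weights are constructed assumptions, not figures from the page.

```python
"""Audit a non-human identity (NHI) inventory for unrotated credentials,
orphaned identities and blast radius.

Added example. The policy threshold, scope weights and sample inventory
below are constructed assumptions for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Assumed policy: any credential older than this should have been rotated.
MAX_CREDENTIAL_AGE = timedelta(days=90)

# Assumed weights: how much damage a scope could do if its credential leaked.
SCOPE_WEIGHTS = {"read": 1, "write": 3, "billing": 5, "admin": 10}


@dataclass
class NonHumanIdentity:
    name: str
    kind: str                          # e.g. "service_account" or "api_key"
    owner: Optional[str]               # accountable team; None means orphaned
    created: datetime
    last_rotated: Optional[datetime]   # None means never rotated since creation
    scopes: List[str] = field(default_factory=list)

    def credential_age(self, now: datetime) -> timedelta:
        # Age counts from the last rotation, or from creation if never rotated.
        return now - (self.last_rotated or self.created)

    def blast_radius(self) -> int:
        # Crude score: sum of the weights of every scope the identity holds.
        return sum(SCOPE_WEIGHTS.get(s, 1) for s in self.scopes)


def audit(identities: List[NonHumanIdentity],
          now: datetime) -> List[Tuple[NonHumanIdentity, List[str]]]:
    """Return (identity, findings) pairs for every identity with at least one
    finding, ordered by blast radius so the riskiest NHIs come first."""
    results = []
    for nhi in identities:
        findings = []
        if nhi.last_rotated is None:
            findings.append("never rotated")
        age = nhi.credential_age(now)
        if age > MAX_CREDENTIAL_AGE:
            findings.append(
                f"credential age {age.days}d exceeds {MAX_CREDENTIAL_AGE.days}d")
        if nhi.owner is None:
            findings.append("no accountable owner")
        if findings:
            results.append((nhi, findings))
    results.sort(key=lambda r: r[0].blast_radius(), reverse=True)
    return results


# Constructed sample inventory; these are not real accounts.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    NonHumanIdentity("ci-deploy", "service_account", "platform-team",
                     created=datetime(2019, 3, 1, tzinfo=timezone.utc),
                     last_rotated=None,
                     scopes=["write", "admin"]),
    NonHumanIdentity("metrics-reader", "api_key", "observability",
                     created=datetime(2024, 6, 1, tzinfo=timezone.utc),
                     last_rotated=datetime(2024, 12, 1, tzinfo=timezone.utc),
                     scopes=["read"]),
    NonHumanIdentity("legacy-sync", "api_key", None,
                     created=datetime(2022, 1, 10, tzinfo=timezone.utc),
                     last_rotated=datetime(2023, 5, 1, tzinfo=timezone.utc),
                     scopes=["write", "billing"]),
]

if __name__ == "__main__":
    for nhi, findings in audit(SAMPLE_INVENTORY, NOW):
        print(f"{nhi.name} ({nhi.kind}, blast radius {nhi.blast_radius()}):")
        for f in findings:
            print(f"  - {f}")
```

Run against the sample inventory, the audit reports ci-deploy first (never rotated, highest blast radius) and legacy-sync second (stale credential, no owner), while metrics-reader, rotated 45 days ago and owned, produces no finding. In practice the inventory would be pulled from the cloud provider, secrets manager or CI system rather than hard-coded, and the scope weights would be tuned to the organization's own permission model.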

The Need for Comprehensive Management

Beyond visibility, organizations should adopt a holistic, end-to-end approach to significantly reduce their security risks. This strategy needs to account for all identities before, during, and after authentication. By consolidating management efforts into a unified system, organizations can reduce the risk and complexity of handling both human and non-human identities.

Sutton highlights the urgency of addressing this emerging threat landscape: “That, and non-human identities are a part of the threat landscape, and it’s where attackers are going next.” As enterprises accelerate their business agendas by automating operations, securing these identities will be more important than ever.

Navigating the complexities of non-human identity management is not just a technical task but a strategic necessity. It is time for organizations to reconsider their authentication and password strategies so that they can protect assets that are becoming ever more essential.

A Strategic Shift in Cybersecurity Focus

This shift towards non-human identity security is part of an overall progression towards greater cybersecurity maturity. Organizations generally aren’t ready to tackle their service account and machine-to-machine interaction problems until they’ve solved their user identity challenges, so for many this is a logical next step. This new strategic focus marks an important shift in the cybersecurity team’s playbook.

Mark Sutton emphasizes this point: “We have to think about what our authentication and password policies are.” Organizations should invest in identity intelligence and proactive identity management solutions as early mitigation steps that provide visibility into, and control over, non-human identities.

The landscape is rapidly evolving. Time and again we’ve seen that businesses need to be proactive and put their non-human identity programs first. We cannot afford to keep ignoring the hazards associated with these identities; they represent serious vulnerabilities that malicious actors could easily exploit.