The New Security BattleGround: Non-People Identities
This is a guest blog post on behalf of Sonrai Security, one of our 2022 Secure360 Gold sponsors! Thanks for sharing this content with us.
From the Sega to the CapitalOne and SolarWinds, data breaches monopolize the headlines and often have one thing in common – non-person identities – non-people, machine identities. As impacted enterprises recover, there’s debate over why these breaches happen and how cloud security can improve. But one thing everyone can agree on is that traditional security is dead, and the cloud is the killer. The paradigm has changed. Traditional security approaches no longer work. People and non-people are the new battleground. As Cybersecurity and Infrastructure Security Agency technical strategist Jay Gazlay clearly said during the most recent Information Security and Privacy Advisory Board meeting, “Identity is everything now.”
Enterprises have gone from monolithic applications to microservices; waterfall development to agile; IT control to DevOps control; data centers to cloud architectures; person-deployed infrastructure to code. With expectations for securing cloud environments at an all-time high, security teams are struggling to control non-people identities. Responsible teams must reimagine how they manage security.
According to a benchmark study from Dimensional Research and the Identity Defined Security Alliance, 94% of companies have experienced an identity-related breach while 74% have already had an identity breach. Nearly every major data breach in headlines today involves the compromise of an identity and subsequent manipulation of people and non-people identity permissions to gain access. Non-people identities have rights to data and these rights make breaches more impactful. If you aren’t managing the non-people identities, your enterprise is losing the battle.
Non-people Identities Defined
A non-people identity takes on many forms, but in general, they can act intelligently and make decisions on behalf of a people’s identity. Common non-people identities include roles, service principles, serverless functions, IaaC, containers, VM, applications, scripts, and compute resources.
The ephemeral nature, sheer volume, and lack of visibility make non-people identities challenging to manage. With container orchestration, the typical lifetime of a container is 12 hours (1). Serverless functions, already adopted by 22% of corporations (2), spin up and are gone in seconds.
Due to the sheer volume of non-people identities that proliferate across an organization, it’s tough to manage related risk at scale. An average enterprise may run 1,000 virtual machines or more at a time in virtualized environments and public clouds. They may have thousands of connected devices and multiple SDI components spread across a global footprint. There are far more non-people identities than people identities and oftentimes in areas of which security teams are completely unaware.
It is not unusual for enterprises to have over 10,000 roles defined across their cloud estate (2), many impacting non-human identities. Data is no longer in one centralized place. It is being used by all these identities. To minimize risk, we need to continuously discover, classify, audit, and protect data, while enforcing least privilege.
Non-people Identities Need to Maintain Least Privilege
Least privilege has always been a fundamental security principle, giving identities only the permissions required to get their work done. Nothing more. Enforcing least privilege security controls across all identities is a best practice and the most effective way to reduce overall risk to identities. Least privileged access should be applied for every access decision, answering the critical questions of who, what, when, where, and how identities access resources.
Effective permissions, or the full permission sets that are granted to an identity, must be understood. Effective permissions paint a true picture of what your Identity can do and what it can access. Enterprise organizations must understand the end-to-end effective permissions of non-people identities to ensure data security.
Effective Permissions Must Be A Priority
Identity is the new perimeter. Comprehensive identity management for all identities, people and non-people is required. Failure to implement these capabilities in their technology ecosystem will expose enterprises to security and compliance risks. Key goals are increasing security, enforcing compliance, reducing business risk, and driving towards business growth and innovation.
Here are some tips that enterprises can use to protect non-human identities.
- Continuously inventory all Identities
- Continuously evaluate their effective permissions and monitor continuously for changes
- Ensure identity security solutions are in place and configured to manage privileged non-human identities
At the very least, enterprises need to be in control of all identities and their interactions within their environments. Therefore, enterprises must work to eliminate shared accounts so that all human or non-human identities interacting with systems have an identity that can be managed and used for applying the Principle of Least Privilege, Least Access, and Separation of Duties, while working towards visibility, traceability, and accountability. It is also essential that organizations have a standard, policy-based way of managing identities, which are common targets of compromise for malicious actors.
If you want to learn more about how exactly Sonrai is positioned to help you secure, configure, constantly monitor and remediate your cloud – we are always here to help. Contact us today to start a conversation, or request a demo at www.sonraisecurity.com.