On Whose Account? Challenges in Securing Non-Human Identities

Service accounts, API keys, and OAuth tokens are a growing attack vector for cybercriminals looking to penetrate organizations' defenses.

March 11, 2024


By Hananel Livneh, Head of Product Marketing, Adaptive Shield

As cyberattack methods evolve to target human-based identities in the software-as-a-service (SaaS) landscape, security teams are doubling down to educate teams on preventive measures.

However, SaaS security has a parallel world of highly sensitive accounts that are not covered by those best practices: non-human identities. This is a growing attack vector used by cyber-threat actors looking to steal access keys to penetrate organizations without being noticed.

Service accounts, API keys, and OAuth access tokens are all defined as non-human identities, and often have high permission levels. Largely ungoverned in app-to-app interconnectivity scenarios, these access paths can be more vulnerable than human accounts. They are also proving to be a growing challenge for security teams.

Pitfalls in Securing Non-Human Identities

Here are four features of non-human identities that can make them more difficult to secure than human identities.

1. No MFA or SSO Log On

Multifactor authentication (MFA) for all human users is becoming a non-negotiable security measure to help ensure a strong identity and access management (IAM) policy. Organizations should also integrate single sign-on (SSO) for human accounts whenever possible to minimize the identity attack surface. However, these measures are usually not feasible with non-human accounts because these accounts are not associated with any individual employee. This means there is no authentication safety net in the event stolen credentials are used to breach a system. That said, whenever possible, MFA should be connected to service accounts.

2. Highly Privileged

Accounts used for integration purposes are usually set up as service accounts with high administrative privileges so that they can operate connections. In most cases, that privileged access extends all the way to the core SaaS stack through app interconnectivity. This makes these non-human accounts potentially very risky in the event of a breach, as they can take far-reaching actions including read, write, and delete. Unlike human accounts, where permissions are regularly reviewed, permissions for non-human accounts are rarely reviewed or revoked.

3. Always-On, Always Active

Non-human API keys and tokens operate continuously with a constant rate of activity, making it more difficult to detect unusual activity. With a human account, a sudden burst of activity during off-work hours or holidays would be detected as suspicious and trigger an alert. Most data breaches that go unnoticed for months before any signs are detected have non-human elements involved.

4. Broad Access

Businesses are connected to hundreds of apps containing sensitive corporate data. It's common to use the same non-human identity (an integration user) across many apps. But using one fixed non-human identity for service accounts across third-party apps is very risky. In the event a threat actor gains access to an app account, the breach could move laterally across apps in an organization.

Strategies for Controlling the Non-Human Identity Layer

Identity credentials are one of the only barriers against unauthorized access to SaaS applications, where nearly 70% of enterprises store sensitive data. Human identities with a known account name are less complex to monitor and control compared with non-human accounts.

For non-human identities, advanced methods such as automated security checks must be deployed to detect unusual activity. Non-human entities should be included in the user inventory that is monitored by security systems. Implementing the principle of least privilege is crucial: To mitigate risk, non-human accounts should be granted the fewest permissions possible, and using one "super account" for all integrations should be avoided. Introducing identity threat detection and response (ITDR) mechanisms to monitor suspicious activities of service accounts adds another layer of security.
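
One way to automate the inventory checks described above, as an added example that is not from the original article or from any vendor's product: it audits a constructed inventory of non-human identities for administrative scopes, reuse across apps, and overdue permission reviews. The record layout, the scope names, and the 90-day review window are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumption: scope names that count as administrative; adjust per SaaS app.
ADMIN_SCOPES = {"admin", "*", "read_write_delete"}
MAX_REVIEW_AGE_DAYS = 90  # assumption: quarterly permission review

@dataclass
class NonHumanIdentity:
    name: str
    kind: str                       # "service_account", "api_key" or "oauth_token"
    grants: dict                    # app name -> set of scopes held in that app
    last_reviewed: Optional[date]   # None means permissions were never reviewed

def audit(identity, today):
    """Return the list of findings for one non-human identity."""
    findings = []
    admin_apps = sorted(a for a, s in identity.grants.items() if s & ADMIN_SCOPES)
    if admin_apps:
        findings.append("admin scope in: " + ", ".join(admin_apps))
    if len(identity.grants) > 1:
        findings.append(f"shared across {len(identity.grants)} apps")
    if len(admin_apps) > 1:
        findings.append("super account: admin in multiple apps")
    if identity.last_reviewed is None:
        findings.append("permissions never reviewed")
    elif (today - identity.last_reviewed).days > MAX_REVIEW_AGE_DAYS:
        findings.append("permission review overdue")
    return findings

def audit_inventory(inventory, today):
    """Map identity name -> findings, omitting identities with none."""
    report = {i.name: audit(i, today) for i in inventory}
    return {name: f for name, f in report.items() if f}

# Constructed sample inventory (names, apps and scopes are made up).
INVENTORY = [
    NonHumanIdentity("svc-integration", "service_account",
                     {"crm": {"admin"}, "hr": {"admin"}, "storage": {"read"}}, None),
    NonHumanIdentity("ci-api-key", "api_key",
                     {"ticketing": {"read", "write"}}, date(2024, 2, 1)),
    NonHumanIdentity("backup-token", "oauth_token",
                     {"storage": {"read"}}, date(2023, 6, 1)),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, date(2024, 3, 11)).items():
        print(name, "->", "; ".join(findings))
```

An identity with no findings, such as the narrowly scoped and recently reviewed key in the sample, is left out of the report.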

As businesses expand their SaaS usage, they must monitor non-human identities, just as they monitor human identities. Using a SaaS security posture management solution enables security teams to continuously monitor misconfigurations, app-to-app interconnectivity, and the identity fabric, and helps detect identity-centric threats in the SaaS ecosystem.

About the Author

Hananel Livneh

Hananel Livneh is Head of Product Marketing at Adaptive Shield. He joined Adaptive Shield from Vdoo, an embedded cybersecurity company, where he was a Senior Product Analyst. Hananel completed an MBA with honors from the OUI, and has a BA from Hebrew University in Economics, Political Science and Philosophy (PPE). Oh, and he loves mountain climbing.
