The Challenge of Securing Non-People Identities

From SolarWinds to Ubiquiti, data breaches have stormed recent headlines, and they all have one risk in common: non-people identities. As affected enterprises recover, there's debate over why these breaches happen and how cloud security can improve. But one thing everyone can agree on is that traditional security is dead, and cloud is the killer. The paradigm has changed, and traditional security approaches no longer work. People and non-people are the new battlegrounds. As US Cybersecurity and Infrastructure Security Agency technical strategist Jay Gazlay said during the most recent Information Security and Privacy Advisory Board meeting, "Identity is everything now."

Enterprises have gone from monolithic applications to microservices; waterfall development to agile; IT control to DevOps control; data centers to cloud architectures; person-deployed infrastructure to code. With expectations for securing cloud environments at an all-time high, security teams are struggling to control non-people identities. Responsible teams must reimagine how they manage security.

Nearly every major data breach today involves an identity compromise and subsequent manipulation of people and non-people identity permissions to gain access. Non-people identities have rights to data, and these rights make breaches more impactful. If you aren't managing the non-people identities, your enterprise is losing the battle.

What Are Non-People Identities?
Non-people identities take many forms, but in general, they can act intelligently and make decisions on behalf of a person's identity. Common non-people identities include roles, service principles, serverless functions, infrastructure as code, containers, and compute resources.

The ephemeral nature, sheer volume, and lack of visibility make non-people identities challenging to manage. With container orchestration, the typical lifetime of a container is 12 hours. Serverless functions, already adopted by 22% of corporations, spin up and are gone in seconds.

Due to the sheer volume of non-people identities that proliferate across an organization, it's tough to manage related risk at scale. An average enterprise may run 1,000 virtual machines (or more) at a time in virtualized environments and public clouds. They may have thousands of connected devices and multiple software-defined infrastructure components spread across a global footprint. There are far more non-people identities than people identities, and oftentimes they're in areas where security teams are completely unaware.

It is not unusual for enterprises to have over 10,000 roles defined across their cloud estate, many affecting non-human identities. Data is no longer in one centralized place. It is used by all these identities. To minimize risk, we need to continuously discover, classify, audit, and protect data while enforcing least privilege.

Non-People Identities Need to Maintain Least Privilege
Least privilege has always been a fundamental security principle that gives identities only the permissions required to get their work done; nothing more. Enforcing least-privilege security controls across all identities is a best practice and the most effective way to reduce overall risk to identities. Least-privilege access should be applied for every access decision, answering the critical questions of who, what, when, where, and how identities access resources.

Effective permissions, or the full permission sets that are granted to an identity, paint a true picture of what an identity can do and access. Enterprise organizations must understand the end-to-end effective permissions of non-people identities to ensure data security.

Managing Effective Permissions Must Be A Priority
Identity is the new perimeter. Comprehensive identity management for all identities, people and non-people, is required. Enterprises' failure to implement these capabilities in the technology ecosystem will expose them to security and compliance risks. Key goals are increasing security, enforcing compliance, reducing business risk, and driving toward business growth and innovation.

To protect non-human identities, enterprises need to:

At the very least, enterprises need to be in control of all identities and their interactions within their environments. Therefore, enterprises must work to eliminate shared accounts so that all human or non-human identities interacting with systems have an identity that can be managed and used for applying the principles of least privilege, least access, and separation of duties, while working toward visibility, traceability, and accountability. It is also essential that organizations have a standard, policy-based way of managing identities, which are common targets of compromise for malicious actors.