Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


11:55 AM
Eric Kedrosky
Eric Kedrosky
Connect Directly
E-Mail vvv

The Challenge of Securing Non-People Identities

Non-people identities, which can act intelligently and make decisions on behalf of a person's identity, are a growing cybersecurity risk.

From SolarWinds to Ubiquiti, data breaches have stormed recent headlines, and they all have one risk in common: non-people identities. As affected enterprises recover, there's debate over why these breaches happen and how cloud security can improve. But one thing everyone can agree on is that traditional security is dead, and cloud is the killer. The paradigm has changed, and traditional security approaches no longer work. People and non-people are the new battlegrounds. As US Cybersecurity and Infrastructure Security Agency technical strategist Jay Gazlay said during the most recent Information Security and Privacy Advisory Board meeting, "Identity is everything now."

Enterprises have gone from monolithic applications to microservices; waterfall development to agile; IT control to DevOps control; data centers to cloud architectures; person-deployed infrastructure to code. With expectations for securing cloud environments at an all-time high, security teams are struggling to control non-people identities. Responsible teams must reimagine how they manage security.

Related Content:

2020 Changed Identity Forever; What's Next?

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: How to Create an Incident Response Plan From the Ground Up

Nearly every major data breach today involves an identity compromise and subsequent manipulation of people and non-people identity permissions to gain access. Non-people identities have rights to data, and these rights make breaches more impactful. If you aren't managing the non-people identities, your enterprise is losing the battle.

What Are Non-People Identities?
Non-people identities take many forms, but in general, they can act intelligently and make decisions on behalf of a person's identity. Common non-people identities include roles, service principles, serverless functions, infrastructure as code, containers, and compute resources.

The ephemeral nature, sheer volume, and lack of visibility make non-people identities challenging to manage. With container orchestration, the typical lifetime of a container is 12 hours. Serverless functions, already adopted by 22% of corporations, spin up and are gone in seconds.

Due to the sheer volume of non-people identities that proliferate across an organization, it's tough to manage related risk at scale. An average enterprise may run 1,000 virtual machines (or more) at a time in virtualized environments and public clouds. They may have thousands of connected devices and multiple software-defined infrastructure components spread across a global footprint. There are far more non-people identities than people identities, and oftentimes they're in areas where security teams are completely unaware.

It is not unusual for enterprises to have over 10,000 roles defined across their cloud estate, many affecting non-human identities. Data is no longer in one centralized place. It is used by all these identities. To minimize risk, we need to continuously discover, classify, audit, and protect data while enforcing least privilege.

Non-People Identities Need to Maintain Least Privilege
Least privilege has always been a fundamental security principle that gives identities only the permissions required to get their work done; nothing more. Enforcing least-privilege security controls across all identities is a best practice and the most effective way to reduce overall risk to identities. Least-privilege access should be applied for every access decision, answering the critical questions of who, what, when, where, and how identities access resources.

Effective permissions, or the full permission sets that are granted to an identity, paint a true picture of what an identity can do and access. Enterprise organizations must understand the end-to-end effective permissions of non-people identities to ensure data security.

Managing Effective Permissions Must Be A Priority
Identity is the new perimeter. Comprehensive identity management for all identities, people and non-people, is required. Enterprises' failure to implement these capabilities in the technology ecosystem will expose them to security and compliance risks. Key goals are increasing security, enforcing compliance, reducing business risk, and driving toward business growth and innovation.

To protect non-human identities, enterprises need to:

  1. Continuously inventory all identities
  2. Continuously evaluate their effective permissions and monitor them continuously for changes
  3. Ensure identity security solutions are in place and configured to manage privileged non-human identities

At the very least, enterprises need to be in control of all identities and their interactions within their environments. Therefore, enterprises must work to eliminate shared accounts so that all human or non-human identities interacting with systems have an identity that can be managed and used for applying the principles of least privilege, least access, and separation of duties, while working toward visibility, traceability, and accountability. It is also essential that organizations have a standard, policy-based way of managing identities, which are common targets of compromise for malicious actors.

Eric Kedrosky is CISO at Sonrai Security. He joined the cloud security software company in February 2020 after 16 years of working in the industry. Highlights from his career include working as Director of Security & IT at Verafin, Directory of Information Services & Security ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-06
An out-of-bounds (OOB) memory access flaw was found in x25_bind in net/x25/af_x25.c in the Linux kernel version v5.12-rc5. A bounds check failure allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel i...
PUBLISHED: 2021-05-06
A heap memory corruption problem (use after free) can be triggered in libgetdata v0.10.0 when processing maliciously crafted dirfile databases. This degrades the confidentiality, integrity and availability of third-party software that uses libgetdata as a library. This vulnerability may lead to arbi...
PUBLISHED: 2021-05-06
aom_image.c in libaom in AOMedia before 2021-04-07 frees memory that is not located on the heap.
PUBLISHED: 2021-05-06
The administrator application on ASUS GT-AC2900 devices before allows authentication bypass when processing remote input from an unauthenticated user, leading to unauthorized access to the administrator interface. This relates to handle_request in router/httpd/httpd.c and auth_chec...
PUBLISHED: 2021-05-06
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.8. GitLab was not properly validating authorisation tokens which resulted in GraphQL mutation being executed.