Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

4/29/2021
11:55 AM
Eric Kedrosky
Eric Kedrosky
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

The Challenge of Securing Non-People Identities

Non-people identities, which can act intelligently and make decisions on behalf of a person's identity, are a growing cybersecurity risk.

From SolarWinds to Ubiquiti, data breaches have stormed recent headlines, and they all have one risk in common: non-people identities. As affected enterprises recover, there's debate over why these breaches happen and how cloud security can improve. But one thing everyone can agree on is that traditional security is dead, and cloud is the killer. The paradigm has changed, and traditional security approaches no longer work. People and non-people are the new battlegrounds. As US Cybersecurity and Infrastructure Security Agency technical strategist Jay Gazlay said during the most recent Information Security and Privacy Advisory Board meeting, "Identity is everything now."

Enterprises have gone from monolithic applications to microservices; waterfall development to agile; IT control to DevOps control; data centers to cloud architectures; person-deployed infrastructure to code. With expectations for securing cloud environments at an all-time high, security teams are struggling to control non-people identities. Responsible teams must reimagine how they manage security.

Related Content:

2020 Changed Identity Forever; What's Next?

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: How to Create an Incident Response Plan From the Ground Up

Nearly every major data breach today involves an identity compromise and subsequent manipulation of people and non-people identity permissions to gain access. Non-people identities have rights to data, and these rights make breaches more impactful. If you aren't managing the non-people identities, your enterprise is losing the battle.

What Are Non-People Identities?
Non-people identities take many forms, but in general, they can act intelligently and make decisions on behalf of a person's identity. Common non-people identities include roles, service principles, serverless functions, infrastructure as code, containers, and compute resources.

The ephemeral nature, sheer volume, and lack of visibility make non-people identities challenging to manage. With container orchestration, the typical lifetime of a container is 12 hours. Serverless functions, already adopted by 22% of corporations, spin up and are gone in seconds.

Due to the sheer volume of non-people identities that proliferate across an organization, it's tough to manage related risk at scale. An average enterprise may run 1,000 virtual machines (or more) at a time in virtualized environments and public clouds. They may have thousands of connected devices and multiple software-defined infrastructure components spread across a global footprint. There are far more non-people identities than people identities, and oftentimes they're in areas where security teams are completely unaware.

It is not unusual for enterprises to have over 10,000 roles defined across their cloud estate, many affecting non-human identities. Data is no longer in one centralized place. It is used by all these identities. To minimize risk, we need to continuously discover, classify, audit, and protect data while enforcing least privilege.

Non-People Identities Need to Maintain Least Privilege
Least privilege has always been a fundamental security principle that gives identities only the permissions required to get their work done; nothing more. Enforcing least-privilege security controls across all identities is a best practice and the most effective way to reduce overall risk to identities. Least-privilege access should be applied for every access decision, answering the critical questions of who, what, when, where, and how identities access resources.

Effective permissions, or the full permission sets that are granted to an identity, paint a true picture of what an identity can do and access. Enterprise organizations must understand the end-to-end effective permissions of non-people identities to ensure data security.

Managing Effective Permissions Must Be A Priority
Identity is the new perimeter. Comprehensive identity management for all identities, people and non-people, is required. Enterprises' failure to implement these capabilities in the technology ecosystem will expose them to security and compliance risks. Key goals are increasing security, enforcing compliance, reducing business risk, and driving toward business growth and innovation.

To protect non-human identities, enterprises need to:

  1. Continuously inventory all identities
  2. Continuously evaluate their effective permissions and monitor them continuously for changes
  3. Ensure identity security solutions are in place and configured to manage privileged non-human identities

At the very least, enterprises need to be in control of all identities and their interactions within their environments. Therefore, enterprises must work to eliminate shared accounts so that all human or non-human identities interacting with systems have an identity that can be managed and used for applying the principles of least privilege, least access, and separation of duties, while working toward visibility, traceability, and accountability. It is also essential that organizations have a standard, policy-based way of managing identities, which are common targets of compromise for malicious actors.

Eric Kedrosky is CISO at Sonrai Security. He joined the cloud security software company in February 2020 after 16 years of working in the industry. Highlights from his career include working as Director of Security & IT at Verafin, Directory of Information Services & Security ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-19915
PUBLISHED: 2021-09-20
Cross Site Scripting (XSS vulnerability exists in WUZHI CMS 4.1.0 via the [mailbox username in index.php.
CVE-2021-32838
PUBLISHED: 2021-09-20
Flask-RESTX (pypi package flask-restx) is a community driven fork of Flask-RESTPlus. Flask-RESTX before version 0.5.1 is vulnerable to ReDoS (Regular Expression Denial of Service) in email_regex. This is fixed in version 0.5.1.
CVE-2021-29856
PUBLISHED: 2021-09-20
IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 could allow an authenticated usre to cause a denial of service through the WebGUI Map Creation page. IBM X-Force ID: 205685.
CVE-2021-32839
PUBLISHED: 2021-09-20
sqlparse is a non-validating SQL parser module for Python. In sqlparse versions 0.4.0 and 0.4.1 there is a regular Expression Denial of Service in sqlparse vulnerability. The regular expression may cause exponential backtracking on strings containing many repetitions of '\r\n' in SQL comments. Only ...
CVE-2021-38899
PUBLISHED: 2021-09-20
IBM Cloud Pak for Data 2.5 could allow a local user with special privileges to obtain highly sensitive information. IBM X-Force ID: 209575.