Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

4/29/2021
11:55 AM
Eric Kedrosky
Eric Kedrosky
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

The Challenge of Securing Non-People Identities

Non-people identities, which can act intelligently and make decisions on behalf of a person's identity, are a growing cybersecurity risk.

From SolarWinds to Ubiquiti, data breaches have stormed recent headlines, and they all have one risk in common: non-people identities. As affected enterprises recover, there's debate over why these breaches happen and how cloud security can improve. But one thing everyone can agree on is that traditional security is dead, and cloud is the killer. The paradigm has changed, and traditional security approaches no longer work. People and non-people are the new battlegrounds. As US Cybersecurity and Infrastructure Security Agency technical strategist Jay Gazlay said during the most recent Information Security and Privacy Advisory Board meeting, "Identity is everything now."

Enterprises have gone from monolithic applications to microservices; waterfall development to agile; IT control to DevOps control; data centers to cloud architectures; person-deployed infrastructure to code. With expectations for securing cloud environments at an all-time high, security teams are struggling to control non-people identities. Responsible teams must reimagine how they manage security.

Related Content:

2020 Changed Identity Forever; What's Next?

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: How to Create an Incident Response Plan From the Ground Up

Nearly every major data breach today involves an identity compromise and subsequent manipulation of people and non-people identity permissions to gain access. Non-people identities have rights to data, and these rights make breaches more impactful. If you aren't managing the non-people identities, your enterprise is losing the battle.

What Are Non-People Identities?
Non-people identities take many forms, but in general, they can act intelligently and make decisions on behalf of a person's identity. Common non-people identities include roles, service principles, serverless functions, infrastructure as code, containers, and compute resources.

The ephemeral nature, sheer volume, and lack of visibility make non-people identities challenging to manage. With container orchestration, the typical lifetime of a container is 12 hours. Serverless functions, already adopted by 22% of corporations, spin up and are gone in seconds.

Due to the sheer volume of non-people identities that proliferate across an organization, it's tough to manage related risk at scale. An average enterprise may run 1,000 virtual machines (or more) at a time in virtualized environments and public clouds. They may have thousands of connected devices and multiple software-defined infrastructure components spread across a global footprint. There are far more non-people identities than people identities, and oftentimes they're in areas where security teams are completely unaware.

It is not unusual for enterprises to have over 10,000 roles defined across their cloud estate, many affecting non-human identities. Data is no longer in one centralized place. It is used by all these identities. To minimize risk, we need to continuously discover, classify, audit, and protect data while enforcing least privilege.

Non-People Identities Need to Maintain Least Privilege
Least privilege has always been a fundamental security principle that gives identities only the permissions required to get their work done; nothing more. Enforcing least-privilege security controls across all identities is a best practice and the most effective way to reduce overall risk to identities. Least-privilege access should be applied for every access decision, answering the critical questions of who, what, when, where, and how identities access resources.

Effective permissions, or the full permission sets that are granted to an identity, paint a true picture of what an identity can do and access. Enterprise organizations must understand the end-to-end effective permissions of non-people identities to ensure data security.

Managing Effective Permissions Must Be A Priority
Identity is the new perimeter. Comprehensive identity management for all identities, people and non-people, is required. Enterprises' failure to implement these capabilities in the technology ecosystem will expose them to security and compliance risks. Key goals are increasing security, enforcing compliance, reducing business risk, and driving toward business growth and innovation.

To protect non-human identities, enterprises need to:

  1. Continuously inventory all identities
  2. Continuously evaluate their effective permissions and monitor them continuously for changes
  3. Ensure identity security solutions are in place and configured to manage privileged non-human identities

At the very least, enterprises need to be in control of all identities and their interactions within their environments. Therefore, enterprises must work to eliminate shared accounts so that all human or non-human identities interacting with systems have an identity that can be managed and used for applying the principles of least privilege, least access, and separation of duties, while working toward visibility, traceability, and accountability. It is also essential that organizations have a standard, policy-based way of managing identities, which are common targets of compromise for malicious actors.

Eric Kedrosky is CISO at Sonrai Security. He joined the cloud security software company in February 2020 after 16 years of working in the industry. Highlights from his career include working as Director of Security & IT at Verafin, Directory of Information Services & Security ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises Are Assessing Cybersecurity Risk in Today's Environment
The adoption of cloud services spurred by the COVID-19 pandemic has resulted in pressure on cyber-risk professionals to focus on vulnerabilities and new exposures that stem from pandemic-driven changes. Many cybersecurity pros expect fundamental, long-term changes to their organization's computing and data security due to the shift to more remote work and accelerated cloud adoption. Download this report from Dark Reading to learn more about their challenges and concerns.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-46026
PUBLISHED: 2022-01-20
mysiteforme, as of 19-12-2022, is vulnerable to Cross Site Scripting (XSS) via the add blog tag function in the blog tag in the background blog management.
CVE-2021-46028
PUBLISHED: 2022-01-20
In mblog <= 3.5.0 there is a CSRF vulnerability in the background article management. The attacker constructs a CSRF load. Once the administrator clicks a malicious link, the article will be deleted.
CVE-2021-4143
PUBLISHED: 2022-01-19
Cross-site Scripting (XSS) - Generic in GitHub repository bigbluebutton/bigbluebutton prior to 2.4.0.
CVE-2021-46025
PUBLISHED: 2022-01-19
A Cross SIte Scripting (XSS) vulnerability exists in OneBlog <= 2.2.8. via the add function in the operation tab list in the background.
CVE-2021-46027
PUBLISHED: 2022-01-19
mysiteforme, as of 19-12-2022, has a CSRF vulnerability in the background blog management. The attacker constructs a CSRF load. Once the administrator clicks a malicious link, a blog tag will be added