How to secure non-human identities? with Andrew Wilder and Amir Shaked

As enterprises increasingly rely on APIs, microservices, IoT devices, and automated processes, the number of non-human identities within networks has surged. Properly managing and securing these identities not only improves your organization's security but also enhances operational efficiency and compliance. Experts Andrew Wilder and Amir Shaked share invaluable insights from their extensive research and experience in non-human identity security. This article describes the best practices and strategies for securing non-human identities, ensuring that your enterprise remains resilient against cybersecurity attacks and streamlined in its digital operations.

💡
This article is based on the conversation with Amir and Andrew on the Elephant in AppSec - the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.

In February, the Cloudflare breach highlighted the critical risks of managing non-human identities. Today, we’ll explore this fascinating topic with Andrew and Amir, discussing why these breaches occur, the main risks involved, and the anticipated proliferation of non-human accounts. We’ll also delve into the challenges of understanding the context around non-human identities.

Amir and Andrew's background

Andrew Wilder is the Retained Chief Security Officer at Community Veterinary Partners and the former Regional CISO for Nestle, where he spent 18 years shaping cybersecurity across the Americas, Asia, and Europe.

Amir Shaked is the VP of Research and Development at Oasis Security, specializing in Non-Human Identity Management. With a background in software development, Amir transitioned to cybersecurity, contributing to companies like PerimeterX and Human in R&D and Engineering.

Both Andrew and Amir are passionate about sharing their expertise. Andrew teaches cybersecurity at Washington University in St. Louis and serves on its Board, while Amir coaches engineering managers at GrowthSpace. They frequently speak at conferences and on podcasts, helping others learn from their extensive experience.

Watch the full interview below:

How to secure non-human identities?

Non-human identity management is a critical aspect of cybersecurity, especially for modern enterprises facing new challenges such as API sprawl. This topic has gained significant attention due to the increasing number of breaches and the complexity involved in managing these identities. It is an especially concerning topic as breaches can lead to serious sensitive data leaks, and strong repercussions for breaking certain regulations. The discussion with experts Andrew Wilder and Amir Shaked sheds light on the challenges and solutions in this domain.

What are non-human identities?

Non-human identities, also known as machine or workload identities, are crucial components in modern IT environments. These identities encompass a variety of digital credentials and accounts that enable automated processes and communications between machines, services, or applications. Unlike human identities, which are tied to individual users, non-human identities are designed to facilitate the seamless operation of systems without direct human intervention. Key examples of non-human identities include API keys, shared secrets, service accounts, and test accounts.

Contextual understanding

One of the primary challenges in managing non-human identities is understanding the context in which they are used. This includes knowing what the identity is used for, who is responsible for it, and how changes to it might impact production.

“One of the challenges around non-human identity is understanding that context, understanding what that identity is used for, who would be ultimately responsible for it. So you can figure out when and how you can make changes to it without impacting production." - Andrew Wilder

Through this, Andrew emphasizes the multifaceted nature of non-human identity management. Knowing what an identity is used for involves understanding the specific function or service it facilitates. For instance, an API key might be used for communication between different microservices within a cloud environment. Identifying who is responsible for these identities is equally important; it requires clear ownership and accountability within the organization. Without this understanding, making changes to identities can disrupt services, leading to potential downtime or security vulnerabilities.

“It's very hard to get the context. It's part of the challenge with non-human identities to understand the context of how they're used." - Amir Shaked

Emphasizing the difficulty of this task, Amir highlights that the complexity of modern IT environments can obscure the usage patterns of non-human identities, making it difficult to manage them effectively. The dynamic nature of applications and services, especially in a DevOps or microservices architecture, means that non-human identities are constantly being created, modified, and deprecated. Keeping track of these changes is a significant challenge.

Ensuring security of non-human identities

Security is a paramount concern when managing non-human identities. These identities can be as powerful as, or even more powerful than, human identities because they often have broad access to systems and data. Some security challenges include: credential management, access controls, as well as monitoring and auditing. These non-human identites are at the centre of security as they are often given broad access to systems and data, in fact APIs are often used for automating certain tasks, sometimes even critical processes that are essential for the day-to-day operations of an organization.

API keys might enable communication between different microservices in a cloud environment. These communications can include sensitive operations such as processing transactions, transferring data, and managing resources. If an API key is compromised, it can disrupt these critical processes, leading to data breaches or operational failures.

Also, due to their high volume and density non-human identities increase the attack surface. Large enterprises may have thousands of non-human identities, each serving different purposes. This includes API keys for external services, shared secrets for inter-service communication, and service accounts for running applications. Managing and securing each of these identities is challenging due to their volume and the different contexts in which they operate.

These non-human identities are also often dynamically created - like is the case for GraphQL APIs - and used, especially in environments that employ DevOps and continuous integration/continuous deployment (CI/CD) practices.

Hence, the security of non-human identities is of paramount importance because they play a critical role in the operation and security of modern IT environments. Their broad access to systems and data, combined with the high volume and dynamic nature of these identities, significantly increases the attack surface and potential impact of any security breaches.

Automation and prioritization

In large enterprises, manual management of non-human identities is impractical. Automation is essential for handling the vast number of identities and ensuring they are managed effectively. Automated solutions can help prioritize which identities pose the highest risk and need immediate attention. This prioritization is crucial as cybersecurity teams often have limited resources and need to focus on the most significant threats first.

“When you're talking about a large enterprise, the only way to do it is in an automated way. There's no way to do that in a manual way." - Andrew Wilder

This underscores the scale at which large enterprises operate. With potentially thousands or even millions of non-human identities in use, manual management is not feasible. Automation tools can continuously monitor and manage these identities, ensuring they are rotated, updated, and decommissioned as needed without human intervention.

“The better you get it, the less risk you're creating." - Amir Shaked

This shows the direct correlation between the effectiveness of automation and risk reduction. By improving automated processes, organizations can reduce the chances of vulnerabilities associated with unmanaged or poorly managed non-human identities. For instance, automating the rotation of API keys and service account passwords can prevent their compromise, significantly reducing security risks.

The role of research and regulations

Research and regulations play pivotal roles in driving the management of non-human identities. Reports highlighting the magnitude of the problem and the associated risks increase awareness and push organizations to take action. Additionally, regulations and compliance requirements, such as those from PCI-DSS, mandate specific controls, further emphasizing the need for robust identity management practices.

“Any such report is good for increasing the understanding of the scope of the problem and the risks." - Amir Shaked

Amir points out the importance of industry research in bringing attention to the issue of non-human identity management. Such reports can provide valuable insights into the latest threats, best practices, and technological advancements. They can also help organizations benchmark their own practices against industry standards and identify areas for improvement.

Industry collaboration

Collaboration within the industry and with government bodies is essential for developing effective regulations and practices. As the industry matures, regulations will catch up, and organizations will adopt better practices for managing non-human identities.

Organizational and process changes

Organizational and process changes are also necessary to address non-human identity management. Cybersecurity practitioners often focus on tools, but the success of managing non-human identities also depends on making organizational changes. This includes integrating application security, identity management, and other related areas to create a cohesive approach.

“There's a big part of organizational change rather and especially when you talk about non-human identity. It touches application security, touches all other types of identity, and so making those organizational changes in the process changes around how to manage it. That's a key part of making this a success." - Andrew Wilder

Stressing the importance of organizational change, this quote emphasizes that technology alone cannot solve the problem. Organizational culture, processes, and practices must evolve to support effective identity management. This might involve training staff, redesigning workflows, and fostering a security-first mindset across the organization.

Steps to achieve maturity

  1. Understanding the Scope: Identify the number of non-human identities, their sources, and associated risks. This foundational step requires a comprehensive inventory of all machine identities within the organization. Without a clear understanding of what identities exist and how they are used, it is impossible to manage them effectively.
  2. Automating Management: Implement automated solutions to manage and prioritize identities. Automation is critical for handling the scale and complexity of modern IT environments. Automated tools can enforce policies consistently, reduce human error, and respond quickly to threats.
  3. Organizational Change: Drive top-down initiatives to address the risks and integrate identity management across teams, introduce the idea of security governance. Leadership must champion identity management efforts, allocating resources and setting policies that prioritize security. Cross-functional collaboration is essential, since identity management impacts multiple areas of the organization.
  4. Continuous Improvement: Regularly update processes and controls to adapt to new challenges and technologies. Threats are constantly evolving, and so must the strategies for managing non-human identities. Continuous monitoring, regular security audits, and staying informed about the latest developments in cybersecurity are crucial.

The future of non-human Identity management

The future, much like the present, will see an increase in non-human identities due to the proliferation of applications and automation tools. AI and other advanced technologies will contribute to both the challenges and solutions in this field. Organizations must stay ahead by continuously improving their identity management practices and adopting new tools and processes.

As applications become more complex and interconnected, the number of non-human identities will continue to grow. This expansion will be driven by trends such as the Internet of Things (IoT), cloud computing, and microservices architecture. Each of these trends introduces new types of machine identities that must be managed securely.

AI and machine learning technologies offer promising solutions for non-human identity management. These technologies can analyze vast amounts of data to identify patterns, detect anomalies, and predict potential security threats. For example, machine learning algorithms can be used to monitor the behavior of non-human identities, flagging any unusual activity that might indicate a security breach.

Conclusion

Non-human identity management is a complex but essential aspect of cybersecurity. By understanding the context, automating processes, and driving organizational changes, companies can mitigate the risks associated with these identities. Continuous research, regulation, and industry collaboration will further enhance the maturity and effectiveness of identity management practices.

Organizations must recognize the importance of non-human identity management and take proactive steps to address these challenges. This involves not only implementing the right technologies but also fostering a culture of security awareness and collaboration. By doing so, they can protect their systems, data, and, ultimately, their business from the growing threat of cyberattacks targeting non-human identities.

"The better you get at managing non-human identities, the less risk you're creating." – Amir Shaked

These resources provide valuable insights into both the technical and organizational aspects of cybersecurity and identity management.


💡Want to learn more? Discover the following articles: