Managing Non-Human Identity Risks - White Paper
Non-Human Identities (also known as Machine Identities or Workload Identities) pose one of the biggest cyber and insider threat risks to any organisation. Most of the biggest cyber incidents have one thing in common: the discovery and use of highly privileged Non-Human Identity credentials to access and compromise systems and data.
Regulators and auditors around the world are now very focussed on this significant exposure, which exists in most organisations. A number of years ago their primary focus was on Privileged Access Management, Segregation of Duties and Access to Production controls, but they are now raising significant audit points against numerous financial institutions on Non-Human Identity risks, from hardcoded credentials in source code repositories to a lack of password cycling.
Organisations cannot ignore or underestimate this risk, nor the sheer scale of effort required to get it under control, if they are to avoid being the next company facing a major cyber or insider threat incident.
This white paper focuses on the core foundational principles an organisation needs to establish in order to understand the risks around Non-Human Identities, and on the key capabilities it needs to consider in order to manage those risks in an effective and sustainable way.
The following sections of this article explain the key areas highlighted above in more detail (full details can be found in the White Paper).
Understanding Inventory, Controls & Risks around Non-Human Identities:
Account Inventory and Ownership - foundational to any program is establishing an inventory of all technical accounts and identifying their owners.
Authentication Method - does the credential use a password for authentication, or another form of authentication such as certificates, Kerberos or tokens?
Levels of Privilege - what access does the account provide: full administrative access on the domain/asset, or specific read or write privileges?
Breadth of Access - is the account entitled to just one asset/component, or to hundreds or thousands of assets/components?
Interactive Accounts - interactive accounts allow a human to log on as the technical account, effectively impersonating it and gaining highly privileged access.
Environment Segregation - a lack of environment segregation increases the risk of lateral movement.
Password Discovery - a huge challenge faced by the industry is that application credentials/passwords are not always secured and, in many cases, are held unencrypted, in plain text, within source code repositories and elsewhere.
Password Complexity - accounts with non-complex passwords are prone to brute-force attacks.
Password Cycling - industry best practice is to cycle technical account passwords on a regular basis. Cycling has many benefits: it reduces the risks around transfers and leavers, mitigates or removes credential exposure in legacy code/scripts, and helps uncover unknown dependencies and sharing of credentials. Password cycling is, however, incredibly challenging given the risks above.
Account Usage - if an organisation can determine whether an account is in use, this can drive hygiene activities to remove legacy/inactive accounts and achieve quick wins in driving down the surface area of risk.
Account Sharing - unfortunately, in many organisations we have seen application credentials shared across teams/applications, which breaks the need-to-have/need-to-know and segregation principles.
Humans using Non-Human Identities - the biggest risk arising from weak Non-Human Identity controls is the discovery and compromise of the credentials by both external and internal threat actors.
A key part of any Non-Human Identity risk remediation program is understanding the control gaps above, so as to assess the overall size and scale of the risk exposure and define a risk-based approach.
So how does an organisation start to tackle this huge ‘elephant in the room’?
I was once asked by a CISO at a leading investment bank why we cannot fix this risk in 1-2 years, and explained that fixing both the current exposure and preventing future risks from repeating touches the whole technology stack and processes in any organisation, from IAM / JML, SDLC / SecDevOps, Application Security, Secrets Vaulting, Credential Scanning etc.
Unfortunately, there is no ‘magic bullet’ here: you cannot just buy a product that will take care of this for an organisation (it will be many products and processes), and you cannot hire a few key SMEs/consultants to quickly fix this. For most large global organisations this will be upwards of a $20-50M spend/investment.
Organisations will need to consider several things as they embark on the journey of tackling one of the biggest and most complex security risks, around Non-Human Identities:
High-Level Platform Read-Across - try to determine where the biggest risks exist by performing a high-level control effectiveness assessment for each platform.
Account Inventory/Claiming - investment in an identity management capability to maintain an inventory of all technical accounts, including the ability to claim ownership of an account, is foundational to any program that measures and drives remediation.
Red-Teaming - we would recommend establishing regular red-team testing of your environment, to see whether technical account credential exposures can be discovered.
Policies/Standards/Controls - organisations will need to ensure that their policies, standards and controls are robustly defined and clearly state what is expected around the management of technical account credentials.
Training/Awareness/Education - there need to be robust training, awareness and education campaigns so that the organisation is aware of the risks around technical accounts.
Control Effectiveness - it is critical to be able to measure the controls in place against technical accounts, but this can be quite challenging given the vast array of platforms, each with its own custom metadata.
Attestation - given that some organisations may not have mature account inventories and may not be able to measure control effectiveness, they may need to consider some level of self-attestation process to establish control effectiveness initially, until this data can be sourced from authoritative sources.
JML Processes - these are key to implementing controls in a sustainable manner, and are in part the root cause of technical account issues within an organisation.
Secrets Vault - a core part of any remediation strategy will be delivery of a Secrets Vault capability. This is no small undertaking: it will need to handle global scale and high volumes, and provide a resilient, fault-tolerant service.
Naming Conventions / Environment Segregation - an organisation will need to consider naming conventions for accounts, e.g. separate accounts for each environment.
Automated Password Cycling Capabilities - automated cycling capabilities are not something you typically get out of the box from most Secrets Vault solutions, and will require significant investment to deliver per platform/account type.
DevSecOps - organisations will need to take a security-first DevOps strategy, i.e. automating the integration of security at every phase of the SDLC, from development through testing and deployment.
Credential Scanning - an organisation will need the ability to scan for and identify credential leaks, e.g. unencrypted plain-text passwords in source code or other repositories.
Preventing Check-In of Credentials into Source Code - to create a sustainable set of controls, you will need to stop new credentials from being checked into source code repositories.
Passwordless vs Password Strategy - to stop the bleeding, you need to consider moving away from passwords to passwordless credentials, e.g. certificates, tokens etc.
Account Hygiene - one of the quickest and most effective forms of risk reduction is to drive a global hygiene program to remove legacy/inactive accounts.
Legacy Authentication Protocols - remove the use of legacy protocols in key applications, particularly any internet-facing applications, as they do not support conditional access or multi-factor authentication and can easily be compromised.
Account-Centric vs Scanning-Centric Remediation - we would advise organisations to use a hybrid approach: account-centric assessment and remediation alongside credential-scanning-based assessment and remediation.
Monitoring Controls to Detect Human Use of Technical Accounts - this is one of the most challenging areas in which to deliver a strong and effective control, but one of the most critical, given that an external or internal threat actor will always find a way to discover and misuse a technical account credential.
Closing Remarks
In closing, addressing risks around Non-Human Identities is likely to be one of the most complex and challenging security vulnerabilities to address in any organisation. It touches all aspects of IT processes and controls, from IAM (Identity Management, JML), SDLC/DevSecOps, Secrets Vaulting, Scanning and Monitoring, many of which will require significant strategic investment to deliver the infrastructure capabilities needed to support risk reduction and the sustainable controls needed to “stop the bleeding”.
Unless an organisation already has mature controls and capabilities for managing technical account credentials, it is likely to uncover thousands of unencrypted plain-text credentials in the environment (which can be easily discovered or are already known). There are likely to be many passwords that have never been cycled and a sizeable percentage of legacy/inactive accounts, increasing the surface area of risk. It is highly likely that these credentials are being used by humans and therefore could pose risks to the integrity of a firm's books and records. Monitoring controls will need to be established to identify and reduce any inappropriate activity.
The effort to remediate these risks will be significant, as teams will need to migrate unencrypted credentials onto a Secrets Vault solution or to passwordless credentials. This will introduce significant change into the environment, and operational risk, as applications could break due to unknown dependencies, e.g. when passwords are cycled.
The adoption of Cloud and SaaS-based services has created a huge Secrets Sprawl problem, further exposing organisations to third-party supply chain risks and adding complexity to managing NHI risks.
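The monitoring control referred to here (and under Monitoring Controls to Detect Human Use of Technical Accounts above) can be expressed as detection logic over logon telemetry. The following is an added example, not a control from the white paper: it reads Windows 4624 logon events exported as JSON lines, applies the naming convention from the paper's list to identify technical accounts, and alerts on interactive/RDP logons by those accounts and on logons to hosts outside what the account inventory entitles. The field names, the svc_/app_ prefix convention, the entitlement table and the sample events are assumptions constructed for the example.

```python
# Added example (not the white paper's own control): flag interactive or out-of-scope
# logons by technical accounts in Windows 4624 logon telemetry exported as JSON lines.
import json
import re
from typing import Optional

# 4624 logon types that imply a person at a console or RDP session rather than a workload.
INTERACTIVE_TYPES = {2: "Interactive", 10: "RemoteInteractive", 11: "CachedInteractive"}
# Assumed naming convention: technical accounts carry a svc_ or app_ prefix.
TECH_ACCOUNT = re.compile(r"^(svc|app)_", re.I)
# Assumed account-inventory data: hosts each technical account is entitled to log on to.
ENTITLED_HOSTS = {"svc_reporting": {"RPT-APP01", "RPT-APP02"}, "svc_backup": {"BKP-SRV01"}}

def classify(event: dict) -> Optional[str]:
    """Return an alert reason for one logon event, or None if it looks like workload use."""
    account, host = event.get("TargetUserName", ""), event.get("Computer", "?")
    if not TECH_ACCOUNT.match(account):
        return None  # human accounts are covered by other controls
    logon_type = int(event.get("LogonType", 0))
    if logon_type in INTERACTIVE_TYPES:
        return f"{account}: {INTERACTIVE_TYPES[logon_type]} logon on {host} (human use of technical account)"
    entitled = ENTITLED_HOSTS.get(account.lower())
    if entitled is not None and host not in entitled:
        return f"{account}: logon on {host} outside entitled hosts (sharing or lateral movement?)"
    return None

def detect(lines) -> list:
    """Run classify() over JSON-lines telemetry; non-4624 and malformed lines are skipped."""
    alerts = []
    for raw in lines:
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if event.get("EventID") == 4624 and (reason := classify(event)):
            alerts.append((event.get("TimeCreated"), reason))
    return alerts

# Constructed sample telemetry; no real hosts or accounts.
SAMPLE_LOG = [
    '{"TimeCreated":"2024-03-01T02:00:05Z","EventID":4624,"TargetUserName":"svc_backup","LogonType":5,"Computer":"BKP-SRV01"}',
    '{"TimeCreated":"2024-03-01T09:14:22Z","EventID":4624,"TargetUserName":"svc_reporting","LogonType":10,"Computer":"RPT-APP01"}',
    '{"TimeCreated":"2024-03-01T09:20:41Z","EventID":4624,"TargetUserName":"jsmith","LogonType":2,"Computer":"WS-1234"}',
    '{"TimeCreated":"2024-03-01T11:02:13Z","EventID":4624,"TargetUserName":"svc_reporting","LogonType":3,"Computer":"FIN-DB07"}',
    '{"TimeCreated":"2024-03-01T11:03:00Z","EventID":4625,"TargetUserName":"svc_reporting","LogonType":2,"Computer":"WS-1234"}',
]

if __name__ == "__main__":
    for ts, reason in detect(SAMPLE_LOG):
        print(ts, reason)
```

The entitlement check only works once the account inventory described earlier exists, which is why the paper treats inventory and claiming as foundational to monitoring.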
If you are an organisation that would like to understand more about the risks around Non-Human Identities and how to go about establishing a risk program to manage and remediate the risks, please contact us at info@nhimg.org
As an organisation embarks on establishing a risk program around Non-Human Identities, there are several core foundational control principles that will need to be established in order to understand the size and scale of the risk exposure that exists.
There are also several things an organisation will need to consider from a core capability standpoint in order to manage the risks in an effective and sustainable way.
The high-level diagram below attempts to summarise the key areas that an organisation will need to factor into any risk program it establishes.