Risks of Non-Human Identity Misconfiguration and Poor Management

Itzik Alvas, Entro Security

Entro Security - Risks of NHI Misconfiguration and Poor Management Report

Data for this report has been collected from millions of secrets and NHIs belonging to companies across industries, from startups to the Fortune 100.

Summary

The management of Non-human identities and secrets is critical to maintaining organizations’ security.

Entro Security’s recent research reveals alarming trends in the handling of both human and non-human identities, with significant misconfigurations and risks prevalent across organizations. The following report highlights the key findings, emphasizing the need for improved security practices in non-human identity and secrets management.

Key Findings

1. Proliferation of Non-Human Identities

  • Human vs. Non-Human Identities: For each human identity, there are an average of 92 non-human identities. This overwhelming number of non-human identities significantly increases the complexity of identity management and the potential for security vulnerabilities.

2. Misconfiguration of Vaults

  • Vault Misconfigurations: 73% of vaults are misconfigured, leading to serious security risks. Misconfigurations can result in unauthorized access, exposure of sensitive data, and compromised systems.

3. Idle Non-Human Identities

  • Unused Secrets: 40% of all secrets within an organization are idle. These are real, valid secrets that are not currently being used by any application workload, representing an unnecessary and large risk exposure: no one is using them, but anyone can. Idle secrets can be exploited by malicious actors if they are not properly managed and decommissioned.

4. Excessive Permissions and Access

  • Over-Permissioned Non-Human Identities: 100% of environments audited have non-human identities that have been given more permissions and access than necessary. This over-provisioning of permissions increases the attack surface and the risk of unauthorized access.

  • Excessive Privileges for Non-Human Identities: 97% of non-human identities have excessive privileges, which can lead to unauthorized actions being performed within the system.

5. Failure to Revoke Access

  • Former Employee Tokens: 91% of former employee tokens are never revoked, leaving organizations vulnerable to potential security breaches. This oversight in de-provisioning is a critical gap in organizations’ security posture and a serious regulatory breach.

6. Overuse and Duplication of Non-Human Identities

  • Overused Non-Human Identities: 60% of non-human identities are being overused, with the same non-human identity being utilized by more than one application. This practice increases the risk of a single point of failure and can lead to widespread compromise if the non-human identity is exposed.

  • Duplicated Secrets: 62% of all secrets are duplicated and stored in multiple locations, leading to unnecessary redundancy and increasing the risk of accidental exposure.

7. Insecure Onboarding and Exposure of Secrets

  • Onboarding Without Security Approval: 50% of organizations are onboarding new vaults without proper security approval. This lack of oversight can lead to the introduction of vulnerabilities and misconfigurations from the outset.

  • Secrets Exposed in the Wild: 44% of tokens are exposed in the wild, being sent or stored over platforms like Teams, Jira tickets, Confluence pages, code commits, etc. Such practices put sensitive information at risk of being intercepted and exploited. Exposure of secrets is the main root cause of all secrets and non-human identities breaches.

8. Diverse Vault Solutions

  • Multiple Vault Solutions: On average, organizations are using at least five different vault solutions (e.g., HashiCorp Vault, Azure KeyVault, AWS Secrets Manager, Kubernetes Secrets, GitHub Secrets). While diverse solutions offer flexibility, they also complicate management and increase the likelihood of misconfigurations.

9. Third-Party Exposure

  • Exposure to Third Parties: 92% of organizations are exposing non-human identities to third parties. This exposure can lead to unauthorized access if third-party security practices are not aligned with organizational standards.

10. Poor Identity Rotation Practices

  • Average Rotation of Non-Human Identities: The average rotation period for non-human identities is 627 days, far longer than recommended or required by different regulations.

  • Failure to Rotate in Time: 71% of non-human identities are not rotated within the recommended time frames, increasing the risk of compromise over time.

11. Non-Human Identity Attacks

  • Prevalence of Non-Human Identity Attacks: Non-human identity attacks are the second most frequent type of attack and the most devastating to organizations, as reported by IBM in 2023. This highlights the growing threat posed by the mismanagement of non-human identities.

Conclusion

The findings of this research reveal a critical need for organizations to reassess their non-human identity and secrets management practices. The proliferation of non-human identities, misconfigurations, and excessive permissions create significant security risks. The failure to revoke access, the overuse and duplication of secrets, and insecure onboarding practices further exacerbate these risks.

To mitigate these risks, organizations must:

  • Implement stricter controls and regular audits of non-human identities and secrets management practices.

  • Ensure timely rotation of identities and revocation of access for former employees.

  • Reduce the overuse and duplication of secrets, and avoid exposing them in insecure environments.

  • Ensure that vault onboarding is conducted with proper security approval.

  • Continuously monitor and manage non-human identities to prevent excessive privileges and unauthorized access.
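As an added illustration of the audit these recommendations call for (this is not code from the report or from Entro Security), the following script runs the idle, rotation, former-employee and duplication checks over a constructed secrets inventory. The 90-day rotation window, the 30-day idle threshold, the inventory records and the former-employee list are all assumptions made for the example.

```python
"""Audit a constructed NHI inventory for idle, stale, duplicated and unrevoked secrets."""
from collections import defaultdict
from datetime import date, timedelta
import hashlib

TODAY = date(2024, 6, 1)                # fixed reference date so results are reproducible
MAX_ROTATION_AGE = timedelta(days=90)   # assumed policy window, not a figure from the report
IDLE_AFTER = timedelta(days=30)         # assumed idle threshold, also not from the report

# Constructed sample inventory. Secret values are placeholders, not real credentials.
INVENTORY = [
    {"id": "svc-billing", "store": "AWS Secrets Manager", "secret": "PLACEHOLDER-A",
     "rotated": date(2024, 4, 20), "last_used": date(2024, 5, 30), "owner": "alice"},
    {"id": "svc-billing-copy", "store": "GitHub Secrets", "secret": "PLACEHOLDER-A",
     "rotated": date(2024, 4, 20), "last_used": date(2024, 5, 29), "owner": "alice"},
    {"id": "ci-deploy", "store": "Kubernetes Secrets", "secret": "PLACEHOLDER-B",
     "rotated": date(2022, 9, 1), "last_used": None, "owner": "bob"},
    {"id": "etl-reader", "store": "HashiCorp Vault", "secret": "PLACEHOLDER-C",
     "rotated": date(2024, 5, 15), "last_used": date(2024, 1, 10), "owner": "carol"},
]
FORMER_EMPLOYEES = {"bob"}   # constructed: a person who has left but still owns a token

def fingerprint(secret: str) -> str:
    """Compare secrets by hash so duplicates are found without handling the raw value."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]

def audit(inventory, former_employees, today=TODAY):
    """Return the ids that trip each check; one id may appear under several checks."""
    findings = {"idle": [], "stale_rotation": [], "former_employee": [], "duplicated": []}
    by_fingerprint = defaultdict(list)
    for item in inventory:
        by_fingerprint[fingerprint(item["secret"])].append(item["id"])
        # Idle: a valid secret with no recorded use inside the idle window.
        if item["last_used"] is None or today - item["last_used"] > IDLE_AFTER:
            findings["idle"].append(item["id"])
        # Stale: not rotated within the policy window.
        if today - item["rotated"] > MAX_ROTATION_AGE:
            findings["stale_rotation"].append(item["id"])
        # Unrevoked: the owning person has left the organization.
        if item["owner"] in former_employees:
            findings["former_employee"].append(item["id"])
    # Duplicated: identical secret material stored under more than one id or store.
    findings["duplicated"] = [sorted(ids) for ids in by_fingerprint.values() if len(ids) > 1]
    return findings

if __name__ == "__main__":
    for check, ids in audit(INVENTORY, FORMER_EMPLOYEES).items():
        print(f"{check}: {ids}")
```

In a real deployment the inventory would be pulled from each vault's API and the owner list from the identity provider; the checks themselves stay the same.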

By addressing these issues, organizations can significantly reduce their attack surface and strengthen their overall security posture.
