The Ultimate Guide to Non-Human Identities Report
Understanding Oasis

In today’s digital landscape, the importance of managing non-human identities has become increasingly significant. From IoT devices to automated software processes, non-human identities play a crucial role in various operational and security contexts. Oasis emerges as a pivotal solution for addressing these needs, providing robust features to ensure the secure and efficient management of non-human identities.

Key Features of Oasis

Oasis offers a suite of features tailored to the unique requirements of non-human identity management. Here are some of the most notable capabilities:

1. Automated Identity Provisioning: Oasis automates the provisioning of non-human identities, ensuring that each device or process receives the appropriate credentials and permissions without manual intervention. This automation reduces the risk of human error and streamlines the onboarding process.

2. Dynamic Credential Management: One of the standout features of Oasis is its dynamic credential management. It continuously monitors and updates credentials for non-human entities, ensuring they remain secure and compliant with organizational policies. This feature is essential for maintaining the integrity of systems that rely on these identities.

3. Comprehensive Auditing and Reporting: Oasis provides detailed auditing and reporting capabilities. Organizations can track the activities and interactions of non-human identities, generating comprehensive reports that support security audits and compliance requirements. This visibility is crucial for identifying potential vulnerabilities and ensuring accountability.

The Importance of Non-Human Identity Management

As the number of non-human identities grows, so does the complexity of managing them. Effective non-human identity management is essential for several reasons:

1. Enhanced Security: By ensuring that non-human identities are properly managed, organizations can significantly reduce the risk of unauthorized access and potential breaches. Valance Security’s features help in maintaining a secure environment.

2. Operational Efficiency: Automating the management of non-human identities frees up valuable resources, allowing IT teams to focus on more strategic tasks. This efficiency can lead to cost savings and improved overall performance.

3. Compliance and Accountability: Regulatory requirements often mandate strict control over identity management. Valance Security’s auditing and reporting tools help organizations meet these requirements and demonstrate compliance effectively.

Conclusion

In conclusion, Oasis addresses a critical need in the modern digital ecosystem by providing comprehensive features for managing non-human identities. Its automated provisioning, dynamic credential management, and robust auditing capabilities make it an invaluable tool for enhancing security, improving operational efficiency, and ensuring compliance. As organizations continue to adopt and integrate more non-human identities, solutions like Oasis will play an increasingly vital role in their success.

Govern the Mix: Static and Federated Non-Human Identities

Govern the Mix: Static and Federated Non-Human Identities – Oasis Security

Static credential constructs are increasingly misaligned with the needs of today’s cloud-first, rapidly evolving infrastructures, particularly as agentic AI (autonomous systems pursuing goals with limited supervision and tool-use) multiplies machine-to-machine exchanges and cross-service orchestration. But non-human identity isn’t binary. Most organizations will run a mix of static secrets and dynamic, federated identities for years. The real job is governance: pick the right method per use case, manage it well, and continually shrink standing privilege as your stack and maturity allow.

This article explores where static identity constructs struggle, where they still fit, and practical ways to manage both, along with a pragmatic path toward dynamic authentication. By addressing these issues, organizations can better safeguard their Non-Human Identities (NHIs) and reduce the risk of breaches in hybrid, multi-cloud, and AI environments.

Dynamic authentication is not just an advancement; it’s a direction of travel. Rotation, vaulting, and ownership still matter, but ephemeral, policy-driven access should be the default wherever it’s easy and supported.

Why Static Credentials Are Risky in Modern Environments

Static credentials, such as long-lived passwords, access keys, and API tokens, represent a persistent threat in modern IT environments. Their unchanging nature makes them a predictable and exploitable target for attackers (you find one, and you are golden for the foreseeable future!).

In cloud and hybrid infrastructures, static credentials often go unrotated or unmanaged, remaining valid long after their original purpose has expired, for instance, credentials created for an abandoned vendor evaluation or for a completed backup project that were never revoked. This creates vulnerabilities that attackers can exploit to gain unauthorized access. For example, unrotated credentials can be found embedded in source code or stored in unsecured locations, providing an easy entry point for malicious actors. 

Data from security incidents highlights this risk. A 2024 survey by IBM revealed that static credentials contributed to over 60% of cloud-related breaches. Breaches involving static credentials cost organizations $4.81 million on average and require 292 days to contain, the longest remediation timeline of any attack vector, according to IBM’s 2024 Cost of a Data Breach. The McDonald’s breach, involving an AI hiring chatbot compromised by researchers utilizing the static credential “123456,” exemplifies the widespread issue of relying on static identity constructs. Such incidents underscore the inherent vulnerabilities when these unchanging identities are used in dynamic environments with rapidly evolving threats.

What Attackers Exploit When Credentials Never Change

Static credentials create opportunities for attackers to exploit weaknesses and gain unauthorized access. These risks are amplified in environments where credentials are not regularly monitored or updated.

Privilege Escalation

Attackers often use orphaned or unused credentials to elevate permissions within a system. Static service accounts, in particular, can retain excessive privileges long after their intended use. These credentials, when compromised, allow attackers to bypass security controls and gain broad access to sensitive resources.

Continuous identity posture review is essential to mitigate this risk. Regularly assessing permissions and revoking unnecessary access (least-privilege by default, and time-boxed access) significantly reduces the attack surface. Without this vigilance, static credentials can serve as hidden entry points for malicious activity.

API Key Harvesting

Hardcoded API keys and unrotated secrets are another common target for attackers. These credentials, often embedded in source code repositories or shared in collaboration channels, are easily accessible to anyone with access to the code. Public repositories, like GitHub, are frequently scanned by attackers seeking exposed keys. According to recent findings, 61% of organizations have secrets, like cloud credentials, exposed in public repositories. Once obtained, these credentials can be used to extract data, modify configurations, or disrupt services.

Automated tools that scan repositories for hardcoded secrets are critical in preventing such exposures. Combined with secure development practices, these tools help organizations identify and mitigate risks during the development process.

Lateral Movement

Static credentials enable lateral movement across systems, particularly in multi-cloud environments where identity sprawl is common. Once attackers gain access to one set of credentials, they can pivot to other systems by exploiting trust relationships and overprivileged accounts.

Real-time anomaly detection can help identify lateral movement. Monitoring tools that flag unusual activity, such as credential use from unexpected locations or during irregular hours, are crucial for detecting and responding to these threats before they escalate.

Practical Ways to Transition from Static to Dynamic credentials

Dynamic authentication provides a more secure alternative to static credentials by enabling flexible, time-bound, and context-aware access. Transitioning to dynamic methods requires (1) adopting strategies that prioritize security and automation, and (2) containing the legacy while you migrate. Let’s focus on the strategies to move to dynamic credentials:

  1. Dynamic Service Identities (Ephemeral Tokens)

Ephemeral tokens are a secure replacement for static credentials because they are valid only for short periods. They are generated dynamically and automatically refreshed, drastically reducing the window of opportunity in which attackers can abuse compromised credentials. 

Major clouds already mint short-lived tokens for workloads (AWS IAM roles, Azure Managed Identities, GCP Workload Identity Federation, etc.). A process hits the metadata endpoint, grabs a fresh JWT or cert, and uses it to reach only the resources its role allows.

  2. Policy-Based Access

Dynamic policy engines allow organizations to grant permissions based on contextual factors, such as user roles, device health, or the sensitivity of the requested resource. This ensures that access is only provided when necessary and under predefined conditions.

Integrating policy-based access with zero-trust frameworks enhances security by continuously verifying identity and access requirements. This model prevents overprovisioning and ensures that permissions are tailored to specific tasks or sessions.

  3. Just-in-Time Provisioning & Zero-Standing Privilege

Just-in-time provisioning eliminates the persistence of static credentials by issuing them only when required and revoking them shortly after use. This approach minimizes the risk associated with long-lived credentials while ensuring that access is both secure and efficient.

For DevOps and DevSecOps teams, just-in-time provisioning streamlines workflows by automating the issuance and removal of credentials. This reduces the administrative burden while maintaining strong security controls.

  4. Federation & Mesh

Adopt open trust frameworks:

  • SPIFFE/SPIRE for per-process X.509 or JWT SVIDs, enabling mTLS inside and across clusters.
  • Workload-to-workload mTLS enforced by service meshes (Istio, Consul, etc.) for authenticated east-west traffic.
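As an added illustration (not code from the original article), a minimal issuer and verifier showing why the short-lived, scope-bound token described in strategy 1 closes the window a static key leaves open. The HMAC-signed format and `ISSUER_KEY` are simplified stand-ins for a provider-minted JWT from a metadata endpoint, not a real cloud API.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed issuer key: stands in for the key a cloud token service holds.
ISSUER_KEY = b"constructed-issuer-key-for-illustration-only"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, scopes: list, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Mint a short-lived, scope-bound token for a workload.

    The encoding (base64url claims + HMAC-SHA256 tag) is a simplified stand-in
    for the JWT a cloud metadata endpoint hands a process; what matters is the
    `exp` and `scope` claims, not the wire format.
    """
    now = time.time() if now is None else now
    claims = {"sub": subject, "scope": list(scopes), "iat": int(now), "exp": int(now) + ttl_seconds}
    payload = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64url(tag)}"


def verify_token(token: str, required_scope: str, now: Optional[float] = None, skew: int = 30) -> Optional[dict]:
    """Return the claims if the token is authentic, unexpired and allowed to
    reach the requested resource; return None on any failure."""
    now = time.time() if now is None else now
    try:
        payload, tag = token.split(".")
        expected = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(tag)):
            return None  # forged or tampered: these claims are not the issuer's
        claims = json.loads(_b64url_decode(payload))
        if now > claims["exp"] + skew:
            return None  # expired: a leaked token stops working on its own
        if required_scope not in claims["scope"]:
            return None  # a role reaches only the resources it was granted
    except (ValueError, TypeError, KeyError):
        return None  # malformed encoding, JSON or claim set
    return claims


def remaining_lifetime(token: str, now: float) -> int:
    """Seconds until the token expires (negative once past `exp`)."""
    claims = json.loads(_b64url_decode(token.split(".")[0]))
    return claims["exp"] - int(now)


def verify_static_key(presented: str, stored: str) -> bool:
    """The static-credential baseline: equality is the whole check, so a
    leaked key keeps working until someone notices and rotates it."""
    return hmac.compare_digest(presented.encode(), stored.encode())
```

A 15-minute token captured from a log or a crash dump is useless well before anyone has to rotate anything; a static key captured the same way stays valid until it is revoked.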

When Static Secrets Make Sense (and how to manage them well)

There are valid cases where static is the pragmatic fit: vendor APIs that only support keys, legacy/OT or air-gapped systems, certain cross-org workflows, or interim phases during migration.

Do this, every time:

  1. Vault & reference: Store centrally; never in code/images/chat. Inject via references.
  2. Assign ownership: Named owner and on-call. Track purpose, environment, blast radius, and renewal plan.
  3. Scope tightly: Resource-level scopes, least privilege, network/source restrictions, environment isolation.
  4. Automate rotation: Enforce max age; coordinate service-side change + client rollout; alert on failed/first use post-rotate.
  5. Instrument usage: Detect unusual geos/hours/volumes/clients; flag reuse across services.
  6. Right-size regularly: Remove unused scopes; disable stale keys; expire dormant service accounts.
  7. Practice revocation: Rehearse kill switches; measure MTTR to disable and recover.
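The checklist’s ownership, scoping, rotation, instrumentation and right-sizing steps, together with the lateral-movement signals described earlier (use from unexpected locations or during irregular hours), as an added posture review over a constructed inventory and usage log. This is example code written for this guide, not Oasis tooling; the inventory, log lines, and the `MAX_AGE` and `DORMANT_AFTER` thresholds are assumed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed inventory of static credentials (not real keys, owners or scopes).
INVENTORY = [
    {"key": "key-billing-01", "owner": "team-payments", "scopes": ["db:read"],
     "rotated": "2024-04-20", "allowed_countries": {"US"}, "business_hours": (6, 22)},
    {"key": "key-etl-02", "owner": "", "scopes": ["*"],
     "rotated": "2023-09-01", "allowed_countries": {"US"}, "business_hours": (0, 24)},
    {"key": "key-vendor-03", "owner": "team-data", "scopes": ["report:read"],
     "rotated": "2024-03-15", "allowed_countries": {"US", "DE"}, "business_hours": (6, 22)},
]

# Constructed usage log, one authentication event per line.
USAGE_LOG = """\
2024-05-02T14:10:00Z key=key-billing-01 service=billing-api env=prod src_country=US
2024-05-02T03:41:00Z key=key-billing-01 service=billing-api env=prod src_country=BR
2024-05-03T09:00:00Z key=key-etl-02 service=etl-runner env=prod src_country=US
2024-05-03T09:05:00Z key=key-etl-02 service=ci-runner env=test src_country=US
"""

MAX_AGE = timedelta(days=90)        # assumed max age before rotation is overdue
DORMANT_AFTER = timedelta(days=30)  # assumed dormancy threshold before disabling
NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)  # fixed "now" for the sample


def parse_usage(log_text):
    """Turn key=value log lines into event dicts with an aware timestamp."""
    events = []
    for line in log_text.splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(ev)
    return events


def review_posture(inventory, events, now):
    """Return {key: [finding, ...]} for every checklist item that fails."""
    findings = defaultdict(list)
    by_key = defaultdict(list)
    for ev in events:
        by_key[ev["key"]].append(ev)
    for item in inventory:
        k = item["key"]
        uses = by_key.get(k, [])
        if not item["owner"]:                       # assign ownership
            findings[k].append("no named owner")
        if "*" in item["scopes"]:                   # scope tightly
            findings[k].append("wildcard scope; not least privilege")
        rotated = datetime.fromisoformat(item["rotated"]).replace(tzinfo=timezone.utc)
        if now - rotated > MAX_AGE:                 # automate rotation
            findings[k].append(f"rotation overdue by {(now - rotated - MAX_AGE).days} days")
        last_used = max((ev["ts"] for ev in uses), default=None)
        if last_used is None or now - last_used > DORMANT_AFTER:  # right-size
            findings[k].append("dormant; candidate for disable")
        services = {ev["service"] for ev in uses}   # instrument: reuse across services
        if len(services) > 1:
            findings[k].append(f"reused across services: {sorted(services)}")
        envs = {ev["env"] for ev in uses}           # environment isolation
        if len(envs) > 1:
            findings[k].append(f"shared across environments: {sorted(envs)}")
        lo, hi = item["business_hours"]             # instrument: geos and hours
        for ev in uses:
            if ev["src_country"] not in item["allowed_countries"]:
                findings[k].append(f"use from unexpected country {ev['src_country']} at {ev['ts']:%Y-%m-%dT%H:%MZ}")
            if not lo <= ev["ts"].hour < hi:
                findings[k].append(f"use outside business hours at {ev['ts']:%Y-%m-%dT%H:%MZ}")
    return dict(findings)


def run_review():
    """Run the review over the constructed sample data."""
    return review_posture(INVENTORY, parse_usage(USAGE_LOG), NOW)


if __name__ == "__main__":
    for key, problems in run_review().items():
        print(key)
        for p in problems:
            print("  -", p)
```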

Ensuring Continuous Threat Detection and Governance

Dynamic authentication and well-managed secrets both need continuous monitoring and governance to be effective. Real-time posture checks and anomaly detection play a critical role in identifying potential threats and ensuring compliance with security policies.

AI-driven analytics enhance detection by identifying deviations from normal behavior across systems. For example, AI can flag unusual credential usage patterns, such as access attempts from unexpected locations or devices, allowing security teams to respond proactively.

Governance frameworks must unify identity lifecycle management processes, enabling organizations to centralize functions like credential scanning, revocation, and periodic reviews. This ensures that all identities are effectively monitored and managed, reducing the risk of oversight or mismanagement.

Oasis Security for Future-Proof Identity Management

At Oasis Security, we recognize the limitations that static identity constructs impose on modern infrastructure. That’s why we built the Oasis NHI Security Cloud, to transform the way organizations manage and secure Non-Human Identities (NHIs) in dynamic, hybrid environments. Our platform enables companies to embrace the future by accelerating their journey toward federation and zero trust architectures.

Our platform combines advanced capabilities to address the vulnerabilities of static credentials and empower organizations to adopt dynamic authentication. 

  1. Provision securely, by default

We integrate into your CI/CD, cloud, and identity stacks to provision NHIs with the most secure option from day one:

  • Prefer managed identities where supported, selecting the method based on the identity’s purpose and the environment it runs in. SPIFFE/SPIRE is excellent for identities and mTLS within your own environment (clusters/VMs/services); for external SaaS, third-party, or cross-org access, use OIDC/SAML federation to the provider, or, if federation isn’t available, broker scoped API keys with short TTLs and rotation.
  • Enforce least privilege at creation with guardrails and policy packs that align permissions to intended use.

  2. Federate & shorten lifetimes (dynamic auth)

We start with context & visibility: resolve ownership and map every consumer and usage path of each secret (services, pipelines, jobs, environments, third parties). Without this dependency map, migrating static creds to federation risks breakage.

We detect where static secrets are still used and, with that context, automatically recommend (if possible), and safely orchestrate, their migration to:

  • Federated identities backed by your IdP/cloud provider.
  • Ephemeral, auto-rotated credentials with minutes-to-hours TTLs.
  • Policy-based issuance that adapts to context (workload, environment, identity posture).

Cutovers are dependency-aware (dual-issue/dual-validate), canaried, and include automatic rollback and post-cutover verification to ensure nothing breaks.

  3. Operate & defend what can’t (yet) be migrated

Where static credentials must persist, we minimize the blast radius:

  • Automated remediation for overprivileged credentials to enforce least privilege.
  • Continuous rotation & expiry enforcement for remaining secrets.
  • Rapid anomaly detection with Oasis Scout to spot misuse in real time and trigger policy-driven containment.

  4. Lifecycle orchestration, end to end

Our policy-based lifecycle engine enforces consistent controls, from provisioning through decommissioning, across clouds, clusters, and runtimes.

By adopting Oasis NHI Security Cloud, organizations can eliminate static credentials, implement dynamic authentication, and achieve a security posture that is both adaptive and resilient.

  • Post-secret posture: Design for federation and short-lived auth first; treat static credentials as legacy you’re actively shrinking.
  • Actionable AI, not dashboards: Ownership resolved, migration paths generated, fixes automated.
  • Continuous reduction of attack surface: Every day, fewer long-lived secrets, smaller privilege sets, shorter lifetimes.

Request a demo to see how Oasis Security can transform your identity management strategy: https://oasis.security/demo

The OWASP Non-Human Identity Top 10

Oasis Security – The OWASP Non-Human Identity Top 10: A Strategic Imperative for 2025

Non-human identities (NHIs), such as service accounts, API keys, and IAM roles, have become fundamental to modern enterprise environments, enabling machine-to-machine access and authentication. However, as organizations embrace cloud-native architectures, microservices, third-party integrations, and, more recently, AI, the proliferation of NHIs has outpaced security controls, significantly expanding the attack surface that adversaries actively exploit.

Despite their importance, NHIs often lack the same level of governance, visibility, and protection as human identities. Mismanagement, overprivileged access, long-lived secrets, and improper offboarding have made them prime targets for breaches, ransomware attacks, and supply chain compromises.

To address this growing risk, the OWASP (Open Web Application Security Project) Non-Human Identity Top 10 provides a structured framework for organizations to identify, prioritize, and mitigate the most pressing security risks associated with NHIs. As we approach 2025, securing NHIs is no longer optional but a strategic imperative. This guide serves as a roadmap for security professionals, helping them implement proactive security measures to reduce risk and protect enterprise systems from evolving threats.

Understanding OWASP NHI Top 10

The OWASP NHI Top 10 is a curated list of the most prevalent and impactful security threats affecting non-human identities in modern applications. Cybercriminals increasingly target these identities due to their privileged access and lack of human oversight.

Built on extensive research, real-world threat intelligence, and attack data, this list serves as a critical reference for security leaders, developers, and IAM teams working to secure machine-to-machine access and authentication across hybrid environments.

Key Takeaways for Organizations

1. Enhanced Awareness: Educating teams on the risks of non-human identities fosters a proactive security culture.

2. Risk-Based Prioritization: Allocating resources effectively by first addressing the most critical threats improves defences.

3. Regulatory Compliance: Aligning with OWASP recommendations helps meet industry standards and legal requirements.

4. Proactive Defence Strategies: Implementing robust identity governance, access controls, and continuous monitoring reduces the risk of exploitation.

The OWASP NHI Top 10 Security Risks

The OWASP NHI Top 10 identifies the most critical security risks related to non-human identities. These include:

NHI1:2025 – Improper Offboarding: NHIs not properly deactivated or removed remain active beyond their intended use, creating persistent security gaps. Attackers exploit these to compromise critical systems, exfiltrate data, and maintain long-term persistence.

NHI2:2025 – Secret Leakage: When secrets containing high-impact credentials are leaked, they significantly increase the risk of a severe breach.

NHI3:2025 – Vulnerable Third-Party NHI: Third-party applications that access sensitive data can be compromised, leading to supply chain attacks, data theft, and critical system failures.

NHI4:2025 – Insecure Authentication: Insecure protocols used for sensitive, high-access processes can lead to account takeover or privilege escalation.

NHI5:2025 – Overprivileged NHI: Due to their extensive range of associated privileges, overprivileged non-human identities can have a significant negative impact.

NHI6:2025 – Insecure Cloud Deployment Configurations: CI/CD misconfigurations enable supply chain attacks and unauthorized access due to high pipeline privileges.

NHI7:2025 – Long-Lived Secrets: Long-lived secrets are common due to rotation challenges and the lack of ephemeral solutions. Most secret managers track rotation time, making detection easy.

NHI8:2025 – Environment Isolation: NHIs are often used during deployment and throughout an application’s lifecycle. However, reusing the same NHIs across multiple environments, especially between testing and production, can introduce significant security vulnerabilities.

NHI9:2025 – NHI Reuse: NHIs are very commonly reused because tailor-fitting NHI for each workload is difficult.

NHI10:2025 – Human Use of NHI: Most NHI providers do not provide tooling to differentiate between workloads assuming the NHI and humans assuming the NHI.

Solving the problem of NHIs

As organizations scale their digital ecosystems, they must gain comprehensive visibility into these NHIs across their infrastructure. Robust security measures are essential to protect sensitive data and systems, prevent unauthorized access, and minimize misuse. Additionally, governance capabilities ensure compliance with industry regulations and internal policies, helping safeguard digital assets while minimizing the risk of data breaches.

Automating Identity Discovery and Context

One of the biggest challenges organizations face is identifying, mapping, and contextualizing NHIs across their infrastructure. Businesses need a solution that continuously scans and correlates NHIs, including service accounts on-prem, IAM roles in AWS, and service principals in Azure. By reconstructing identity context, businesses gain actionable intelligence on ownership, usage patterns, and risk exposure.

Advanced Threat Detection and Response

Organizations should deploy AI-driven analytics and behavioural monitoring to detect anomalies in NHI activity. By continuously analysing machine identity behaviours, you can flag unusual patterns that may indicate compromised credentials, insider threats, or privilege abuse. With real-time alerts and automated response actions, organizations can contain incidents before they escalate.

Enforcing Least Privilege Access

A solution should enforce policy-driven, least-privilege access for NHIs through dynamic access controls and just-in-time privilege escalation. This ensures that non-human identities only have the minimum permissions required for their function, reducing the risk of malicious actors exploiting overprivileged NHIs.

Policy-Driven Governance

By automating security policies and compliance frameworks, you can ensure that only authorized NHIs have access to critical resources. This minimizes the risk of privilege escalation, credential misuse, and compliance violations, allowing organizations to enforce security at scale without relying on manual intervention.

Conclusion

Oasis Security is at the forefront of solving the challenges associated with non-human identities. It provides a purpose-built platform that automates the discovery, security, and governance of NHIs across enterprise environments. Unlike legacy identity solutions that struggle with NHI governance, Oasis Security provides continuous discovery, contextual understanding, and dynamic privilege enforcement, ensuring real-time protection.

2024 ESG Report: Managing Non-Human Identities

Oasis Security – 2024 ESG Report – Managing Non-human Identities for an Effective Cybersecurity Program

Research Objectives

Enterprise IT cybersecurity and operations teams are recognizing the risk associated with the large and growing volume of non-human identities (NHIs). Modern application architectures with complex relationships and ephemeral resources have resulted in a proliferation of non-human access to communicate and exchange data. NHI management is an emerging space with unique characteristics and lifecycle requirements when compared with the more established human identity and access management (IAM) domain. Inadequate security for non-human identities poses significant security risks given the significant access and privileges provided to non-human identity infrastructure. Specifically, poor security for NHIs can lead to data breaches, operational disruptions, and compliance violations. As cloud adoption and automation continue to grow, effective non-human identity management has become essential for maintaining security, facilitating business operations, and supporting digital transformation initiatives.

To gain further insight into these trends and issues, TechTarget’s Enterprise Strategy Group surveyed cybersecurity, DevOps, platform, and cybersecurity engineering professionals at organizations in North America (US and Canada) involved with or responsible for the technologies and processes that secure non-human identities and machine workloads.

The Study Sought To:

  • Assess the state of the market for locating, securing, and managing non-human identities.
  • Understand the challenges in gaining visibility and lifecycle control over non-human identities.
  • Explore the consequences of inadequate visibility and security for non-human identities.
  • Determine how enterprises intend to invest to address risks associated with non-human identity management and security.

Key Findings

  1. Non-human identity volume is large and increasing quickly
    • Non-human Identities Significantly Outnumber Human Identities and This Volume Is Expected to Increase – the average organisation estimated that number to be 20x larger and more than half the organisations expect the total number of NHIs to increase by more than 20% over the next 12 months.
    • Non-human Identities Are Perceived to Be Insufficiently Secured – the average organization believes that more than one in five of their non-human identities are insufficiently secured. Not only is the number of non-human identities growing, but organizations also recognize them as a vulnerable part of the attack surface.
  2. Enterprises typically deploy multiple solutions for each NHI problem area
    • Most Enterprises Invest in Multiple Solutions for the Various Aspects of Non-human Identity Management – practically all organizations leverage at least one non-human identity management solution, and many have multiple solutions in place. While this does suggest a defense-in-depth approach, it also reveals a lack of motion toward platform unification at this point.
    • Avoiding Operational Interruptions and Visibility Are Leading Concerns – Operational risk and a lack of visibility are most commonly cited, but compliance and other security concerns, such as identity and zero-trust alignment and certificate rotation, are not far behind.
  3. Enterprises typically endure multiple Non-human Identity compromise events
    • Nearly Three in Four Enterprises Suspect They Have Exposed NHIs
      • Nearly half (46%) of respondents know their organization has experienced a breach of non-human identities, and another 26% suspect that they have had NHI accounts or credentials compromised.
      • Enterprises that have experienced a compromised NHI have averaged 2.7 instances in the past 12 months.
    • Multiple Factors Lead to Non-human Identity Compromises
      • At least one-quarter of organizations cited weak encryption algorithms, exposed keys or secrets, and/or loosely managed service accounts.
    • Compromised NHI Accounts Frequently Lead to Successful Cyberattacks With Multiple Ripple Effects
      • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter of enterprises encountering multiple attacks.
      • Businesses suffer manifold impacts as a result of successful cyberattacks spawned from NHI compromises, from reputational damage through compliance fines to more expensive cyber insurance rates.
      • Security teams frequently see increased budgets and investment but can also encounter leadership changes as a result of successful cyberattacks.
  4. Non-human identity management has diverse constituents and compromises get board level attention
    • Diverse Constituency of Decision-makers, but Security Is Well-represented as Budget Holder
      • Technology teams in DevOps, cloud security, SecOps, and cloud applications contribute to evaluating, recommending, and purchasing solutions, but the security personas (32%) are the most common budget holders.
      • Senior management and executive teams continue to be highly frequent influencers and budget holders since cybersecurity has gained more visibility in the C-suite and with boards of directors in the wake of high-profile incidents and their adverse impacts on business operations.
    • Non-human Identity Security: The Board Will See You Now
      • Non-human identity compromise has the potential to be significantly disruptive to business operations. Indeed, a majority (57%) of non-human identity compromises definitively got board-level attention, while 37% of respondents indicated their organization’s board may have delved into the details of the incident.
  5. Enterprises are investing disproportionately to solve Non-human identity security
    • Non-human Identity Security Spending Is Primed to Increase
      • A notable 83% of organizations expect to spend relatively more on non-human identity security, with nearly one in five expecting to spend significantly more.
      • Enterprises invest in solutions to solve specific problems, and non-human identity management involves diverse problems. More than four in ten organizations expect to increase spending on identity threat detection and response solutions, while 39% will prioritize investments in technologies designed to address visibility, monitoring, and remediation for non-human identities.

Introducing Oasis Scout: Revolutionizing ITDR for Non-Human Identities

Written By: Alberto Farronato, Oasis Security

Oasis Security – Introducing Oasis Scout: Revolutionizing ITDR for Non-Human Identities

We’re thrilled to announce Oasis Scout, the first ITDR solution tailored for Non-Human Identities (NHIs), now available with our pioneering AuthPrint™ technology. This groundbreaking feature of Oasis NHI Security Cloud offers unparalleled threat intelligence and anomaly detection to protect your digital infrastructure from real and imminent threats.

Oasis Scout is a critical advancement in our roadmap for NHI security risk mitigation and breach prevention. We named it “Scout” because its primary goal is to help you detect (and prevent) real attacks on your NHI infrastructure before they escalate into breaches. Developing such a solution required a significant investment in Threat Intelligence Research, profiling numerous malicious attacker groups actively exploiting NHIs (learn more at our newly released NHI Threat Center).

Why Is Threat Detection for Non-Human Identities Needed?

NHIs generate an overwhelming number of anomalies, with studies showing that 90% of alerts triggered by general-purpose tools are either false positives or lack sufficient context for action (Ponemon Institute, 2023). This noise significantly burdens security teams, with 68% of organizations reporting alert fatigue as a major challenge in their incident response workflows (Cybersecurity Insiders, 2023). The inability to effectively prioritize and respond to real threats results in an average MTTR (mean time to respond) of 258 days, leaving organizations vulnerable to breaches (IBM Cost of a Data Breach Report, 2024).

Existing detection solutions, however, often either do not account for NHIs or rely on simplistic behavioral analytics algorithms, which contribute to high false-positive rates and inundate security teams with unclear threat signals.

With NHI breaches rapidly on the rise, we need a better solution.

Advanced Detection: How Oasis Scout Secures NHIs

Oasis Scout integrates seamlessly with the Oasis NHI Security Cloud. At its core is our innovative AuthPrint™ technology, a unique intelligent profiling capability that leverages our comprehensive threat intelligence. AuthPrint enhances detection accuracy and response by accurately matching identified anomalies to known fingerprints of threat actors. This allows us to deliver high-fidelity detection, avoid alarm fatigue and provide security teams with crucial information about the attackers, their methods, and the necessary countermeasures.

Oasis Scout significantly reduces MTTR (Mean Time to Respond) and operational overhead by seamlessly integrating with the unique capabilities of our platform. These include the Context Reconstruction Engine, Dependency Graph, Ownership Attestation, and Remediation Workflow Automation. Together, they provide the most comprehensive context view in the industry, offering key insights that empower users to prioritize responses effectively, take the right actions, and fully understand the business impact of their decisions. This integration not only streamlines operations but also enhances collaboration across security teams.

By combining discovery, ownership tracking, posture management, and ITDR, Oasis provides full lifecycle security for NHIs, ensuring that every stage of identity security—from proactive defense to real-time remediation—is covered.

Scout’s Role in SOC and Incident Response Operations

Scout changes the game by shifting NHI anomaly detection and response left. Security Operations Center (SOC) and Incident Response teams can now efficiently achieve several important outcomes that were previously out of reach for NHIs:

  • Prevent Unauthorized Access by identifying abnormal behavior, such as NHIs accessing resources from unknown IPs, to stop unauthorized activities early.
  • Protect Against Leaked Credentials by flagging compromised credentials and providing actionable steps for mitigation.
  • Comply with Location Policies by enforcing location-specific restrictions to maintain regulatory compliance.
  • Mitigate Account Takeovers by monitoring unregistered domains to prevent impersonation and unauthorized access.

Proven Success: Oasis Scout in Action

Scout has already achieved remarkable real-world results:

  • Immediate Threat Identification: When “SpectreAvenger” targeted the Admin DB East, Oasis Scout swiftly detected and responded to the attack by providing comprehensive insights, tracing the attack’s origin, and formulating a clear remediation plan. This prompt action prevented any damage.
  • Credential Protection: During the OperationEndgame breach campaign, Oasis Scout identified leaked credentials for a Finance Dept Admin, recommended immediate credential rotation, and enhanced monitoring, significantly reducing the risk window.
  • Automated Responses: When CloudFact Info was accessed from an unrecognized IP, Oasis Scout not only flagged the anomaly but also guided the investigation, leading to revoking the associated secret and blocking the unauthorized session, effectively preventing a potential breach.
  • Breach Prevention: A global oil and gas equipment provider recently detected a targeted attack involving repeated access attempts against a critical service account. Rather than reacting after the account was compromised, Oasis Scout provided immediate visibility into the attack, allowing the security team to:
    • Disable the compromised account before attackers could escalate privileges.
    • Trace the origin of the attack and identify similar threats in progress.
    • Strengthen NHI security policies to prevent future attempts.

By eliminating manual guesswork and providing immediate, actionable intelligence, Oasis Scout helped prevent what could have been a catastrophic security breach.

Oasis Security – Non-Human Identity Management

Written by: Guy Feinberg, Oasis Security

Non-human identities, or NHIs, serve as digital gatekeepers, enabling secure machine-to-machine and human-to-machine access and authentication within modern enterprise systems. The push for innovation has led to the adoption of microservices, third-party solutions, and cloud-based platforms, creating a complex web of interconnected systems.

In this intricate network, NHIs are key players in facilitating secure communication and authentication. Their numbers surpass human identities by a factor of 10 to 50, highlighting their essential role in today’s digital ecosystems.

What is Non-Human Identity Management?

Non-Human Identity Management (NHIM) is the process of governing and automating the entire lifecycle of non-human identities. This process includes:

  • Discovery and classification
  • Provisioning
  • Ownership Assignment
  • Posture Monitoring and Detection
  • Vaulting and Secure Storage
  • Rotation of Credentials
  • Compliance
  • Decommissioning

Why do we need non-human identity management?

Effective NHIM is essential for several reasons:

  1. Identity-based breaches have grown significantly. According to the IBM Cost of a Data Breach Report 2023, the global average cost of a data breach in 2023 was USD 4.45 million, marking a 15% increase over three years. Moreover, credentials remain the primary target for attackers: the 2024 Data Breach Investigations Report by Verizon states that stolen credentials account for 77% of basic web application attacks.
    The threat is real, even for the most security-aware organizations. Below is an illustrative list of compromised organizations in the last 12 months:
  2. Traditional Identity Governance and Administration (IGA) tools are designed with human identities in mind, relying on authoritative sources such as human resources (HR) or Active Directory. However, these tools fall short when applied to non-human identities, which are decentralized and distributed across various environments (in the cloud(s), on-premises systems, …).
  3. Modern enterprise systems are characterized by a network of interconnected devices, applications, and automated processes. The scale and growth of NHIs, combined with the lack of a centralized repository and clear ownership, make operationalizing security policies and best practices for NHIs extremely hard without purpose-built automation.

Unmanaged NHIs can expose organizations to security violations

Referring to the MITRE ATT&CK Matrix for Enterprise, NHIs are involved in various adversary tactics and techniques, including:

  • Initial access: The adversary tries to enter your network.
    • Supply Chain Compromise (T1195)
    • Trusted Relationship (T1199)
    • Valid Accounts (T1078)
  • Persistence: The adversary aims to maintain access.
    • Account Manipulation (T1098)
    • Create Account (T1136)
    • Valid Accounts (T1078)
  • Credential Access: The adversary tries to steal credentials aiming to escalate privileges and move laterally within the network.
    • Credentials from Password Stores (T1555)
    • Unsecured Credentials (T1552)
    • Steal Application Access Token (T1528)

Attackers gain access via NHIs through the following threat vectors:

  • Stale privileged unrotated NHIs: Despite their privileged access, stale or orphaned accounts remain unchanged and susceptible to exploitation because nobody owns them, nobody is accountable for them, and their credentials are never rotated.
  • Unrotated secrets exposed to off-boarded employees: Secrets left unrotated and known to a former employee pose a significant risk, especially when they can be used from the internet and carry privileged access.
  • Stale storage accounts: Stagnant storage accounts present a potential security loophole: outdated configurations might leave sensitive data vulnerable to unauthorized access or compromise.
  • Active secrets with 50+ year expiration dates: Secrets with excessively long expiration dates pose a security risk: they provide an extended window of opportunity for malicious actors to exploit vulnerabilities.
  • Vaults with unused access policies: Vaults containing unused access policies represent an overlooked security gap: they may inadvertently grant unauthorized access to sensitive resources or data.
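A posture check that flags the five threat vectors above across an NHI inventory, as an added example (not Oasis code). The record format, field names, the fixed "now" and the staleness, lifetime and unused-policy thresholds are all assumptions made for the illustration.

```python
"""Posture checks for the NHI threat vectors listed above (added example; not Oasis code).

The inventory format, field names and thresholds are assumptions made for this
illustration; real platforms expose this data through their own APIs.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

STALE_AFTER = timedelta(days=90)            # assumed: unrotated longer than this is "stale"
MAX_LIFETIME = timedelta(days=365 * 5)      # assumed: expiry further out than this is excessive
UNUSED_POLICY_AFTER = timedelta(days=180)   # assumed: a policy idle this long counts as unused

NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)  # fixed "now" so results are reproducible


def _parse(ts: Optional[str]) -> Optional[datetime]:
    return datetime.fromisoformat(ts) if ts else None


def check_identity(nhi: dict, now: datetime = NOW) -> list:
    """Return the threat-vector findings that apply to one NHI record."""
    findings = []
    last_rotated = _parse(nhi.get("last_rotated"))
    expires = _parse(nhi.get("expires_at"))
    stale = last_rotated is None or now - last_rotated > STALE_AFTER

    # 1. Stale privileged unrotated NHI: privileged, unrotated and with no owner.
    if nhi.get("privileged") and stale and not nhi.get("owner"):
        findings.append("stale-privileged-unrotated")

    # 2. Unrotated secret still known to an off-boarded employee.
    people = nhi.get("people_with_access", [])
    if stale and any(p.get("status") == "offboarded" for p in people):
        findings.append("unrotated-secret-known-to-offboarded-employee")

    # 3. Stale storage account: a storage NHI nobody has used for a long time.
    last_used = _parse(nhi.get("last_used"))
    if nhi.get("kind") == "storage-account" and (last_used is None or now - last_used > STALE_AFTER):
        findings.append("stale-storage-account")

    # 4. Active secret with an excessively long (e.g. 50+ year) expiration date.
    if nhi.get("active") and expires is not None and expires - now > MAX_LIFETIME:
        findings.append("excessive-expiration")

    # 5. Vault with access policies nobody has used.
    if nhi.get("kind") == "vault":
        for pol in nhi.get("access_policies", []):
            used = _parse(pol.get("last_used"))
            if used is None or now - used > UNUSED_POLICY_AFTER:
                findings.append("unused-vault-policy:" + pol["name"])
    return findings


def audit(inventory: list, now: datetime = NOW) -> dict:
    """Map each NHI name to its findings; identities with no findings are omitted."""
    report = {}
    for nhi in inventory:
        hits = check_identity(nhi, now)
        if hits:
            report[nhi["name"]] = hits
    return report


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    {"name": "svc-billing", "kind": "service-account", "privileged": True, "active": True,
     "owner": None, "last_rotated": "2023-02-01T00:00:00+00:00",
     "expires_at": "2099-01-01T00:00:00+00:00", "people_with_access": []},
    {"name": "ci-deploy-key", "kind": "api-key", "privileged": False, "active": True,
     "owner": "platform-team", "last_rotated": "2024-03-01T00:00:00+00:00",
     "people_with_access": [{"user": "former-dev", "status": "offboarded"}]},
    {"name": "legacy-blob", "kind": "storage-account", "active": True, "owner": "it",
     "last_rotated": "2024-12-01T00:00:00+00:00", "last_used": "2024-01-01T00:00:00+00:00"},
    {"name": "prod-vault", "kind": "vault", "active": True, "owner": "secops",
     "last_rotated": "2024-12-20T00:00:00+00:00",
     "access_policies": [{"name": "reader-app", "last_used": "2025-01-10T00:00:00+00:00"},
                         {"name": "old-batch", "last_used": "2024-02-01T00:00:00+00:00"}]},
    {"name": "healthy-key", "kind": "api-key", "privileged": True, "active": True,
     "owner": "data-team", "last_rotated": "2024-12-30T00:00:00+00:00",
     "expires_at": "2025-06-01T00:00:00+00:00", "people_with_access": []},
]

if __name__ == "__main__":
    for name, hits in audit(SAMPLE_INVENTORY).items():
        print(name + ": " + ", ".join(hits))
```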

Being able to find and highlight these vulnerabilities is the first step to proactively managing and securing non-human identities to mitigate security risks and safeguard organizational assets.

Figure: vulnerabilities found for every 1000 non-human identities

How to choose the right NHIM platform

NHIM represents a significant shift in Identity and Access Management (IAM). While identity has become the new security perimeter, focusing only on human identities is no longer enough. Organizations need specialized solutions designed specifically for the unique requirements of non-human entities. These solutions should address fundamental requirements, including:

  • Holistic Contextual Visibility: Complete visibility into the non-human identity landscape is indispensable. An NHIM platform should offer holistic contextual visibility, providing insights into usage patterns, dependencies, and relationships within the ecosystem.
  • Work across the hybrid cloud: The NHIM platform must go beyond the boundaries of traditional infrastructure and operate seamlessly across hybrid cloud environments. From leading Infrastructure as a Service (IaaS) providers like AWS, Azure, and GCP to Platform as a Service (PaaS) and Software as a Service (SaaS) offerings, the platform should cover the full range of cloud technologies as well as on-premise services.
  • Active Posture Management: Proactive posture management is indispensable in the face of evolving threats. An NHIM platform should enable organizations to assess the security posture of non-human identities in real-time and take proactive measures to mitigate risks.
  • Lifecycle Management & Automation: From provisioning to rotation and decommissioning, lifecycle management of non-human identities must be automated. An NHIM platform should offer robust capabilities for automating key lifecycle management tasks, enhancing operational efficiency and security.
  • Work across secret managers and PAMs: An NHI platform should integrate with popular secret management solutions such as HashiCorp Vault, Azure Key Vault, and CyberArk. Moreover, it should interoperate seamlessly with Privileged Access Management (PAM) solutions like CyberArk and Delinea, so that secrets found by the NHI platform can be properly secured and vaulted in the PAM solution.
  • Developer-ready: The NHIM platform should feature robust APIs for easy integration with applications and services, supporting automation and customization. It should also integrate seamlessly with the operational stack, including Infrastructure as Code (IaC) tools, IT Service Management (ITSM) systems, logging frameworks, and development tools.

By implementing a robust NHIM platform, equipped with the integration to the necessary ecosystem and capabilities, organizations can effectively manage non-human identities, strengthen their security posture, and fully leverage the benefits of automation and interconnected systems.

Introducing Oasis: The Non-Human Identity Management Platform

Oasis is designed for NHIs from the ground up. Our approach ensures comprehensive management and security of non-human assets across different environments. Oasis combines powerful Discovery & Inventory, Posture & Remediation, and Lifecycle Management capabilities in a single integrated and easy-to-use solution.

Here’s how Oasis unlocks real, effective NHIM:

  1. Non-Human Identity Centric: Identities are the key starting point of our platform, not infrastructure or secrets. This allows us to create a complete and actionable view of the operational context of how systems are interconnected, giving us a high-fidelity view of dependencies, usage and entitlements.
  2. Cross-System Insights: Oasis is engineered to work without pre-existing knowledge of an environment and doesn’t depend on a single authoritative source. The Oasis platform connects, aggregates and analyzes data across various systems (IDPs, event logs, secret managers, ASPMs, DSPMs), providing a holistic inventory with rich contextual information on each identity and its posture.
  3. Lifecycle Orchestration: We offer powerful lifecycle management capabilities, automating key processes from creation to decommissioning. This ensures that all identities are properly managed throughout their entire lifecycle, reducing the risk of security breaches.
  4. Support the Hybrid Cloud: Oasis supports hybrid cloud environments, allowing organizations to manage non-human identities across both on-premises and cloud infrastructures. This flexibility ensures consistent security and compliance in diverse IT landscapes.
  5. Fast Time to Value: Our platform delivers quick and tangible benefits, enabling organizations to see value rapidly. Oasis customers have been able to identify and resolve the first issues in as little as a few days since starting to use the platform. With streamlined implementation and intuitive features, Oasis helps businesses enhance their security posture without lengthy deployment times.

Contact us today to start your journey towards robust Non-Human Identity Management. Let’s work together to secure your digital landscape and embrace the future with confidence.

Oasis Security Discovers Microsoft Azure MFA Bypass

Written by: Tal Hason, Oasis Security

Oasis Security’s research team uncovered a critical vulnerability in Microsoft’s Multi-Factor Authentication (MFA) implementation, allowing attackers to bypass it and gain unauthorized access to the user’s account, including Outlook emails, OneDrive files, Teams chats, Azure Cloud, and more. Microsoft has more than 400 million paid Office 365 seats, making the consequences of this vulnerability far-reaching.

The bypass was simple: it took around an hour to execute, required no user interaction and did not generate any notification or provide the account holder with any indication of trouble.

Upon discovery, Oasis reported the flaw to Microsoft and collaborated with them to resolve it. Below are details of the vulnerability, its resolution, and lessons learned. You can read the Oasis Security Research team’s full report here.

The Vulnerability

When users first arrive at the login page they are assigned a session identifier.

After typing a valid email and password, users are asked to further verify their identity. Microsoft supports a variety of MFA methods, including a verification code from an application. Using such an application, users type in the 6-digit code to complete their authentication.

Up to 10 consecutive failed attempts were allowed for a single session.

Lack of rate limit

By rapidly creating new sessions and enumerating codes, the Oasis research team demonstrated a very high rate of attempts that would quickly exhaust the total number of options for a 6-digit code (1M). Simply put – one could execute many attempts simultaneously.

During this period, account owners did not receive any alert about the massive number of consecutive failed attempts, making this vulnerability and attack technique dangerously low profile.

Timeframe to Guess a Single Code

Authenticator app codes are time-limited. The next question was how long attackers had to guess a single code.

RFC 6238 is the TOTP specification that Authenticator apps implement. RFC 6238 specifies that a different code be generated for each time step of 30 seconds, and most apps and validators use this setting. However, because of potential clock differences and delays between the validator and the user, RFC 6238 encourages the validator to accept codes from a larger time window.

In short, this means that a single TOTP code may be valid for more than 30 seconds. The Oasis Security Research team’s testing with Microsoft sign-in showed a tolerance of around 3 minutes for a single code, extending 2.5 minutes past its expiry, allowing 6x more attempts to be sent.

Given the allowed rate, we had a 3% chance of correctly guessing the code within the extended timeframe. A malicious actor would have been likely to proceed and run further sessions until they hit a valid guess. The Oasis Security Research team did not encounter any issues or limitations doing that.

After 24 such sessions (~70 minutes) a malicious actor would already pass the 50% chance of hitting a valid code. This is before considering the additional codes generated within the timeframe that would make a few more guessed codes valid.

The Oasis Security Research team successfully attempted this method several times. Below is a screen recording of one of the successful attempts where the researchers guessed the code early on.

The Resolution

While specific details of the changes are confidential, we can confirm that Microsoft introduced a much stricter rate limit that kicks in after a number of failed attempts; the strict limit lasts around half a day.
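An RFC 6238 validator that budgets failed attempts per account rather than per session, as an added example of the two points above (the acceptance window and why a per-session limit alone does not bound guessing). This is not Microsoft's or Oasis's code; the budget of 10 and the half-day lockout follow the figures in the text, while the window size, the demo secret and the scenario are assumptions.

```python
"""TOTP validation with an account-level failure budget (added example; not Microsoft's
or Oasis's code). Failures are counted per account across all sessions, so opening a
fresh session does not reset the budget. Thresholds are assumptions for the illustration."""
import hashlib
import hmac
import struct

STEP = 30                    # RFC 6238 default time step, in seconds
DIGITS = 6
WINDOW = 1                   # accept one step before/after (assumed clock-drift tolerance)
MAX_FAILURES = 10            # assumed account-wide budget before lockout
LOCKOUT_SECONDS = 12 * 3600  # assumed: the page says the stricter limit lasts about half a day


def totp(secret: bytes, t: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP over counter floor(t / step) with HMAC-SHA1 and dynamic truncation."""
    counter = int(t // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpValidator:
    """Validator whose failure counter is keyed on the account, never on the session."""

    def __init__(self, max_failures=MAX_FAILURES, lockout=LOCKOUT_SECONDS, window=WINDOW):
        self.max_failures, self.lockout, self.window = max_failures, lockout, window
        self.failures = {}      # account -> consecutive failed attempts (all sessions)
        self.locked_until = {}  # account -> unix time at which the lockout ends

    def verify(self, account: str, secret: bytes, code: str, session_id: str, now: float) -> str:
        """Return 'locked', 'ok' or 'bad'. session_id is deliberately ignored for limiting."""
        if self.locked_until.get(account, 0) > now:
            return "locked"
        for k in range(-self.window, self.window + 1):       # acceptance window
            if hmac.compare_digest(totp(secret, now + k * STEP), code):
                self.failures[account] = 0                   # a correct code resets the budget
                return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            self.failures[account] = 0
        return "bad"


def _wrong_code(secret: bytes, t: float) -> str:
    """A code that is not valid at time t for any step in the acceptance window."""
    valid = {totp(secret, t + k * STEP) for k in range(-WINDOW, WINDOW + 1)}
    return next(c for c in ("000000", "111111", "222222", "333333") if c not in valid)


def simulate_session_hopping(attempts: int, per_session: int = 10) -> dict:
    """Constructed scenario: wrong codes sent one second apart, with a fresh session every
    per_session attempts. Because the counter is per account, new sessions do not help."""
    secret = b"constructed-demo-secret-not-real"
    v = TotpValidator()
    now = 1_700_000_000.0
    results = {"bad": 0, "locked": 0}
    for i in range(attempts):
        session = "sess-%d" % (i // per_session)
        t = now + i
        results[v.verify("alice", secret, _wrong_code(secret, t), session, t)] += 1
    results["lockout_active"] = v.locked_until.get("alice", 0) > now + attempts
    return results


if __name__ == "__main__":
    print(simulate_session_hopping(30))   # ten 'bad' answers, then 'locked' for the rest
```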

Vulnerability timeline and Microsoft response:

  • 24/06/2024 – Microsoft Acknowledgment of the issue
  • 04/07/2024 – Microsoft Deployed a temporary fix
  • 09/10/2024 – Microsoft Deployed Permanent Fix

Guidelines For Organizations Using MFA

  • Enable MFA – The flaw discussed in this article belongs to a specific implementation that has been fixed prior to releasing this text. Enabling MFA remains a critical cybersecurity best practice. Use either Authenticator apps or stronger passwordless methods.
  • Stay vigilant by monitoring for leaked credentials, and change your password regularly – While MFA can protect a user if their credentials are compromised, as shown here, an implementation flaw in the validation process can quickly render it ineffective.
  • Add a mail alert for failed MFA attempts – In general, monitoring for wrong password sign-ins is likely to create a lot of noise, especially on targeted accounts. However, filtering this specifically to failed second factor codes reduces the noise to only those cases where the actor holds a correct password, which are much more important. In addition, the alerts should be sent to the account owner, who can verify whether the login attempts were made by them or not, allowing them to take immediate action if necessary.
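Detection logic for the third guideline, as an added example (not Oasis's or Microsoft's code): it runs over constructed sign-in events and alerts only on repeated failed second-factor codes, ignoring password failures. The event format, field names and thresholds are assumptions.

```python
"""Alert on repeated failed second-factor codes only (added example; not Oasis's or
Microsoft's code). Password failures are skipped: they are noisy and say nothing about
whether the actor holds a valid password. Event format and thresholds are assumptions."""
import json
from collections import defaultdict, deque

FAILED_MFA_THRESHOLD = 5   # assumed: failed second-factor codes per account before alerting
WINDOW_SECONDS = 600       # assumed: sliding window in which the failures are counted

# Constructed sign-in log, one JSON event per line. stage is "password" or "mfa".
SAMPLE_LOG = """
{"ts": 1000, "user": "alice", "stage": "password", "result": "failure", "ip": "198.51.100.7", "session": "s1"}
{"ts": 1005, "user": "alice", "stage": "password", "result": "failure", "ip": "198.51.100.7", "session": "s2"}
{"ts": 1010, "user": "bob", "stage": "password", "result": "success", "ip": "203.0.113.9", "session": "s3"}
{"ts": 1012, "user": "bob", "stage": "mfa", "result": "failure", "ip": "203.0.113.9", "session": "s3"}
{"ts": 1013, "user": "bob", "stage": "mfa", "result": "failure", "ip": "203.0.113.9", "session": "s4"}
{"ts": 1014, "user": "bob", "stage": "mfa", "result": "failure", "ip": "203.0.113.9", "session": "s5"}
{"ts": 1015, "user": "bob", "stage": "mfa", "result": "failure", "ip": "203.0.113.9", "session": "s6"}
{"ts": 1016, "user": "bob", "stage": "mfa", "result": "failure", "ip": "203.0.113.9", "session": "s7"}
{"ts": 1020, "user": "carol", "stage": "password", "result": "success", "ip": "192.0.2.44", "session": "s8"}
{"ts": 1021, "user": "carol", "stage": "mfa", "result": "failure", "ip": "192.0.2.44", "session": "s8"}
{"ts": 1030, "user": "carol", "stage": "mfa", "result": "success", "ip": "192.0.2.44", "session": "s8"}
"""


def parse_events(text: str) -> list:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def failed_mfa_alerts(events: list, threshold: int = FAILED_MFA_THRESHOLD,
                      window: int = WINDOW_SECONDS) -> list:
    """One alert per account whose failed second-factor count within `window` reaches
    `threshold`. A correct code resets the count. The alert names the account owner to
    notify, the source IP and how many distinct sessions the failures came from."""
    recent = defaultdict(deque)   # user -> (ts, session) of failed MFA attempts in the window
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["stage"] != "mfa":
            continue                       # wrong-password noise is ignored on purpose
        user = ev["user"]
        q = recent[user]
        if ev["result"] == "success":
            q.clear()
            continue
        q.append((ev["ts"], ev["session"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append({
                "notify_account_owner": user,
                "failed_mfa": len(q),
                "sessions": len({s for _, s in q}),
                "source_ip": ev["ip"],
                "first_ts": q[0][0],
                "last_ts": ev["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in failed_mfa_alerts(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```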

Oasis Research Team

The Oasis Security Research Team is a global group of experts specializing in identity and cloud-native security. With deep experience in offensive and defensive operations, vulnerability research, and threat analysis, we focus on protecting hybrid cloud ecosystems and securing non-human identities. Our mission is to uncover vulnerabilities, analyze emerging threats, and collaborate with vendors to strengthen security across the industry, providing actionable insights that drive resilience and innovation.

The Importance of Secret Rotation in Ensuring Security and Compliance

Written by: Yonit Glozshtein, Oasis Security

Secret rotation might not be the first thing that comes to mind when thinking about cybersecurity, but it is a critical practice for any organization. Whether it is a response to a breach, a compliance requirement, or simply a matter of operational efficiency, it is indispensable. But if secret rotation is so important, why is it often overlooked, and why are the current solutions in the market not enough to keep your data secure?

Let’s first explore why rotating secrets is important in the first place

Respond to an attack or potential exposure: One primary reason for rotating secrets is to respond to security breaches. Consider Cloudflare, for example. When they discovered that Okta had been compromised, their immediate priority was to rotate all exposed credentials to prevent further exposure. When an attack happens to you or to a third party, you do not want to leave your digital keys out in the open.

Meet regulatory compliance and audits: Another reason for secret rotation is compliance with regulatory frameworks and laws. Auditors need proof that your organization manages its identities securely and adheres to the necessary standards. While the primary focus is often on privileged identities, it’s important to manage all secrets to ensure comprehensive compliance and prevent issues such as lateral movement within the organization. This approach not only helps in passing audits but also in maintaining overall security hygiene across the organization.

Keep up with organizational changes: Changes in a company’s organizational structure require a review to determine if secret rotation is needed. When employees join, move within, or leave the company, their permissions must be reassessed and reassigned. This review should not only focus on users and roles within specific applications but also consider any privileged information and secrets the employee had access to.

For instance, if an employee who had access to sensitive information leaves, you must ensure they no longer have access. It is important to note that simply decommissioning their identity in your Identity Governance and Administration (IGA) system or source of truth is not enough. Similarly, when employees move to different roles, their permissions need to be adjusted to prevent excessive access. This ongoing reassessment is crucial for maintaining security integrity and ensuring that only authorized individuals have access to any company assets, including non-human accounts and secrets.

Maintain business continuity: Operational issues also drive the need for secret rotation. Expired secrets can cause applications to break or fall out of sync, necessitating the creation of new secrets and updating configurations to maintain functionality.

Common pitfalls, misconceptions, and challenges of secret rotation

  • “If we properly offboard employees when they leave my company, they no longer have access to any company assets, including non-human accounts and secrets.”

A common misconception is that closing an employee’s account upon offboarding is sufficient to secure secrets and non-human identities (NHI). However, decommissioning or even deleting the employee’s account in the authoritative source or IGA may not stop the former employee’s access to an NHI. Non-human identities represent resources, which can be on-premises within your perimeter or cloud services accessible directly from the internet. In the case of resources in the cloud, NHI is the perimeter, and you only need the NHI to authenticate to the cloud or SaaS. This means that if the employee knows the resource and its secret, they could still gain access from their home.

  • “If we have robust monitoring tools in place, we can detect and prevent unauthorized access to all sensitive information.”

Another misconception is that monitoring tools alone can detect and prevent unauthorized access to all sensitive information. Some organizations believe that having tools like CSPM (Cloud Security Posture Management) or ITDR (Identity Threat Detection and Response) is enough to alert them of any security issues. While these tools are helpful, they do not eliminate the need for secret rotation. They might detect anomalies, but the response to these alerts often requires rotating and managing secrets to mitigate the risks. This process needs to be addressed manually, making the task time-consuming and labor-intensive.

  • “If our secrets are stored securely in a vault, we don’t need to worry about regular rotation.”

Storing secrets in a vault provides a layer of security, but it does not eliminate the need for regular secret rotation. Secrets can still be exposed or compromised through various means, such as phishing attacks or insider threats. Without a proper discovery tool, it is challenging to identify if there are any secrets used directly and not stored in a vault. Even though most organizations implement processes to ensure that everyone uses vaults, it’s not enforceable. Therefore, you need a tool that shows all the secrets, how they’re being used, and by whom. In addition, regular rotation ensures that even if a secret is compromised, its usability is limited, maintaining the overall security of your systems.

  • “If we use secret scanners, we can identify and secure all shared secrets.”

Detection tools like secret scanners can identify shared secrets on platforms like Slack, but they can’t cover all possible avenues, such as WhatsApp or email. It’s unrealistic to assume that all environments can be scanned completely. Hence, rotating and managing secrets remains essential, regardless of the detection tools in place. Regular rotation and proactive management ensure that secrets remain secure and minimize the risk of exposure through unmonitored channels.

Automation is key. Stop the scream test

In many cases, secret rotation is performed only as a measure of last resort and brute force rather than programmatically operationalized. We are all familiar with the notion of the “scream test,” which generally consists of removing the item and waiting for the screams because something broke. If someone screams, put it back; in this particular case, secrets are disabled to see who complains (indicating the secret’s active use). In addition to being dangerous for business continuity, this manual process is tedious, not comprehensive, not repeatable and leads to oversight, inefficiency, and increased risk of exposure.

Automated tools and processes are essential for ensuring comprehensive, efficient, and repeatable secret management across the organization. Only with reliable automation can we make secret rotation a programmatic, seamless process that just works in the background without causing unnecessary operational or business continuity disruption.

Oasis Security – Stop Worrying. Start Rotating.

Written by: Amir Shaked, Oasis Security

As a cybersecurity practitioner, few things have caused me more headaches than rotating a critical secret. The process is always tricky: first, tracking down where the secret is being used, then identifying who owns it to facilitate the change, and finally, dealing with the fear of breaking something or disrupting critical service.

Over the years, I’ve noticed there are three types of companies when it comes to secret rotation. A significant number of companies, like in my case, try to manage it themselves, constantly fearing the chaos that might ensue if something goes wrong. Some companies have thrown in the towel, accepting the risks and not addressing the issue at all. For them, the fear of disrupting a service outweighs the potential risk of a security breach from not rotating passwords. Then there are those who enforce rotation only on specific identities (usually break-glass service accounts) through PAM solutions.

Which category does your company fall into, and more importantly, is there a better way?

Let’s start from the beginning: why is it so important to rotate secrets?

The Importance of Secret Rotation

Rotation is the process of periodically updating a secret. The secret can be an API key, security credential, encryption key, or any other sensitive value. According to best practices, secrets should be rotated regularly, at least every 60 days. But why?

  • Non-human identities (NHIs) do not have additional measures such as multi-factor authentication (MFA) or privilege management, making regular secret rotation even more critical.
  • Regularly rotating secrets reduces the window of opportunity for attackers. If they gain access to credentials, which is not that uncommon (Uber, Datadog, and OneLogin have had AWS key breaches, just to name a few), those credentials quickly become obsolete, limiting potential damage.
  • Frequent rotation of secrets helps mitigate risks posed by insiders or former employees who might retain access to old credentials.
  • Old, forgotten, or unused secrets can become security vulnerabilities. Regular rotation ensures that only current, necessary credentials are in use.

The Challenges of Secret Rotation

Despite its importance, rotating secrets is very complex:

  • Manually updating secrets across multiple applications and services can be labor-intensive and time-consuming, especially as the number of non-human identities grows.
  • The potential for errors is significant. Mistakes such as forgetting to update a secret in one location or misconfiguring a service can lead to downtime and even production disruption.
  • Tracking the owner of each secret, determining which secrets need rotation, and ensuring all instances are updated correctly is challenging without the right tools. As demonstrated by the Cloudflare breach, failing to rotate just four non-human identities (NHIs) allowed hackers to gain access to the organization.
  • Legacy or older systems may not support modern secret rotation practices, making the process more complex and risky. Updating or replacing these systems to facilitate secret rotation can be costly and disruptive.

How Oasis Automates Secret Rotation

At Oasis, we understand the complexities of secret rotation and recognize that there are several scenarios to be accounted for. That’s why we’ve developed a range of capabilities to help you rotate secrets safely and efficiently depending on the use case you want to resolve and the level of automation you want to leverage. Let’s explore the options available to you and how Oasis can help your company get from 0 to 5.

Figure: Levels of secrets rotation autonomy by Oasis Security

  • Manual Rotation: For those who prefer to have complete control, Oasis notifies the user that the NHI is unrotated and how to solve it, providing a manual step-by-step process. The user needs to navigate to the 3rd party vendor to rotate the secret.
  • On-demand Rotation: This on-demand option simplifies the process with a one-click integration. Oasis Posture Engine identifies a policy violation on the life of a secret, reports a posture risk, and provides a rapid response solution to remediate, in this case, by rotating the secret. Once Oasis notifies the user that the secret is unrotated, and after the user initiates the workflow, Oasis interacts with the third-party vendor to rotate the secret. This is a very common remediation scenario.
  • Policy-based Automatic Rotation: For those who want to take automation to the next level, Oasis offers a fully automatic mode. This type of action is configured by the user via policy and executed by Oasis autonomously, either for a single cycle or on a scheduled, permanent basis. Real lifecycle automation!

What Makes Oasis’s Safe Secret Rotation Automation Special?

It’s easy to get wowed by the automation capabilities that the Oasis platform provides when it comes to secret rotation orchestration, but there are other important unique aspects to consider:

  1. Oasis is an identity-centric solution. This means that when we rotate a secret, we do it with a complete understanding of the non-human identity that uses it. This is crucial because it gives Oasis complete knowledge of the context – consumer, resources, and owners – in which the secret is used. As a result, we can actually realize the goal of SAFE rotation that doesn’t break things.
  2. Oasis is vault agnostic. This means we can integrate with various secret management systems, providing flexibility and compatibility with different vault solutions. This flexibility allows organizations to leverage Oasis’s capabilities without being tied to a single vault provider.
  3. Oasis supports automated rotation across clouds. This cross-cloud functionality is a game changer for organizations operating in multi-cloud environments, ensuring consistent and secure secret management.
  4. Policy-driven controls. This means that rotations are governed by predefined policies, ensuring consistency, compliance, and security across the organization. Policies can be tailored to meet specific organizational requirements, providing a high level of control and customization.

Ready to enhance your secret management strategy? Contact us today to learn more about our secret rotation capabilities and how they can benefit your organization.

To learn more, read about the importance of secret rotation in ensuring security and compliance.

Solving Non-Human Identity Ownership with Oasis. Part 2: Attestation

Written by: Guy Feinberg, Oasis Security


In last week’s blog, we took a close look at our new ownership discovery capabilities. Today we complete the picture by digging into the second part of the product release: ownership attestation and attestation campaigns. Discovery is the first step; attestation is what keeps ownership accurate, accountable, and compliant over time. In this blog, we explore how Oasis’s attestation capabilities build on the Oasis Ownership Discovery Engine to strengthen identity governance and fortify your overall security posture.

What is Non Human Identity Attestation?

Non-Human Identity attestation is the systematic review and verification of human ownership and usage of non-human identities (NHI). This ongoing verification is vital to ensure that these NHIs remain secure, compliant, and properly managed throughout their lifecycle.

Why is NHI ownership attestation challenging?

Many organizations struggle with attestation for three reasons:

  • Lack of Assigned Owners: The first, and probably the biggest, barrier is simply knowing who is responsible for each NHI. Without a clear owner, there is no one to verify or manage an identity’s permissions. This lack of accountability often leaves IT and security teams scrambling to identify the right contact for each attestation. The result: delays, gaps in security, and identities with unchecked permissions.

  • Cyclical, Inflexible Attestation Cycles: Most attestation processes follow a rigid, campaign-based model in which permissions are reviewed at set intervals, usually once or twice a year. The periodic approach is meant to keep identities in check, but it often amplifies the problem: for each cycle, IT and security teams must locate and reconfirm ownership of hundreds or thousands of identities, only to repeat the same process next time. This drains resources and leads to administrative fatigue.

  • Manual, Time-Consuming Efforts: Traditional attestation processes are still highly manual, involving spreadsheets, emails, and endless follow-ups. With minimal automation and no centralized ownership structure, IT and security teams handle each attestation by hand. This is not only resource-intensive but also prone to human error, making accuracy and compliance hard to maintain.

How Oasis simplifies ownership attestation

As we discussed in Part 1, automated Ownership Discovery is the essential first step in reducing the burden of identifying the correct owner for each non-human identity. By automating this process, Oasis makes it easy to centralize NHI ownership information. Where the data is not readily available, Oasis AI applies a variety of techniques to suggest the most probable owner. This eliminates the need for IT and security teams to chase down contacts and cuts out time-consuming manual effort.

With automated ownership in place, Oasis enables designated owners to regularly attest to their NHIs, verifying both ownership and usage. Owners are notified via email or Slack, ensuring timely and efficient attestation of NHI usage and ownership. This automation keeps NHIs secure, relevant, and compliant throughout their lifecycle, while providing a streamlined way to report to auditors.

By reducing communication cycles, Oasis helps security teams quickly gather critical feedback from owners, enabling faster identification and remediation of risky access. This not only strengthens the security posture of the organization but also ensures that business processes remain uninterrupted while compliance requirements are met with minimal effort.

Oasis’s attestation workflow allows owners to review each identity with just a few clicks, using intuitive status options:

  • Approved: Confirms that the identity is still needed and authorized for use.
  • Not Needed: Indicates that the identity is no longer required and can be deactivated or removed.
  • Not the Owner: Flags that the assigned owner is incorrect, signaling the need for reassignment.
Oasis’s attestation workflow

Attestation campaigns aligned to business and compliance cycles

With Oasis, organizations can go beyond simple ownership verification by creating targeted attestation campaigns that align with specific compliance requirements, project needs, or business cycles. Campaigns allow IT and security teams to run scoped initiatives that prompt designated owners to review their assigned NHIs on a scheduled or ad-hoc basis.

Attestation campaigns in Oasis are designed for flexibility and control. You can tailor campaigns to cover specific departments, identity types, or high-risk NHIs that require closer oversight. Oasis sends automated notifications to assigned owners, guiding them through the review process. This structured approach not only simplifies ownership review but also ensures that attestation is done consistently across the organization.
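To make the workflow above concrete, here is an added Python example written for this page; it is not Oasis code and does not model any Oasis API. The `NHI` and `Campaign` records, the selector used to scope a campaign, the action names (`keep`, `deactivate`, `reassign`, `escalate`) and the constructed inventory are all assumptions chosen to mirror the three status options and the campaign scoping the text describes. It opens a scoped campaign with a deadline, accepts responses only from the assigned owner for in-scope identities, and at close turns each response, including silence past the deadline, into a follow-up action while keeping an append-only audit trail.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

APPROVED, NOT_NEEDED, NOT_OWNER = "Approved", "Not Needed", "Not the Owner"

@dataclass
class NHI:
    nhi_id: str
    kind: str                 # assumed labels such as "service-account" or "api-key"
    department: str
    owner: Optional[str]      # human owner from discovery; None if still unknown
    high_risk: bool = False

@dataclass
class Campaign:
    name: str
    deadline: datetime
    in_scope: List[str] = field(default_factory=list)
    responses: Dict[str, Tuple[str, str, datetime]] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)     # append-only trail for auditors

def open_campaign(name: str, inventory: Dict[str, NHI],
                  select: Callable[[NHI], bool], deadline: datetime) -> Campaign:
    """Scope the campaign with a selector and queue one review request per in-scope identity."""
    camp = Campaign(name, deadline)
    for nhi in inventory.values():
        if not select(nhi):
            continue
        camp.in_scope.append(nhi.nhi_id)
        camp.audit.append(f"{name}: notify {nhi.owner or '<unassigned>'} to review {nhi.nhi_id}")
    return camp

def record_response(camp: Campaign, inventory: Dict[str, NHI], nhi_id: str,
                    responder: Optional[str], status: str, when: datetime) -> None:
    """Accept a response only from the assigned owner, for an in-scope identity, before the deadline."""
    if nhi_id not in camp.in_scope:
        raise ValueError(f"{nhi_id} is not in campaign {camp.name}")
    if when > camp.deadline:
        raise ValueError(f"campaign {camp.name} closed at {camp.deadline.isoformat()}")
    if status not in (APPROVED, NOT_NEEDED, NOT_OWNER):
        raise ValueError(f"unknown status {status!r}")
    if responder is None or responder != inventory[nhi_id].owner:
        raise PermissionError(f"{responder} is not the assigned owner of {nhi_id}")
    camp.responses[nhi_id] = (status, responder, when)
    camp.audit.append(f"{camp.name}: {responder} marked {nhi_id} '{status}' at {when.isoformat()}")

def close_campaign(camp: Campaign, inventory: Dict[str, NHI]) -> Dict[str, str]:
    """Turn each response, or the lack of one, into a follow-up action."""
    actions: Dict[str, str] = {}
    for nhi_id in camp.in_scope:
        status = camp.responses[nhi_id][0] if nhi_id in camp.responses else None
        if status == APPROVED:
            actions[nhi_id] = "keep"
        elif status == NOT_NEEDED:
            actions[nhi_id] = "deactivate"
        elif status == NOT_OWNER:
            inventory[nhi_id].owner = None       # hand back to ownership discovery
            actions[nhi_id] = "reassign"
        else:
            actions[nhi_id] = "escalate"         # silence past the deadline is a finding, not a pass
        camp.audit.append(f"{camp.name}: {nhi_id} -> {actions[nhi_id]}")
    return actions

def run_demo():
    """Constructed inventory and responses (not real identities) exercising every path."""
    inventory = {
        "sa-billing": NHI("sa-billing", "service-account", "finance", "alice", high_risk=True),
        "key-ci": NHI("key-ci", "api-key", "engineering", "bob"),
        "sa-etl": NHI("sa-etl", "service-account", "finance", "carol"),
        "key-legacy": NHI("key-legacy", "api-key", "finance", None, high_risk=True),
    }
    deadline = datetime(2024, 7, 1, tzinfo=timezone.utc)
    camp = open_campaign("finance-q3", inventory, lambda n: n.department == "finance", deadline)
    replied = deadline - timedelta(days=20)
    record_response(camp, inventory, "sa-billing", "alice", APPROVED, replied)
    record_response(camp, inventory, "sa-etl", "carol", NOT_OWNER, replied)
    rejected = []
    for args in (("key-ci", "bob", APPROVED, replied),            # out of scope
                 ("sa-billing", "mallory", NOT_NEEDED, replied),  # not the assigned owner
                 ("key-legacy", None, APPROVED, replied)):        # nobody to attest yet
        try:
            record_response(camp, inventory, *args)
        except (ValueError, PermissionError) as exc:
            rejected.append(type(exc).__name__)
    actions = close_campaign(camp, inventory)
    return camp, inventory, actions, rejected

if __name__ == "__main__":
    camp, inventory, actions, rejected = run_demo()
    print(actions, rejected)
    print("\n".join(camp.audit))
```

Two design points worth noting. A "Not the Owner" answer does not end the process: it clears the owner so the identity goes back through discovery, which is why the campaign reports it as `reassign` rather than dropping it. And an identity with no owner, or whose owner never answers, is closed out as `escalate`, because an attestation campaign that treats silence as approval quietly recreates the unchecked permissions the section warns about.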

Oasis attestation unlocks massive benefits

  1. Maintain Accurate Access Control: Regular attestation ensures that each identity’s roles and permissions are appropriate and align with operational needs and organizational policies.
  2. Enhanced Security and Compliance: Automated attestation helps prevent unauthorized access and supports adherence to regulatory standards by keeping permissions accurate and reducing the risk of security breaches.
  3. Automated Governance Processes: Automated attestation reduces manual oversight, minimizes human error, and ensures a consistent review process, making identity governance more efficient.
  4. Support for Audit and Reporting Requirements: With built-in tracking and reporting, Oasis’s NHI Attestation provides a comprehensive audit trail that demonstrates compliance during security audits. This ensures that organizations are always ready for regulatory reviews.
  5. Improved Operational Efficiency: Automating the attestation workflow frees up resources by reducing the time and effort required for manual identity reviews, allowing teams to focus on more strategic tasks.

Conclusion

Ready to see how automated attestation can streamline your identity governance and enhance security? Watch our demo to explore how Oasis’s Attestation for Non-Human Identities can simplify your attestation process, improve compliance, and reduce risk, all with just a few clicks.

Don’t miss out—watch the demo now and discover how Oasis can transform your identity management strategy!