From the Log4J vulnerability to the Colonial Pipeline to SolarWinds, data breaches monopolize the headlines and often have one thing in common – non-person identities. In fact, over the last two years, 79% of companies experienced a data breach while 94% of companies have experienced an identity-related breach at some point over time. That jarring statistic alone is enough of a reason to dedicate 2022 to the year of identity.
As affected enterprises recover, there’s plenty of debate over why these breaches happen and how they could have been prevented. One thing everyone can agree on is that traditional security isn’t working, and the cloud is the killer, but it’s a crime we’re not mad about.
The security paradigm has totally changed. Traditional security approaches cannot apply to the cloud. Person and non-person identities are the new battleground. To put a number to a seemingly intangible concept, respondents to a Sonrai Security-sponsored survey reported on average 7,750 identities existing in their cloud – a number that can easily overwhelm you.
To summarize this transformation – enterprises have gone from monolithic applications to microservices, waterfall development to agile, IT control to DevOps control, data centers to cloud architectures, and person-deployed infrastructure to code. Now, nearly every major data breach in headlines today involves the compromise of an identity and subsequent manipulation of people and non-person identity permissions to gain access. Non-person identities have rights to data, and these rights make breaches more impactful.
If you aren’t managing the non-person identities, your enterprise is losing the battle. With expectations for securing cloud environments at an all-time high, security teams are struggling to control non-person identities. Responsible teams must reimagine how they manage security.
Non-person identity challenges defined
A non-person identity takes on many forms. This can include roles, service principles, serverless functions, connected devices, and more.
The ephemeral nature, high volume, and lack of oversight make non-person identities challenging to manage. Due to the sheer volume of non-person identities that proliferate across an organization, it’s tough to manage related risk at scale. An average enterprise may run 1,000 virtual machines or more at a time in virtualized environments and public clouds. They may have thousands of connected devices and multiple SDI components spread across a global footprint. Non-person identities can far outnumber person ones, and security teams are often completely blind to them. On top of all that, Microsoft research found most non-person identities are over-permissioned, and 40% of non-person identities are dormant… these overprivileged identities are sitting ducks.
It is not unusual for enterprises to have over 10,000 roles defined across their cloud estate, many impacting non-person identities. Data is no longer in one centralized place. It is being accessed across the environment. To minimize risk, we must continuously discover, classify, audit, and protect data while enforcing the least privilege.
Actionable advice for securing non-person identities:
Enforce Least Privilege
Least privilege has always been a fundamental security principle, now, we must apply it to non-persons as well. This means only giving them the permissions necessary to complete their task. Nothing more. Enforcing least privilege security controls across all identities is a best practice and the most effective way to reduce overall identity risk. Least privileged access should be applied for every access decision, answering the critical questions of who, what, when, where, and how identities access resources.
Effective permissions, or the complete list of permissions an identity owns, must be understood. Effective permissions reveal everything your identity can access and do. Enterprise organizations must understand the end-to-end effective permissions of non-person identities to understand the full scope of what could happen if a bad actor finds their way in.
Prioritize Effective Permissions
Identity is the new perimeter. Failure to focus your resources on securing identities in your technology ecosystem will expose your enterprise to security and compliance risks. It should truly be one of the greatest priorities of modern cloud security. Key goals are increasing security, enforcing compliance, reducing business risk, and driving toward business growth and innovation.
Here are some tips that enterprises can use to protect non-person identities.
- Continuously inventory all Identities
- Continuously evaluate their effective permissions and monitor continuously for changes
- Ensure identity security solutions are in place and configured to manage privileged non-person identities
At the very least, enterprises must be in control of their identities and their interactions within their environments. It is so easy for dormant identities to appear as employees move on, and for new ones to emerge as intelligent machines replace human responsibility. Be guided by the Principle of Least Privilege, Least Access, and Separation of Duties, while working towards visibility, traceability, and accountability.
This thought leadership blog is in acknowledgement of Identity Management Day 2022 & in sponsorship of the Identity Defined Security Alliance championship program.