Cloud Security: The Rise of the Non-People Identities

6 mins to read

When you think of identity management in an enterprise setting, you may think of your users first. But people are just one part of the equation and growingly a tiny part of that equation. As cloud adoption accelerates, there’s been an explosion in non-people workforce identities over the last few years. 

More than ever, enterprises are increasingly relying on automation and services — a trend that will continue accelerating as more organizations move away from monolithic paradigms to the cloud, including microservices, containerization, and serverless paradigms.

Non-people Identities play an integral role in driving digital transformation, helping businesses scale their workloads and increase productivity at the speed of agile DevOps. However, the upsurge in non-person identities increases risk — a recent trend that requires new ways of managing risk.

A new information security risk management crisis is emerging. Traditional ways of adequately tracking, managing, and protecting workforce identities no longer work. Believe it or not, a study from the Identity Defined Security Alliance (IDSA) found 79% of organizations reported having an identity-related security breach in the last two years.

To avoid suffering the fate of a data breach, enterprises need to take proactive measures, dig deep and understand their identities’ effective (end-to-end) permissions to protect data and ensure operational stability. All organizations should prioritize protecting the new identity perimeter in their technology ecosystem in 2021, reducing risk to the business, increasing security, and enforcing compliance.

What are Non-People Identities?

A non-people identity can take on many forms with your cloud, but they can generally act intelligently and make decisions on behalf of traditional people identity. Think bots, serverless functions, the infrastructure of code, and compute resources. Every time you implement a new technology solution into your organization, you introduce a unique identity to the business, with its own set of risks. Due to digital transformation, there are far more non-person identities than person identities, which means your risk profile is increasing, often in ways and areas unknown to you.

To give you a better idea of what non-person identities look like, let’s explore some more concrete examples.

Serverless Functions

Serverless functions are single-purpose, programmatic functions that are hosted on managed infrastructure. These functions, invoked through the Internet, are hosted and maintained by cloud service providers. Software developers are moving their product code to serverless functions services such as AWS Lambda and Microsoft Azure Functions.

Roles

Within IT administration, several account types that are not linked to any one person, but rather roles and groups within IT administration also need to be managed.

Databases and Data Stores

Databases and data stores are pieces of compute that can be accessed or misconfigured by non-person identities. Cloud environments manage increasingly large volumes of heterogeneous data. This heterogeneity means that a single data store is usually not the best approach. Instead, it’s often better to store different types of data in other data stores, each focused on a specific workload or usage pattern. Selecting the right data store for your requirements is a crucial design decision. There are literally hundreds of implementations to choose from among cloud service provider databases. Datastores are often categorized by structure data and the types of operations they support.

Connected Devices

Connected devices represent one of the most widely deployed groups of non-person identities. This category includes a range of items — from smartphones and tablets to industrial sensors, robots, and connected cameras, among other objects. Devices regularly interact with enterprise resources and can be owned by employees or the company itself. With the emergence of the remote workforce as the new norm, the attack surface for connected devices has increased substantially. 

Applications and Scripts 

Applications and scripts use privileged credentials — or secrets — to access private resources in cloud-native environments, containers, and other tools. Cybercriminals often target these identities to access systems and databases and worm their way deeper into an enterprise’s architecture, increasing their likelihood of uncovering an organization’s crown jewels — their most critical assets.

Software-Defined Infrastructure (SDI) and Containers

SDI is a computing infrastructure that acts independently without any people oversight or management. Containers and networks are often software-defined and have their own identities, and SDI may include storage, compute, or networking components. 

Virtual Machines 

A virtual machine (VM) is a resource that uses software to deploy apps and run programs. They are often used to test apps in sandboxed environments. VMs can be exploited by malicious actors and interact with a host operating system in a strategy called an escape attack. As such, you need to monitor these computing assets for changes and take steps to protect them.

How to Protect Your Non-Person Identities 

Due to the sheer volume of non-person identities that proliferate across an organization, managing related risk at scale is tough. An average enterprise may run 1,000 virtual machines or more at a time in virtualized environments and public clouds. They may also have thousands of connected devices and multiple SDI components spread across a global footprint. 

This is a lot to keep track of for a fast-moving enterprise, compounded with person identities and the potential for a data breach involved. 

The good news is that identity management is fast taking precedent and getting more manageable with the right data and identity platform. In fact, the same IDSA study referenced above found that 99% of respondents believe their identity-related breaches were preventable. It’s simply a matter of prioritizing identity management and taking appropriate measures to clamp down on security and prevent identity sprawl. 

Here are some tips that your business can use to protect non-person identities.

  1. Identify all of your Identities and continuously inventory them
  2. Identify the effective permission for each and every one of your identities and monitor continuously for changes
  3. Ensure identity security solutions are in place and configured to manage privileged non-person identities

1. Prevent Overly Permissive Identities 

Oftentimes, identities have more permissions than they need. When this happens, identities can execute tasks that may cause a great deal of harm — like modifying systems or databases or granting access to a private area. 

Identities with admin access can sometimes gain more and more permissions over time, for example, due to changes in responsibilities, where s/he must maintain previous privileges. Also known as privilege creep, some identities get to the point where they present a security vulnerability. It’s a good idea to keep an eye on privileged accounts to keep them from accumulating too much power. Nowadays, with so many identities, former manual efforts no longer fulfill this need to monitor, flag and adjust accounts. An more effective solution is an automated tool that enables admins to discover identities and send them through the CI/CD pipeline to the team responsible for mitigating them.

2. Maintain Separation of Duties 

The separation of duties principle mandates that identities do not have conflicting responsibilities or the ability to open the organization to risk. 

Often, pieces of compute will violate the separation of duties principle. Even worse, this can happen quietly in the background because non-person identities aren’t always audited. 

To ensure that your organization enforces the separation of duties principle, it’s critical to map all identities across your environment.

3. Use Continuous Monitoring

Modern IT environments are highly dynamic. New identities are continually being introduced and deployed, making it very challenging for security teams to track what’s happening. 

The only way to maintain control is to leverage identity and data security platforms to continuously monitor identities and report changes. 

Non-People or Non-Human Identities Necessity

Digital transformation has introduced a wide range of new identity types, which means that organizations need to change how they approach governing identities and data access in the cloud. Identity security must include not only employees, partners, contractors, customers, and consumers, but all the non-person mentioned above identities as well. This is necessary to meet security and privacy requirements while at the same time enabling business growth and innovation.

Failure to ensure comprehensive identity management capabilities for all identities, people and non-people, exposes organizations to security and compliance risks. Therefore, it is essential for organizations to recognize where and how non-person identities are used in their cloud environments and ensure they have the necessary systems and processes to manage them properly.

At the very least, businesses need to control all identities and their interaction with their environments. Therefore, enterprises must eliminate shared accounts so that all people or non-person identities interacting with systems have an identity that can be managed and used for applying the Principle of Least Privilege / Least Access, visibility, traceability, and accountability purposes. 

It is also essential that organizations have a standard, policy-based way of managing privileged identities, which are common compromise targets for malicious actors. Privileged non-person identities should not be overlooked. Privilege access platforms, therefore, must support privileged non-person identities. Processes, microservices, and containers in production and development environments or DevOps follow this model.

The success of digital transformation depends on the ability to manage the access of everyone and everything. This means having a complete understanding of all the identities at play (people and non-people), understanding their relationships, and having a consistent way to manage and secure them.