When you think of identity management in an enterprise setting, you may think of your users first. But people are just one part of the equation, and increasingly a small part of it. As cloud adoption accelerates, there has been an explosion in non-person workforce identities over the last few years.
Enterprises rely more and more on automation and services, a trend that will keep accelerating as organizations move away from monolithic architectures to the cloud, with its microservices, containers, and serverless paradigms.
Non-person identities play an integral role in driving digital transformation, helping businesses scale their workloads and increase productivity at the speed of agile DevOps. However, the upsurge in non-person identities also increases risk, a recent trend that requires new ways of managing it.
A new information security risk management crisis is emerging. Traditional ways of adequately tracking, managing, and protecting workforce identities no longer work. Believe it or not, a study from the Identity Defined Security Alliance (IDSA) found 79% of organizations reported having an identity-related security breach in the last two years.
To avoid suffering the fate of a data breach, enterprises need to take proactive measures, dig deep and understand their identities’ effective (end-to-end) permissions to protect data and ensure operational stability. All organizations should prioritize protecting the new identity perimeter in their technology ecosystem in 2021, which will reduce risk to the business, increase security, and enforce compliance.
A non-person identity can take many forms in your cloud, but in general they act and make decisions on behalf of traditional person identities. Think bots, serverless functions, infrastructure as code, and compute resources. Every time you implement a new technology solution in your organization, you introduce a unique identity to the business, with its own set of risks. Due to digital transformation, there are now far more non-person identities than person identities, which means that your risk profile is increasing, often in ways and areas you are completely unaware of.
To give you a better idea of what non-person identities look like, let’s explore some more concrete examples.
Serverless functions are single-purpose, programmatic functions that are hosted on managed infrastructure. These functions, which are invoked through the Internet, are hosted and maintained by cloud service providers. Software developers are moving their product code to serverless function services such as AWS Lambda and Microsoft Azure Functions.
Within IT administration, several account types are tied not to any one person but to roles and groups, and these also need to be managed.
Databases and data stores are pieces of compute that can be accessed, or misconfigured, by non-person identities. Cloud environments manage increasingly large volumes of heterogeneous data. This heterogeneity means that a single data store is usually not the best approach. Instead, it's often better to store different types of data in different data stores, each optimized for a specific workload or usage pattern. Selecting the right data store for your requirements is a key design decision. There are literally hundreds of implementations to choose from among cloud service provider databases. Data stores are often categorized by how they structure data and the types of operations they support.
Connected devices represent one of the most widely deployed groups of non-person identities. This category includes a range of items — from smartphones and tablets to industrial sensors, robots, and connected cameras, among other objects. Devices regularly interact with enterprise resources and can be owned by either employees or the company itself. With the emergence of the remote workforce as the new norm, the attack surface for connected devices has increased substantially.
Applications and scripts use privileged credentials — or secrets — to access private resources in cloud-native environments, containers, and other tools. These identities are often targeted by cybercriminals to access systems and databases and worm their way deeper into an enterprise’s architecture, increasing their likelihood of uncovering an organization’s crown jewels — their most critical assets.
Software-defined infrastructure (SDI) is computing infrastructure that operates without direct human oversight or management. Containers and networks are often software-defined and have their own identities. SDI may include storage, compute, or networking components.
A virtual machine (VM) is a resource that uses software to deploy apps and run programs. VMs are often used to test apps in sandboxed environments. Malicious actors who compromise a VM can attempt to break out of it and interact with the host operating system, a technique known as a VM escape. As such, you need to monitor these computing assets for changes and take steps to protect them.
Due to the sheer volume of non-person identities that proliferate across an organization, it’s tough to manage related risk at scale. An average enterprise may run 1,000 virtual machines or more at a time in virtualized environments and public clouds. They may also have thousands of connected devices and multiple SDI components spread across a global footprint.
This is a lot to keep track of for a fast-moving enterprise, compounded by person identities and the potential for a data breach.
The good news is that identity management is fast taking precedence and getting more manageable with the right data and identity platform. In fact, the same IDSA study referenced above found that 99% of respondents believe their identity-related breaches were preventable. It's simply a matter of prioritizing identity management and taking appropriate measures to clamp down on security and prevent identity sprawl.
Here are some tips that your business can use to protect non-person identities.
Oftentimes, identities have more permissions than they need. When this happens, identities can execute tasks that may cause a great deal of harm — like modifying systems or databases or granting access to a private area.
Identities with admin access can gain more and more permissions over time, for example when responsibilities change but previous privileges are retained. Known as privilege creep, this leads some identities to the point where they present a security vulnerability. It's a good idea to keep an eye on privileged accounts to keep them from accumulating too much power. With so many identities today, manual efforts no longer meet the need to monitor, flag and adjust accounts. An automated tool that lets admins discover identities and route them through the CI/CD pipeline to the team responsible for remediating them is a more effective solution.
The separation of duties principle mandates that no identity has conflicting responsibilities or the ability, on its own, to expose the organization to risk.
Oftentimes, pieces of compute will violate the separation of duties principle. Even worse, this can happen quietly in the background because non-person identities aren’t always audited.
To ensure that your organization is enforcing the separation of duties principle, it’s critical to map all identities across your environment.
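The two checks above, right-sizing over-permissioned identities and enforcing separation of duties, both start from the same question: what can an identity actually do once role membership is followed through? The script below is an added example written for this article, not code from the original post or any vendor product. It resolves each identity's effective permissions through (possibly nested) roles, then flags permissions that were granted but never exercised in the audited window, and identities that hold both halves of a conflicting pair. The identities, roles, usage data, permission names and the SoD pair are all constructed for illustration and do not follow any particular cloud provider's policy model.

```python
"""Added example: resolve each identity's effective permissions through
role membership, then flag (a) granted-but-unused permissions, i.e.
least-privilege candidates, and (b) separation-of-duties conflicts.
All data below is constructed for illustration; the permission names
and SoD pairs are assumptions, not any vendor's real policy model."""

# Constructed inventory: identity -> directly attached permissions and roles.
# Non-person identities (a serverless function, a CI runner) sit beside a person.
IDENTITIES = {
    "lambda:order-processor": {"perms": {"db:read"}, "roles": {"app-runtime"}},
    "ci-runner-prod": {"perms": {"deploy:execute"}, "roles": {"release-mgr"}},
    "alice": {"perms": set(), "roles": {"developer"}},
}

# Constructed roles: role -> permissions, optionally inheriting other roles.
ROLES = {
    "app-runtime": {"perms": {"db:write", "queue:publish"}, "inherits": set()},
    "developer": {"perms": {"repo:push"}, "inherits": set()},
    "release-mgr": {"perms": {"deploy:approve"}, "inherits": {"developer"}},
}

# Constructed usage data: permissions each identity actually exercised
# in the audited window (the kind of data a provider's "last accessed"
# report would supply in a real environment).
USED = {
    "lambda:order-processor": {"db:read", "queue:publish"},
    "ci-runner-prod": {"deploy:execute", "repo:push"},
    "alice": {"repo:push"},
}

# Hypothetical SoD policy: an identity holding both sides of a pair could
# approve its own deployment, so no single identity may hold both.
SOD_PAIRS = [("deploy:approve", "deploy:execute")]


def role_permissions(role, roles=ROLES, _seen=None):
    """Permissions granted by a role, following inheritance; guards against cycles."""
    if _seen is None:
        _seen = set()
    if role in _seen or role not in roles:
        return set()
    _seen.add(role)
    perms = set(roles[role]["perms"])
    for parent in roles[role]["inherits"]:
        perms |= role_permissions(parent, roles, _seen)
    return perms


def effective_permissions(identity, identities=IDENTITIES, roles=ROLES):
    """Direct grants plus everything reachable through assigned roles."""
    entry = identities[identity]
    perms = set(entry["perms"])
    for role in entry["roles"]:
        perms |= role_permissions(role, roles)
    return perms


def unused_permissions(identities=IDENTITIES, roles=ROLES, used=USED):
    """Granted-but-unused permissions per identity: right-sizing candidates."""
    report = {}
    for ident in identities:
        idle = effective_permissions(ident, identities, roles) - used.get(ident, set())
        if idle:
            report[ident] = idle
    return report


def sod_violations(identities=IDENTITIES, roles=ROLES, pairs=SOD_PAIRS):
    """Identities whose effective permissions contain both halves of an SoD pair."""
    found = []
    for ident in identities:
        perms = effective_permissions(ident, identities, roles)
        for a, b in pairs:
            if a in perms and b in perms:
                found.append((ident, a, b))
    return found


if __name__ == "__main__":
    for ident, idle in unused_permissions().items():
        print(f"{ident}: granted but unused {sorted(idle)}")
    for ident, a, b in sod_violations():
        print(f"SoD violation: {ident} holds both {a} and {b}")
```

Note that the CI runner's conflict is invisible if you look only at its direct grants; it inherits `deploy:approve` from a role, which is why mapping effective rather than attached permissions is the prerequisite for both checks.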
Modern IT environments are highly dynamic. New identities are continually being introduced and deployed, making it very challenging for security teams to track what’s happening.
The only way to maintain control is to use an identity and data security platform to monitor identities and report changes continuously.
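Continuous monitoring in practice means taking inventory snapshots on a schedule and reporting the deltas. The following is an added example, not code from the original post or from any identity platform: it compares two constructed snapshots of identities and their effective permissions, lists identities that appeared or disappeared, lists grants added or revoked per identity, and raises an alert when a newly added grant matches a list of sensitive permission patterns. The snapshots, identity names and the sensitive-pattern list are assumptions made for illustration.

```python
"""Added example: diff two identity-inventory snapshots and report changes.
Snapshots are constructed for illustration; in a real environment they
would be pulled from the cloud provider's IAM APIs on a schedule."""
from fnmatch import fnmatch

# Constructed snapshots: identity -> set of effective permissions.
YESTERDAY = {
    "lambda:order-processor": {"db:read"},
    "ci-runner-prod": {"deploy:execute"},
    "svc-reporting": {"db:read"},
}
TODAY = {
    "lambda:order-processor": {"db:read", "db:write"},  # privilege creep
    "ci-runner-prod": {"deploy:execute"},
    "vm-batch-42": {"storage:list"},                    # new non-person identity
}

# Assumed high-impact permission patterns (glob syntax, e.g. "iam:*").
SENSITIVE = ["db:write", "iam:*", "deploy:approve"]


def is_sensitive(perm, patterns=SENSITIVE):
    """True if the permission matches any sensitive pattern."""
    return any(fnmatch(perm, p) for p in patterns)


def diff_snapshots(before, after, sensitive=SENSITIVE):
    """Return a change report between two inventory snapshots."""
    report = {
        "new_identities": sorted(set(after) - set(before)),
        "removed_identities": sorted(set(before) - set(after)),
        "granted": {},   # identity -> permissions added since `before`
        "revoked": {},   # identity -> permissions removed since `before`
        "alerts": [],    # newly granted permissions that are sensitive
    }
    for ident in set(before) | set(after):
        added = after.get(ident, set()) - before.get(ident, set())
        removed = before.get(ident, set()) - after.get(ident, set())
        if added:
            report["granted"][ident] = sorted(added)
        if removed:
            report["revoked"][ident] = sorted(removed)
        for perm in sorted(added):
            if is_sensitive(perm, sensitive):
                report["alerts"].append(f"{ident} gained sensitive permission {perm}")
    report["alerts"].sort()
    return report


if __name__ == "__main__":
    for key, value in diff_snapshots(YESTERDAY, TODAY).items():
        print(f"{key}: {value}")
```

A new identity shows up both in `new_identities` and, because every one of its permissions counts as newly granted, in `granted`; that is deliberate, since an identity created with a sensitive permission from day one should trigger the same alert as an existing identity that acquired it.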
Digital transformation has introduced a wide range of new identity types, which means that organizations need to change the way they approach governing identities and data access in the cloud. Identity security must include not only employees, partners, contractors, customers, and consumers, but all the above-mentioned non-person identities as well. This is necessary to meet security and privacy requirements, while at the same time enabling business growth and innovation.
Failure to ensure comprehensive identity management capabilities for all identities, people and non-people, exposes organizations to security and compliance risks. It is therefore important for organizations to recognize where and how non-person identities are used in their cloud environments and to ensure they have the necessary systems and processes in place to manage them properly.
At the very least, businesses need to be in control of all identities and their interaction with their environments. Therefore, enterprises must work to eliminate shared accounts so that all people or non-person identities interacting with systems have an identity that can be managed and used for applying the Principle of Least Privilege / Least Access, visibility, traceability, and accountability purposes.
It is also essential that organizations have a standard, policy-based way of managing privileged identities, which are common targets of compromise for malicious actors. Privileged non-person identities should not be overlooked. Privileged access platforms, therefore, must support privileged non-person identities: processes, microservices and containers, in both production and development (DevOps) environments where this model is followed.
The success of digital transformation depends on the ability to manage the access of everyone and everything. This means having a complete understanding of all the identities at play (people and non-people), understanding their relationships, and having a consistent way to manage and secure them.