Tackling Digital Identity Security: Non-People Identities
Did you miss our recent digital identity security, specifically, non-people identity webinar series? This three-part webinar highlighted crucial cloud security elements about managing non-people identities in the public cloud. In today’s post, learn the key takeaways from this webinar series.
For three months, the Sonrai Security experts hosted a three-part webinar with our Co-Founder and CTO, Sandy Bird, and our CISO and Director of Cloud Security Research, Eric Kedrosky. This webinar series sought to highlight everything about non-people identities and managing enterprise cloud security through identity governance.
Modern public cloud enterprises have innumerable non-people identities, critical to normal operations in the cloud environment. Today, more than before, it is crucial to understand non-people identities and manage the risks they present.
What Exactly Do We Mean by Non-People Identities?
In the first part of the webinar series, Securing Non-Human Identities in AWS and Azure, we covered what we mean by non-people identities, the problems identities can cause, and the best practices for managing them.
Non-people refers to any pieces of computer or digital identities that have control or access rights over other identities or resources within your public cloud. They do not require human monitoring. They exist to fulfill various functions with different abilities and permissions required to perform their roles.
Common types include:
- Compute processes – Virtual machines, EC2 instances, serverless functions, etc.
- IT Administration – Shared accounts, service accounts, technical accounts
- Automation – Deployment role IaaS, bots
- Cloud services – AWS Config, Azure Advisor, and other services empowered to undertake specific actions on your behalf
Unlike the enterprise management of on-premise, cloud providers apply completely novel concepts to create and manage non-people identities. They give you tools to govern and restrict the access of these non-people identities, but these must only serve as starting points. Deployed correctly, this system can work effectively to create a highly secure environment. However, if messed up, the complexity becomes a weapon, creating misconfigurations that can be exploited for nefarious purposes.
The first webinar provides essential background information, although subsequent webinars recap the definitions and functions of non-people identities if you wish to watch them separately.
What Problems Do Non-People Identities Present?
It is important to understand the challenges non-people identities present in enterprise cloud security. The first webinar gives some general challenges, but we expound on the details of these problems in the second part, Securing Non-Human Identities Part 2: AWS. In contrast, the third part discusses the challenges and best practices of Securing Non-Human Identities in Azure.
There are two key aspects to the challenges of cloud identity management that cannot be addressed by cloud service providers alone. It was essential to highlight how different public cloud systems present these challenges, given that AWS and Azure, for instance, work entirely differently from one another. Therefore, while the problems and patterns are similar, the difference lies in how these problems/patterns manifest on different public clouds.
Every enterprise cloud deployment has thousands, even tens of thousands of non-people identities. It is impossible to manually manage such a volume to ensure that each non-person identities have proper permissions and access. This creates the first challenge – the daily running and management of all non-people identities within an enterprise.
Even if that were possible, specific non-people identities could have overreaching permissions that allow them to change themselves as they assume different roles. This is the problem of privilege escalation, which often creates a web of more non-people identities with privileges beyond what their role requires.
But complexity doesn’t exempt any business from identifying risks, sealing gaps, and improving management. It’s all good assuming everyone that gains access to non-people identities has the right intentions, but nefarious access, even from within the organization, is always possible. “The complexity is your friend if you do it right, but if you get it wrong, the consequences could be catastrophic,” notes Sandy Bird.
Best Practices to Consider When Managing Non-People Identities?
The best practices when securing non-people identities, just like challenges, are much the same in concept, differing only in execution. In the second and third webinars, we highlight the essential ideas to implement regardless of the tools and solutions you use. Some of them include:
- Carefully create and manage “break glass” identities – super-privileged identities to be used in case of emergencies. They should be there and monitored to prevent misuse.
- Have a team (or process) that certifies identities regularly – someone should continuously go through the identities, understand, and adjust effective permissions.
- Avoid overpermissioning – develop an approach to get to and maintain the principle of least privilege – least privilege is not a fixed set, especially in the cloud where everything changes quickly.
- Kill dormant identities – old identities get left hanging all the time. Who else finds it, and how will they use/misuse it?
- Continuously monitor your identities for behavior and/or permission changes.
Of course, there is much more detail to these best practices, which is why you want to check out the complete webinar series.
Immediate Steps You Can Take to Secure Your Non-People Identities
At Sonrai Security, we can help you manage all your identities and bolster your enterprise cloud security by ensuring that all human and non-human identities work the way they should. If you wish to learn more, follow our blog to get more information on the various aspects of securing non-human identities. To learn about how we can help your business, request an assessment or book a demo with us today.