Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

4/29/2021
11:55 AM
Eric Kedrosky
Eric Kedrosky
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

The Challenge of Securing Non-People Identities

Non-people identities, which can act intelligently and make decisions on behalf of a person's identity, are a growing cybersecurity risk.

From SolarWinds to Ubiquiti, data breaches have stormed recent headlines, and they all have one risk in common: non-people identities. As affected enterprises recover, there's debate over why these breaches happen and how cloud security can improve. But one thing everyone can agree on is that traditional security is dead, and cloud is the killer. The paradigm has changed, and traditional security approaches no longer work. People and non-people are the new battlegrounds. As US Cybersecurity and Infrastructure Security Agency technical strategist Jay Gazlay said during the most recent Information Security and Privacy Advisory Board meeting, "Identity is everything now."

Enterprises have gone from monolithic applications to microservices; waterfall development to agile; IT control to DevOps control; data centers to cloud architectures; person-deployed infrastructure to code. With expectations for securing cloud environments at an all-time high, security teams are struggling to control non-people identities. Responsible teams must reimagine how they manage security.

Related Content:

2020 Changed Identity Forever; What's Next?

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: How to Create an Incident Response Plan From the Ground Up

Nearly every major data breach today involves an identity compromise and subsequent manipulation of people and non-people identity permissions to gain access. Non-people identities have rights to data, and these rights make breaches more impactful. If you aren't managing the non-people identities, your enterprise is losing the battle.

What Are Non-People Identities?
Non-people identities take many forms, but in general, they can act intelligently and make decisions on behalf of a person's identity. Common non-people identities include roles, service principles, serverless functions, infrastructure as code, containers, and compute resources.

The ephemeral nature, sheer volume, and lack of visibility make non-people identities challenging to manage. With container orchestration, the typical lifetime of a container is 12 hours. Serverless functions, already adopted by 22% of corporations, spin up and are gone in seconds.

Due to the sheer volume of non-people identities that proliferate across an organization, it's tough to manage related risk at scale. An average enterprise may run 1,000 virtual machines (or more) at a time in virtualized environments and public clouds. They may have thousands of connected devices and multiple software-defined infrastructure components spread across a global footprint. There are far more non-people identities than people identities, and oftentimes they're in areas where security teams are completely unaware.

It is not unusual for enterprises to have over 10,000 roles defined across their cloud estate, many affecting non-human identities. Data is no longer in one centralized place. It is used by all these identities. To minimize risk, we need to continuously discover, classify, audit, and protect data while enforcing least privilege.

Non-People Identities Need to Maintain Least Privilege
Least privilege has always been a fundamental security principle that gives identities only the permissions required to get their work done; nothing more. Enforcing least-privilege security controls across all identities is a best practice and the most effective way to reduce overall risk to identities. Least-privilege access should be applied for every access decision, answering the critical questions of who, what, when, where, and how identities access resources.

Effective permissions, or the full permission sets that are granted to an identity, paint a true picture of what an identity can do and access. Enterprise organizations must understand the end-to-end effective permissions of non-people identities to ensure data security.

Managing Effective Permissions Must Be A Priority
Identity is the new perimeter. Comprehensive identity management for all identities, people and non-people, is required. Enterprises' failure to implement these capabilities in the technology ecosystem will expose them to security and compliance risks. Key goals are increasing security, enforcing compliance, reducing business risk, and driving toward business growth and innovation.

To protect non-human identities, enterprises need to:

  1. Continuously inventory all identities
  2. Continuously evaluate their effective permissions and monitor them continuously for changes
  3. Ensure identity security solutions are in place and configured to manage privileged non-human identities

At the very least, enterprises need to be in control of all identities and their interactions within their environments. Therefore, enterprises must work to eliminate shared accounts so that all human or non-human identities interacting with systems have an identity that can be managed and used for applying the principles of least privilege, least access, and separation of duties, while working toward visibility, traceability, and accountability. It is also essential that organizations have a standard, policy-based way of managing identities, which are common targets of compromise for malicious actors.

Eric Kedrosky is CISO at Sonrai Security. He joined the cloud security software company in February 2020 after 16 years of working in the industry. Highlights from his career include working as Director of Security & IT at Verafin, Directory of Information Services & Security ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
Edge-DRsplash-10-edge-articles
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
News
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-2322
PUBLISHED: 2021-06-23
Vulnerability in OpenGrok (component: Web App). Versions that are affected are 1.6.7 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise OpenGrok. Successful attacks of this vulnerability can result in takeover of OpenGrok. CVSS 3.1 ...
CVE-2021-20019
PUBLISHED: 2021-06-23
A vulnerability in SonicOS where the HTTP server response leaks partial memory by sending a crafted HTTP request, this can potentially lead to an internal sensitive data disclosure vulnerability.
CVE-2021-21809
PUBLISHED: 2021-06-23
A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerabilities.
CVE-2021-34067
PUBLISHED: 2021-06-23
Heap based buffer overflow in tsMuxer 2.6.16 allows attackers to cause a Denial of Service (DoS) by running the application with a crafted file.
CVE-2021-34068
PUBLISHED: 2021-06-23
Heap based buffer overflow in tsMuxer 2.6.16 allows attackers to cause a Denial of Service (DoS) by running the application with a crafted file.