
Have you been hearing a lot about non-human identities (NHIs) lately? That is because, as more workloads move to the cloud, attackers have found that the easiest way into many SaaS systems is through accounts that do not belong to an actual human employee. NHIs are the credentials that authenticate machine-to-machine interactions and carry out repetitive tasks without human intervention. Service accounts, API keys, certificates, and OAuth tokens are typical examples, and each is a growing attack vector.

Why NHIs Are Hard to Secure

Most organizations have spent years securing their standard employee user accounts: deploying tools to thwart credential theft, building automated workflows to manage an account's lifecycle, and taking remediating action when issues are detected. So why can't NHIs simply reuse those same policies and workflows?

  1. NHIs cannot be held to the same authentication policies as human accounts. Most notably, MFA cannot be used because no human is present to approve an authentication request. Unique credentials, vaulting, and rotation policies have to stand in for it, and implementing them often requires a developer skill set.
  2. NHIs cannot be governed by the same workflows as human accounts. The standard triggering events for provisioning, least-privilege scoping, access review, and decommissioning (a hire, a role change, a termination) do not occur for non-human accounts, which are often created outside the automated user onboarding process.
  3. NHIs are typically long-lived credentials with higher privileges than standard user accounts. The result is identity sprawl: over-permissioned identities that sit outside the organization's identity governance and administration (IGA) program.
  4. There are likely far more NHIs than employee accounts. Industry estimates put the ratio of non-human to human identities as high as 50 to 1.
  5. Advanced anomaly detection built for human users does not transfer well to NHIs. Human baselines rely on working hours, devices, and locations; an automated account that runs continuously at a steady rate offers none of those signals, so it can be nearly impossible to build a meaningful baseline and spot abnormal use.

This is why so many experts are sounding the alarm about planning for NHI security: many of the controls, policies, and workflows that protect standard user identities simply do not apply.
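The five points above suggest what an NHI posture check has to examine in place of the human-account controls: credential age standing in for MFA, ownership and lifecycle flags standing in for the onboarding workflow, and privilege plus last use standing in for access review. The Python below is an added example, not code from the original article or from any product; the NHI record format, the thresholds (90-day rotation, 60-day dormancy), the privilege names and the sample inventory are all constructed assumptions.

```python
"""Posture checks over a non-human identity (NHI) inventory.

Added example, not code from the original article. The record format,
the policy thresholds and the sample inventory are assumptions chosen to
exercise the problems listed above: no MFA (so rotation age is the
control), no onboarding workflow (so ownership is unknown), long-lived
high-privilege credentials, and accounts that were never decommissioned.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TODAY = date(2024, 6, 1)  # fixed reference date so results are reproducible

# Policy thresholds (assumed; tune to your environment)
MAX_CREDENTIAL_AGE = timedelta(days=90)   # rotate at least this often
DORMANT_AFTER = timedelta(days=60)        # unused this long -> decommission candidate
HIGH_PRIVILEGE = {"admin", "owner", "iam:*"}  # assumed privilege names


@dataclass
class NHI:
    name: str
    kind: str                        # service_account | api_key | oauth_token | certificate
    last_rotated: date
    last_used: Optional[date]        # None = never used since issuance
    privileges: frozenset
    owner: Optional[str] = None      # team or person accountable for the identity
    lifecycle_managed: bool = False  # provisioned through the IGA/onboarding workflow?


def findings_for(nhi: NHI, today: date = TODAY) -> list:
    """Return the policy violations for one identity as short tags."""
    issues = []
    if today - nhi.last_rotated > MAX_CREDENTIAL_AGE:
        issues.append("stale-credential")      # no MFA, so rotation is the compensating control
    if nhi.last_used is None or today - nhi.last_used > DORMANT_AFTER:
        issues.append("dormant")               # nothing decommissioned it
    if nhi.owner is None:
        issues.append("no-owner")              # created outside onboarding, nobody accountable
    if not nhi.lifecycle_managed:
        issues.append("outside-governance")    # not tracked by IGA
    if nhi.privileges & HIGH_PRIVILEGE:
        issues.append("high-privilege")
    return issues


def audit(inventory, today: date = TODAY) -> dict:
    """Map every identity name to its list of findings (empty list = clean)."""
    return {n.name: findings_for(n, today) for n in inventory}


def remediation_order(inventory, today: date = TODAY) -> list:
    """Work queue: high-privilege offenders first, then by number of findings."""
    report = audit(inventory, today)

    def priority(name):
        f = report[name]
        return (0 if "high-privilege" in f else 1, -len(f), name)

    return [n for n in sorted(report, key=priority) if report[n]]


# Constructed sample inventory (not real identities).
INVENTORY = [
    NHI("ci-deploy-sa", "service_account", date(2021, 3, 1), date(2024, 5, 31),
        frozenset({"admin"})),                                     # no owner, never onboarded
    NHI("billing-api-key", "api_key", date(2024, 4, 15), date(2024, 5, 30),
        frozenset({"billing:read"}), owner="finance-platform", lifecycle_managed=True),
    NHI("legacy-backup-cert", "certificate", date(2022, 1, 10), date(2023, 11, 1),
        frozenset({"storage:write"}), owner="infra", lifecycle_managed=True),
    NHI("sales-oauth-token", "oauth_token", date(2024, 2, 1), None,
        frozenset({"crm:read"}), owner="sales-ops"),
]

if __name__ == "__main__":
    for name in remediation_order(INVENTORY):
        print(f"{name}: {', '.join(findings_for(next(n for n in INVENTORY if n.name == name)))}")
```

Run against the sample inventory, the admin-level CI service account with an unrotated three-year-old credential and no owner lands at the top of the queue, while the freshly rotated, owned, IGA-managed billing key produces no findings at all; the point is that none of these checks needs a human in the loop, which is exactly why they have to replace MFA and onboarding events rather than wait for them.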

How Attackers Are Using NHIs Today

Attackers have realized that it may be easier and faster to attack widely used SaaS software suppliers than individual users, which is why supply chain attacks have been on the rise since the infamous SolarWinds compromise. While SolarWinds was breached by tampering with the vendor's own build process so that a backdoor shipped inside signed Orion updates, many of the most damaging recent attacks have used NHIs to gain direct access to some of the largest software vendors in the world: Okta, Dropbox, GitHub, and Microsoft.

While I won't go into the root cause of each of these attacks, the common thread is that attackers breach human user accounts, use them to move laterally onto critical servers, and from there obtain higher-privileged non-human accounts. For example, nation-state attackers target dormant accounts belonging to users who have left the victim organization but whose accounts were never removed. When the organization enforces a password reset for all users during an incident, the attacker simply follows the reset instructions for the dormant account and uses the freshly minted credential to move laterally or reach more privileged accounts. Ordinary brute-force and password-spraying campaigns are likewise being used to obtain service account credentials.
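The two techniques described above, a dormant account that is reset and immediately used, and a password spray aimed at service accounts, both leave a recognizable trace in sign-in logs. The Python below is an added example, not code from the original article or from any vendor; the Event schema, the thresholds (90 days dormant, a 24-hour follow-up window, five accounts within ten minutes), the "svc-" naming convention for service accounts and the sample log are constructed assumptions.

```python
"""Detections for the two attacker patterns described above.

Added example, not code from the original article: the Event schema, the
thresholds and the sign-in log below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    kind: str      # "login_success" | "login_failure" | "password_reset"
    src_ip: str


def T(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sign-in log (assumed format; not real data).
SPRAY_SOURCE = "198.51.100.9"
EVENTS = [
    Event(T("2023-12-01T09:00:00"), "jdoe", "login_success", "10.0.0.21"),     # ex-employee's last real login
    Event(T("2024-05-19T08:55:00"), "alice", "login_success", "10.0.0.5"),
    Event(T("2024-05-20T09:00:00"), "alice", "password_reset", "10.0.0.5"),    # org-wide forced reset
    Event(T("2024-05-20T09:03:00"), "alice", "login_success", "10.0.0.5"),
    Event(T("2024-05-20T09:00:00"), "jdoe", "password_reset", "203.0.113.7"),  # attacker walks the reset flow
    Event(T("2024-05-20T09:12:00"), "jdoe", "login_success", "203.0.113.7"),
    Event(T("2024-05-21T02:00:00"), "bob", "login_failure", "10.0.0.8"),       # one typo, not a spray
] + [
    Event(T("2024-05-21T03:00:00") + timedelta(seconds=20 * i), acct, "login_failure", SPRAY_SOURCE)
    for i, acct in enumerate(["svc-backup", "svc-ci", "svc-monitor", "svc-db", "svc-etl"])
]


def detect_dormant_reactivation(events, dormant_after=timedelta(days=90),
                                used_within=timedelta(hours=24)):
    """A password reset on an account with no successful login for `dormant_after`,
    followed by a successful login within `used_within`. Returns
    (account, reset_ts, login_ts, login_src_ip) tuples."""
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_account[e.account].append(e)
    alerts = []
    for account, evs in by_account.items():
        last_login = None
        for i, e in enumerate(evs):
            if e.kind == "login_success":
                last_login = e.ts
            elif e.kind == "password_reset":
                dormant = last_login is None or e.ts - last_login > dormant_after
                follow_up = next((f for f in evs[i + 1:]
                                  if f.kind == "login_success" and f.ts - e.ts <= used_within), None)
                if dormant and follow_up is not None:
                    alerts.append((account, e.ts, follow_up.ts, follow_up.src_ip))
    return alerts


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """One source failing against >= `min_accounts` distinct accounts inside `window`.
    Returns (src_ip, first_failure_ts, targeted_accounts, service_accounts) tuples."""
    failures = defaultdict(list)
    for e in events:
        if e.kind == "login_failure":
            failures[e.src_ip].append(e)
    alerts = []
    for src_ip, evs in failures.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):            # sliding window over this source's failures
            while evs[end].ts - evs[start].ts > window:
                start += 1
            targeted = {e.account for e in evs[start:end + 1]}
            if len(targeted) >= min_accounts:
                # "svc-" prefix marking service accounts is an assumed naming convention.
                service_targets = sorted(a for a in targeted if a.startswith("svc-"))
                alerts.append((src_ip, evs[start].ts, sorted(targeted), service_targets))
                break                          # one alert per source is enough here
    return alerts


if __name__ == "__main__":
    for a in detect_dormant_reactivation(EVENTS):
        print("dormant account reactivated:", a)
    for a in detect_password_spray(EVENTS):
        print("password spray:", a)
```

On the sample log, alice's reset is ignored because she signed in the day before, while jdoe's reset after five months of silence followed by a login from an outside address is flagged; bob's single failure is ignored, while the five failures against five different svc- accounts in eighty seconds from one source are reported as a spray. The dormant-account rule is the cheaper of the two to deploy, since it only needs the last successful login per account, which most identity providers already expose.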

Proactively Identify and Govern NHIs

As with any constantly evolving attack vector, defense in depth and solid security fundamentals are the best protection against bad actors. That means using every IAM tool in your arsenal: Identity Governance and Administration (IGA), Identity Security Posture Management (ISPM), Privileged Access Management (PAM), and Identity Threat Detection and Response (ITDR). Since attacks typically involve both compromised human and non-human accounts, your security strategy needs to be updated continually to address both.

To address non-human account security effectively, start by establishing visibility into all NHIs and maintaining an inventory of them. This has to be an ongoing activity: most organizations lack tooling that continuously tracks NHIs as they are created, so a one-time inventory goes stale as soon as developers mint new keys. Recognizing and closing these gaps is the first step toward managing and governing NHIs at the same level as standard human accounts.