SecurityWeek

Identity & Access

Non-Human Identities: The New Blindspot in Cybersecurity

Since the introduction of computers, usernames and passwords have been the primary method used for access control and authentication. However, as post-mortem analysis of most data breaches reveals, compromised credentials have become the primary point of attack for today’s cyber adversaries. In fact, a recent study by the Identity Defined Security Alliance (IDSA) reveals that credential-based data breaches are both ubiquitous (94% of survey respondents experienced an identity-related attack) and highly preventable (99%). 

Nonetheless, many organizations are still lacking key identity-related security controls and the few forward-thinking companies that have started applying proper access controls are typically focusing on human users. This flies in the face of reality. With digital transformation initiatives that span DevOps, cloud transformation, Internet of Things (IoT), etc., the sheer number of non-human identities far outweighs human users. So, what does this mean for the future of passwords and how organizations approach controlling access to their sensitive resources?

For decades, users have been logging in to accounts and services with static passwords. Unless mandated by policy, personal preference, or a response to a data breach, the average password remains unchanged from the moment it is created. This leaves it highly exposed to threat actors: a static password offers little assurance that the party presenting it is the legitimate user, since it can just as easily be a compromised credential purchased on the Dark Net.

Once in the hands of a cyber-attacker, a stolen password can provide unrestricted access to the compromised account, the ability to move laterally within the network and disrupt business processes or exfiltrate sensitive information. The impact is even more significant if the account belongs to a privileged user, who holds the “keys to the kingdom”. Even when an organization has hardened its security posture by implementing multi-factor authentication (MFA), this added layer of protection does not address threats associated with non-human identities.

Go Beyond Static Passwords

Today, identities include not just people but workloads, services, and machines. In fact, non-human identities represent the majority of “users” in many organizations. Machine identities are often associated with privileged accounts, and typically have a much larger footprint than traditional human privileged accounts within modern IT infrastructures. This is especially true in DevOps and cloud environments, where task automation plays a dominant role. 

These often pose a blind spot, since machine, IoT, service account, and application identities are not always considered when establishing security controls. Besides underestimating the relevance of non-human identities in the context of a data breach, many organizations are quickly realizing that the traditional static password concept that often requires manual and time-consuming configurations is not suitable in fast-moving multi-cloud and hybrid environments, where access needs are often temporary, and changes are constant.

The Future of Authentication: Ephemeral Tokens

Instead of continuing to rely on a static password model, organizations should move to a dynamic password approach. These ephemeral, certificate-based access credentials address the major security issues that plague static passwords without impacting usability and agility in highly digitalized IT environments. 

When implementing ephemeral certificate-based authorization, target systems are accessed without any permanent access credentials, establishing a “zero standing privilege” stance in which all access to services must be authenticated, authorized, and encrypted. For each session (whether for a human or a machine), an ephemeral certificate is issued by a Certificate Authority (CA), which serves as the trusted third party and relies on industry standards such as a short-lived X.509 certificate. The certificate encodes the user identity and has a short lifetime, avoiding the risk of man-in-the-middle attacks.

Ultimately, the CA controls access to the target system based on user roles (including roles assigned to workloads, services, and machines), which are created from rules. The rules for each role are derived from security policies and access requirements. The CA obtains the rules for each role from the traditional enterprise directory (e.g., Microsoft Active Directory) and uses them to decide what a given session is permitted to access. This approach removes the need to set up access for each user individually and allows groups of users to be updated in one place.
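The following is an added example, not code from the article or from any product it mentions, showing the flow described above with Go's standard `crypto/x509` package: a CA issues a certificate that is bound to one identity (here a constructed workload named `deploy-bot`), carries its roles, and expires minutes after issuance; the target system then verifies the chain at connection time and checks the role. The type and function names (`SessionCA`, `IssueSessionCert`, `Authorize`), the use of the OU field to carry roles, and the sample identity and role names are all assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SessionCA is the trusted third party from the article: it holds the signing
// key and issues one short-lived certificate per session (illustrative name).
type SessionCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
	Pool *x509.CertPool // what target systems are configured to trust
}

// NewSessionCA creates a self-signed CA. A real deployment keeps this key in an HSM.
func NewSessionCA(name string) (*SessionCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &SessionCA{Cert: cert, Key: key, Pool: pool}, nil
}

// IssueSessionCert binds one identity (human or workload) and its roles to a
// certificate that expires after ttl. No standing credential is created: the
// session key is generated fresh and is never stored by the CA.
func (ca *SessionCA) IssueSessionCert(identity string, roles []string, issuedAt time.Time, ttl time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		// Roles ride in the OU field here (an assumption); the article's CA would
		// derive them from the enterprise directory.
		Subject:     pkix.Name{CommonName: identity, OrganizationalUnit: roles},
		NotBefore:   issuedAt,
		NotAfter:    issuedAt.Add(ttl),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Authorize is the check a target system runs on every connection: the chain
// must verify against the trusted CA at time `at` (which enforces expiry), and
// the certificate must carry the role the resource requires.
func Authorize(trusted *x509.CertPool, leaf *x509.Certificate, requiredRole string, at time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       trusted,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return fmt.Errorf("certificate rejected: %w", err)
	}
	for _, role := range leaf.Subject.OrganizationalUnit {
		if role == requiredRole {
			return nil
		}
	}
	return errors.New("identity " + leaf.Subject.CommonName + " lacks role " + requiredRole)
}

func main() {
	ca, _ := NewSessionCA("Session CA")
	issued := time.Now()
	leaf, _, _ := ca.IssueSessionCert("deploy-bot", []string{"deployer"}, issued, 5*time.Minute)
	fmt.Println("at +1m :", Authorize(ca.Pool, leaf, "deployer", issued.Add(time.Minute)))
	fmt.Println("at +10m:", Authorize(ca.Pool, leaf, "deployer", issued.Add(10*time.Minute)))
}
```

The point of the example is the two failure modes the article's model is meant to deliver: the same certificate that is accepted one minute after issuance is rejected ten minutes later because the CA never issued a long-lived secret to steal, and a certificate that verifies cleanly is still refused when its roles do not include the one the resource demands. Revocation is deliberately absent; with a five-minute lifetime the CA simply declines to issue the next session certificate.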

Conclusion

The integration of identity with security is still a work in progress, with less than half of businesses having fully implemented key identity-related access controls according to the IDSA research study. To make things worse, we simply can’t trust static passwords anymore. Furthermore, they are not suitable for today’s machine-identity-dominated IT environments, which are built for agility and fast-paced change. A better approach is to implement a dynamic password model that, when combined with a least privilege approach, minimizes the risk of identity-related breaches.

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
