Non-Human Identities: The New Blindspot in Cybersecurity

Since the introduction of computers, usernames and passwords have been the primary method used for access control and authentication. However, as post-mortem analysis of most data breaches reveals, compromised credentials have become the primary point of attack for today’s cyber adversaries. In fact, a recent study by the Identity Defined Security Alliance (IDSA) reveals that credential-based data breaches are both ubiquitous (94% of survey respondents experienced an identity-related attack) and highly preventable (99%). 

Nonetheless, many organizations are still lacking key identity-related security controls and the few forward-thinking companies that have started applying proper access controls are typically focusing on human users. This flies in the face of reality. With digital transformation initiatives that span DevOps, cloud transformation, Internet of Things (IoT), etc., the sheer number of non-human identities far outweighs human users. So, what does this mean for the future of passwords and how organizations approach controlling access to their sensitive resources?

For decades, users have been using static passwords to log in to various accounts and services. Unless mandated by policy, personal preferences, or in response to a data breach, the average password remains unchanged from the moment it is created. This makes it highly susceptible to threat actors, since a static password provides a low probability for verifying the authenticity of a user and can just as easily be a compromised credential purchased on the Dark Net. 

Once in the hands of a cyber-attacker, a stolen password can provide unrestricted access to the compromised account, the ability to move laterally within the network and disrupt business processes or exfiltrate sensitive information. The impact is even more significant if the account belongs to a privileged user, who holds the “keys to the kingdom”. Even when an organization has hardened its security posture by implementing multi-factor authentication (MFA), this added layer of protection does not address threats associated with non-human identities.

Go Beyond Static Passwords

Today, identities include not just people but workloads, services, and machines. In fact, non-human identities represent the majority of “users” in many organizations. Machine identities are often associated with privileged accounts, and typically have a much larger footprint than traditional human privileged accounts within modern IT infrastructures. This is especially true in DevOps and cloud environments, where task automation plays a dominant role. 

These often pose a blind spot, since machine, IoT, service account, and application identities are not always considered when establishing security controls. Besides underestimating the relevance of non-human identities in the context of a data breach, many organizations are quickly realizing that the traditional static password concept that often requires manual and time-consuming configurations is not suitable in fast-moving multi-cloud and hybrid environments, where access needs are often temporary, and changes are constant.

The Future of Authentication: Ephemeral Tokens

Instead of continuing to rely on a static password model, organizations should move to a dynamic password approach. These ephemeral, certificate-based access credentials address the major security issues that plague static passwords without impacting usability and agility in highly digitalized IT environments. 

When implementing ephemeral certificate-based authorization, the target systems are accessed without the need for permanent access credentials, establishing a “zero standing privilege” stance that ensures all access to services must be authenticated, authorized, and encrypted. For each session (be it for a human or machine), the ephemeral certificate is issued from the Certificate Authority (CA), which serves as the trusted third-party and is based on industry-standards such as the temporary X.509 certificate. It encodes the user identity for security purposes and has a short lifetime, avoiding the risk of man-in-the-middle attacks. 

Ultimately, the CA controls access to the target system based on user roles (including roles assigned to workloads, services, and machines), which are created based on rules. The rules for particular roles are generated according to security policies and access requirements. The CA then obtains the rules for each role from the traditional enterprise directory (e.g., Microsoft Active Directory) and uses them to determine proper authentication. This approach alleviates setting up access for each individual user and enables streamlined updates to groups of users.

Conclusion

The integration of identity with security is still work in progress, with less than half of businesses having fully implemented key identity-related access controls according to the IDSA research study. To make things worse, we simply can’t trust static passwords anymore. Furthermore, they’re not suitable for today’s machine identity dominated IT environments that are built for agility and fast-paced change. A better approach is to implement a dynamic password model that when combined with a least privilege approach minimizes the risk of identity-related breaches.