From the Log4j vulnerability to Colonial Pipeline to SolarWinds, data breaches monopolize the headlines and often have one thing in common: non-person identities. In fact, in the last two years 94% of companies have experienced an identity-related breach. That jarring statistic alone is reason enough to make 2022 the year of identity.
As affected companies recover, there is much debate about why these breaches occur and how they could have been prevented. One thing everyone can agree on is that traditional security doesn’t work in the cloud, and that the cloud is the killer, yet it’s a crime we don’t get angry about.
The security paradigm has totally changed. Traditional security approaches cannot be applied to the cloud. Personal and non-personal identities are the new battlefield. To put a number on a seemingly intangible concept, respondents to a survey sponsored by Sonrai Security reported an average of 7,750 existing identities in their cloud, a number that can easily overwhelm you.
To summarize this transformation, companies have gone from monolithic applications to microservices; from waterfall to agile development; from IT control to DevOps control; from data centers to cloud architectures; from infrastructure built by hand to infrastructure as code. Now, nearly every major data breach that makes headlines involves the compromise of an identity and the subsequent manipulation of person and non-person identity permissions to gain access. Non-person identities have rights to data, and those rights make breaches more impactful.
If you don’t manage non-personal identities, your business is losing the battle. With expectations to protect cloud environments at an all-time high, security teams are struggling to control non-personal identities. Responsible teams must reimagine how they manage security.
Non-personal identity challenge defined
A non-person identity takes many forms. This can include roles, service principals, serverless functions, connected devices, and more.
The ephemeral nature, high volume, and lack of oversight make non-person identities difficult to manage. Due to the sheer volume of non-person identities proliferating in an organization, it is difficult to manage the related risk at scale. An average company can run 1,000 virtual machines or more at a time in virtualized environments and public clouds. They can have thousands of connected devices and multiple software-defined infrastructure (SDI) components distributed across a global footprint. Non-person identities can far outnumber people, and security teams are often completely blind to them. On top of all that, most non-person identities have excessive permissions, and 40% of those permissions go unused. These identities are easy prey.
It is not uncommon for companies to have more than 10,000 functions defined in their cloud estate, many of which are tied to non-person identities. The data is no longer in a centralized place; it is accessed from across the environment. To minimize risk, we need to continuously discover, classify, audit, and protect data, while also enforcing least privilege.
Practical tips to secure non-personal identities:
Enforce least privilege
Least privilege has always been a fundamental security principle; now we must apply it to non-person identities as well. This means giving them only the permissions necessary to complete their task. Nothing else. Enforcing least-privilege security controls on all identities is a best practice and the most effective way to reduce overall identity risk. Least privilege access must be enforced for every access decision, answering the critical questions of who, what, when, where, and how identities access resources.
Effective permissions, meaning the full list of permissions an identity actually possesses once every attached policy is combined, must be understood. Effective permissions reveal everything an identity can access and do. Enterprise organizations need to understand the end-to-end effective permissions of non-person identities to understand the full scope of what could happen if a bad actor finds their way in.
Prioritize effective permissions
Identity is the new perimeter. If you don’t focus your resources on protecting identities in your technology ecosystem, you will expose your business to security and compliance risks. It really should be one of the highest priorities of modern cloud security. The key goals are to increase security, enforce compliance, reduce business risk, and drive business growth and innovation.
Here are some tips companies can use to protect non-personal identities.
- Continuously inventory all identities.
- Continually evaluate your effective permissions and continuously monitor for changes.
- Ensure identity security solutions are in place and configured to manage privileged non-person identities, not just individuals.
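The effective-permission review described above (under "Enforce least privilege") and the three tips just listed (inventory, evaluate effective permissions, monitor for changes) can be made concrete with a small script. The following is an added example written for this page; it is not code from the original post or from Sonrai Security. It assumes IAM-style policy documents, a constructed action catalogue, a constructed "last used" record, and made-up role names and dates; the 90-day idle window is an assumption, not a value from the post.

```python
"""Effective-permission review for non-person identities.

Added example, not code from the original post or from Sonrai Security.
Given a constructed inventory of cloud roles with IAM-style policy
documents, it computes each role's effective permissions (Allow minus
explicit Deny, wildcards expanded), flags permissions not exercised
within a window, emits a least-privilege replacement policy, and reports
drift between two inventory snapshots. Role names, actions, dates and
the 90-day window are all made up for the example.
"""
from datetime import date
from fnmatch import fnmatchcase

# Constructed action catalogue; a real review would use the provider's full list.
KNOWN_ACTIONS = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "ec2:DescribeInstances", "ec2:TerminateInstances",
    "iam:PassRole", "iam:CreateUser", "kms:Decrypt",
]

# Constructed inventory: role -> list of attached policy documents.
ROLE_POLICIES = {
    "ci-deploy-role": [{"Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:DescribeInstances"]},
        {"Effect": "Deny", "Action": "s3:DeleteObject"},
    ]}],
    "lambda-thumbnailer": [{"Statement": [
        {"Effect": "Allow", "Action": "*"},   # the classic over-grant
    ]}],
}

# Constructed "last used" records, shaped like a provider's access-advisor data.
LAST_USED = {
    "ci-deploy-role": {"s3:GetObject": date(2022, 4, 1),
                       "s3:PutObject": date(2022, 4, 1),
                       "ec2:DescribeInstances": date(2021, 6, 1)},
    "lambda-thumbnailer": {"s3:GetObject": date(2022, 4, 5),
                           "s3:PutObject": date(2022, 4, 5)},
}
TODAY = date(2022, 4, 12)


def expand(patterns, catalogue=KNOWN_ACTIONS):
    """Expand IAM-style wildcards such as 's3:*' or '*' against the catalogue."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return {a for a in catalogue for p in patterns if fnmatchcase(a, p)}


def effective_permissions(policies, catalogue=KNOWN_ACTIONS):
    """Union of all Allow actions minus every explicitly Denied action.
    An explicit Deny wins over any Allow, as in IAM policy evaluation."""
    allowed, denied = set(), set()
    for doc in policies:
        for stmt in doc["Statement"]:
            actions = expand(stmt["Action"], catalogue)
            if stmt["Effect"] == "Allow":
                allowed |= actions
            else:
                denied |= actions
    return allowed - denied


def unused_permissions(effective, last_used, today, max_idle_days=90):
    """Permissions never exercised, or idle for longer than max_idle_days."""
    return {a for a in effective
            if a not in last_used or (today - last_used[a]).days > max_idle_days}


def least_privilege_policy(effective, unused):
    """Replacement policy that keeps only the permissions actually in use."""
    return {"Statement": [{"Effect": "Allow", "Action": sorted(effective - unused)}]}


def review(role_policies, last_used, today):
    """Per-role report: effective set, stale set, and a trimmed policy."""
    report = {}
    for role, policies in role_policies.items():
        eff = effective_permissions(policies)
        stale = unused_permissions(eff, last_used.get(role, {}), today)
        report[role] = {"effective": eff, "unused": stale,
                        "proposed": least_privilege_policy(eff, stale)}
    return report


def inventory_drift(previous, current):
    """Compare two snapshots of role -> effective permissions: which
    identities appeared or vanished, and whose rights gained or lost actions."""
    changed = {}
    for role in previous.keys() & current.keys():
        gained, lost = current[role] - previous[role], previous[role] - current[role]
        if gained or lost:
            changed[role] = {"gained": gained, "lost": lost}
    return {"new": current.keys() - previous.keys(),
            "removed": previous.keys() - current.keys(),
            "changed": changed}


if __name__ == "__main__":
    for role, r in review(ROLE_POLICIES, LAST_USED, TODAY).items():
        print(f"{role}: {len(r['effective'])} effective, {len(r['unused'])} unused")
        print("  proposed least-privilege actions:",
              r["proposed"]["Statement"][0]["Action"])
```

Run on the constructed data, the CI role resolves to four effective actions (the wildcard expands and the explicit Deny removes `s3:DeleteObject`), two of which have not been used in the window, while the `*` role carries all nine catalogue actions with seven of them never exercised. Feeding successive `review` results into `inventory_drift` is the "monitor for changes" step: it surfaces new identities, identities that vanished (a likely sign of a dormant or orphaned role), and identities whose effective permissions grew.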
At a minimum, companies must be in control of their identities and their interactions within their environments. It’s all too easy for dormant identities to be left behind as employees leave, and for new ones to appear as intelligent machines take over human responsibilities. Let yourself be guided by the principles of least privilege, least access and separation of duties, while working towards visibility, traceability and accountability.
This thought leadership blog is in recognition of Identity Management Day 2022 and in sponsorship of the Identity Defined Security Alliance championship program.
*** This is a syndicated Security Bloggers Network blog from Blog – Sonrai Security written by Eric Kedrosky. Read the original post at: https://sonraisecurity.com/blog/proactive-management-of-non-personal-identities/