Elastic’s Search AI is an open-source platform that powers search, observability, and security, offering the flexibility to be self-hosted or leveraged as a fully managed service through Elastic Cloud. In this blog post, we’ll go through the approach the InfoSec team at Elastic took to manage their Non-Human Identities (NHIs) within their environment.
Stage 0 – Getting Visibility
Operating across all major Cloud Service Providers, we knew that the number of NHIs present in our environment would not be small. The first step in getting visibility of all assets was to build an asset inventory. A deep dive into how the team built this Asset Inventory is documented in this blog. NHIs are one of the asset types ingested into the team’s asset inventory. This allows the team to enrich data from different platforms and visualize the assets through easy-to-read dashboards.
Stage 1 – Documenting Best Practices
The InfoSec team recognized that while they understood NHI security, NHI owners across the business might not. To bridge this gap in expertise, the Elastic InfoSec team documented all best practices related to NHIs in their centralized wiki and made them accessible to all employees. From there, the team partnered with the Communications team to promote the best practices across the organisation through weekly and monthly newsletters.
One of our core principles is that we’re not done until all members of the organisation are well aware of the best practices and where to find them!
Stage 2 – Show, Don’t Tell
Data is meaningless until you can act on it. That’s precisely why the Elastic team built various visualisations in Kibana to understand their NHI security posture. Through these visualizations, the team was able to perform data analysis and comparison much more easily. Discussions with NHI owners were more productive as they could reference tangible data to guide the conversation. The dashboards even sparked some healthy competition between teams to achieve the best NHI posture! In addition, visualizations helped in quickly identifying and resolving straightforward issues.
The team built some generic and platform-specific visualizations. Some visualisation ideas include:
- Overall number of NHIs
- Number of stale NHIs
- Number of NHIs without an expiration date
- Number of NHIs that are never used
- NHI Rotation Compliance
- Number of NHIs per AWS account

Stage 3 – Automation with Entro + Tines
Managing the sheer number of NHIs that exist within an organisation can be a big headache. While the ideal is to have everything use workload identities, this is not possible across all platforms. Automation has therefore become essential for managing the NHIs in our environment. Automation is a must!
One of the important points when building any automation is to involve your target users as part of the process. In this case, they are NHI owners who are engineers and SREs. It is critical to understand the users’ day-to-day operations to reduce user friction, integrate with their platforms, and get them on board from the early days.
Leveraging the power of Elastic, Tines (Low-code/No-code automation), Entro and Valence (SaaS Security Posture Tooling), the Elastic InfoSec team was able to create various automations to notify NHI owners about the state of their NHIs as well as flag stale and idle NHIs.
The main problem is addressing all of the alerts for remediation and prevention. Typically, this falls solely on InfoSec to complete; however, we took a decentralized approach to the process by distributing the alerts to their respective owners. The team has published some automation stories in the Tines Story Library.
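The posture counters listed under Stage 2 and the per-owner distribution of alerts described above can be derived from the same inventory records. The following is an added example, not Elastic's, Entro's or Tines' code; the field names, the 90/180-day thresholds and the `UNOWNED` triage bucket are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed policy thresholds; the post does not state Elastic's actual values.
STALE_AFTER = timedelta(days=90)
ROTATE_EVERY = timedelta(days=180)

def _ts(value):
    """Parse an ISO-8601 date as UTC, or return None for a missing field."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc) if value else None

def findings(nhi, now):
    """Return the posture findings that apply to one inventory record."""
    out = []
    last_used = _ts(nhi.get("last_used"))
    if last_used is None:
        out.append("never_used")
    elif now - last_used > STALE_AFTER:
        out.append("stale")
    if _ts(nhi.get("expires")) is None:
        out.append("no_expiration")
    changed = _ts(nhi.get("last_rotated")) or _ts(nhi["created"])  # never rotated: age from creation
    if now - changed > ROTATE_EVERY:
        out.append("rotation_overdue")
    return out

def posture(inventory, now):
    """Build dashboard counters and per-owner worklists; unowned NHIs go to triage."""
    totals, by_owner = defaultdict(int), defaultdict(list)
    for nhi in inventory:
        totals["total"] += 1
        for finding in findings(nhi, now):
            totals[finding] += 1
            by_owner[nhi.get("owner") or "UNOWNED"].append((nhi["id"], finding))
    return dict(totals), dict(by_owner)

# Constructed sample inventory; field names and values are hypothetical.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
INVENTORY = [
    {"id": "svc-ci-deploy", "owner": "platform", "created": "2025-03-01",
     "last_used": "2025-05-30", "last_rotated": "2025-04-15", "expires": "2025-10-01"},
    {"id": "svc-legacy-etl", "owner": "data", "created": "2023-01-10",
     "last_used": "2024-11-02", "last_rotated": None, "expires": None},
    {"id": "key-unknown-7", "owner": None, "created": "2024-02-20",
     "last_used": None, "last_rotated": None, "expires": None},
]

if __name__ == "__main__":
    print(posture(INVENTORY, NOW))
```

The `totals` dictionary feeds the dashboard counters, while each `by_owner` entry is the worklist a notification workflow would send to that owner.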

Stage 4 – Continuous Control Monitoring & Proactiveness
Once automation is deployed, it is crucial to make sure that the automation is continuously working as expected and the state is actually improving. Going back to Stage 2, this is where visualizations make it easy to showcase successes or identify improvements required.
Apart from using the newsletter to share knowledge about best practices, the InfoSec team at Elastic also used their company newsletter to share success stories. Such stories not only help in showcasing their great work, but also help with getting more teams on board and expanding the reach.
Proactively maintaining the NHI security posture is also crucial, and GitHub has done an amazing job in providing secret scanning and push protection capabilities at no cost for public repositories. This is the first line of defence. Leveraging Entro’s secret scanning capabilities, the InfoSec team has developed and deployed a pre-commit hook that can be easily integrated with every repository within Elastic’s GitHub organisation. Pre-commit hooks help to prevent potential secret leaks in Git. Elastic has also released an official integration for Entro, which one can use to ingest Entro’s prevention logs into Elasticsearch.
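To show the mechanism a pre-commit hook relies on, here is an added example that is not Elastic's hook and does not use Entro's scanner: it checks only the lines being added in the staged diff and returns a non-zero status so that Git aborts the commit. The three regex detectors are illustrative stand-ins, and the sample diff is constructed, using the placeholder access key ID from AWS documentation.

```python
import re
import subprocess
import sys

# Illustrative detectors (assumption); a real hook would call the organisation's scanner.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_secret": re.compile(r"(?i)(?:api[_-]?key|secret|token|password)\w*\s*[:=]\s*['\"][^'\"\s]{16,}['\"]"),
}
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def scan_diff(diff_text):
    """Return (path, line_no, rule) for every added line that matches a detector."""
    hits, path, line_no = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[6:] if line.startswith("+++ b/") else line[4:]
        elif (m := HUNK.match(line)):
            line_no = int(m.group(1))  # first line number of the hunk in the new file
        elif line.startswith("+"):
            hits += [(path, line_no, rule) for rule, rx in PATTERNS.items() if rx.search(line[1:])]
            line_no += 1
        elif line.startswith(" "):
            line_no += 1  # context lines advance the new-file counter; removals do not
    return hits

def main():
    """Scan what is staged; a non-zero return makes Git abort the commit."""
    diff = subprocess.run(["git", "diff", "--cached", "--no-color"], capture_output=True, text=True, check=True).stdout
    hits = scan_diff(diff)
    for path, line_no, rule in hits:
        print(f"{path}:{line_no}: possible secret ({rule})", file=sys.stderr)
    return 1 if hits else 0

# Constructed sample diff; the key ID is the placeholder used in AWS documentation.
SAMPLE_DIFF = """\
diff --git a/deploy/config.py b/deploy/config.py
--- a/deploy/config.py
+++ b/deploy/config.py
@@ -10,2 +10,3 @@
 REGION = "us-east-1"
-KEY_ID = os.environ["KEY_ID"]
+KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+TIMEOUT = 30
"""

if __name__ == "__main__":
    sys.exit(main())
```

Saved as an executable `.git/hooks/pre-commit`, the script runs before every commit. Because a client-side hook can be bypassed with `git commit --no-verify`, server-side push protection remains necessary alongside it.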

Closing Lessons Learned
There is no secret sauce for improving NHI security posture across an organization. Below are some lessons learned that could be taken from Elastic’s approach:
- Get leadership and engineers’ buy-in. This would help in accelerating the improvement of the NHI posture.
- Data-driven storytelling wins minds.
- Finding owners could be hard – documenting owners is a must.
- User empathy keeps trust; no surprise deletions. Create pilot groups for testing. Make sure that the user’s day-to-day operations are not heavily impacted. This helps highlight emerging issues early. Share successes!
- Automation is a MUST!
As we say at Elastic: “Progress, simple perfection.” Start small and expand as you improve the process. Do not hesitate to ask for help and take any feedback onboard!