The challenges of securing NHIs throughout the Product Development Lifecycle

Adam Cheriki, Co-founder & CTO, Entro
May 29, 2024

Non-human identities play a key role in product development – they enable machine-to-machine communication, facilitate systems integrations, and automate repetitive tasks.

However, as products and companies mature, these identities become increasingly difficult to manage – Gartner estimates that more than 45 non-human identities are created for every human identity in a company.

These non-human identities come in all shapes and sizes, from service accounts and API keys to OAuth tokens and certificates. They get things done without human intervention, functioning as digital credentials that machines, services, and applications use to authenticate to and communicate with each other. NHIs are often granted broad access permissions and operate without the same level of scrutiny as their human counterparts. For example, service accounts are created so that applications or services can access system resources and perform their tasks, which means they often carry high-level privileges. This extensive access makes them attractive targets for attackers. API keys are even more exposed, because they are frequently found in plain text in source code. Outlined below are some of the key challenges and considerations for building and delivering secure products without exposing the NHIs that run them.

Understanding the posture and security of NHIs across a product development organization is challenging because NHIs can be created, stored, used, and shared in so many different places. NHIs exist in SaaS apps, cloud platforms, secret managers, exposed systems, and on-prem systems. Inventorying and cataloging NHIs throughout the environment is critical, but without the context of what each NHI does and how it is used, it is still difficult to turn that inventory into actionable outcomes.

  1. Excessive permissions

Non-human identities often have broad, always-on access that violates the principle of least privilege. When attackers compromise one, these overly permissive credentials enable lateral movement and increase the blast radius of the attack. Restricting the privileges of an NHI to its intended functional use limits what a compromised identity can reach.

  2. Weak authentication security

NHIs are sometimes referred to as machine identities, which highlights that they are automated and unattended. Authentication controls designed for humans, such as MFA, do not apply to them, so the secret itself is the whole proof of identity, and its exposure is a correspondingly greater risk. Without processes to keep secrets out of code and configuration, and to store only salted hashes of them on the side that verifies them, they end up in plain text in many places, giving attackers a myriad of entry points. When an NHI's secret is left visible in source code, for example, an attacker can use it to impersonate that identity, and because the activity looks legitimate the compromise is even harder to recognize.

  3. Unmanaged lifecycles

Most product development organizations lack standardized NHI lifecycle management workflows in their processes and pipelines. Without processes for provisioning and de-provisioning, identities become orphaned when the associated human users leave the company or the original purpose is forgotten. Orphaned identities are rarely rotated, which widens the window of opportunity for attackers to exploit them.

  4. Decentralized ownership

Non-human identities are typically managed ad-hoc by different teams, such as DevOps, IT, data science, etc., without clear security accountability. This decentralized approach leads to inconsistent non-human identity security in SaaS and difficulty enforcing uniform policies across the organization.

  5. The wrong tools for the job

Legacy privileged access management (PAM) solutions and secrets managers were not designed to handle non-human identities’ dynamic and transient nature in SaaS and cloud environments. Even cloud security posture management (CSPM) and cloud infrastructure entitlement management (CIEM) tools lack the context on identity permissions and activities to detect and mitigate risks effectively.

What steps can you take to secure non-human identities?

In order to establish a successful NHI security program, the following critical steps must be taken:

1. Discovery and inventory of everything

This is the most critical step in securing NHIs throughout the product development lifecycle. To create and maintain a comprehensive inventory of all non-human identities across a multi-cloud ecosystem, an automated secrets scanner is necessary. The scanner must be able to map all non-human identities across SaaS applications, cloud platforms, and on-premises systems, covering every location where they are created, stored, and exposed.
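As an added example (not Entro's scanner and not code from the original post), the sketch below shows the core of such a scanner: fixed-prefix detectors for a few publicly documented credential formats, plus a Shannon-entropy test for generic `secret = ...` style assignments so that placeholder values do not fire, run over a constructed corpus that stands in for source code, a CI pipeline definition, a chat export and a cluster manifest. The file names are made up and every credential-looking value is either a vendor's documented example value or an invented string.

```python
"""Added example of the automated discovery step: a small secrets scanner
run over constructed samples of the places the article lists (source code,
a CI pipeline definition, a collaboration-tool export, a cloud manifest).
This is illustrative code for this article, not Entro's scanner."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Publicly documented credential formats, matched by their fixed prefix.
# A production scanner carries hundreds of these plus provider-side validation.
DETECTORS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Generic catch for "<...>secret/token/password/api_key = <long opaque value>",
# confirmed by entropy so that low-entropy placeholders do not produce findings.
GENERIC_ASSIGN = re.compile(
    r"(?i)(?:secret|token|password|api[_-]?key)\w*\s*[:=]\s*[\"']?([A-Za-z0-9+/=_\-]{20,})"
)


def shannon_entropy(s: str) -> float:
    """Bits per character: ~4.5+ for random base64-ish keys, ~2-3 for words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


@dataclass(frozen=True)
class Finding:
    source: str     # file or system the secret was found in
    line_no: int
    kind: str
    redacted: str   # never carry the full secret into the inventory


def redact(value: str) -> str:
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "****"


def scan_text(source: str, text: str, entropy_threshold: float = 3.5) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        specific = [
            Finding(source, line_no, kind, redact(m.group(0)))
            for kind, rx in DETECTORS.items()
            for m in rx.finditer(line)
        ]
        findings.extend(specific)
        if specific:
            continue  # a known format already explains this line
        for m in GENERIC_ASSIGN.finditer(line):
            value = m.group(1)
            if shannon_entropy(value) >= entropy_threshold:
                findings.append(Finding(source, line_no, "high_entropy_secret", redact(value)))
    return findings


def build_inventory(sources: dict[str, str]) -> list[Finding]:
    return [f for name, text in sources.items() for f in scan_text(name, text)]


# Constructed sample corpus. The AWS values are AWS's documented example
# credentials; the others are invented strings in the documented shape.
SAMPLE_SOURCES = {
    "app/config.py": (
        "DEBUG = True\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
        "DB_PASSWORD = 'password_password_password'\n"   # long but low entropy: ignored
    ),
    ".github/workflows/deploy.yml": (
        "env:\n"
        "  DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}\n"   # reference, not a value: ignored
        "  SLACK_TOKEN: xoxb-123456789012-AbCdEfGhIjKlMnOp\n"
    ),
    "slack-export/devops.txt": (
        "alice: use ghp_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789 to push, I'll rotate it later\n"
    ),
    "k8s/ingress-tls.yaml": (
        "kind: Secret\n"
        "stringData:\n"
        "  tls.key: |\n"
        "    -----BEGIN RSA PRIVATE KEY-----\n"
    ),
}

if __name__ == "__main__":
    for f in build_inventory(SAMPLE_SOURCES):
        print(f"{f.source}:{f.line_no} {f.kind} {f.redacted}")
```

Two design points carry over to any real scanner: findings record a redacted value, so the inventory itself never becomes a second place where the secret is exposed, and the generic detector is only consulted when no known format matched, so a line produces one finding rather than one per overlapping rule.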

Entro offers rigorous scanning capabilities that go beyond the codebase, including CI/CD pipelines, collaboration tools, and cloud configurations to develop a comprehensive and thorough inventory of secrets within an organization.

This complete inventory allows all discovered identities to be classified and normalized by type, permissions, and associated risk. That context is necessary for effective management and monitoring.

2. Follow the Principle of Least Privilege

A critical step in reducing the exposure from an attack is to limit the power of the attacker. Entro helps by identifying “over-permissive” NHIs, meaning identities that hold permissions they never use. By reducing the scope of permissions to only those the NHI needs for its business purpose, an exploited NHI gives an attacker little or no reach into critical assets and systems beyond the base function of the identity compromised. When creating an NHI, the associated privileges should therefore be as restrictive as possible while still allowing it to perform its business function.
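An added example (not Entro's code) of the right-sizing described above: it flags wildcard grants in an IAM-style policy, rebuilds the policy from the (action, resource) pairs the identity was actually observed using, reports the explicitly granted actions that were never used, and then checks that nothing observed has been cut off. The policy, the account ID in the ARNs and the usage data are constructed for the example; the usage list stands in for activity data such as CloudTrail or IAM Access Advisor already rolled up to the resource pattern each statement should carry.

```python
"""Added example for the least-privilege step, not Entro's code. The policy
uses the AWS IAM JSON document shape; the usage list is constructed and
stands in for activity data rolled up to (action, resource pattern) pairs."""
import json
from fnmatch import fnmatchcase


def _as_list(v):
    return v if isinstance(v, list) else [v]


def wildcard_findings(policy: dict) -> list[str]:
    """Static check: Allow statements granting wildcard actions or all resources."""
    out = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        for a in _as_list(st["Action"]):
            if "*" in a:
                out.append(f"statement[{i}]: wildcard action {a!r}")
        for r in _as_list(st["Resource"]):
            if r == "*":  # narrower patterns such as a bucket prefix are left alone
                out.append(f"statement[{i}]: resource '*'")
    return out


def allows(statement: dict, action: str, resource: str) -> bool:
    """Does this single Allow statement permit the call? (Deny precedence not modelled.)"""
    return (
        statement.get("Effect") == "Allow"
        and any(fnmatchcase(action, p) for p in _as_list(statement["Action"]))
        and any(fnmatchcase(resource, p) for p in _as_list(statement["Resource"]))
    )


def right_size(policy: dict, usage: list[tuple[str, str]]) -> tuple[dict, list[str]]:
    """Return (policy narrowed to observed use, explicit actions that were never used)."""
    used = {i: set() for i in range(len(policy["Statement"]))}
    for action, resource in usage:
        for i, st in enumerate(policy["Statement"]):
            if allows(st, action, resource):
                used[i].add((action, resource))
    unused, statements = [], []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            statements.append(st)  # Deny statements are kept as written
            continue
        for a in _as_list(st["Action"]):
            if "*" not in a and not any(fnmatchcase(ua, a) for ua, _ in used[i]):
                unused.append(a)
        if not used[i]:
            continue  # nothing observed through this statement: drop it entirely
        statements.append({
            "Effect": "Allow",
            "Action": sorted({a for a, _ in used[i]}),
            "Resource": sorted({r for _, r in used[i]}),
        })
    return {"Version": policy["Version"], "Statement": statements}, unused


def covers(policy: dict, usage: list[tuple[str, str]]) -> bool:
    """Regression check: the narrowed policy still permits every observed call."""
    return all(any(allows(st, a, r) for st in policy["Statement"]) for a, r in usage)


# Constructed: a typical "just make it work" policy on an order-processing service account.
ORDERS_SERVICE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteQueue"],
         "Resource": "arn:aws:sqs:us-east-1:123456789012:orders"},
    ],
}
# Constructed: what 90 days of activity showed the identity actually doing.
OBSERVED_USAGE = [
    ("s3:GetObject", "arn:aws:s3:::orders-bucket/*"),
    ("s3:PutObject", "arn:aws:s3:::orders-bucket/*"),
    ("sqs:SendMessage", "arn:aws:sqs:us-east-1:123456789012:orders"),
]

if __name__ == "__main__":
    print("\n".join(wildcard_findings(ORDERS_SERVICE_POLICY)))
    narrowed, unused = right_size(ORDERS_SERVICE_POLICY, OBSERVED_USAGE)
    print("never used:", unused)
    print(json.dumps(narrowed, indent=2))
    print("still covers observed use:", covers(narrowed, OBSERVED_USAGE))
```

The `covers` check is the part teams tend to skip: a narrowed policy that breaks the service gets reverted to the wildcard version within a day, so the usage window has to be long enough to include rare paths (month-end jobs, failover) before the narrowed policy is applied.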

3. Establish enterprise-wide IGA

Identity Governance and Administration (commonly referred to as IGA) is an established set of policies and procedures that articulate and enact an organizational security strategy for identities. Most organizations have IGA policies and processes in place for human identities. The same concept needs to be extended to machine identities, including monitoring and response workflows as well as onboarding and offboarding workflows. By building and standardizing these processes and procedures, a culture of accountability can be fostered for human and non-human identity workflows alike.

4. Manage NHI Lifecycles

In order to securely and consistently maintain an environment filled with non-human identities, their lifecycle must be managed and automated from beginning to end. Checks must be in place whenever identities are created to ensure they are given appropriately restrictive permissions while still serving their functional purpose. Throughout the lifecycle, access and utilization must be monitored so that anomalous behavior is identified immediately. When an NHI's functional purpose has been served, the identity should be retired so it cannot be assumed and exploited by an imposter.
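The periodic checks these lifecycle steps imply, as an added example that is not part of the original post and not Entro's code: each inventory record is tested for an orphaned owner, inactivity, overdue rotation and expiry, and the findings are mapped to an action. The record layout, the thresholds, the departed-user set and the sample inventory are all assumptions made for the example, and the clock is pinned so the results are reproducible.

```python
"""Added example for the lifecycle step, not Entro's code: periodic checks
over an NHI inventory that flag orphaned, unused and rotation-overdue
identities and recommend an action. Record layout, thresholds and the sample
inventory are this example's own assumptions, not a standard schema."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NOW = datetime(2024, 5, 29, tzinfo=timezone.utc)   # pinned so results are reproducible
STALE_AFTER = timedelta(days=60)                     # assumed inactivity threshold
DEPARTED_USERS = {"carol"}                           # constructed IdP/HR offboarding feed


@dataclass
class NHI:
    name: str
    kind: str                       # service_account | api_key | oauth_token | certificate
    owner: str                      # accountable human; empty string if nobody is recorded
    created_at: datetime
    last_rotated_at: datetime
    max_age_days: int               # rotation policy for this kind of credential
    last_used_at: Optional[datetime] = None
    expires_at: Optional[datetime] = None


def lifecycle_findings(nhi: NHI, now: datetime = NOW) -> list[str]:
    issues = []
    if not nhi.owner or nhi.owner in DEPARTED_USERS:
        issues.append("orphaned: no accountable owner")
    if nhi.last_used_at is None:
        if now - nhi.created_at > STALE_AFTER:
            issues.append("never used since creation")
    elif now - nhi.last_used_at > STALE_AFTER:
        issues.append(f"stale: unused for {(now - nhi.last_used_at).days} days")
    age = (now - nhi.last_rotated_at).days
    if age > nhi.max_age_days:
        issues.append(f"rotation overdue: {age} days since rotation, policy {nhi.max_age_days} days")
    if nhi.expires_at is not None and nhi.expires_at <= now:
        issues.append("expired credential still in inventory")
    return issues


def recommended_action(issues: list[str]) -> str:
    """Retirement beats reassignment beats rotation: the strongest remedy wins."""
    if any(i.startswith(("stale", "never used")) for i in issues):
        return "disable, then retire"
    if any(i.startswith("orphaned") for i in issues):
        return "assign an owner or retire"
    if any(i.startswith(("rotation overdue", "expired")) for i in issues):
        return "rotate"   # expiry is handled like an overdue rotation (renew)
    return "keep"


def review(inventory: list[NHI], now: datetime = NOW) -> dict[str, tuple[list[str], str]]:
    result = {}
    for nhi in inventory:
        issues = lifecycle_findings(nhi, now)
        result[nhi.name] = (issues, recommended_action(issues))
    return result


SAMPLE_INVENTORY = [  # constructed records
    NHI("orders-svc", "service_account", "alice", created_at=NOW - timedelta(days=400),
        last_rotated_at=NOW - timedelta(days=30), max_age_days=90,
        last_used_at=NOW - timedelta(hours=2)),
    NHI("legacy-etl-key", "api_key", "carol", created_at=NOW - timedelta(days=700),
        last_rotated_at=NOW - timedelta(days=700), max_age_days=90,
        last_used_at=NOW - timedelta(days=200)),
    NHI("ci-deploy-token", "oauth_token", "bob", created_at=NOW - timedelta(days=120),
        last_rotated_at=NOW - timedelta(days=120), max_age_days=90,
        last_used_at=NOW - timedelta(days=1)),
    NHI("poc-scanner", "api_key", "", created_at=NOW - timedelta(days=90),
        last_rotated_at=NOW - timedelta(days=90), max_age_days=365),
    NHI("ingress-tls", "certificate", "alice", created_at=NOW - timedelta(days=800),
        last_rotated_at=NOW - timedelta(days=400), max_age_days=365,
        last_used_at=NOW - timedelta(days=1), expires_at=NOW - timedelta(days=3)),
]

if __name__ == "__main__":
    for name, (issues, action) in review(SAMPLE_INVENTORY).items():
        print(f"{name:16} {action:28} {'; '.join(issues) or '-'}")
```

The "disable, then retire" ordering matters in practice: disabling first and waiting gives a missed consumer time to fail loudly, whereas deleting a credential that turns out to be in use tends to be reverted by recreating it with the same broad permissions it had before.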

5. Introduce an NHI Security Platform

NHI Security platforms are a must for enabling advanced automated security checks, real-time monitoring, behavioral analytics, and machine learning algorithms that can spot anomalies humans cannot.  When selecting an NHI security platform it’s critical to ensure the platform can:

  • Implement birthright provisioning for non-human identities based on predefined roles and use cases.
  • Ensure identities are created with the appropriate permissions and access rights from the outset.
  • Employ static risk analysis to periodically evaluate the security posture of non-human identities.
  • Set up automated alerts and notifications based on predefined risk thresholds to promptly address any identified issues or vulnerabilities.
  • Enforce secrets rotation to minimize the window of opportunity for attackers to exploit compromised credentials.
  • Implement an automated vaulting mechanism to securely store secrets and make sure the credentials associated with non-human identities are vaulted at your vault of choice. This centralized approach simplifies the process of accessing, rotating, and revoking secrets, reducing the risk of unauthorized access.
  • Automate de-provisioning workflows to promptly remove or disable non-human identities at the end of their lifecycle, ensuring that unnecessary access is eliminated promptly.

All this will ensure you’re never troubled by manual errors and that policy enforcement stays consistent. With ML-powered continuous NHI abnormal behavior monitoring, advanced risk analytics, and context-aware insights offered by Entro, there’s not much more you can ask for. Come onboard and see it for yourself with a quick demo.
