Managing Non-Human Identity Explosion in the Public Cloud

  • By Eric Kedrosky
  • Sep 15, 2020

With digital transformation comes the move to the cloud. What many businesses don’t realize is that it requires a retooling of their security strategy from the ground up. In particular, the explosion in the number of non-human identities in the public cloud is a risk that businesses simply can’t ignore. In fact, most businesses don’t even plan for non-human identities, let alone secure them, and that is where an organization can get into significant trouble. However, the good news is organizations can safeguard their cloud environments by taking the necessary steps. Let’s first start with the basics. 

What are Non-human Identities?
Non-human identities are identities that act on behalf of a person. They can be pieces of code, such as AWS Lambda functions, or pieces of compute, such as Azure VMs or other public cloud services. Regardless of how you define them, they are extremely useful and often represent the vast majority of identities found in cloud deployments. They do, however, present some unique challenges that are critical to keep in mind.  

Why Should We be Concerned with Safeguarding All Identities, Human and Non-human? 
Before digital transformation, the network formed the security perimeter for on-premises environments. That is no longer the case. In the cloud, human and non-human identities form the security perimeter and as such, need to be managed effectively. 

Examining the Challenges
The first challenge is complexity. Even for organizations born in the cloud, trying to make sense of these identities can be confusing and overwhelming. This commonly leads to cloud misconfigurations, some of which can be absolutely critical.

It is common for an average cloud deployment to have hundreds, if not thousands or more non-human identities. From a management and governance perspective, this creates a rather difficult challenge and if left unchecked can cause a lot of problems such as  failure to comply with least privilege and/or separation of duties requirements as well as attesting to what, where and how they can manipulate an entire cloud environment.

Lastly, from a security perspective, the nature of how identities are used makes determining the chain of events for “who did what” very difficult. For a malicious actor, this is a great way to mask their identity and blend in with the cloud environment. Because of this, any way you look at them, non-human identities can take many forms which can be both extremely powerful and pose significant risks in the public cloud. 

Data breaches are detrimental to a business. That is a no brainer, but what is worse is when they could have been easily prevented. An important lesson to be learned is that good security comes from good operations. With all the high-profile breaches in the past few years, it is surprising how this simple lesson is overlooked. When analyzing those breaches, as well as helping customers of all sizes in their cloud journey, there are consistent and avoidable mistakes that suddenly appear when it comes to non-human identities. 

The Three Most Common Mistakes in Securing Non-human Identities
The first common mistake is allowing overly permissive identities, where the instance, function, etc. has far too many permissions on its own as well as inheriting even more permissions as it is used within and/or across clouds. What started as a function that can do very little in its own account, it now has full admin privileges across the cloud. How does that happen? For reasons explained above, these identities and their usage can get quite complex, quite quickly and as a result, misconfigurations can commonly occur. 

A more concerning reason is that these identities are often intentionally over privileged. Why? This is actually the typical scenario while working to create a locked down identity that can do only what it is supposed to do. However, this can be difficult if something breaks and now the business is impacted. Far too often DevOps teams are told to “get it working now” and “go back and fix it later.” In turn, they do what is asked of them and give the identity the wide open “*” privilege, and the crisis is managed, the business is happy, life goes back to normal and the DevOps team goes onto the next task; never to return to fix it later.

This leads to the next common mistake, what I like to call “lost” identities. These are identities that have either been created or modified and then forgotten. They just sit there in the cloud environment, still very much alive but with nothing to do. That is until someone finds it and decides to use it, which leads to the next mistake.

The third most common mistake is that these identities are often used for unintended purposes … or better said “it made that thing work, so I’ll use it for this thing as well.” While true, it worked, but at what cost? Did it just give full access to sensitive data? Do you even know that it has this access?  Does anyone know that it has this access? The answer to the last two questions is commonly “no.” Even worse is when a bad actor finds one and uses it for their ends. What a great way to hide their actions. So, if good security is based on good operations then let’s learn from these common mistakes to ensure that your non-human identities are provisioned and managed appropriately, throughout their entire lifecycle. 

Spoiler alert, there is no such thing as a silver bullet … no matter what some people say. The truth is that it takes good old-fashioned blood, sweat and tears to effectively manage and secure your cloud environment. That said, there are some best practices within Identity and Data Governance that should be followed to help make that task manageable. While some may say “I hate best practices”; it is important to remember the power is in the context. Best practices exist to point you in the right direction and when applied in the context of your business, they can be extremely powerful. 

Best Practices for Securing Non-human Identities
The first best practice is the need to identify all of the non-human identities that truly exist in the cloud environment -- not what your admin team says it should be, not what your audit team has checked off on their spreadsheets, but what actually exists. Next, you need to know and understand what each and every one of their effective permissions are.

This means that you need to know exactly what each identity can do, within and across the cloud environment. Again, this isn’t what your teams think they can do, but what they actually can do. It is important to know, with absolute certainty, if these identities took any unintended actions. 

It is critical to understand what data these identities can access inside the cloud environment. Much like in the previous example, it is important to be aware if and/or what has been done to this data. On top of that, given how fast things move in the cloud and the myriad of teams with their hands in it, you need to have this awareness at all times. Only at this point, can you truly attest the ability to manage non-human identities and secure each cloud environment.

Non-human identities represent both an extremely powerful function as well as a complex risk in the public cloud, requiring constant attention. By effectively managing non-human identities, which form part of the new boundary for cloud security, it not only strengthens the information security model, but enables organizations to be able to move at the speed of the cloud.

Featured

  • The Future of Access Control: Cloud-Based Solutions for Safer Workplaces

    Access controls have revolutionized the way we protect our people, assets and operations. Gone are the days of cumbersome keychains and the security liabilities they introduced, but it’s a mistake to think that their evolution has reached its peak. Read Now

  • A Look at AI

    Large language models (LLMs) have taken the world by storm. Within months of OpenAI launching its AI chatbot, ChatGPT, it amassed more than 100 million users, making it the fastest-growing consumer application in history. Read Now

  • First, Do No Harm: Responsibly Applying Artificial Intelligence

    It was 2022 when early LLMs (Large Language Models) brought the term “AI” into mainstream public consciousness and since then, we’ve seen security corporations and integrators attempt to develop their solutions and sales pitches around the biggest tech boom of the 21st century. However, not all “artificial intelligence” is equally suitable for security applications, and it’s essential for end users to remain vigilant in understanding how their solutions are utilizing AI. Read Now

  • Improve Incident Response With Intelligent Cloud Video Surveillance

    Video surveillance is a vital part of business security, helping institutions protect against everyday threats for increased employee, customer, and student safety. However, many outdated surveillance solutions lack the ability to offer immediate insights into critical incidents. This slows down investigations and limits how effectively teams can respond to situations, creating greater risks for the organization. Read Now

  • Security Today Announces 2025 CyberSecured Award Winners

    Security Today is pleased to announce the 2025 CyberSecured Awards winners. Sixteen companies are being recognized this year for their network products and other cybersecurity initiatives that secure our world today. Read Now

Most   Popular

New Products

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings.

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles.

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.”