Managing Non-Human Identity Explosion in the Public Cloud

With digital transformation comes the move to the cloud. What many businesses don’t realize is that it requires a retooling of their security strategy from the ground up. In particular, the explosion in the number of non-human identities in the public cloud is a risk that businesses simply can’t ignore. In fact, most businesses don’t even plan for non-human identities, let alone secure them, and that is where an organization can get into significant trouble. However, the good news is organizations can safeguard their cloud environments by taking the necessary steps. Let’s first start with the basics. 

What are Non-human Identities?
Non-human identities are identities that act on behalf of a person. They can be pieces of code, such as AWS Lambda functions, or pieces of compute, such as Azure VMs or other public cloud services. Regardless of how you define them, they are extremely useful and often represent the vast majority of identities found in cloud deployments. They do, however, present some unique challenges that are critical to keep in mind.  

Why Should We be Concerned with Safeguarding All Identities, Human and Non-human? 
Before digital transformation, the network formed the security perimeter for on-premises environments. That is no longer the case. In the cloud, human and non-human identities form the security perimeter and as such, need to be managed effectively. 

Examining the Challenges
The first challenge is complexity. Even for organizations born in the cloud, trying to make sense of these identities can be confusing and overwhelming. This commonly leads to cloud misconfigurations, some of which can be absolutely critical.

It is common for an average cloud deployment to have hundreds, if not thousands or more non-human identities. From a management and governance perspective, this creates a rather difficult challenge and if left unchecked can cause a lot of problems such as  failure to comply with least privilege and/or separation of duties requirements as well as attesting to what, where and how they can manipulate an entire cloud environment.

Lastly, from a security perspective, the nature of how identities are used makes determining the chain of events for “who did what” very difficult. For a malicious actor, this is a great way to mask their identity and blend in with the cloud environment. Because of this, any way you look at them, non-human identities can take many forms which can be both extremely powerful and pose significant risks in the public cloud. 

Data breaches are detrimental to a business. That is a no brainer, but what is worse is when they could have been easily prevented. An important lesson to be learned is that good security comes from good operations. With all the high-profile breaches in the past few years, it is surprising how this simple lesson is overlooked. When analyzing those breaches, as well as helping customers of all sizes in their cloud journey, there are consistent and avoidable mistakes that suddenly appear when it comes to non-human identities. 

The Three Most Common Mistakes in Securing Non-human Identities
The first common mistake is allowing overly permissive identities, where the instance, function, etc. has far too many permissions on its own as well as inheriting even more permissions as it is used within and/or across clouds. What started as a function that can do very little in its own account, it now has full admin privileges across the cloud. How does that happen? For reasons explained above, these identities and their usage can get quite complex, quite quickly and as a result, misconfigurations can commonly occur. 

A more concerning reason is that these identities are often intentionally over privileged. Why? This is actually the typical scenario while working to create a locked down identity that can do only what it is supposed to do. However, this can be difficult if something breaks and now the business is impacted. Far too often DevOps teams are told to “get it working now” and “go back and fix it later.” In turn, they do what is asked of them and give the identity the wide open “*” privilege, and the crisis is managed, the business is happy, life goes back to normal and the DevOps team goes onto the next task; never to return to fix it later.

This leads to the next common mistake, what I like to call “lost” identities. These are identities that have either been created or modified and then forgotten. They just sit there in the cloud environment, still very much alive but with nothing to do. That is until someone finds it and decides to use it, which leads to the next mistake.

The third most common mistake is that these identities are often used for unintended purposes … or better said “it made that thing work, so I’ll use it for this thing as well.” While true, it worked, but at what cost? Did it just give full access to sensitive data? Do you even know that it has this access?  Does anyone know that it has this access? The answer to the last two questions is commonly “no.” Even worse is when a bad actor finds one and uses it for their ends. What a great way to hide their actions. So, if good security is based on good operations then let’s learn from these common mistakes to ensure that your non-human identities are provisioned and managed appropriately, throughout their entire lifecycle. 

Spoiler alert, there is no such thing as a silver bullet … no matter what some people say. The truth is that it takes good old-fashioned blood, sweat and tears to effectively manage and secure your cloud environment. That said, there are some best practices within Identity and Data Governance that should be followed to help make that task manageable. While some may say “I hate best practices”; it is important to remember the power is in the context. Best practices exist to point you in the right direction and when applied in the context of your business, they can be extremely powerful. 

Best Practices for Securing Non-human Identities
The first best practice is the need to identify all of the non-human identities that truly exist in the cloud environment -- not what your admin team says it should be, not what your audit team has checked off on their spreadsheets, but what actually exists. Next, you need to know and understand what each and every one of their effective permissions are.

This means that you need to know exactly what each identity can do, within and across the cloud environment. Again, this isn’t what your teams think they can do, but what they actually can do. It is important to know, with absolute certainty, if these identities took any unintended actions. 

It is critical to understand what data these identities can access inside the cloud environment. Much like in the previous example, it is important to be aware if and/or what has been done to this data. On top of that, given how fast things move in the cloud and the myriad of teams with their hands in it, you need to have this awareness at all times. Only at this point, can you truly attest the ability to manage non-human identities and secure each cloud environment.

Non-human identities represent both an extremely powerful function as well as a complex risk in the public cloud, requiring constant attention. By effectively managing non-human identities, which form part of the new boundary for cloud security, it not only strengthens the information security model, but enables organizations to be able to move at the speed of the cloud.

Featured

  • An Inside Look From Napco at ISC West

    Get a look into the excitement at ISC West 2025 from Napco. Hear from some of their top-tech executives live from the show floor. Read Now

    • Industry Events
    • ISC West
  • Upping the Ante

    I am not a betting man in terms of cards, dice, blackjack or that wheel with the black marble racing around the circumference of a spinning wheel, but I would bet on the success of ISC West this year. Read Now

    • Industry Events
    • ISC West
  • It's Show Time

    I am one of those people that likes to see things get bigger and better. As advertised, ISC West is going to be bigger (more exhibitors) and better (more attendees). It’s show time in Las Vegas. Read Now

    • Industry Events
    • ISC West
  • SIA Releases New Report on Operational Security Technology

    The Security Industry Association (SIA) has released an impactful new resource – Operational Security Technology: Principles, Challenges and Achieving Mission-Critical Outcomes Leveraging OST. Read Now

New Products

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.”

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame.

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area.