Non-Human Identities Sprawl Challenges Security

Move over, humans. With the rise of non-human identities, you may no longer be the weakest link when it comes to security.

As the workforce is increasingly augmented by robotic process automation (RPA) in the form of software bots, physical robots and IoT systems, a Forrester report noted that “when the digital identities of non-human entities and their credentials (certificates, usernames and passwords) rely on weak security measures, attackers can exploit the weak security controls to steal sensitive data, disrupt device operations and cause physical harm.”

“Digital identities are the new boundaries in a zero-trust world,” said Erkang Zheng, founder and CEO at JupiterOne. “The trust and validation of these identities are increasingly more critical to the safety and assurance of any cyber operations.”

But Forrester contends it will take another major data breach to bring this danger to the forefront, something they expect over the next 18 months. A prime target might be IoT devices, which the firm recently found are the second most-targeted corporate assets by attackers.

While platform-specific security worked for simple, bounded use cases, “decentralized purchasing, lack of accountability and ongoing changes to the business have made these platforms ripe for attacks and insider abuses,” the report said.

RPA vendors already include basic secure access controls, Forrester said, “but with two-thirds of bots being used in sensitive data-intensive areas like finance and line of business or powerful access areas like IT, the stakes are high and require top-notch risk-based security. Industry-specific IoT platform vendors and industrial robotics manufacturers have had a track record of uneven security, for example, shipping IoT devices with easy-to-crack PINs (e.g., 1234) and critical encryption flaws.”

Instead, non-human identities need “stronger security and management due to continued rapid adoption, increasing connections to sensitive data, and integration complexities,” they said in a report detailing how identity and access management (IAM) “must evolve to secure these identities with the same rigor previously applied to securing human identities.”

IAM is heading in that direction, and there are a number of solutions that, when used in tandem, can protect against the threat posed by non-human identities. Forrester said the technologies key to securing non-human entities are privileged identity management (PIM), identity management and governance (IMG), key management for machine identities, RPA security, application security, endpoint security and IoT security.

With PIM solutions, credentials are secured in vaults, and access for human and non-human accounts is monitored with what Forrester calls “powerful administrator-level access.”

IMG solutions govern the “policies for managing the life cycle of human and nonhuman identities,” Forrester said, and let security and risk teams “organize and enforce policies for the vast number of non-human identities across the organization.” That prevents orphaned accounts and overprivileged access from leaving unguarded pathways for attackers.

Key management solutions for machine identities help lock down non-human identities by bringing operational agility to managing the keys that secure them.

RPA security software supports the trend by reducing bot-related threats that stem from social engineering, identity misuse and noncompliance.

Application security fends off attacks by humans and non-humans by reducing the security vulnerabilities that attackers can exploit to gain control of accounts.

Endpoint security protects “non-human endpoints from exploit and [detects] when non-human endpoints have been compromised” by correlating endpoint and non-endpoint behavioral data to identify and safeguard against malicious activity whether it comes from human or non-human accounts, according to Forrester.

IoT security enforces secure access and authentication for IoT systems. Solutions address three technology categories: networks, devices and applications, with emerging platforms combining all three.

“The security industry needs to move past the notion that identity is purely human-centric,” said Sounil Yu, CISO at JupiterOne. “The Cyber Defense Matrix shows that we also have identities that are device-centric, application-centric, network-centric and data-centric.”

Just like “with human-centric identities, static identities (e.g., usernames/passwords) that don’t change frequently or are reused exacerbate our security problems,” said Yu. “We don’t want to repeat that mistake with non-human identities.”
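The lifecycle controls described above (IMG catching orphaned and overprivileged accounts, and the static, reused credentials Yu warns against) can be expressed as an automated inventory check. The following is an added example, not code from the article, Forrester or JupiterOne; the inventory, the active-owner list and the least-privilege baseline are constructed sample data, and the field names are assumptions.

```python
from datetime import date, timedelta
from collections import Counter

# Constructed sample inventory of non-human identities (bots, service
# accounts, IoT devices). Field names are assumptions for this example.
ACTIVE_OWNERS = {"alice", "bob"}          # staff still employed
INVENTORY = [
    {"name": "finance-bot", "owner": "alice", "last_rotated": date(2024, 1, 10),
     "secret_fp": "fp-a1", "perms": {"ledger:read", "ledger:write"}},
    {"name": "hr-bot", "owner": "carol", "last_rotated": date(2024, 5, 1),
     "secret_fp": "fp-b2", "perms": {"hr:read"}},
    {"name": "sensor-42", "owner": "bob", "last_rotated": date(2023, 1, 1),
     "secret_fp": "fp-a1", "perms": {"telemetry:write", "iam:admin"}},
]
# Maximum permissions each identity should hold (constructed least-privilege
# baseline); anything beyond it is flagged as overprivileged.
ALLOWED = {"finance-bot": {"ledger:read", "ledger:write"},
           "hr-bot": {"hr:read"},
           "sensor-42": {"telemetry:write"}}
MAX_AGE = timedelta(days=90)            # rotation policy for machine secrets
SAMPLE_TODAY = date(2024, 6, 1)         # fixed "now" so the run is repeatable

def review(inventory, today, active_owners=ACTIVE_OWNERS,
           allowed=ALLOWED, max_age=MAX_AGE):
    """Return {identity name: list of policy findings}, empty when clean."""
    # A secret fingerprint seen on more than one identity means a shared/reused
    # credential: one leak then exposes every identity carrying it.
    fp_count = Counter(i["secret_fp"] for i in inventory)
    findings = {}
    for ident in inventory:
        issues = []
        if ident["owner"] not in active_owners:
            issues.append("orphaned")           # owner gone or never assigned
        if today - ident["last_rotated"] > max_age:
            issues.append("stale-credential")   # static secret, never rotated
        if fp_count[ident["secret_fp"]] > 1:
            issues.append("reused-credential")
        extra = ident["perms"] - allowed.get(ident["name"], set())
        if extra:
            issues.append("overprivileged:" + ",".join(sorted(extra)))
        if issues:
            findings[ident["name"]] = issues
    return findings

if __name__ == "__main__":
    for name, issues in review(INVENTORY, SAMPLE_TODAY).items():
        print(name, issues)
```

In practice the inventory would be pulled from the PIM vault, the identity provider and the IoT platform rather than hard-coded, and each finding would feed a ticket or an automatic rotation job.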


Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.
