Non-human identities. It seems like every technology conference I’ve attended over the past year or so has had NHIs as a primary topic. And it’s no wonder: the same qualities that have made NHIs powerful tools in the new world of hyper-automation, dynamic IT infrastructures, and complex security processes have also introduced new vulnerabilities into many IT environments.
For just a moment, let’s look at why NHIs deserve attention from a security perspective. I see 3 primary vulnerabilities:
- The number of NHIs in a typical environment is staggering compared to human identities, and it is only growing. They are so plentiful, in fact, that most are forgotten, especially over time.
- Many NHIs have highly privileged access rights in order to perform the work they are tasked with.
- It is not uncommon to have NHIs running unmanaged. That is, no “real person” oversees what they are doing or how they are doing it, and in particular nobody oversees the allocation of their access rights and entitlements.
The combination of these 3 items, Forgotten + Highly Privileged + Unmanaged, is a recipe for disaster. And, to add to that, NHIs do not have the security controls that humans do. There’s no such thing as MFA or a Captcha for a robot (“Click here to prove that you are not a robot”… “Uh, but I AM a robot!”).
So now, what do we do about it? Many experts in the security industry have stated that 2 primary capabilities need to be in place to handle the event that an NHI is compromised: first, rapid, real-time detection of a threat, followed by rapid, real-time remediation. This, of course, is exactly what ITDR is, though it is not traditionally limited to non-humans. But it is perfect for handling such situations.
Looking at the ITD portion of ITDR, meaning the Identity Threat Detection, the sheer volume of work performed by most NHIs (workload identities, machine identities, etc.) can make it easier to detect anomalies, because there is plenty of routine activity from which to build a baseline. However, because of the vulnerabilities listed previously, the delays that conventional threat detection builds into how data is captured and calculated are not acceptable here: it is crucial that anomaly detection for NHIs be as close to instantaneous as possible.
There are other threat detection methods as well, such as detecting compromised credentials that are used by NHIs.
I think you get the point: identity threat detection needs to be quick and sure. The last thing you need is a bunch of false positives. Detections need to have a high level of assurance that this truly is a threat.
If false positives need to be examined by humans, this may cause actual threats to be ignored. And, worse, if the ITDR process is fully automated, false positives that are acted on in an automated manner may cause interruptions to essential business processes.
Next is the remediation. Again, this needs to be very quick and sure. Typically, playbooks are crafted in advance and run based on the type or severity of the threat, or a combination of both. The typical types of remediation would be things like:
- Revoking access rights
- Disabling one or multiple accounts
- Communication with other systems, such as trouble ticketing
- Notification of administrators, security teams, etc.
- Forcing a recertification of all access rights of an identity
- Any combination of these items
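As an added illustration (not code from the original post), here is a small Python sketch of the two halves described above: a per-identity activity baseline that only raises a high-severity finding when two independent signals agree (guarding against the false positives discussed earlier), and a severity-keyed playbook built from the remediation list. The telemetry, identity names, thresholds and playbook actions are all constructed for the example.

```python
import statistics
from collections import defaultdict

# Constructed sample telemetry: (identity, time window, API call count, resources touched).
# svc-backup behaves normally for five windows, then spikes and touches a new resource.
EVENTS = [
    ("svc-backup", 1, 100, {"bucket-a"}), ("svc-backup", 2, 104, {"bucket-a"}),
    ("svc-backup", 3, 98, {"bucket-a"}),  ("svc-backup", 4, 101, {"bucket-a"}),
    ("svc-backup", 5, 102, {"bucket-a"}), ("svc-backup", 6, 950, {"bucket-a", "secrets-vault"}),
    ("svc-report", 1, 10, {"db-ro"}), ("svc-report", 2, 12, {"db-ro"}),
    ("svc-report", 3, 9, {"db-ro"}),  ("svc-report", 4, 11, {"db-ro"}),
    ("svc-report", 5, 10, {"db-ro"}), ("svc-report", 6, 12, {"db-ro"}),
]

# Constructed playbooks keyed by severity, using the remediation types listed above.
PLAYBOOKS = {
    "high": ["disable_account", "revoke_access", "open_ticket", "notify_security"],
    "medium": ["open_ticket", "notify_admins", "force_recertification"],
    "low": ["notify_admins"],
}

def detect(events, z_threshold=4.0):
    """Compare the latest window of each NHI against its own history.
    Two independent signals (volume spike AND a never-before-seen resource)
    are required for a high-severity finding; one signal alone is medium."""
    history = defaultdict(list)
    for ident, window, count, resources in sorted(events, key=lambda e: e[1]):
        history[ident].append((count, resources))
    findings = {}
    for ident, rows in history.items():
        past, (latest_count, latest_res) = rows[:-1], rows[-1]
        if len(past) < 3:
            continue  # not enough baseline to judge with any assurance
        counts = [c for c, _ in past]
        mean = statistics.mean(counts)
        stdev = statistics.pstdev(counts) or 1.0  # avoid division by zero on flat history
        z = (latest_count - mean) / stdev
        known = set().union(*(r for _, r in past))
        new_res = latest_res - known
        if z > z_threshold and new_res:
            findings[ident] = "high"
        elif z > z_threshold or new_res:
            findings[ident] = "medium"
    return findings

def remediate(findings):
    """Map each finding to the pre-crafted playbook for its severity."""
    return {ident: PLAYBOOKS[sev] for ident, sev in findings.items()}
```

On the sample data only svc-backup is flagged (as high), so svc-report's ordinary fluctuation never reaches a human or an automated playbook.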
The interest in NHIs and the interest in ITDR are not a coincidence; the two go hand in hand. As the saying goes, the best offense is a good defense. In this case, this means that the best strategy for NHIs is to manage and protect them and therefore never get to the point where threat detection is needed. Proper entitlement management is key to vulnerability management in NHIs. However, you still need to handle those threats that make their way through.