Introduction
Half a century ago, no one could have imagined how much the world of computers would change. Computers were once believed to be the domain of human beings, whose prerogative it was to access, operate and manage them; today's scenario is a far cry from those early days. Take the case of passwords. They came into use in the sixties and are still used to recognize and authorize users, yet digital identity management has since evolved to encompass non-human identities such as machines, applications, and services. Automation has been a game changer for non-human identity management practices, leading experts to opine that identity management is no longer human-centric.
A question of identity
Non-human Identities (NHIs) take their name from the "machine identities" they comprise. They are typically used in two settings. The first is applications and services that need to interact with cloud resources. The second is machine identities used to authenticate and manage devices; these may include identities that manage the digital certificates, keys, and credentials permitting access to devices such as servers, IoT devices, and laptops. Though this is the classical definition, with virtualization the distinction between the two types of identity, applications/services on one side and machine identities on the other, is slowly blurring.
Identity sits at the core of how both human and non-human identity management is carried out. Studies on NHI best practices nonetheless indicate that the two management systems are best kept separate, for optimal benefits in granular control, ease of administration, improved security, scalability and flexibility, and compliance.
Organizational needs must, however, dictate the nature of the management systems that handle the two kinds of entity, so that the best approach to IAM is established and followed.
What is NHI and NHIM
Cybersecuritytribe (1) describes Non-Human Identity Management (NHIM) as 'the process of managing and securing the digital identities of machines, applications, APIs, virtual machines, IoT devices, bots, and other automated entities within an organizational ecosystem'. Non-human identities are the digital entities that identify, authenticate and authorize devices, applications, cloud workloads, and automated processes. Any digital identity not associated with or operated by a human is categorized as an NHI, and the management thereof is termed NHIM. NHIs have distinct characteristics: based on organizational needs, they can be created, pressed into service, scaled up, or terminated.
Typical NHIs include:
- Digital certificates issued by approved certification authorities
- Cryptographic keys used to generate private and public identity token numbers
- Security processes to authenticate access
- Life-cycle management processes for certificate/key/secret management
- Compliance and standards processes
- IoT devices and IT infrastructure items
- Shared and service accounts
- Bots
- Artificial Intelligence applications
- Application Program Interfaces (APIs)
Why the need for NHIM
The need for NHIM arises from the rampant spread of digital operations and the inroads they have made into every sphere. Among the most compelling reasons for NHIM are:
- Complexity and sheer volume of IT architectures and infrastructure/environment
- Ever-increasing scale-up in automation and digitalization in most organizations
- Cyber threats from bad actors intent on capitalizing on vulnerabilities
Unmonitored NHIs can expose organizations to security violations including unauthorized access, compromise of supply chains, and exfiltration of sensitive data.
Challenges
NHIM comes with a fair number of challenges. CyberArk (2) presents a good guide to some of the better-known NHI environments and the challenges they pose today. These include, but are not limited to:
- Cloud environments and cloud-native apps used by organizations across multiple Cloud Service Providers (CSPs), which present issues related to flexibility, scalability, shortcuts and a general lack of security features
- Inadequately secured DevOps tools, which pose a serious risk if they are not configured optimally
- Poorly orchestrated access levels for automation tools and scripts, which create potential attack points
- Vulnerabilities in commercial off-the-shelf applications from software vendors, and their general lack of integration with other organizational security tools
- Limitations in legacy homegrown applications and mainframe applications hosted on-prem, whose vulnerabilities can be exploited by bad actors and compromise security
Best practices
Effective NHIM is part of the organization's cybersecurity posture. Good NHIM includes effective secrets management and several key practices:
- Discovery and inventory of all NHIs and secrets (confidential data) in the cybersecurity ecosystem
- Contextual enrichment of each NHI so that the impact can be estimated if it is compromised
- Risk analysis and security posture management for the processes connected with all NHIs
- Detection and response capabilities in the event of NHI compromise
- Integration of NHIs into charted operational workflows so that systems can be isolated in the event of a compromise
- Least-privilege rights, so that the extent of damage is limited from the start
- Regular audits of all activities associated with NHIs, from permissions through to remediation
- Secure credential management and strong authentication, including multi-factor authentication, to enhance process effectiveness
- Monitoring of logging, activity and incident response so that security issues are addressed promptly and effectively
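As an added illustration of the discovery, least-privilege, audit and credential-management practices above (example code, not from the article or any vendor it cites), the script below audits a constructed NHI inventory: it flags secrets past an assumed rotation age, identities idle long enough to be orphan candidates, wildcard privileges, missing owners, and, given a constructed upstream-compromise date, every secret that must be rotated because it predates the compromise. The inventory, field names, dates and thresholds are all assumptions.

```python
# Added example (not from the article or any vendor it cites): audit a constructed
# NHI inventory against the practices above. Field names and thresholds are assumed.
from datetime import date, timedelta

# Constructed sample inventory: one record per NHI (service account, API key, ...).
INVENTORY = [
    {"name": "ci-deploy-bot", "kind": "service account", "owner": "platform-team",
     "secret_created": date(2023, 12, 1), "last_used": date(2024, 1, 9),
     "permissions": ["repo:read", "deploy:staging"]},
    {"name": "idp-integration-token", "kind": "api key", "owner": "",
     "secret_created": date(2023, 8, 14), "last_used": date(2024, 1, 10),
     "permissions": ["*"]},
    {"name": "legacy-report-svc", "kind": "service account", "owner": "finance",
     "secret_created": date(2022, 3, 1), "last_used": date(2023, 4, 30),
     "permissions": ["db:read"]},
]
AS_OF = date(2024, 1, 15)             # constructed audit date
UPSTREAM_BREACH = date(2023, 10, 1)   # constructed date of a provider compromise
MAX_SECRET_AGE = timedelta(days=90)   # assumed rotation policy
MAX_IDLE = timedelta(days=60)         # unused longer than this: orphan candidate


def audit_nhi(record, today, compromise_date=None):
    """Return the findings for one NHI (empty list means nothing to report).
    compromise_date: secrets created on or before it and not rotated since
    must be rotated, as after an upstream provider breach."""
    findings = []
    if not record["owner"]:
        findings.append("no-owner")                # nobody to estimate impact
    if today - record["secret_created"] > MAX_SECRET_AGE:
        findings.append("secret-overdue")         # rotation policy violated
    if today - record["last_used"] > MAX_IDLE:
        findings.append("idle-orphan-candidate")  # decommission or justify
    if "*" in record["permissions"]:
        findings.append("wildcard-privilege")     # breaks least privilege
    if compromise_date and record["secret_created"] <= compromise_date:
        findings.append("rotate-after-upstream-compromise")
    return findings


def audit_inventory(inventory, today, compromise_date=None):
    """Map each NHI name to its findings, omitting identities that are clean."""
    report = {}
    for rec in inventory:
        findings = audit_nhi(rec, today, compromise_date)
        if findings:
            report[rec["name"]] = findings
    return report
```

Running `audit_inventory(INVENTORY, AS_OF, UPSTREAM_BREACH)` reports only the two problematic identities; the recently rotated, owned, narrowly scoped `ci-deploy-bot` is omitted.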
Conclusion
While cases of Human Identification Access Management (HIAM) abound, the Cloudflare breach of November 2023 is cited as a case showing the importance of not taking NHIM lightly. In that breach, the cybersecurity firm's failure to rotate credentials that had been stolen from its IAM specialist Okta resulted in source code being accessed. Damage was minimal, however, thanks to the zero-trust environment in place, which prevented lateral movement within Cloudflare's systems. Commenting on its LinkedIn page, NHIM solutions provider Astrix Security called it a case of 'seeing how non-human access is abused by attackers to achieve high privilege access to internal systems which goes unmonitored.'
Organizations ignore this warning at their own peril. They must invest in the right NHIM platforms and stringently follow industry best practices if they wish to improve their security posture.
References: