Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Help shape the future of cloud security! Take our quick survey on SaaS Security and AI.

Current Challenges with Managing Permissions and API Keys

Home
Industry Insights
Current Challenges with Managing Permissions and API Keys

Blog Article Published: 09/18/2024

The State of Non-Human Identity Security cover

Recent CSA survey data shows that organizations are struggling to manage permissions and API keys. (API keys are the codes used to authenticate users and applications.) Keep in mind that API keys are also a type of non-human identity (NHI). An NHI is a digital construct used for machine-to-machine access and authentication. NHIs present unique security challenges that traditional Identity and Access Management (IAM) guidance often overlooks.

Astrix commissioned CSA to develop the above-mentioned survey and a subsequent report. The goal was to better understand the industry’s knowledge, attitudes, and opinions regarding NHI security and its challenges. CSA conducted the survey in June 2024 and received 818 responses from IT and security professionals.

Shockingly, CSA found that only 20% of the surveyed organizations have formal processes for offboarding and revoking API keys. Even fewer have procedures for rotating them. Additionally, nearly 40% of organizations take weeks or more to offboard keys.

Below, get more insights into organizations' current challenges with managing access and security.


Reactive Permission Reviews Lead to Security Gaps

Frequency of review for service account permissions

Only 22% of the surveyed organizations review permissions for service accounts yearly, while 19% do so randomly, when needed. Organizations are likely addressing service account permissions only to prepare for an audit or upon request. The manual and tedious nature of this process further complicates proactive management, increasing the risk of oversights.

Organizations need to move away from “point-in-time” assurance to more proactive measures. CSA recommends continuous monitoring and automated management. These measures are crucial for identifying and mitigating risks promptly. Without robust, automated solutions and systematic review processes, organizations remain vulnerable to security incidents and face significant challenges in securing their NHIs effectively.


Difficulties with Service Accounts and Tech Debt

Difficulty levels of managing permissions for new versus existing service accounts

Survey data reveals that managing permissions is notably easier if the service account is new. Only 9% of organizations find it highly difficult to manage permissions on new accounts. On the other hand, 22% of organizations find it highly difficult for existing accounts.

This disparity highlights the issue of tech debt. Retroactive changes to permissions are more cumbersome and error-prone compared to initial setups. Such difficulties often lead to gaps in security.


Managing and Offboarding API Keys

Type of process for API key offboarding/revoking versus rotating/rolling back

The management of API keys is another critical area where organizations falter. Only 20% of the surveyed organizations have a formal process for offboarding and revoking API keys. Even fewer have a process for rotating or rolling them back.

This lack of formalized procedures means that individuals often skip steps or do not strictly follow outlined processes. This can result in a redundant attack surface. Additionally, when organizations do not properly offboard, revoke, or rotate API keys, the keys can remain active and potentially exploitable.


Manually Offboarding API Keys Leads to Long Timelines

Timeline for API key offboarding versus rotating/rolling back

Only 19% of the surveyed organizations have automated processes for offboarding API keys. Only 16% have automated processes for rotating or rolling them back. With manual handling, organizations may not know the full impact of changes. This leads to many uncertainties about what might break or what systems might be affected.

Additionally, the survey shows that nearly 40% of organizations take weeks or more to offboard API keys. Similarly, 24% take days and 18% take weeks to rotate or roll them back. Only a small fraction of organizations can handle these processes automatically or immediately.

Organizations need to adhere to formalized, automated processes for managing permissions and API keys. This creates more efficient processes and reduces human error. Without such measures, organizations remain inefficient and vulnerable to potential security breaches.


Read the full survey report to get crucial insights into NHI security gaps and recommendations. Besides permissions and API keys, the report covers:

  • Perceptions around NHIs and their security risks
  • Current security efforts, policies, and management of NHIs
  • Challenges with connecting to third-party vendors
Cloud Key ManagementIdentity and Access ManagementSurveys

Share this content on your favorite social network today!

Core Cloud
Related Resources
Top Threats to Cloud Computing
The eleven salient threats, risks, and vulnerabilities in the cloud.
Certificate of Cloud Security Knowledge (CCSK)
The industry's standard cloud security credential.
Corporate Membership
Gain knowledge and connections in the cloud industry.
Latest from CSA
Download the Non-Human Identity Security Report
Register for CSA's Global AI Symposium
Discover the Benefits of CSA Corporate Membership
Trending This Week
#1 QR Codes, Audio Notes, and Voicemail - Clever Tricks Up a Phisher’s Sleeve
#2 The Importance of the Shared Responsibility Model for your Data Security Strategy
#3 Natural Disasters: A Perfect Storm for Data Breaches
#4 Demystifying Secure Architecture Review of Generative AI-Based Products and Services
#5 Mechanistic Interpretability 101
Level up with Cloud Infrastructure Security Training
Related Articles:
The Cloud Security Layer Cake: Modern Use Cases for PAM

Published: 09/19/2024

Top Threat #2 - Identity Crisis: Staying Ahead of IAM Risks

Published: 09/16/2024

What are OAuth Tokens, and Why are They Important to Secure?

Published: 09/12/2024

As Non-Human Identity Attacks Soar, Cloud Security Alliance and Astrix Security Reveal Critical Gaps in Non-Human Identity Protection

Published: 09/12/2024