
Decommissioning Orphaned and Stale Non Human Identities

Blog Article Published: 06/03/2024

Originally published by Oasis Security.

Written by Yonit Glozshtein, Director of Product Management, Oasis Security.

Unmanaged non-human identities (NHIs) pose a significant security risk in today's digital landscape. NHIs often operate outside traditional IT security reviews, making them vulnerable to exploitation. A common scenario we encounter during security assessments is the presence of stale or orphaned NHIs that should have been decommissioned but haven't.

An orphaned NHI is an NHI that is no longer in use but is still enabled and still holds active permissions. Stale or orphaned NHIs are typically the undesired outcome of change: a change in business operations, such as ceasing work with a third-party vendor; a change in organizational structure, such as an employee leaving the company or moving to a new role; or a technology change, such as replacing an application. A common finding from our security assessments is stale NHIs left behind by discontinued SaaS applications that were used for one-time tasks, such as data migration. Once the task is completed, these applications are often forgotten and left lingering in the environment without a proper offboarding process. From this simple example, it is easy to see how, in today's fast-paced business world, orphaned NHIs become commonplace whenever an organization lacks good visibility and effective operational processes.

These NHIs are a serious risk: they expand the attack surface and can serve as backdoors for extended periods without detection, because nobody is watching an identity that nobody thinks is in use. For instance, cases such as Cloudflare's recent breach have shown how NHI credentials that should have been rotated or decommissioned can serve as the entry point for unauthorized access.

The risk of inaction regarding unmanaged stale non-human identities extends even further. Over time, these dormant identities accumulate, needlessly expanding the attack surface. This situation parallels the risks seen in supply chain attacks, where adversaries exploit trusted third-party vendors or service providers, and the access those relationships leave behind, to gain unauthorized access to networks and data.

Challenges with decommissioning NHIs

Offboarding non-human identities is a complex and error-prone process without the right tool for the job. The most common pain points we hear about are: #1 lack of visibility - "I don't know which NHIs are unused" - and #2 operational risk - "I don't know what an NHI is for, and I am afraid of breaking something". Insufficient understanding of security posture, rapidly evolving business needs, and ambiguous ownership are a few more.

A primary obstacle hindering the deletion of non-human identities is the difficulty of accurately identifying them and assessing their status. Unlike human users, whose lifecycle within an organization is typically well documented, non-human identities operate in the background and are frequently excluded from the automated containment tools that many detection offerings provide to stop identity-based attacks. Without visibility into whether an identity is still actively used, the offboarding decision cannot be made with confidence, and organizations remain susceptible to exploitation.

Moreover, the complexity of modern IT ecosystems further exacerbates the challenge of offboarding non-human identities. With the proliferation of interconnected systems, applications, and services, organizations struggle to maintain a comprehensive inventory of all non-human identities and their associated permissions. As a result, stale accounts and dormant identities accumulate over time, increasing the attack surface and presenting enticing targets for malicious actors.

Because of the large scale and highly dynamic nature of NHIs, maintaining a reliable inventory is extremely challenging without automation. Recognizing if an NHI is orphaned or unused is even more complex because it requires critical contextual information on ownership and usage. Context and dependency mapping are also necessary to ensure that decommissioning operations won't impact business continuity. For most organizations, managing operational risk involves manually tracking metadata and orchestrating cross-team triaging processes that can be laborious and prone to errors. In many cases, the complexity of manual operations becomes an insurmountable barrier that leads to inaction.

How to decommission NHIs without operational disruptions

To address these issues, organizations must adopt a proactive approach to non-human identity management. This includes implementing robust processes for regularly reviewing and revoking access permissions, establishing clear ownership and accountability for each non-human identity, and leveraging monitoring and analytics tools to detect and mitigate security risks promptly. Decommissioning itself should be staged rather than a single delete: disable the identity first, watch for broken workloads during a grace period, and only then remove it and its permissions, so that a mistaken classification is reversible. A tool that automatically and continuously provides a holistic inventory of NHIs with rich contextual information (owner, last use, what depends on it) becomes paramount.
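The pain points above (which NHIs are unused, who owns them, what depends on them) and the review-and-revoke process just described can be expressed as a small triage routine. The following is an added example written for this article, not Oasis Security's product or code; the inventory schema, the 90-day stale threshold, the 14-day grace period, the owner directory and the dependency map are all assumptions, and the inventory records are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Thresholds are assumptions for this example, not values from the article.
STALE_AFTER = timedelta(days=90)    # no observed use for 90 days => unused
GRACE_PERIOD = timedelta(days=14)   # disable first; delete only after this wait


@dataclass
class NHI:
    """One non-human identity as a minimal inventory record (assumed schema)."""
    id: str
    kind: str                          # e.g. service_account, api_key, oauth_app
    owner: Optional[str]               # responsible person/team/vendor, None if unknown
    created: datetime
    last_used: Optional[datetime]      # None = never observed in use
    enabled: bool = True
    permissions: list[str] = field(default_factory=list)


def is_unused(nhi: NHI, now: datetime) -> bool:
    """Unused = no use observed within STALE_AFTER.
    A never-used identity counts as unused once it is older than STALE_AFTER."""
    last = nhi.last_used or nhi.created
    return now - last > STALE_AFTER


def triage(nhi: NHI, now: datetime, active_owners: set[str],
           dependents: dict[str, list[str]]) -> dict:
    """Classify one NHI and decide the next decommissioning step.

    The operational-risk checks (still in use, has dependents) run before any
    destructive action, so a live or depended-upon identity is never scheduled
    for disable/delete by this routine.
    """
    unused = is_unused(nhi, now)
    ownerless = nhi.owner is None or nhi.owner not in active_owners
    deps = dependents.get(nhi.id, [])

    if not unused:
        # Still in use: never decommission; fix the ownership gap instead.
        if ownerless:
            return {"status": "active", "action": "assign_owner",
                    "reason": f"in use but owner {nhi.owner!r} is missing or departed"}
        return {"status": "active", "action": "keep", "reason": "in use, owned"}

    if not nhi.enabled:
        # Already disabled and still unused: nothing broke, safe to remove.
        return {"status": "stale", "action": "delete",
                "reason": "disabled and unused beyond the stale threshold"}

    # Unused, enabled and still holding permissions: the article's orphaned NHI.
    status = "orphaned" if nhi.permissions else "stale"
    if deps:
        return {"status": status, "action": "review",
                "reason": f"unused but referenced by {deps}; confirm before disabling"}
    return {"status": status, "action": "disable",
            "delete_after": (now + GRACE_PERIOD).isoformat(),
            "reason": "unused, enabled, no known dependents; disable now, delete after grace"}


def build_plan(inventory: list[NHI], now: datetime, active_owners: set[str],
               dependents: dict[str, list[str]]) -> dict[str, dict]:
    return {n.id: triage(n, now, active_owners, dependents) for n in inventory}


def example_plan() -> dict[str, dict]:
    """Run the triage over a constructed inventory (not real data)."""
    now = datetime(2024, 6, 3, tzinfo=timezone.utc)
    d = lambda days: now - timedelta(days=days)
    inventory = [
        # Vendor migration account left behind after the engagement ended.
        NHI("sa-migration-tool", "service_account", "vendor:acme-migrations",
            created=d(400), last_used=d(300), permissions=["db:read", "db:write"]),
        # Healthy CI credential, used yesterday, owned by an active team.
        NHI("key-ci-deploy", "api_key", "team:platform", created=d(500),
            last_used=d(1), permissions=["deploy:write"]),
        # In daily use, but its owner has left the company.
        NHI("sa-legacy-reports", "service_account", "alice", created=d(700),
            last_used=d(2), permissions=["reports:read"]),
        # Never used, no owner, but a legacy app still references it.
        NHI("app-old-sso", "oauth_app", None, created=d(200), last_used=None,
            permissions=["directory:read"]),
        # Disabled months ago and nothing complained since.
        NHI("key-disabled-old", "api_key", "team:data", created=d(600),
            last_used=d(200), enabled=False, permissions=["bucket:read"]),
    ]
    active_owners = {"team:platform", "team:data"}   # alice left; vendor contract ended
    dependents = {"app-old-sso": ["legacy-portal"]}  # from config/dependency mapping
    return build_plan(inventory, now, active_owners, dependents)


if __name__ == "__main__":
    for nhi_id, decision in example_plan().items():
        print(f"{nhi_id:20} {decision['status']:9} {decision['action']:13} {decision['reason']}")
```

The ordering of the checks is the point: an identity that is still authenticating is never touched even when its owner is gone (it gets an owner instead), an unused identity that something still references goes to human review rather than to an automated disable, and deletion is only proposed for identities that have already survived a disabled period. In a real environment, `last_used` would come from the provider's credential or sign-in reports and `dependents` from configuration and secret-reference scanning; both are assumed inputs here.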

By investing in comprehensive non-human identity governance and management practices, organizations can mitigate the risks posed by these overlooked security holes. By doing so, they can strengthen their security posture, safeguard sensitive data, and ensure compliance with regulatory requirements in an increasingly complex and interconnected digital landscape.
