What's Broken with Identity Management?

Originally published by Oasis Security.

Written by Danny Brickman, Co-founder & CEO, Oasis Security.

Identity management is a critical component of enterprise security. Identities are the key construct through which we control how authorized entities (individuals, software or devices) can access data and perform actions. Historically, human identities have the primary focus of identity access management. While human identities remain strategically important, shifts in infrastructure and workload architecture have driven the exponential growth of non-human identities, completely changing the identity landscape and opening up new challenges.

‍

Non-human identities bring new security challenges

‍The shift to hybrid multi-cloud, microservices architectures and agile development has fueled the exponential growth of non-human identities, such as service accounts, principal accounts, IAM roles, secrets, tokens, keys, etc., which now outnumber human identities by 10-50x, opening a massive attack surface. With more and more business processes in the future being automated via AI-workflows and accessed by AI-powered services, this trend is likely to accelerate even more.

The security risks of unmanaged NHIs are further compounded by the fact that, on average, there are 5x more highly privileged NHIs than there are humans and that with NHIs organization can’t leverage biometrics or other forms of secondary verification. Oasis research with organizations that don’t have an NHI management enterprise strategy shows a rapidly growing attack surface with numerous toxic combination vulnerabilities.

It is not surprising to see an increase in the number of cyber attacks that involve exploitation of NHIs:

• 38TB of data accidentally exposed by Microsoft AI researchers
• Okta says hackers stole customer access tokens from support unit
• Slack employee tokens stolen, GitHub repository breached
• CircleCI incident report for January 4, 2023 security incident

‍Given their pivotal role, securing NHIs has consequently become a critical objective with high stakes, as a breached NHI could easily lead to data exfiltration and compromised business operations.

‍

The security stack doesn’t address Non-Human Identity Management

‍

The scale and dynamic nature of NHIs poses complex operational challenges that existing security solutions, such as IAM, PAM, CSPM, IAG, Secret Manager, aren’t designed to address.

• IAM and PAM solutions focus on human identities and “break-glass" accounts used by humans. They are designed around a centralized management model where identities are provisioned and managed by a central team and are associated with an identifiable individual with the ability to leverage MFA.
• Secret Managers focus on vaulting of secrets, but are not identity-aware. Consequently, they lack the knowledge of ownership, usage, permissions and accessed resources. As a result, they can be used effectively to implement security policies or to automate processes like secret rotation.
• CSPMs are focused on cloud - not all NHIs live in the cloud - and take an infrastructure-first vs. identity-first approach. While CSPMs can show certain posture issues, they won't help to actually remediate the threat. As a result issues will just continue to pile up to the never ending list that the security team needs to take care of, with no solution or fix.

‍Non-human identities are deeply ingrained into operational systems and software. Lack of holistic visibility with relevant contextual information and control over their lifecycle could mean significant downtime for business critical applications when reacting to a threat or even during regular maintenance operations.