The State of Non-Human Identity (NHI) Security
Reviewing key findings from Cloud Security Alliance (CSA)'s NHI Security Report
Welcome
By now you’ve heard me talk about the importance of securing Non-Human Identities, or NHI’s as they are referred to.
For a deep dive on the fundamentals of what NHI’s are and why securing them is key, you can see my previous efforts below:
CSA in collaboration with NHI Security firm Astrix recently published one of the most comprehensive NHI reports I’ve come across yet, and I wanted to take some time to unpack the findings.
Interested in sponsoring an issue of Resilient Cyber?
This includes reaching over 6,000 subscribers, ranging from Developers, Engineers, Architects, CISO’s/Security Leaders and Business Executives
Reach out below!
Key Findings
The report defines NHI’s as “bots, API keys, service accounts, OAuth Tokens and Secrets” and stresses their role in automating tasks, and driving innovation, especially in environments using Cloud, Microservices and API’s.
The report cites 5 key findings, which are:
Organizations have high anxiety and low confidence when it comes to NHI Security. This is driven by the fact that organizations are increasingly aware of NHI threats and incidents but lack a solid strategy and technical solution themselves to address the issue.
Organizations are struggling with fundamental NHI security practices such as managing service accounts, auditing and monitoring NHI’s or implementing concepts such as least permissive access control.
API keys and permissions associated with them continue to be a pain point, as only 20% of organizations have a process for off-boarding and revoking API keys or rotating them.
A lack of a focused product and solution for NHI security is leading to organizations cobbling together a variety of tools not focused on the use case or only covering aspects of it. This is leading to incidents due to issues such as a lack of credential rotation, insufficient monitoring and overprivileged accounts.
Lastly, there is an increased interest and signal that organizations plan to increase investment in NHI security to address these gaps, with 24% of organizations planning to invest in the next 6 months and 36% planning to do so in the next 12 months.
The report found that only 1.5 out of 10 organizations are highly confident in their approach to NHI security compared to 1 in 4 for human security.
This may seem alarming, but shouldn’t be surprising given the former has been a longstanding attack vector and thing for organizations to grapple with and consider, where NHI’s are more novel and modern when it comes to being such a pervasive consideration in attack surface management. This includes estimates that there are 20 NHI’s for every 1 human identity/credential.
While most organizations are only somewhat or moderately confident in their ability to secure human identities compared to NHI’s, the majority are either moderately or very concerned about NHI’s as an attack vector. This demonstrates a gap in the level of concern with the ability to actually address the threat.
One interesting finding was that organizations were particularly struggling with service accounts, especially in Snowflake environments. It was found that 23% of Snowflake users are service accounts, which is concerning, given organizations own admittance that they’re struggling to manage and secure service accounts. Couple that with recent Snowflake security incidents and it is certainly a cause for concern.
The report also illuminated insights into the most challenging aspects of NHI management. These concepts and practices are problematic with human identities, and are only exacerbated due to the sheet scale and opaque nature of NHI’s.
We also continue to see the broader software supply chain as a concern, with 38% of organizations reporting no or low visibility into third-party vendors connected by OAuth Applications. This means organizations have little to no understanding of who is connected, how, with what level of access nor the activities they are carrying out that may present organizational risks.
While it would be intuitive to think organizations are proactively managing NHI’s, that simply isn’t the case. The survey found that only 22% of organizations review permissions for their service accounts annually, and 19% do so randomly, if at all.
This flies in the face of a lot of the industry zero trust dialogue, which includes concepts such as least-permissive control. This means not only are many NHI’s overly permissive, organizations little to no proactive effort to right size their permissions. Given reports such as the Verizon DBIR continue to emphasize the role of credential compromise in security incidents, these are rich resources just ripe for abuse and will have a larger impact than if they were proactively monitored and managed.
Another major gap highlighted by the report was managing and off-boarding API keys.
We all know when it comes to accounts, credentials and access management, organizations need formal processes for the full account lifecycle, including provisioning and de-comissioning, as individuals change roles, move on from the organization and more.
The same can be said about NHI’s such as API Keys, however most organizations admitted to either have informal processes or formal processes that were only somewhat followed. This included only 20% of organizations have a formal process for off-boarding and revoking API keys and only 16% having a process for rotating or rolling back API keys.
This means these keys, much like user accounts would in the abcense of a formal process, are often never actually cleaned up, and when they do, it takes quite a while.
As demonstrated in their findings below, nearly half of teams surveyed take weeks or months to off-board or rotate/rollback API keys, if they do at all.
Another key finding, as we have mentioned is that organizations lack a single comprehensive solution to deal with NHI’s. As seen below, they are using a large array of tools and approaches to manage NHI’s.
This leads to a disjointed approach with disparate visibility, governance and monitoring.
Some of the key capabilities cited when asked what they would be looking for in a tool to deal with NHI’s involved things such as OAuth Apps, Management of Secrets throughout their lifecycle, identity discovery and tracking access and behavior.
Most security tools cited above provide only a subset of these activities which is leading the rise of NHI-specific products and vendors to address the current disjointed approach that organizations have to take.
This of course leads to increased risks of security incidents tied to NHI’s, as captured by the survey below:
There are some glimmers of hope among the survey though as well. Most notably is the fact that over half of the organizations involved stated that they plan to invest in NHI tools and solutions within the next 6-12 months.
This demonstrates that organizations realize both the current gaps they have when it comes to sufficient processes and tooling for securing NHI’s, as well as their need to address it.