
Chris Hughes
Contributing Writer

What are non-human identities and why do they matter?

Feature
03 Jun 2024, 8 mins

When digital systems need access and permissions they require credentials just like human beings. These non-human identities allow many components of complex systems to work together but present significant security issues.


Identity and access management (IAM) is so critical to cybersecurity that it has generated such universal axioms as “identity is the new perimeter” or “hackers don’t hack in, they log in” to underscore its importance.

That’s not surprising when reputable sources such as the Verizon Data Breach Investigations Report routinely name compromised credentials as a core attack vector for incidents and data breaches. Universal concern over IAM has led to an industry-wide push towards zero trust and the dissolution of the legacy network perimeter model in cybersecurity.

The discussion around IAM commonly focuses on securing usernames and passwords and identities associated with human users. But non-human identities (NHI) — digital and machine credentials associated with apps, devices, or other automated systems — have a vastly outsized access footprint compared to that of humans.

Non-human identities outnumber humans as much as 50 to 1

Some organizations have found that for every 1,000 human users there are typically 10,000 non-human connections or credentials — in some cases, NHIs can outnumber human identities by as much as 50 to one.

NHIs may include identity types such as service accounts, system accounts, IAM roles, and other machine-based identities used to facilitate authentication activities in an enterprise, and they are oriented around API keys, tokens, certificates, and secrets.

We also know that secrets continue to be a rapidly growing challenge in the age of cloud-native environments and methodologies, with millions of secrets being detected in scans of public GitHub repositories and thousands exposed in data breaches, such as that suffered by Samsung.

This explosion in NHIs has been led by factors such as the push towards microservices, Kubernetes clusters and containers, cloud integrations and automation, and the proliferation of third-party SaaS services that organizations are consuming.

An NHI is essential for machine-to-machine access and authentication

Each identity type has its own unique way of facilitating and governing the use of NHIs for machine-to-machine access and authentication. Not only are the NHIs vast in number but their governance is even more complicated, as they exist across the entire enterprise, among different tools, services, environments and more, often with security teams having limited visibility and control over their secure use or over their identity lifecycle.

The importance of securing NHIs isn’t lost on CISOs and security leaders — investment firm Felicis published a survey of over 40 US-based leading industry CISOs and found NHIs as the most-cited top pain point in need of a satisfactory solution. This illustrates just how many security leaders are identifying gaps in their identity security stack when it comes to addressing this emerging risk.

The importance of securing machine identities is emphasized in the US National Institute of Standards and Technology’s (NIST) foundational zero-trust publication “Zero Trust Architecture,” which emphasizes that NHIs are often granted special privileges and are acting on behalf of developers and system administrators.

NHIs are exponentially more challenging than human identities

Security teams pour significant energy and resources into securing human credentials and identities such as provisioning, least-permissive access control, scoping, decommissioning and robust security measures such as multifactor authentication (MFA).

But the sheer scale and opaqueness of NHIs within the enterprise and beyond — when accounting for third parties such as external service providers, partners, environments and more — makes them exponentially more challenging.

Developers, engineers, and end users across the organization and broader ecosystem often create NHIs and grant them access without a deep understanding of the implications of these long-lived credentials, their level of access, and their potential exploitation by malicious actors — without the governance or involvement of security teams.

This manifests in massively over-permissive identities. Some cloud-native security companies have found that only 2% of granted permissions are actually used, suggesting that there is a massive sprawl of ungoverned, often unsecured, identities with far more access and permissions than needed, making them ripe for exploitation and abuse by attackers.

NHI access is facilitated by Open Authorization

NHIs are a core part of enabling activities, workflows and tasks in enterprise environments, often using widely pervasive and popular software and services such as Google, GitHub, Salesforce, Microsoft 365/Azure AD, Slack and more.

A lot of the machine-based programmable access is facilitated by a popular online authorization standard known as Open Authorization, or OAuth for short. It can be used to facilitate delegated access for various client types such as browser-based applications, mobile applications, connected devices, and more.

OAuth utilizes access tokens, which are pieces of data used to represent the authorization to access resources on behalf of end users in the enterprise or beyond. OAuth uses core components to facilitate this activity including resource servers and owners, authorization servers, and clients.

The visualization below demonstrates a basic OAuth Flow:
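The exchange that visualization depicts, as an added Python example that is not from the original article: a resource owner consents at the authorization server, the client swaps a single-use code for a scoped, short-lived access token, and the resource server checks the token before releasing anything. The client id, secret, redirect URI, scope names and the protected resource are all constructed for the example.

```python
import secrets
import time

# Constructed stand-ins for the OAuth roles the article names; client id,
# secret, redirect URI and scope names are assumptions for this example.
class AuthorizationServer:
    def __init__(self, clients, token_ttl=300):
        self.clients = clients  # client_id -> (client_secret, redirect_uri)
        self.codes = {}         # one-time code -> (client_id, scope)
        self.tokens = {}        # access token -> {"client", "scope", "exp"}
        self.token_ttl = token_ttl

    def authorize(self, client_id, redirect_uri, scope, owner_consents):
        # Front channel: the resource owner consents and a short code is issued.
        reg = self.clients.get(client_id)
        if reg is None or reg[1] != redirect_uri or not owner_consents:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, frozenset(scope))
        return code

    def token(self, client_id, client_secret, code):
        # Back channel: the client authenticates and swaps the single-use code.
        reg = self.clients.get(client_id)
        entry = self.codes.pop(code, None)
        if reg is None or reg[0] != client_secret or entry is None or entry[0] != client_id:
            return None
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = {"client": client_id, "scope": entry[1],
                            "exp": time.time() + self.token_ttl}
        return tok

    def introspect(self, token):
        # A resource server asks the issuer whether the token is still live.
        info = self.tokens.get(token)
        return None if info is None or info["exp"] <= time.time() else info

def list_files(auth, token):
    # Resource server: every call needs a live token carrying files:read.
    info = auth.introspect(token)
    if info is None or "files:read" not in info["scope"]:
        return None
    return ["q2-report.pdf"]  # constructed protected resource

def run_flow(scope=("files:read",), consent=True, token_ttl=300):
    # One end-to-end authorization-code flow; returns (auth_server, token, files).
    auth = AuthorizationServer({"crm-app": ("s3cret", "https://crm.example/cb")}, token_ttl)
    code = auth.authorize("crm-app", "https://crm.example/cb", scope, consent)
    tok = auth.token("crm-app", "s3cret", code) if code else None
    return auth, tok, list_files(auth, tok) if tok else None
```

Note that once `run_flow` succeeds the token lives only inside the authorization server and client, which is the storage the article says an end user of an external SaaS has no control over.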

Software supply chain attacks are increasingly widespread

What makes the use of OAuth potentially problematic is that the consumer, or end user, when dealing with external services such as SaaS, has no control over how those OAuth tokens are stored. This is all handled by the external service provider or application.

This isn’t inherently problematic, except that we know that software supply chain attacks are on the rise. Attackers have realized it is far more effective to target widely used software suppliers than it is to target a single individual or customer organization.

These attacks are not only focusing on widely used open-source software components such as Log4j and XZ Utils, but also the largest software companies in the world, such as Okta, GitHub, and Microsoft. The Microsoft attack involved nation-state hackers abusing Microsoft Office 365 and its use of OAuth.

The incident even impacted the US government, leading to a Cybersecurity Safety Review Board (CSRB) report which made some damning claims about the security culture at one of the largest software companies on the planet. In Microsoft’s own guidance for responders dealing with the nation-state attack, they discussed how the APT was “adept at identifying and abusing OAuth applications to move laterally across cloud environments”.

OAuth is but one focus in these attacks, as discussed above, but attackers are also taking advantage of personal access tokens (PAT), API keys, service accounts, tokens and other forms of secrets which can be used to compromise internal systems and data or target external customers and connections.

NHIs are increasing in use and as an attack vector

This not only emphasizes the need to secure NHIs but also the need for organizations to have a robust SaaS governance plan in place. When it comes to cloud security, most organizations may be using two to three IaaS providers but several hundred SaaS providers, often not under the purview of internal security teams and with little to no security rigor regarding the level of access, the types of data shared, or visibility into those SaaS providers should they be impacted by a software supply chain attack.

The role of NHIs in material cybersecurity incidents is even making its way into US Securities and Exchange Commission 8-K filings, such as one recently filed by Dropbox, which stated: “The actor compromised a service account that was part of Dropbox Sign’s back-end, which is a type of non-human account used to execute applications and run automated services.”

This demonstrates both how pervasive NHIs are in the modern enterprise and their increased role as a target for malicious actors. NHIs are fundamental for the modern digital ecosystem and are used heavily both internally for cloud, development and automation as well as externally to integrate with the robust SaaS ecosystem in which all organizations now live.

Without a comprehensive approach to securing NHIs, CISOs and security teams may find themselves vulnerable and with a critical gap in their identity security strategy.


Chris Hughes currently serves as the co-founder and CISO of Aquia. Chris has nearly 20 years of IT/cybersecurity experience, ranging from active duty time with the U.S. Air Force and civil service with the U.S. Navy and General Services Administration (GSA)/FedRAMP to time as a consultant in the private sector. He is also an adjunct professor for M.S. cybersecurity programs at Capitol Technology University and University of Maryland Global Campus. Chris participates in industry working groups such as the Cloud Security Alliance’s Incident Response Working Group and serves as the membership chair for Cloud Security Alliance D.C. Chris also co-hosts the Resilient Cyber Podcast. He holds various industry certifications such as the CISSP/CCSP from ISC2, as well as both the AWS and Azure security certifications. He regularly consults with IT and cybersecurity leaders from various industries to assist their organizations with their cloud migration journeys while keeping security a core component of that transformation.
