The New Security BattleGround: Non-People Identities

February 21, 2022 by Secure360 and UMSA

This is a guest blog post on behalf of Sonrai Security, one of our 2022 Secure360 Gold sponsors! Thanks for sharing this content with us.

From Sega to Capital One and SolarWinds, data breaches monopolize the headlines and often have one thing in common: non-people, or machine, identities. As impacted enterprises recover, there’s debate over why these breaches happen and how cloud security can improve. But one thing everyone can agree on is that traditional security is dead, and the cloud is the killer. The paradigm has changed. Traditional security approaches no longer work. People and non-people are the new battleground. As Cybersecurity and Infrastructure Security Agency technical strategist Jay Gazlay clearly said during the most recent Information Security and Privacy Advisory Board meeting, “Identity is everything now.”

Enterprises have gone from monolithic applications to microservices; waterfall development to agile; IT control to DevOps control; data centers to cloud architectures; person-deployed infrastructure to code. With expectations for securing cloud environments at an all-time high, security teams are struggling to control non-people identities. Responsible teams must reimagine how they manage security.

According to a benchmark study from Dimensional Research and the Identity Defined Security Alliance, 94% of companies have experienced an identity-related breach while 74% have already had an identity breach. Nearly every major data breach in headlines today involves the compromise of an identity and subsequent manipulation of people and non-people identity permissions to gain access. Non-people identities have rights to data and these rights make breaches more impactful. If you aren’t managing the non-people identities, your enterprise is losing the battle.

 

Non-people Identities Defined

Non-people identities take many forms, but in general they can act intelligently and make decisions on behalf of a person’s identity. Common non-people identities include roles, service principals, serverless functions, infrastructure as code (IaC), containers, VMs, applications, scripts, and compute resources.

The ephemeral nature, sheer volume, and lack of visibility make non-people identities challenging to manage. With container orchestration, the typical lifetime of a container is 12 hours (1). Serverless functions, already adopted by 22% of corporations (2), spin up and are gone in seconds.

Due to the sheer volume of non-people identities that proliferate across an organization, it’s tough to manage related risk at scale. An average enterprise may run 1,000 virtual machines or more at a time in virtualized environments and public clouds. They may have thousands of connected devices and multiple SDI components spread across a global footprint. There are far more non-people identities than people identities and oftentimes in areas of which security teams are completely unaware.

It is not unusual for enterprises to have over 10,000 roles defined across their cloud estate (2), many impacting non-human identities. Data is no longer in one centralized place. It is being used by all these identities. To minimize risk, we need to continuously discover, classify, audit, and protect data, while enforcing least privilege.

 

Non-people Identities Need to Maintain Least Privilege

Least privilege has always been a fundamental security principle, giving identities only the permissions required to get their work done. Nothing more. Enforcing least privilege security controls across all identities is a best practice and the most effective way to reduce overall risk to identities. Least privileged access should be applied for every access decision, answering the critical questions of who, what, when, where, and how identities access resources.

Effective permissions, or the full permission sets that are granted to an identity, must be understood. Effective permissions paint a true picture of what an identity can do and what it can access. Enterprise organizations must understand the end-to-end effective permissions of non-people identities to ensure data security.

 

Effective Permissions Must Be A Priority

Identity is the new perimeter. Comprehensive identity management for all identities, people and non-people, is required. Failure to implement these capabilities in their technology ecosystem will expose enterprises to security and compliance risks. Key goals are increasing security, enforcing compliance, reducing business risk, and driving towards business growth and innovation.

Here are some tips that enterprises can use to protect non-human identities.

  1. Continuously inventory all identities
  2. Continuously evaluate their effective permissions and monitor for changes
  3. Ensure identity security solutions are in place and configured to manage privileged non-human identities
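To make the first two tips concrete, here is an added example (not code from Sonrai or the original post) that computes effective permissions across role-assumption chains and reports drift between two inventory snapshots. The identity names, permission strings, and the snapshot data model are all hypothetical and constructed for illustration.

```python
# Constructed inventory snapshots: identity -> direct permissions and roles it may assume.
# All names are hypothetical sample data, not taken from any real cloud account.
SNAPSHOT_MON = {
    "fn-resize-images": {"kind": "serverless", "perms": {"storage:read"}, "assumes": ["role-media"]},
    "role-media": {"kind": "role", "perms": {"storage:write"}, "assumes": []},
    "vm-batch-01": {"kind": "vm", "perms": {"queue:read"}, "assumes": []},
}
SNAPSHOT_TUE = {
    "fn-resize-images": {"kind": "serverless", "perms": {"storage:read"}, "assumes": ["role-media"]},
    "role-media": {"kind": "role", "perms": {"storage:write"}, "assumes": ["role-admin"]},
    "role-admin": {"kind": "role", "perms": {"iam:*", "storage:delete"}, "assumes": []},
    "vm-batch-01": {"kind": "vm", "perms": {"queue:read"}, "assumes": []},
}

def effective_permissions(inventory, identity):
    """Union of direct permissions and those of every transitively assumable role."""
    seen, stack, perms = set(), [identity], set()
    while stack:
        name = stack.pop()
        if name in seen or name not in inventory:  # guard against cycles and dangling refs
            continue
        seen.add(name)
        perms |= inventory[name]["perms"]
        stack.extend(inventory[name]["assumes"])
    return perms

def permission_drift(old, new):
    """Report, per identity, which effective permissions were gained or lost."""
    report = {}
    for name in sorted(set(old) | set(new)):
        before = effective_permissions(old, name) if name in old else set()
        after = effective_permissions(new, name) if name in new else set()
        if before != after:
            report[name] = {"gained": sorted(after - before), "lost": sorted(before - after)}
    return report

if __name__ == "__main__":
    for name, change in permission_drift(SNAPSHOT_MON, SNAPSHOT_TUE).items():
        print(name, change)
```

In the sample data the serverless function's own attachments never change, yet its effective permissions grow because a role it assumes gained a path to an admin role; only an end-to-end evaluation surfaces that.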

At the very least, enterprises need to be in control of all identities and their interactions within their environments. Therefore, enterprises must work to eliminate shared accounts so that all human or non-human identities interacting with systems have an identity that can be managed and used for applying the Principle of Least Privilege, Least Access, and Separation of Duties, while working towards visibility, traceability, and accountability. It is also essential that organizations have a standard, policy-based way of managing identities, which are common targets of compromise for malicious actors.

 

If you want to learn more about how exactly Sonrai is positioned to help you secure, configure, constantly monitor and remediate your cloud – we are always here to help. Contact us today to start a conversation, or request a demo at www.sonraisecurity.com.

Filed Under: Guest Posts, Cybersecurity

About Secure360 and UMSA

The Secure360 and UMSA team is made up of professionals in the security and risk management industries. Topics of expertise range from physical security, IT, risk management, cybersecurity, cloud, information security and records management.
