Non-human identities (NHIs) refer to digital entities such as API keys, OAuth tokens, devices, service accounts, and machines. NHIs are a leading concern for security teams because they can pose a significant risk to an organization, yet most companies do not have proper visibility into them.
Where do NHIs play a role?
Non-human identities (NHIs) are prolific in most modern organizations that rely heavily on cloud or SaaS. End users create these identities to connect applications for integration purposes, to support break-glass and emergency access, and to provide contextual access to services. In cloud and developer infrastructure such as AWS, GCP, GitHub, and Azure, NHIs are integral to automation and microservices.
Most often these NHIs are not managed by the central IT team; they can be created and managed by individual users without the direct approval of IT or security. These mechanisms of access, which may include API keys or OAuth tokens, introduce additional vulnerabilities that attackers can exploit if they are not properly secured. This can significantly increase the attack surface of an organization without the security team even being aware of it.
Types of non-human identities
The following is a list of the various types of NHI that an organization may encounter:
- API Keys: depending on the SaaS or application, API keys may be scoped to an organization or to a user. These keys allow applications to interact with each other and are generally essential for app-to-app integration. Exposure of API keys can open an organization up to unauthorized access, data breaches, and system disruptions.
- OAuth tokens: are digital credentials used in OAuth 2.0, an authorization framework that lets an application access resources on behalf of a user or another application without sharing credentials such as passwords. These tokens come in two flavors: access tokens, which grant limited-time access to resources, and refresh tokens, which are used to obtain new access tokens when the old ones expire. OAuth tokens may be used by applications, services, or IoT devices to authorize interactions between systems without hardcoding credentials into code or configuration files, which reduces the risk of credential leakage and misuse. If tokens are not adequately protected, however, they can be intercepted and replayed by a malicious actor to gain unauthorized access, so secure storage, transmission over TLS, and regular rotation of OAuth tokens are critical for maintaining the security of non-human identities.
- Machine identity: is a somewhat overloaded term, but generally refers to infrastructure identities, i.e. the machines or workloads running applications or infrastructure. Machine identities generally engage in authentication and authorization between services with no human in the loop. They are typically managed using cryptographic keys, digital certificates, and other credentials that validate and secure interactions between services. Proper management of machine identities helps prevent unauthorized access, data breaches, and disruptions by ensuring that only authenticated and authorized machines can interact with each other, which is vital for maintaining the integrity, confidentiality, and availability of systems and data.
- Device identity: overlaps with machine identity, but generally refers to a device that an end user uses for work, such as a smartphone or workstation. Each device is assigned a unique identifier, often in the form of a digital certificate, cryptographic key, or other credential that validates its authenticity. Device identity is often used in access control decisions when a user requests access to a resource or application. As companies adopt multi-factor authentication (MFA) to verify end users, devices become a bigger part of the attack surface, since compromising the device can allow exfiltration of the access tokens, API keys, or other credentials that live on it.
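The API key and OAuth token entries above both warn about exposure of credentials in code or configuration. The following scanner is an added example written for this article (not code from the original page): it reports credentials that match the publicly documented shapes of AWS access key IDs, GitHub personal access tokens and Google API keys, and falls back to a Shannon-entropy check for any other long value assigned to a secret-looking name. The SAMPLE text is a constructed .env/source fragment; the AWS key in it is the documented AWS placeholder and the other values are made up to fit the formats.

```python
"""Detect exposed API keys and tokens in source or config text.

Added example, not code from the original article. The fixed-format patterns
are the publicly documented shapes of AWS access key IDs, GitHub personal
access tokens and Google API keys; the SAMPLE input is constructed.
"""
import math
import re
from collections import Counter

# Known credential formats: a distinctive prefix plus a fixed length keeps
# false positives low, so these are reported without an entropy check.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github_pat": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    "google_api_key": re.compile(r"\b(AIza[0-9A-Za-z_\-]{35})\b"),
}

# Generic catch-all: a secret-looking variable name assigned a long
# token-like value. Matched values are only reported if they look random.
GENERIC = re.compile(
    r"(?i)\b\w*(api[_-]?key|secret|token|password)\s*[:=]\s*"
    r"['\"]?([A-Za-z0-9_\-/+=]{20,})['\"]?"
)


def shannon_entropy(value: str) -> float:
    """Bits per character. Random base64-ish secrets sit near 5-6 bits;
    words and padding such as 'aaaa...' sit far lower."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def scan(text: str, entropy_threshold: float = 3.5) -> list[dict]:
    """Return one finding per exposed credential: line, type and value."""
    findings: list[dict] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append({"line": lineno, "type": name, "value": m.group(1)})
        for m in GENERIC.finditer(line):
            value = m.group(2)
            # Skip values a specific pattern already reported on this line.
            if any(f["line"] == lineno and f["value"] == value for f in findings):
                continue
            if shannon_entropy(value) >= entropy_threshold:
                findings.append({
                    "line": lineno,
                    "type": "high_entropy_" + m.group(1).lower(),
                    "value": value,
                })
    return findings


def redact(value: str) -> str:
    """Never echo the full secret into logs or CI output."""
    return value[:4] + "..." + value[-4:]


# Constructed sample: a leaked .env / source fragment. The AWS key is the
# documented AWS placeholder; the others are made up to fit the formats.
SAMPLE = """\
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
google_api_key = "AIzaSyA-CONSTRUCTED_EXAMPLE_KEY_0000000"
password = "hunter2"
token = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
db_token = 'q8Zr2LpX0vT9mKwE4nYb7cJdH3sGfA6uRiO1eVlN'
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f['line']:>3}  {f['type']:<24} {redact(f['value'])}")
```

The entropy threshold is a heuristic: the low-entropy `token = "aaaa..."` line is deliberately left unreported, while the random-looking `db_token` value is flagged even though no fixed format matches it. Findings are redacted before printing so the scanner itself does not become a second leak in CI logs.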
Non-human identity use cases
The following is an illustrative list of a handful of use cases where non-human identities are used today:
- Robotic Process Automation (RPA): uses software robots or “bots” to automate repetitive, rule-based tasks traditionally performed by human workers. These tasks include data entry, transaction processing, and generating reports, among others. RPA is relevant to security concerns for non-human identities because these bots often require access to sensitive data and systems to perform their tasks effectively.
- Service Accounts: are accounts generally used for integration or troubleshooting. A service account may be dedicated to a single user or shared across a group or team. Service accounts represent a significant risk to the attack surface of an organization: they are often poorly monitored, they tend to have broad permissions, and they may not be protected by traditional controls such as multi-factor authentication (MFA).
- Infrastructure: machine identity is used extensively when building out infrastructure, typically to secure service-to-service interactions.
- Application integrations: OAuth or API tokens are a common pattern for integrating Software as a Service (SaaS) applications. When two SaaS applications need to communicate or share data, these tokens facilitate this interaction by providing a secure and standardized method for authorization.
- Device-aware access: uses device identity to verify and control which devices can access specific network resources and services. Each device is assigned a unique digital identity, often a certificate, cryptographic key, or other secure credential, so that only authenticated and authorized devices can communicate with the network. When a device attempts to access a resource, its identity is validated through these credentials, allowing granular access control based on the device's trust level, location, type, and security posture.
- Automation tools: automation scripts, tools, or pipelines may use NHIs to authenticate to databases, infrastructure, or other applications and services. Automation tooling can be very hard to inventory because it may be built and managed by disparate teams and may not go through the typical software development lifecycle or pipelines.
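The application integrations item above relies on the access-token/refresh-token pair described under OAuth tokens, and the practical questions are what an integration does when the access token expires and what happens if a refresh token is stolen. The following is an added example (not code from the original article or any particular SaaS vendor): FakeAuthServer stands in for a token endpoint that rotates the refresh token on every use and revokes the whole token family when an already-rotated refresh token is replayed, and TokenClient is the integration-side cache that refreshes ahead of expiry. The client id, client secret and timestamps are constructed.

```python
"""Access-token caching with refresh-token rotation and reuse detection.

Added example, not code from the original article. FakeAuthServer stands in
for a SaaS token endpoint; the client id/secret and all timestamps are
constructed. Rotating the refresh token on each use and revoking the family
on reuse of a consumed token is the behaviour the OAuth 2.0 Security BCP
recommends for public and long-lived clients.
"""
import hmac
import secrets
from dataclasses import dataclass

# Constructed registration. A real client loads its secret from a vault or
# environment variable, never from source or config checked into git.
REGISTERED_CLIENTS = {"svc-reporting": "constructed-client-secret"}


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float  # unix seconds


class FakeAuthServer:
    """Simulated token endpoint: short-lived access tokens, refresh token
    rotated on every use, reuse of a rotated refresh token treated as theft."""

    def __init__(self, access_ttl: int = 3600):
        self.access_ttl = access_ttl
        self.active: dict[str, str] = {}     # live refresh_token -> family id
        self.consumed: dict[str, str] = {}   # rotated refresh_token -> family id
        self.revoked_families: set[str] = set()

    def _issue(self, family: str, now: float) -> TokenSet:
        rt = secrets.token_urlsafe(32)
        self.active[rt] = family
        return TokenSet(secrets.token_urlsafe(24), rt, now + self.access_ttl)

    def initial_grant(self, client_id: str, client_secret: str, now: float) -> TokenSet:
        """Stands in for the end of an authorization-code or similar grant."""
        expected = REGISTERED_CLIENTS.get(client_id, "")
        if not hmac.compare_digest(expected, client_secret):
            raise PermissionError("invalid_client")
        return self._issue(secrets.token_hex(8), now)

    def refresh(self, refresh_token: str, now: float) -> TokenSet:
        if refresh_token in self.consumed:
            # Replay of a rotated token: the client or an attacker is out of
            # sync, so neither party keeps access until a new grant happens.
            self.revoked_families.add(self.consumed[refresh_token])
            raise PermissionError("refresh token reuse detected; family revoked")
        family = self.active.pop(refresh_token, None)
        if family is None or family in self.revoked_families:
            raise PermissionError("invalid_grant")
        self.consumed[refresh_token] = family
        return self._issue(family, now)


class TokenClient:
    """Integration-side cache: refresh ahead of expiry and always keep the
    newest refresh token, because the previous one is dead after rotation."""

    def __init__(self, server: FakeAuthServer, tokens: TokenSet, skew: int = 60):
        self.server, self.tokens, self.skew = server, tokens, skew
        self.refreshes = 0

    def access_token(self, now: float) -> str:
        if now >= self.tokens.expires_at - self.skew:
            self.tokens = self.server.refresh(self.tokens.refresh_token, now)
            self.refreshes += 1
        return self.tokens.access_token


def run_scenario() -> dict:
    """Normal use, then an attacker replays a stolen (already rotated)
    refresh token. Returns what happened so the outcome can be checked."""
    t0 = 1_700_000_000.0  # constructed epoch
    server = FakeAuthServer(access_ttl=3600)
    client = TokenClient(server, server.initial_grant(
        "svc-reporting", "constructed-client-secret", t0))

    first = client.access_token(t0 + 10)       # fresh: served from cache
    stolen_rt = client.tokens.refresh_token    # attacker copies it here
    again = client.access_token(t0 + 3000)     # still cached
    rotated = client.access_token(t0 + 3600)   # inside skew window: refreshed

    try:
        server.refresh(stolen_rt, t0 + 3700)   # attacker replays the old token
        replay_rejected = False
    except PermissionError:
        replay_rejected = True

    try:
        client.access_token(t0 + 7300)         # legitimate refresh now fails too
        family_revoked = False
    except PermissionError:
        family_revoked = True

    return {"cache_hit": first == again, "rotated": rotated != first,
            "refresh_count": client.refreshes,
            "replay_rejected": replay_rejected, "family_revoked": family_revoked}


if __name__ == "__main__":
    print(run_scenario())
```

Revoking the family on replay cuts off the legitimate integration as well as the attacker; that is deliberate, since the server cannot tell which holder of the stolen token is which, and it is the signal that should page the owner of the integration.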
Why non-human identity management is important
Managing non-human identities is crucial to cloud security and identity security programs. Modern organizations rely on a large number of cloud services, infrastructure components, and SaaS applications, creating an ecosystem that is ripe for cyberattacks that leverage NHIs. According to a recent article by CSO Online, the proliferation of these identities is extreme and they may outnumber human users by as many as 50 to 1.
Security teams must prioritize visibility into and management of non-human identities to mitigate the associated vulnerabilities and potential data breaches. Frequently, solid identity and access management (IAM) and identity governance and administration (IGA) practices can provide visibility into NHIs and help secure them. Furthermore, NHIs, particularly service accounts, API keys, OAuth tokens, and machine identities, benefit from a least-privilege lens: the scope of what each of these identities can access, and what it is authorized to do, can be limited to exactly what its workload requires.
Summary
Non-human identities must be part of a comprehensive cybersecurity strategy that includes secrets management, monitoring, and lifecycle management. Effective management of these identities strengthens the security posture of cloud-native applications and workloads, protects companies against infrastructure misconfiguration, and protects access to sensitive data across system boundaries.