The exponential growth of non-human identities (NHI) – service accounts, system accounts, IAM roles, API keys, tokens, secrets, and other forms of authentication that cannot be associated with human users – has led to an increase in their involvement in security incidents and data breaches.
Here are three important things to focus on when building your approach to securing NHIs.
1. Discovery and posture
For every 1,000 human users in an organization there are typically 10,000 non-human identities or credentials. This means that the basic functions of discovery, inventory, and continuous monitoring are essential.
This work must cover every environment, whether internally hosted and managed enterprise IT systems or external environments such as SaaS platforms; the latter pose additional visibility and monitoring challenges for organizations.
That’s why organizations need strong SaaS governance programs in place, and they can draw on resources such as the Cloud Security Alliance (CSA)’s SaaS Governance Best Practices for Cloud Customers guide.
It is one thing to have policies and a governance program, but organizations must also have modern security tooling capable of maintaining visibility across the NHI environment regardless of where those credentials and connections exist.
While visibility is an excellent first step, and is consistent with long-standing best practices such as asset inventory, you also need tools that provide rich context to help prioritize NHI-related risks appropriately. Visualizations such as communication maps can show the interactions that occur, the systems, products and vendors involved, and the associated risks.
This includes information on what permissions each NHI has, such as what it can read and write, the privilege level of those NHIs (such as administrative-level access) and more. To support the broader push toward least privilege, you also need to be able to determine, from the access NHIs have been granted, which permissions are actually used. This helps right-size permissions and supports zero-trust principles such as preventing unauthorized access.
We know from reports that only 2% of granted permissions are used, which means 98% of the permissions assigned to accounts are unnecessary and over-permissive. These credentials continue to be prime targets for attackers and one of the leading causes of data breaches, per sources such as the latest Verizon data breach report.
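The granted-versus-used comparison described above, as an added example that is not from the article or any vendor's product: it takes an IAM-style policy and a usage log for one principal, reports which grants were never exercised (including wildcard grants such as `iam:*`), and emits a least-privilege policy containing only the actions actually observed. The policy, the principal ARN and the log records are constructed samples; mapping a CloudTrail-style `eventName` directly to an IAM action name is a simplification that holds for most control-plane calls but not every API.

```python
"""Right-size an NHI's permissions from observed usage (added example, constructed data)."""
import fnmatch
import json
from collections import Counter

# Constructed sample: the role under review and the policy currently attached to it.
PRINCIPAL = "arn:aws:iam::123456789012:role/report-generator"
GRANTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject",
                                       "s3:DeleteObject", "s3:ListBucket"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"},   # admin-level wildcard grant
        {"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": "*"},
    ],
}

# Constructed sample: CloudTrail-like records covering the review window.
USAGE_LOG = [
    {"userIdentity": PRINCIPAL, "eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"userIdentity": PRINCIPAL, "eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"userIdentity": PRINCIPAL, "eventSource": "s3.amazonaws.com", "eventName": "ListBucket"},
    {"userIdentity": PRINCIPAL, "eventSource": "kms.amazonaws.com", "eventName": "Decrypt"},
    # Activity by a different principal must not count toward this role's usage.
    {"userIdentity": "arn:aws:iam::123456789012:role/other",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateUser"},
]


def granted_action_patterns(policy):
    """Return the set of Allow action patterns in a policy (patterns may contain '*')."""
    patterns = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        patterns.update(actions)
    return patterns


def used_actions(log, principal):
    """Count 'service:Action' strings the principal actually invoked.
    Simplification: eventName is taken as the IAM action name."""
    counts = Counter()
    for rec in log:
        if rec["userIdentity"] != principal:
            continue
        service = rec["eventSource"].split(".")[0]
        counts[f"{service}:{rec['eventName']}"] += 1
    return counts


def right_size(policy, log, principal):
    """Compare grants with usage and build a policy limited to observed actions."""
    granted = granted_action_patterns(policy)
    used = used_actions(log, principal)
    used_patterns = {p for p in granted if any(fnmatch.fnmatchcase(a, p) for a in used)}
    unused_patterns = granted - used_patterns
    # Wildcards are flagged separately: even a "used" wildcard should be narrowed.
    wildcard_patterns = sorted(p for p in granted if "*" in p)
    # Usage not covered by any grant means the log and the policy are out of sync.
    uncovered = sorted(a for a in used if not any(fnmatch.fnmatchcase(a, p) for p in granted))
    least_privilege = {
        "Version": policy["Version"],
        # Resource stays '*' only because the sample log carries no resource ARNs;
        # scoping resources is the next step after scoping actions.
        "Statement": [{"Effect": "Allow", "Action": sorted(used), "Resource": "*"}],
    }
    return {
        "used_actions": dict(used),
        "used_patterns": sorted(used_patterns),
        "unused_patterns": sorted(unused_patterns),
        "wildcard_patterns": wildcard_patterns,
        "uncovered_actions": uncovered,
        "unused_ratio": round(len(unused_patterns) / len(granted), 2) if granted else 0.0,
        "least_privilege_policy": least_privilege,
    }


if __name__ == "__main__":
    print(json.dumps(right_size(GRANTED_POLICY, USAGE_LOG, PRINCIPAL), indent=2))
```

On the sample, half of the grants were never exercised and the `iam:*` wildcard is among them; the proposed replacement policy keeps only `kms:Decrypt`, `s3:GetObject` and `s3:ListBucket`. A review window that is too short will misclassify rarely used but legitimate actions as unused, so the output is a proposal to confirm with the owning team, not a change to apply blindly.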
That means these NHIs are just sitting there waiting to be compromised by an attacker, and when they are, attackers are able to abuse those permissions, access sensitive data and take other damaging actions that affect the organization, its systems and its data.
Effectively monitoring and managing your organization’s NHI-related posture requires considering a wide range of factors. These include the permissions assigned and actually used, the reputation of the vendors and products involved, real-time behavioral context such as suspicious activity, and threat intelligence such as a recent breach or incident involving a vendor. Together, these concepts and this context can be used to holistically reduce organizational risk related to NHIs.
2. Third-party breach response and credential rotation
NHIs often facilitate communication with third parties, such as business partners, customers, external SaaS providers, and more. If one of those third parties experiences a security incident, it requires a robust breach response and rotation of any NHIs that were affected as part of the incident.
The first step in any breach response is to understand whether you have been affected; the ability to quickly identify any affected credentials associated with the third party that experienced the incident is critical. You need to be able to determine what those NHIs are connected to, who uses them, and how to rotate them without disrupting critical business processes, or at least understand those implications before rotating.
We know that in a security incident, speed is king. Being able to outpace attackers and reduce response time through documented processes, visibility, and automation can be the difference between mitigating the direct impact of a third-party breach and ending up on the list of affected organizations because of a third-party relationship.
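The "am I affected, and what breaks if I rotate" step described in this section, as an added example that is not from the article: given a constructed NHI inventory (which vendor each credential authenticates to, who consumes it) and a constructed map of internal system dependencies, it selects the credentials tied to the breached vendor, walks the dependency graph to get the transitive blast radius of each, and orders the rotation plan highest privilege first. Vendor names, credential ids, system names and the privilege ranking are all assumptions for the sample.

```python
"""Third-party breach: find affected NHIs and size the rotation impact (added example)."""
from collections import deque

# Constructed sample inventory: one record per NHI, with the vendor it authenticates to
# and the internal systems that hold and use the credential.
INVENTORY = [
    {"id": "nhi-001", "type": "api_key", "vendor": "ExampleSaaS",
     "privilege": "write", "used_by": ["billing-worker", "reporting-job"]},
    {"id": "nhi-002", "type": "oauth_token", "vendor": "ExampleSaaS",
     "privilege": "read", "used_by": ["crm-sync"]},
    {"id": "nhi-003", "type": "service_account", "vendor": "internal",
     "privilege": "admin", "used_by": ["ci-runner"]},
]

# Constructed sample: consumer -> systems downstream of it (a credential outage there
# propagates along these edges).
DEPENDENCIES = {
    "billing-worker": ["invoice-portal"],
    "invoice-portal": ["customer-web"],
    "crm-sync": ["sales-dashboard"],
    "reporting-job": [],
}

# Assumed ordering: rotate the most privileged credentials first.
PRIVILEGE_RANK = {"admin": 0, "write": 1, "read": 2}

# Generic rotation sequence; the point is that revocation comes last.
ROTATION_STEPS = ["issue new credential", "distribute to all consumers",
                  "verify consumers authenticate with new credential", "revoke old credential"]


def affected_credentials(inventory, vendor):
    """Every NHI that authenticates to the vendor that reported the incident."""
    return [c for c in inventory if c["vendor"] == vendor]


def blast_radius(consumers, dependencies):
    """Transitive set of systems disrupted if these consumers lose their credential."""
    seen = set()
    queue = deque(consumers)
    while queue:
        system = queue.popleft()
        if system in seen:
            continue
        seen.add(system)
        queue.extend(dependencies.get(system, []))
    return seen


def rotation_plan(inventory, dependencies, vendor):
    """Per affected credential: consumers, impact, and whether cutover needs coordination."""
    plan = []
    for cred in affected_credentials(inventory, vendor):
        impact = blast_radius(cred["used_by"], dependencies)
        plan.append({
            "credential": cred["id"],
            "type": cred["type"],
            "privilege": cred["privilege"],
            "direct_consumers": sorted(cred["used_by"]),
            "impacted_systems": sorted(impact),
            # Several consumers share the secret: all must receive the new one before
            # the old one is revoked, or one of them breaks.
            "needs_coordinated_cutover": len(cred["used_by"]) > 1,
            "steps": ROTATION_STEPS,
        })
    plan.sort(key=lambda p: (PRIVILEGE_RANK[p["privilege"]], -len(p["impacted_systems"])))
    return plan


if __name__ == "__main__":
    for item in rotation_plan(INVENTORY, DEPENDENCIES, "ExampleSaaS"):
        print(item["credential"], item["privilege"], item["impacted_systems"],
              "coordinated cutover" if item["needs_coordinated_cutover"] else "single consumer")
```

The quality of this output is only as good as the inventory feeding it: a credential that was copied into a second system without being recorded is exactly the one whose rotation causes an unplanned outage, which is why the discovery work in the first section has to come before the response playbook.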
3. Anomaly detection – more than a static posture
Although we know that posture management is a basic security function, it is not a silver bullet. Being able to proactively identify suspicious activity associated with your organization’s NHIs is critical to determining what behavior is normal and what should be cause for concern, such as potential threats or malicious activity.
Suspicious behavior can be identified using various factors, such as source IPs, geolocations, Internet Service Providers (ISPs), and the API functionality invoked. If these factors deviate from the established baseline for an NHI, they may indicate malicious activity and warrant further investigation, or even remediation if an attack or compromise is confirmed.
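The baseline-and-deviation approach described above, as an added example that is not from the article or any product: it builds a per-identity profile of the four factors the text names (source IP, country, ISP, API action) from constructed historical events, then scores new events by how many of those factors are unseen for that identity, weighting them unequally. The events, weights and threshold are assumptions chosen for the sample; the weighting reflects a common tuning choice that a new IP on the same provider is routine for cloud workloads, while a new country or a new API action is not.

```python
"""Per-NHI behavioral baseline and deviation scoring (added example, constructed data)."""
from collections import defaultdict

# Constructed sample: known-good API calls observed during the baseline window.
BASELINE_EVENTS = [
    {"nhi": "svc-backup", "ip": "203.0.113.10", "country": "US", "isp": "ExampleCloud", "action": "s3:PutObject"},
    {"nhi": "svc-backup", "ip": "203.0.113.11", "country": "US", "isp": "ExampleCloud", "action": "s3:PutObject"},
    {"nhi": "svc-backup", "ip": "203.0.113.10", "country": "US", "isp": "ExampleCloud", "action": "s3:ListBucket"},
    {"nhi": "svc-report", "ip": "198.51.100.5", "country": "DE", "isp": "ExampleHosting", "action": "s3:GetObject"},
]

# Constructed sample: events arriving after the baseline was built.
NEW_EVENTS = [
    # New IP, otherwise identical: expected churn in a cloud egress pool.
    {"nhi": "svc-backup", "ip": "203.0.113.12", "country": "US", "isp": "ExampleCloud", "action": "s3:PutObject"},
    # Write-only identity suddenly reads, from a new provider in a new country.
    {"nhi": "svc-backup", "ip": "192.0.2.77", "country": "NL", "isp": "UnknownVPS", "action": "s3:GetObject"},
    # Same origin as always, but an action this identity has never used.
    {"nhi": "svc-report", "ip": "198.51.100.5", "country": "DE", "isp": "ExampleHosting", "action": "s3:DeleteObject"},
    # Identity with no baseline at all: not in the inventory, worth a look on its own.
    {"nhi": "svc-ghost", "ip": "198.51.100.9", "country": "DE", "isp": "ExampleHosting", "action": "s3:GetObject"},
]

# Assumed weights: how much a first-time value in each dimension contributes to the score.
WEIGHTS = {"ip": 1, "isp": 2, "country": 3, "action": 3}
ALERT_THRESHOLD = 3  # assumed: a new country or new action alone is enough to alert


def build_baseline(events):
    """Map each NHI to the set of values seen per dimension."""
    baseline = defaultdict(lambda: defaultdict(set))
    for event in events:
        for dim in WEIGHTS:
            baseline[event["nhi"]][dim].add(event[dim])
    return baseline


def score_event(baseline, event):
    """Sum the weights of every dimension whose value is new for this identity."""
    profile = baseline.get(event["nhi"])
    if profile is None:
        # No history means nothing can be called normal; treat as fully anomalous.
        return {"score": sum(WEIGHTS.values()), "reasons": ["no baseline for identity"]}
    score, reasons = 0, []
    for dim, weight in WEIGHTS.items():
        if event[dim] not in profile[dim]:
            score += weight
            reasons.append(f"new {dim}: {event[dim]}")
    return {"score": score, "reasons": reasons}


def detect(baseline, events, threshold=ALERT_THRESHOLD):
    """Return one alert per event whose deviation score reaches the threshold."""
    alerts = []
    for event in events:
        result = score_event(baseline, event)
        if result["score"] >= threshold:
            alerts.append({"nhi": event["nhi"], "action": event["action"], **result})
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(alert["nhi"], alert["score"], "; ".join(alert["reasons"]))
```

On the sample, the IP-only change scores 1 and is suppressed, while the three other events alert. In practice the baseline is rebuilt on a rolling window and the alert feeds the remediation workflows the next paragraphs describe (rotation or permission restriction), with the reasons list giving the analyst the specific deviations rather than a bare score.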
Not only are security teams often understaffed, but they also often lack a deep understanding of the organization’s entire system and third-party ecosystem, including which permissions are assigned and which associated uses are appropriate.
That’s why modern security tools aimed at protecting NHIs often provide automated remediation workflows, such as rotating credentials or restricting granted permissions, to mitigate threats. They should also integrate with the existing security stack to help SOC and security teams respond quickly and effectively.
Putting it all together
By combining discovery and posture controls, breach response, and anomaly detection, organizations are able to reduce the risks associated with their NHI footprint.
Given the magnitude of the problem, with modern organizations having tens of thousands of NHIs distributed across and operating in both internal and external systems, dealing with these risks manually is simply not practical. Organizations must rely on identity and access management (IAM) and identity threat detection and response (ITDR) tooling to perform these tasks at scale.