From PAM to NHI Management. How technology is opening up new challenges to securing machine-to-machine access


Published on October 2, 2024

As businesses increasingly rely on cloud services and external SaaS platforms, managing non-human identities has become more critical than ever.

In this webinar, join us as Ryan Frillman, CISO at Equifax Workforce Solutions, explores the security risks associated with cloud-based identity creation and the challenges posed by API-centric services. Learn how the rapid development of cloud technology introduces new vulnerabilities, particularly around the management of credentials embedded within code. Ryan will also discuss the balance between trust and automation in managing these identities, offering insights into best practices for securing machine-to-machine access.

Transcript:

Dorene Rettas:
Hi. I want to thank everyone for joining us today. This is our first session of three. We're going to be covering Non-Human Identity: the risks, the realities and how best to manage. I'm Dorene Rettas. I'm one of the co-founders here at Cybersecurity Tribe, and I'd also like to thank our partner for today's event, Oasis.

In this first session, which is titled "From PAM to Non-Human Identity Management: how technology is opening up new challenges to securing machine-to-machine access," Ryan Frillman, who's joining me, is going to cover the security risks that are associated with relying on cloud service providers and external SaaS products for identity creation. He's going to review the simplicity with which API-centric services can be accessed with just a single click, right? And that raises important questions about who oversees these vital credentials. The rapid development of technology in the cloud environment unveils unknown risks, which he's going to discuss, along with examining the delicate balance of trust and automation when the credentials remain unknown to human operators. So before I introduce Ryan and pass it off, I want to go over a few little housekeeping items. So in the bottom right, you're going to see a chat function. And in that chat function, when you ask something, it's for all participants to see. It's great for collaboration and responding to one another. The questions widget will just go to Ryan and myself, and those questions will be fielded at the end of the session, providing that we have enough time. Outside of that... oh, handouts! If you click the apps link, there's a handout, and within that, there's a variety of pieces of information, some collateral from our partner, Oasis, as well as a report on Non-Human Identity management, so you can download those at any point. As soon as I introduce Ryan, I'm going to go ahead and throw a poll up on the screen, and if you guys would just take the time to respond to the poll. Ryan is the CISO of Equifax Workforce Solutions. He leads teams in security across Equifax. He has longevity in cybersecurity leadership, but if I gave you his entire background, it would take the full session. So Ryan, I'm going to go ahead and get that poll up, and then from there you can take it over. Here we go.

Ryan Frillman:
All right, so really, the conversation here to get us started, as you look at the poll, is really kind of understanding: how do you treat your non-human, you know, concerning credentials? An aspect that we see all the time is, like, again, let me make sure everybody's on the same page of what we mean by non-human identities.

Non-human identities are system-to-system accounts, API secrets, what you would think of, like, people put in scripts that literally humans don't have interaction with; a lot of times they rely on them. Well, if there's not a human that's going to be typing it in or changing the password or using it on a day-to-day basis, it's more of those system-to-system accounts. So just to get everybody's baseline from a definition perspective, that's what we're really talking about here, those kind of accounts. And a lot of times, too, if you look at it, is, you know, what is the risk related to those accounts? You know, I would say, let's roll it back. If you look at, you know, where those accounts are being created, and the context of allowing two devices or two systems to communicate to each other, either internally or externally, is where really the risk lies. You get this kind of feeling of, oh, there is not a human interaction. So they may not have the same rigor as those that would be human accounts, because one may not know those passwords off the top of their head, or be utilizing password keepers, or what are considered to be PAM, privileged access managers, or secrets managers to house that information.

Let's really talk about the risk overall, related to non-human identities. And really, I kind of look at it as, if we look at the context of shadow IT from 10 years ago, or even five years ago, you know, you would say, hey, that has a lot of complexity. I mean, back at that point in time, you needed to have a physical device, you needed to have access to the network to plug it in, and you also needed to have the capacity for that said system to communicate to either the user base internally or those that are external. Meaning, in some cases, have a web interface.

Nowadays, if you look at that from a cloud service provider, anybody can get a SaaS, or what is considered software as a service. In the context of shadow IT, some of those SaaS providers, SaaS solutions, are free, which could be: one, maybe beneficial to the company, because they don't necessarily have to sign up and have expenditures to pay for those services; but sometimes, in the aspect of shadow IT, you look at it as anybody can set it up with any credentials and log into those, and sometimes those credentials could be the aspect of, hey, let's set up an API to have connections between maybe your system (it could be your PC or server that maybe you have access to that's on-prem, or in the same aspect it's within the cloud). Whatever, you name your favorite cloud service provider, we're able to subscribe to those containers or subscribe to those compute devices and communicate to those SaaS providers in the context of shadow IT.

There lies some of the risk, because now an individual, maybe an employee, is going outside of the company standards and utilizing those shadow IT devices, in this case a shadow IT, let's say, a cloud service, to communicate to another system, utilizing non-human identities. And they may not follow the same. Maybe you have some rigor around your non-human identities, where now you're outside that aspect.

So you look at it as an aspect, and I see some of you look like you are using the same rigor, and some of you are just not sure, or say no; understand that we have a limited number that have responded to that poll. The context, relatively, is the risk that we need to know about, and the aspect of, hey, what are you concerned about? In some cases, a lot of people are concerned about, if you do have that same rigor. For example, let's say you change the password, or have it set to a password expiration; it could cause an outage. Which is one of those things, from a technology perspective, that is a big loss, meaning it could have an impact to the company if it is a revenue-generating service.

So some of those things that you have to understand is, what's the ease of access to connect those APIs with a click of a button by managing those credentials? In some cases, you know, if you look at a non-human identity using APIs, the risk discussion is, well, we're just going to accept the risk because a human is not utilizing those user credentials, meaning they're not storing them, they're not writing them down, they're not using them day to day, and so it's hard to phish them or call them. They're not relatively going to give those credentials up, because they're immediately going to say, I don't know the password, or that is a system. Why would you ask me for those specific credentials? Now, again, if you look at it from a threat perspective, yes, our threat actors are being very sophisticated, where they may have a way of writing or conserving how they're talking to those individuals to get those credentials, or, more than likely, some of those individuals that would set up those credentials would say, hey, there's alarms. I'm not willing to give up that information to somebody that's on the phone. I don't know them. And it kind of goes more in that, hey, we're not going to share. So, a lot of entities accept that risk because, again, it's not known to the human on a regular basis; and some of those are programmatically not even known to the human in general, meaning they're hard coded in either a script or the base code, or even at that same time, as well, within the connection themselves. So, when we think about it, hey, I have to type in a username and password every time I log in to the system; if it is generated or is a part of a non-human, it's there without their knowledge, meaning it's built into the system itself.

So then you must ask yourself, hey, does the operational impact outweigh the credential misuse? And again, it's per organization. I would say it is how they would utilize it: is it internal? Is it external? How are those services being rendered? Are they automated, or, in the same aspect, have I built it into my CI/CD pipeline? As that builds up, I have the capability to store it in a secrets manager, so it literally pulls the secrets out of the secrets manager and then basically builds in a process. But as I mentioned before, that's where there are standard processes defined as far as how you look at your non-human identities. This is not the same context of what you don't know. So it's the common cliche of, I don't know what I don't know, or the unknowns of the unknowns, which is where I was discussing the shadow IT. So if an employee, or a contributing internal individual, sets up a service, they may not know that there is a standard practice. And also, too, they say, well, there is a standard practice. However, I'm building in the dev environment, or I'm building in, you know, an environment kind of like a sandbox that may not have the same rigor around there. Well, you have to figure out what that is. It's kind of like, again, if you look at it from your CMDB, I've got to know all my inventory in order to protect it. So you have to ask yourself, hey, I may accept the risk where I have standards in place, because I have enough compensating controls, or in some cases complementary controls, in place to lower the risk or make it an acceptable risk. But really we must identify, from an inventory, what about those other areas, or other non-human identities, that you don't know? So you're going to have a little bit of that practice, or you have to identify those areas, and also, too, have the tools to help you find those kind of conversations where you do have those non-human identities.

So, I did a little research, as well, as in, well Ryan, overall, this has, you know, been around for ages; since computers there have always been system accounts, there have always been baked-in accounts. What's the overall risk? So I did a little bit of research to understand that. And if you look at, for example, some of the reports that come out, either from, you know, Verizon or what's the cost of a data breach, you know, they have seen an uptick in those percentages, where between 71 or 72%, and the source is the Verizon data breach report, says, hey, an identity has been utilized to do either a lateral move or entrance into that environment. So if you look at that, if you look at your identities, you can also say, oh, if 71% roughly is causing those data breaches, how many of those are non-human versus a human identity? At the same time, as well, evaluate: do you even know where non-human identities are stored or even being managed? So you've got to kind of review those, your constant threat, and understand: hey, how am I managing my service accounts? And also, too, if I'm managing them manually, how many of those are being automated? So, if you can throw up the next poll, Dorene, I would kind of want to know, too, how many are looking at how to automate the management of your service accounts. So, kind of looking at it from a perspective of, I don't want to manually manage these because they could cause issues. They can cause outages. I'd rather just have a tool do it for me. That way, one, a human never necessarily knows the credentials, while two, I don't have to think about it, because it's all an already automated process that's being performed, and those credentials are being managed accordingly. Maybe I had the same as the previous question.
I want to have the same rigor around those, but I don't have to say, all right, at 11:59:59 on a Saturday night, when I know that potentially I'm going to have less traffic, we're all going to reset the passwords all at the same time, and it requires somebody to either, a, connect to your cloud service provider, or, in some cases, be it on-prem in the business, to click the button that says change the password to this password, and then spend the next two hours or an hour to do checkout to make sure there's no problems with that product. So it looks like, you know, I would say half of you all are looking at, you know, the yes perspective to try to automate, which is a good thing. You want to have less interaction. You could always say that there's the other side of the house of more human errors that cause problems within security, whether on purpose or by accident. So if you do have that automation aspect, you know you can rely on those to have less error related to a human.

So the other aspect, too, is, if you look at it from: how do you support? So, with the automation, what I mean by supporting, supporting technology, we look at AI, you know, that's the big buzzword the last year and a half, even though AI has been around for a while. Companies are looking to go faster and are saying, hey, technology, how can we take advantage of these new technologies and new capabilities, whether it's just being in the cloud overall, or an aspect of having AI. So, look at that aspect as a proof of concept. How long does it take to get from a POC to production? Because at the same time, too, as you look across the industry, the one that gets into production the fastest usually wins, right? Because, hey, I have a new service or have a new capability; more than likely, customers are going to subscribe to those early adopters or earlier services. To take advantage at the same time, too, being first to the market, you have a little bit more build time, meaning customer usage of your environment that can provide feedback to make your product even better. So it's more advantageous for those credentials, or non-human credentials, non-human identities, to be baked into their products faster, quicker. Hey, how do we do this? How do we get these system-to-system accounts? Going back to my first point of having the ability to do shadow IT with developers, you kind of have to look at that conversation of, how are we getting ahead of that? When we can manage those right from the front and say, hey, if you want non-human identities, here's our process on how to get those. At the same time, too,
here's the API to connect into that said tool and said device, so you can make sure that when you build, you're utilizing these credentials for the right purpose. At the same time, too, we understand from an inventory, within the security space, if we need to trigger, maybe we see credentials from a threat intel on these non-human identities, and we need to disable that account, or disable that service, whatever it may be, or rotate the credentials. We can do that programmatically with automation for our service accounts, to support our technology friends and also our business partners, to say they can deliver as fast as they can. At the same time, too, we have a close eye on these accounts to make sure that there's not going to be an issue going forward. And we also, too, at the same time, can review those credentials to understand, are they following the processes? And then also, we have tools that identify where we are using non-human identities to make sure that they're being reviewed on a regular basis, and at that same time, as I said in the first poll, following the rigor that we have in place.

Now, looking at, for example, inherited risk: where are the keys to the kingdom? Or where are the keys to the code base? I think that's another risk that we need to look at and evaluate from a non-human identity perspective. We look across the spectrum, and we look at, you know, top breaches that have occurred within the last, you know, maybe even two to three years. Some of that is because somebody looked through some public GitHubs, posted them on pastebin, and found some secrets that maybe were built into the code base, and that entity is not utilizing a secrets manager. So sometimes we kind of forget about that fact, and maybe it was a code base that was created maybe two years ago, or was developed in GitHub as a development aspect of that, and then that same code base was pushed to production. Well, there lies the issue of, we just made the news. We had a security event because those credentials were posted in that environment; somebody scanned the GitHub and found those credentials and posted them on pastebin, or worse, utilized those credentials to exfiltrate some data or do some lateral movement within that environment.

So, you would have these kind of capabilities where you look at a tool base and say, well, what are we doing? Are we just searching through GitHub to ensure that we're finding those credentials? Or, at the same time, too, are we evaluating how we are managing those non-human identities so that we can make sure, from an inventory control perspective, we know and understand the possibility of those keys or credentials being potentially replaced, or sorry, found within GitHub, that we need to identify, saying we need to turn those off? Or we know at some point they're having a rotation, so if their credentials or secrets are out there, there's a little bit of a risk aspect to it, but they're going to be rotated out because of, excuse me, the rotation that we have in place.

So, looking at those inherited risks, you also have to look at, is there a trust factor, right? As I mentioned earlier, with the trust factor of automation, if humans don't know the credentials, do we sometimes just say, all right, we just accept the risk? As stated before, human interaction with identities is one of those things that we have to identify. We have to figure out what is and what is not the risk that we're going to accept with non-human identities. So overall, from a gap perspective, you've got to know the risk, the reality. How are you managing the credentials? At the same time, as well, are you, or do you have the right tool in place to make sure that you're protecting your environment overall?

So, I think, Dorene, I think we can open it up to questions, because I noticed we don't have a lot of time here, but I want to make sure we get enough time for questions. Does anybody have any questions that they have immediately, based off of what was discussed today?

Dorene Rettas:
Ryan, we did get two questions submitted in the platform. And first of all, thank you so much. There were two things you said that really jumped out. Well, there was a lot that jumped out, but when you talked about the research you did into risk, right? And 71%, and if we could quantify that into non-human identities, that would be very helpful, right? Eventually, we'll get to that point. But also, when you said, do you know where your non-human identities are even being stored? And I can tell you from conversations that we have with CISOs, many don't, so that's a huge concern. Now let's get to the questions, because I do know we're hitting the end of time here. These are great questions. Do you have recommendations on how to communicate the risk of having non-human identities?

Ryan Frillman:
Yeah, so, I mean, I would look at it from the aspect of, you know, pick your favorite framework. Um, I used to be a MITRE employee, so I like the MITRE ATT&CK surface or MITRE ATT&CK matrix, and just kind of look at theirs, where you see anything related to identity, whether it be initial access or credential access, meaning that, from an attack perspective, any way they get in, and where they see lateral movements. Utilize those frameworks and say, hey, from a risk perspective, I can use this non-human identity and potentially do these kind of recourses, meaning, go along and do lateral movements, or use that as a way in to gain access to that system. That way you're explaining the risk; it's not, you know, again, it's not Ryan explaining the risk. These are frameworks that are being utilized to understand what those risks are, and also, too, it helps identify, hey, we have a gap in some of our areas that we need to improve upon, because the risk may not be accepted because of how it's being utilized. And again, utilize that Verizon data breach report. You know, there's tons of reports out there from a vendor perspective that you can use to support your, hey, here's the risk to the organization of the non-human identities.

Dorene Rettas:
And one more, and then we'll have to wrap up. So they asked: you mentioned platforms that help. Are there specific, excuse me, specifics you look for when selecting a platform?

Ryan Frillman:
Yeah, I look at, you know, depending on your organization, the biggest one is, I look for a hybrid approach. Like, if I'm on-prem or in the cloud, I would literally ask the vendor or ask the tool, hey, I have a little bit of both: do you support that environment? Because, again, you have non-human identities wherever you have compute services. So you could have it on-prem versus in the cloud, while at the same time, too, as I mentioned about shadow IT, see if it operates outside your boundary. Meaning, yes, you can utilize them with the SaaS platform to connect to, so look at those capabilities within how your environment is built. And at the same time, too, is the visibility: is the tool able to get complete visibility into your environment where you have non-human? Does it have the proper APIs to connect to your systems? Is it compatible with your secrets manager and your privileged access management solution, so you can understand how it's built out, of visibility, that yes, there are connections that you can get? All right, where's my IAM solution? Because most likely that's where that's going to be to start, or where I should be looking at my credentials, and then where I have, again, as I mentioned, a privileged access manager or secrets manager, where I have those solutions in place, you have to have those tools that are able to talk to each other. And then the last one would be, is it a support of our development team? Our development team is utilizing these systems on a regular basis. Are they able to connect to them to build the product? If they can't, you know, build it early in the pipeline, then it may not be the right solution for you. But also, at the same time, use all these as points that you, as yourself, as you manage your organization, would have to ask. Every organization is different, but I would look at these kind of points to help select the right tool.

Dorene Rettas:
Great points. I did see we had a couple more questions, as well as some commentary and questions in the chat. Unfortunately, we're not going to have time to address them here, but we do capture all of that. So we will get back to everyone via email. Ryan, I want to thank you again. You gave a lot of valuable information on non-human identities, and the management of them is just becoming increasingly important for organizations, especially, as you noted, with recent breaches. So your insights were very helpful. I want to thank our partner Oasis for helping us to put this on today, and I do hope that everyone that's participating here or attending here is able to join us in our next session, and that will include CISO Bezawit Sumner and Roey Rozi from Oasis, and they're really going to be focusing on the best practices around Non-Human Identity Management. So with that, thank you.

Ryan Frillman:
Thank you.
