How a healthcare provider gained comprehensive NHI visibility with Oasis

Oasis Team

Published on November 20, 2024

Managing a hybrid cloud environment with thousands of non-human identities (NHIs) is no small task. For one healthcare provider with 8,500 human identities, a medium-sized security team of 18, and an IT operations team of around 50, the challenge was achieving full visibility across both cloud and on-premises infrastructure. Over time, their environment grew to include more than 100,000 NHIs—spanning over 50,000 certificates, 10,000 service accounts, and countless API keys—creating an increasingly complex and unmanageable identity ecosystem.

Without centralized visibility or automation, the team struggled to manage critical risks like stale accounts and unrotated secrets. These gaps increased their attack surface and drained valuable time and resources from an already stretched security team.

"Non-human identity has been a challenge for years, especially with the explosive growth of cloud adoption, automation, and AI. Managing this manually is no longer an option," explained the Chief Information Security Officer (CISO).

The numbers that told the story

An initial analysis of their Azure environment—spanning 30+ subscriptions and 3 vaults—revealed:

  • 133 service principals hadn’t been used in over 30 days.
  • 46 privileged secrets hadn’t been rotated in months.

These findings emphasized the need for better visibility, governance, and automation to tackle their growing identity challenges effectively.

The challenge: fragmented visibility and manual remediation

The company was facing three main challenges in managing non-human identities:

  1. Limited NHI visibility across cloud and on-prem: They lacked a unified view of their NHIs, making it difficult to identify risks, such as stale accounts or overprivileged identities, across their hybrid environment.
  2. Time-consuming manual processes: Remediation efforts required significant manual intervention, delaying the resolution of critical issues.
  3. On-prem ownership gaps: Assigning and maintaining ownership for on-prem identities was particularly challenging, leaving gaps in accountability.

The solution: turning complexity into clarity with Oasis

Oasis worked closely with the organization to transform its approach to non-human identity management through a three-step strategy focused on Visibility, Security, and Governance:

  • Visibility: The first step was gaining complete visibility into their NHI environment. Without a single platform to consolidate data from multiple sources, the organization struggled to identify risks like stale accounts and overprivileged roles.
    • Unified NHI visibility: Oasis mapped all NHIs across the provider’s hybrid-cloud environment.
      "Seeing our entire environment in one place was a game-changer. Oasis showed us risks we didn’t even realize we had," shared the CISO.
    • Enhanced ownership for on-prem identities: With stringent onboarding and provisioning processes, Oasis ensured that every identity had a clear owner, enabling the enforcement of least-privilege principles.
      "Before Oasis, it was hard to know who was responsible for what. Now we have a clear structure that keeps us in control," said the CISO.
  • Security: With visibility established, the next step was reducing risk exposure by identifying critical gaps and developing tailored security policies.
    • Simplifying remediation with actionable insights: Oasis provided detailed insights into the highest-priority issues and actionable steps to resolve them. While remediation remained a manual process, the platform's guidance enabled the team to address risks faster and more accurately.
      "Oasis didn’t just highlight problems—they helped us focus on what mattered most and take the right actions," shared the CISO.
    • Credential rotation: By automating this previously manual process, the organization addressed one of its largest security gaps.
      "The ability to automate credential rotation has been huge. We no longer have to worry about lingering secrets becoming vulnerabilities," shared the CISO.
  • Governance: The final step was to begin establishing robust governance processes that aligned with their security and operational needs while minimizing disruption.
    • Automatic decommissioning process: Inactive non-human identities are automatically disabled based on time of use. For example, service accounts with administrative privileges that hadn’t been accessed within a defined threshold are deactivated, with a ticket and alert created for tracking.
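The two policies the case study describes, flagging service principals unused for more than 30 days and privileged secrets that have not been rotated, and disabling inactive privileged identities with a ticket and alert, can be expressed as a small inventory check. This is an added example and not Oasis's code; the identity records are constructed, and the 90-day rotation threshold is an assumption (the page only says "months").

```python
"""Stale-NHI policy check modelled on the thresholds in the case study (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

NOW = datetime(2024, 11, 20, tzinfo=timezone.utc)  # fixed "now" so results are reproducible
STALE_DAYS = 30       # page: service principals unused for over 30 days
ROTATION_DAYS = 90    # assumed threshold for privileged secret rotation (page: "months")


@dataclass
class Nhi:
    name: str
    kind: str                      # "service_principal" or "service_account"
    privileged: bool
    last_used: datetime
    secret_created: Optional[datetime] = None  # None when the identity holds no secret


@dataclass
class Finding:
    name: str
    issue: str
    action: str


def evaluate(identities: List[Nhi], now: datetime = NOW) -> List[Finding]:
    """Apply the stale-identity and rotation rules; return one Finding per violation."""
    findings = []
    for nhi in identities:
        idle = (now - nhi.last_used).days
        if idle > STALE_DAYS:
            # Page's decommissioning rule: inactive privileged identities are disabled,
            # with a ticket and alert for tracking; others go to the owner for review.
            action = "disable, open ticket, alert owner" if nhi.privileged else "flag for owner review"
            findings.append(Finding(nhi.name, f"unused for {idle} days", action))
        if nhi.privileged and nhi.secret_created is not None:
            age = (now - nhi.secret_created).days
            if age > ROTATION_DAYS:
                findings.append(Finding(nhi.name, f"privileged secret {age} days old", "rotate secret"))
    return findings


# Constructed sample inventory (not real identities).
SAMPLE = [
    Nhi("sp-billing-export", "service_principal", True, NOW - timedelta(days=45), NOW - timedelta(days=200)),
    Nhi("sp-ci-deploy", "service_principal", False, NOW - timedelta(days=2), NOW - timedelta(days=400)),
    Nhi("svc-backup-admin", "service_account", True, NOW - timedelta(days=31)),
    Nhi("sp-reporting", "service_principal", False, NOW - timedelta(days=60)),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE):
        print(f"{f.name}: {f.issue} -> {f.action}")
```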

Results: 50% reduction in non-human identity risks

In less than a year, the organization achieved 50% reduction in non-human identity risks with Oasis thanks to:

  • Proactive security posture: The team shifted from reactive remediation to building a forward-looking security strategy.
  • Improved triage and remediation: The team was able to prioritize and efficiently address risk with newly gained visibility into the criticality of issues (high, medium, and low priority).
  • Improved governance: Clear ownership and automated processes streamlined identity management.
  • Operational efficiency: Automation and actionable insights reduced manual workloads, freeing the team to focus on strategic initiatives.

"When we looked at the overall findings of the tool, we saw that we had reduced our nonhuman risk by 50% in less than a year. That’s something we never even thought possible," said the CISO.

Looking ahead

With a stronger foundation in place, the company is now focused on further automating processes, reducing remaining violations, and continuing to partner with Oasis to stay ahead of emerging risks.

"The automation and insights provided by Oasis have been instrumental in securing our Azure environment. We’re excited to continue this collaboration and explore more ways to strengthen our security posture," concluded the CISO.

At Oasis, we’re committed to helping organizations like yours navigate the complexities of non-human identity management with confidence. Could your team benefit from this level of insight and automation? Let’s talk.