Best practices to secure Non-Human Identities

Published on October 2, 2024

The growing reliance on cloud services and SaaS applications has highlighted the importance of securing non-human identities.

In this webinar, join cybersecurity experts Bezawit Sumner, CISO at Crisp, and Roey Rozi, Director of Solutions Architecture at Oasis Security, as they discuss best practices for managing and securing non-human identities. They will explore how these identities, which extend beyond service accounts to include API keys and tokens, pose unique risks due to their privileged nature and lack of human oversight. Learn about the critical need for lifecycle management, automated processes, and the importance of prioritizing identities based on their risk profile.

Discover actionable strategies to protect your organization from emerging threats related to non-human identities in today’s complex cloud environments.

Transcript:

Dorene Rettas:
Thank you all for joining us today for our second session under the online event of non-human identity: the risks, the reality and how best to manage. I'm Dorene Rettas. I'm one of the co-founders here of Cyber Security Tribe, and I want to thank Oasis, our partner, for helping us to put on this event. I'm pleased to be joined by two thought leaders. I have Bezawit Sumner, also known as Bez. She is the CISO of Crisp, and Roey Rozi, who's the director of solutions architecture at Oasis Security.

They're going to be discussing best practices to secure non-human identities. If you weren't in the first session, I just want to go through a couple of little housekeeping items. So in the bottom right, you'll notice a chat function. The chat function is great because it allows you to type something in there, but the other attendees can see it as well, and so you can respond to each other, which is wonderful for collaboration. We also have a questions widget. If you put something in the questions, it's only going to go to us speakers. Lastly, there is a widget for handouts. It might be under an Apps icon on the bottom, and there, there's a few different pieces of thought leadership, including a report, which you can download at any point during today's session. So with that, I'm going to let Roey start and kick it off. And Roey, I'd love for you to just give an overview of what non-human identities are. I know a lot of folks think immediately of service accounts, but it goes far beyond that. So could you enlighten us all?

Roey Rozi:
Thanks, Dorene. First of all, thanks for getting us all here. So what are non-human identities? The way we look at it is that non-human identities are any identities that are not managed by your existing human-centric stack. So think of all of your SSO and MFA: a new employee comes in, a user is automatically created. He leaves, everything is automatically deprovisioned. Anything that's not managed directly through that stack we would consider a non-human identity, and that includes service accounts in Active Directory or in other services, but it also includes API keys, tokens, anything that can connect between applications and, if not deprovisioned when an employee leaves, remains.

Dorene Rettas:
Okay, thank you. So that's actually a lot to think about and be aware of.

Bez, I know we've talked about this in the past. In your opinion, why are non-human identities oftentimes more dangerous than the human identities?

Bezawit Sumner:
Well, thank you Dorene, and thank you, Roey. So to the same, you know, the definition provided on non-human identities, we always think about, you know, human, it's best with accounts, and I know how to protect it. And one of the first things that we think about for protection is MFA. Right? We have multi-factor authentication to protect human accounts, but we have no MFA on these privileged accounts. Or usually there's, we have to think about the equivalent of what that MFA is for non-human identities. And the number has increased for these identities because of, you know, as Roey said, SaaS applications, or we have SSO, so we want multiple applications to be able to deliver on the work that we're doing. And we have, you know, set up microservices; we went from what we were used to, to these smaller microservices. And then now, with the use of AI, we're only getting more and more of these non-human identities, and they're mostly highly privileged, because they have to do work. You know, they're alive 24/7, essentially, they're working 24/7, and that makes them very highly privileged. And these identities are created without a true owner, because they're created maybe as a result or as a residual account. And they are not necessarily being seen all the time, because someone is not probably logging into them all the time, and in the cloud world that we live in right now, within cloud service providers as well as with SaaS applications, we have just seen the increase, and this is also with work from home, right? When we went remote, there were a lot of reasons for us to use a lot of services that were going to help us. So with all of this, Dorene, it has made it that much more complex to manage these non-human identities.

Dorene Rettas:
Thank you. And Bez, if you don't mind, I'm just going to stick with you for a minute.

Bezawit Sumner:
Okay

Dorene Rettas:
So how do you think cyber leaders should approach the management of non-human identities? Because that's a huge undertaking, and something that I think oftentimes has been forgotten or not focused on. So what do you need to be doing as a cyber leader today?

Bezawit Sumner:
Absolutely. One, we always have to think about the asset inventory of it, right? We have to know how many, what do we have? How many of it do we have? And we have to have the life cycle of management, managing all of the identities that we're creating, whether knowingly, unknowingly or, as I said, residual. So we have to have an inventory of identities, and we have to have a clear ownership of who, you know, what these service accounts, or any of the identities that we talked about, what they're doing, and you know where their place is, or whatever the case may be in their use of it. So we have to have a life cycle of managing identities, and within the life cycle of managing the identities, we have to have a process of purging unused ones, right? I think sometimes we set it and forget it, because we're not necessarily seeing it. So make sure you know you have an inventory. What are they? What are these identities doing? What are they used for? Assign a clear owner to all of these identities, so that if and when you have to reach out, even for internal management, there's a clear path to managing those. And within one study, there is a 1 to 45 ratio of human identities to non-human identities, and that could be many, depending on what research we're looking at, but that shows you the sheer volume and the sheer amount of work that one has to do. So it has to be an automated process in order for us to manage these identities, because one human account, what, leaves an organization? That's one thing. But if there really is that 1 to 45, it makes it very difficult, and we have to manage the process of onboarding and offboarding this identity asset; it has to be automated. So overall: asset inventory, identify ownership, clear ownership and clear use, and manage through that with an automated process. That would be the start and something that's manageable, scalable.

Dorene Rettas:
Thank you, Bez, that was super helpful. I'll tell you. It's interesting. I started talking about non-human identities with our CSO community somewhere around February or March, and immediately some were like, Oh, I've never thought about non-human identities, or Oh, you mean service accounts, right? And then Bez, you and I spoke, and you were like, this is something I've been talking about for a while. So fast forward, that was only February.

We're talking really seven months, and it feels like everybody is thinking about non-human identities today. And obviously there was a major breach in the news that was related to non-human identities. So that's raised the awareness. But as I speak with more and more CISOs about their focus over the next year and identity and access management comes up, they oftentimes will say, you know, non-human identities, this is something I really need to pay attention to, or we haven't figured out a solution yet. So Roey, on that, figuring out a solution. Let's discuss the most effective approaches to mitigating risk of non-human identities.

Roey Rozi:
Terrific. So this is something we've been doing a lot with a lot of different organizations. I've been working closely with leaders and administrators to do this. So the first challenge is always, as Bez mentioned, creating the inventory, getting all of the data into one place, and there's a lot of different systems. So the non-human identities can be all over the place. They could be on-prem in Active Directory and identities in databases, and they can also be in the cloud, in different cloud providers and their different identities and access keys that they have, and also in different SaaS products, which is a very long tail. Think of all of your SaaS products: Salesforce, Snowflake, databases, all of them can create service accounts and API keys that are being shared across the organization, and just creating an inventory of all that is the first step, getting all the information into one place. Once we have that inventory, what we will want to do is prioritize everything, right? So understand what has the most privileges, or where your crown jewels are residing, and say, Okay, these are the most important identities, and they should be governed with the utmost care. So this will change for different organizations. Bez, in your case, for example, right? What would be the crown jewel?

Bezawit Sumner:
Oh, the data that we have, all the data that we need to and we're protecting the safeguard of, you know, safeguarding on behalf of our participants.

Roey Rozi:
And is all data the same, or would there be some data that is more privileged?

Bezawit Sumner:
There are some that would be, you know, privileged, and part of it is making sure that we understand which ones are considered the protected health information, and then which ones are, you know, potentially business sensitive, but you're right. And in the crown jewel aspect of it, it would be any of our systems that are hosting the protected health information, which is crown jewels for us.

Roey Rozi:
That sounds very accurate for what we've been seeing. For example, so healthcare, it's always PHI, their health information, and also some critical business trade secrets, things like that. With financial institutions, it's sometimes different. It's all about credit card information, PCI or other sensitive banking information, insider trading, things like that. So the first step is to identify the riskiest identities based on what type of access they have, either high permissions, wide permissions, or access to specific pieces of data. And that'd be prioritizing. Second level is prioritizing based on risk. So to give a few examples: if you have one identity which is shared with just one place, internal, not Internet facing, it's interesting, but it's more protected; but identities that are Internet facing, which you can log into from every machine, so any IP can log into them, and also have wide access and also have been lying there for a long time, or maybe shared with a third party, will be higher prioritized for remediation, for setting up automatic rotation, for example, or it's more important to know who's the owner responsible for them. So that's the prioritizing part, which we always like to start with. And then the last step is to prioritize based on specific risk factors, for example, identities that might have been exposed in a breach, or that an offboarded employee still has access to and they're Internet facing, and then we will always tell the customer to disable or rotate this identity as the first step. And then we can go down by the priority, starting with the highest privileged ones and going down the stack.

Dorene Rettas:
Thank you for that. Any other thoughts around, perhaps, things that cyber leaders aren't thinking about today as it relates to those non-human identities? I mean, Roey, we obviously mentioned some of the industries that are very prevalent in concerns, right? And obviously it's vertical, industry wide, excuse me. But anything else that cyber leaders need to be thinking about?

Roey Rozi:
So, I think an interesting thing that often is missed is to rethink the priorities. Often, when I get on calls with CISOs, especially ones that have been in the game for a long time, they instinctively think about on-prem Active Directory legacy accounts, which are definitely important and have been there for a while, and are a great thing to fix, and auditors look at them all the time. But in terms of risk, I think a lot of the newer SaaS platforms that are Internet facing, that have a lot of data that you don't think about, Office 365, modern databases, different SaaS tools, are a place that's often neglected, and I think should be cared about just as much, if not even more.

Dorene Rettas:
Perfect. Thank you. Bez. Anything else on your side?

Bezawit Sumner:
Yes. And one thing I want to build off of what Roey just said is, maybe as leaders, what we have to be aware of is that none of these certifications or audits we're doing are coming and asking us about our life cycle of non-human identity. So part of it is for us to be proactive and making sure that we're thinking about all the ways that, you know, wherever the business processes are, whatever is important to our organization. So it's not because it's going to show up on our account or our reports, or it's not going to show up on the reports of the firms or vendors or whomever we're working with. So I think it's important for us to be mindful that it's out there. There's a risk that comes with it, and with all the things we talked about from risk prioritization, so as much as we're doing it for ourselves and it's not going to show up in our audit reports, it's very important that we care about it in our vendor risk assessments, that we even consider and say: how are you doing these things? Because it doesn't necessarily show up, not explicitly, and not in the healthcare space that I've seen it so far.

Dorene Rettas:
Oftentimes things aren't a problem until they truly are a problem. And what I'm about to say goes across all areas of cyber security, but most definitely when it comes to non-human identity, and it's a silly analogy, if you will, but we had been getting alerts, of course, in Florida, about tornadoes at one point, and like anything, you just kind of go, oh yeah, it's not a problem, until we actually drove right through a very serious tornado. And, you know, fortunately, we were able to live to tell about it. But as a result of that, we became much more aware of what to do. So when you think about non-human identities right now, there are probably those out there that say, oh, you know, I don't need to worry about that just yet, or it hasn't been raised from an audit perspective. But the reality is, that's until something happens. So the idea, to Bez's point, is to be proactive, be on top of it now, before it becomes too late.

I saw that we did have some questions come in through the platform, but unfortunately, we're running out of time because we have another session right after this. So for those of you who submitted questions, and thank you for that, we're going to get back to you via email. They're not going to go unanswered. That's the good news. Roey and Bez, I want to thank you both for joining me today and sharing this information, which I think is very helpful to our audience. Of course, a huge thank you to Oasis for partnering with us for this. And Roey, I know I'm going to see you for the next session, so I'm hoping all in attendance here will be able to join us there, because this is where the rubber meets the road. Roey is going to share some information on some true case studies and the results of those. So look forward to seeing you all there. Thank you so much.