Why is Non-Human Identity Management Required?

(April 30, 2024)

Several trends, such as cloud, microservices and DevOps, have fueled the exponential growth of NHIs (Non-Human Identities) in enterprise environments. Industry research shows that NHIs now outnumber human identities by as much as 45x. With more and more business processes being automated via AI and accessed by AI-enabled services, NHI growth is likely to accelerate even more and further increase the risk exposure.

This article explores why non-human identity management is required, provides examples of known incidents where attackers exploited NHIs, and explains why traditional identity management solutions offer only limited protection for NHIs. The article is an extract from 'The Essential Guide to Non-Human Identity Management', which is available to download.

Why NHIs Are Utilized by Threat Actors

Given their pivotal role, securing NHIs has become a critical, high-stakes objective: a compromised NHI can easily lead to data exfiltration and disrupted business operations. Attackers favor NHIs because their compromise is harder to detect and often goes unnoticed for long periods. Because NHIs cannot use MFA, a compromised NHI can become a long-term backdoor, and since NHIs often carry elevated privileges, the blast radius is large.

Solutions that rotate passwords on a fixed cadence to long, random values may help reduce the risk of account compromise. Because NHIs often govern service-to-service access across an organization’s infrastructure, once compromised they can also be leveraged for supply chain attacks.

Noteworthy Incidents Where Threat Actors Exploited NHIs

It is not surprising to see attacks on NHIs on the rise. A few recent prominent examples are:

  • Mercedes-Benz - The Mercedes-Benz breach occurred when a private key was inadvertently published in a public GitHub repository, granting unrestricted access to the company's source code.
  • Cloudflare - The Cloudflare incident occurred as attackers exploited multiple unrotated and exposed secrets. The chain of events began with the Okta breach in October 2023, during which the attacker gained administrative access to Cloudflare’s Okta system.
  • Microsoft AI Incident - The Microsoft AI breach occurred as researchers, while publishing a bucket of open-source training data on GitHub, accidentally exposed 38 terabytes of additional private data — including a disk backup of two employees’ workstations. The backup included secrets, private keys, passwords, and over 30,000 internal Microsoft Teams messages.

Traditional IAM Programs Not Suited for NHIM

Traditional IAM programs lack visibility into NHIs, which leaves them unmanaged, because traditional cybersecurity tools offer limited or no capability in this area.

IAM and PAM solutions focus on human identities. They are designed around a centralized management model in which identities are provisioned and managed by a central team and are associated with an identifiable individual who can use MFA.

Secret managers focus on vaulting secrets but are not identity-aware. Consequently, they lack knowledge of ownership, usage, permissions and accessed resources. As a result, they cannot be used effectively to implement security policies or to automate processes such as secret rotation.

Cloud Security Posture Management (CSPM) solutions can help, but they focus on cloud instances (and not all NHIs exist in the cloud) and take an infrastructure-first rather than an identity-first approach. While CSPMs can surface certain posture issues, they do not help to actually remediate the vulnerability. As a result, issues continue to pile up in the never-ending list the security team needs to work through, with no solution or fix.
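The three gaps above (fixed-cadence rotation, identity-aware knowledge of ownership, usage and permissions, and prioritised remediation rather than a growing posture list) can be expressed as a small lifecycle check. The following Python script is an added example written for this article; it is not code from the article, the guide it extracts from, or any vendor product. The inventory, the policy thresholds (90-day rotation, 60-day dormancy) and the coarse privilege labels are all constructed assumptions, as is the fixed reference date used so the run is reproducible.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Fixed reference time so results are reproducible (constructed value).
NOW = datetime(2024, 4, 30, tzinfo=timezone.utc)

# Policy thresholds are constructed for this example; tune to your own standard.
ROTATION_MAX_AGE = timedelta(days=90)   # credentials older than this must be rotated
DORMANCY_LIMIT = timedelta(days=60)     # unused for longer than this -> remove
ELEVATED = {"admin", "iam:write", "secrets:read-all"}  # coarse labels (constructed)

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}
_BUMP = {"low": "medium", "medium": "high", "high": "high"}


@dataclass(frozen=True)
class NonHumanIdentity:
    name: str
    kind: str                       # e.g. "cloud_access_key", "service_account", "api_token"
    owner: Optional[str]            # accountable team or person; None = unknown
    created: datetime               # when the current credential was issued
    last_used: Optional[datetime]   # None = never observed in use
    privileges: frozenset           # coarse permission labels


@dataclass(frozen=True)
class Finding:
    identity: str
    issue: str
    severity: str                   # "high" | "medium" | "low"
    action: str


def assess(nhi: NonHumanIdentity, now: datetime = NOW) -> List[Finding]:
    """Run lifecycle checks for one NHI: ownership, rotation age, dormancy, privilege."""
    elevated = bool(nhi.privileges & ELEVATED)
    # An NHI cannot answer an MFA prompt, so on an elevated identity the credential is
    # the only control; every hygiene issue found there is raised one severity level.
    level = (lambda s: _BUMP[s]) if elevated else (lambda s: s)
    out: List[Finding] = []

    if nhi.owner is None:
        out.append(Finding(nhi.name, "no_owner", level("medium"),
                           "assign an accountable owner before rotating or removing"))
    age = now - nhi.created
    if age > ROTATION_MAX_AGE:
        out.append(Finding(nhi.name, "rotation_overdue", level("medium"),
                           f"rotate credential (age {age.days} days)"))
    if nhi.last_used is None:
        out.append(Finding(nhi.name, "never_used", level("low"),
                           "confirm with owner; remove if not needed"))
    elif now - nhi.last_used > DORMANCY_LIMIT:
        out.append(Finding(nhi.name, "dormant", level("medium"),
                           f"disable and remove (unused {(now - nhi.last_used).days} days)"))
    if elevated:
        out.append(Finding(nhi.name, "elevated_privilege", "low",
                           "scope down to the resources actually accessed"))
    return out


def assess_inventory(inventory: List[NonHumanIdentity], now: datetime = NOW) -> List[Finding]:
    """Assess every NHI and return findings ordered highest severity first."""
    findings = [f for nhi in inventory for f in assess(nhi, now)]
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.identity, f.issue))


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity; all zeros means the inventory is clean."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample inventory: names, owners, dates and privileges are illustrative only.
SAMPLE_INVENTORY = [
    NonHumanIdentity("ci-deploy", "cloud_access_key", "platform-team",
                     NOW - timedelta(days=400), NOW - timedelta(days=1), frozenset({"admin"})),
    NonHumanIdentity("legacy-reporting-sa", "service_account", None,
                     NOW - timedelta(days=800), NOW - timedelta(days=200), frozenset({"read:reports"})),
    NonHumanIdentity("chatbot-token", "api_token", "ml-team",
                     NOW - timedelta(days=30), NOW - timedelta(days=2), frozenset({"secrets:read-all"})),
    NonHumanIdentity("backup-agent", "service_account", "infra-team",
                     NOW - timedelta(days=20), None, frozenset({"storage:write"})),
]


if __name__ == "__main__":
    results = assess_inventory(SAMPLE_INVENTORY)
    for f in results:
        print(f"[{f.severity:6}] {f.identity:22} {f.issue:18} -> {f.action}")
    print(summarize(results))
```

Two design points carry the article's argument. Ownership is checked first and its remediation is phrased as a prerequisite, because a secret manager that knows the value but not the owner cannot safely rotate or revoke it. Elevated privilege bumps every other finding, which is what turns a flat posture list into an ordered queue: the 400-day-old admin key lands at the top, while a recently created and recently used key with narrow scope produces no finding at all.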
  
Lack of visibility results in lack of action, which leads to more breaches and operational paralysis. Lack of lifecycle automation means that newly created NHIs remain ungoverned and that addressing issues carries huge operational complexity. To address the NHI attack surface without sacrificing operational efficiency, adding Non-Human Identity Management to enterprise IAM programs becomes essential.