Securing the Organization in the Era of the Non-Human Worker

Jan. 4, 2022

Statistics have shown the number of non-human workers is increasing. As global businesses continue to leverage cloud computing, DevOps, Internet of Things (IoT) devices, and other “things” to drive their digital transformation initiatives forward, this growth is only expected to continue. For example, by the end of 2020, 72% of organizations were expected to adopt Robotic Process Automation (RPA), with near-universal adoption expected by 2023.

While the use of non-human workers continues its upward trajectory, this further increases the security risks organizations face because of the access that is provided to these “workers.” Disappointingly, organizations typically apply access controls to only humans (employees, contractors, etc.) — despite the risks associated with cyberattacks and data breaches linked to non-human workers and their privileged access to sensitive information.

Human vs. Non-Human Workers and Their Security Considerations

A human worker is employed on a full-time, part-time, or contract basis or completes tasks on behalf of a third-party vendor. This worker can be given access to different organizational accounts and systems, based on their role and responsibilities.

Comparatively, a non-human worker can be a robot or application responsible for myriad organizational tasks or responsibilities. Like a traditional worker, a non-human worker is assigned access to various accounts and systems, and the lifecycle for human and non-human workers is virtually identical. If any worker begins completing tasks for an organization, they must be provided access to the appropriate accounts and systems. Then, the worker can complete their defined tasks. Once the worker no longer requires access to specific organizational accounts and systems, the access privileges must be terminated. On the other hand, if a worker's responsibilities change, their access privileges must be updated accordingly.

 While many organizations successfully track and manage human worker access to accounts and systems, few organizations dedicate the necessary time and resources to do the same for non-human workers. In cases where non-human worker access privileges are ignored or don’t receive the same level of attention as those associated with human workers, serious problems can arise. 

For example, consider what happens when a human worker leaves an organization. The organization must revoke the worker's access to any accounts and systems. In doing so, the organization eliminates the risk that the worker could illegally access these accounts and systems in the future. The organization also closes the loop on the lifecycle for this worker, so no orphaned accounts can potentially remain accessible and pose cyber risks down the line.

But what happens when a non-human worker is no longer needed? For many organizations, a non-human worker, e.g., a bot, service account, IoT device, application, etc., may be deactivated at this time — but the worker's access privileges are ignored and remain intact. In the event an organization does not revoke access to accounts and systems associated with this non-human worker, cybercriminals may be able to exploit the orphaned accounts for unauthorized access. As a result, cybercriminals can use this access to initiate cyberattacks.

Consider this for example 70% of global organizations are unable to fully discover their service accounts, and 20% have never changed their account passwords on their service accounts. This demonstrates the significant risks these non-human workers present.

Organizations must track and manage the identity lifecycle of these non-human workers; otherwise, cybercriminals can launch attacks that wreak havoc across an organization. With the proper approach to the monitoring and management of the identity lifecycle of non-human workers, organizations can improve operational efficiencies while at the same time reducing the attack surface and stopping cyberattacks, data breaches, and compliance issues associated with these entities and their access.

How to Secure the Lifecycle of Non-Human Workers

Having an end-to-end approach to the identity lifecycle of non-human workers ensures an organization can both drive digital transformation while effectively securing its IT environment. It’s essential for organizations that are trying to scale their operations across on-premise, hybrid, and cloud infrastructures.

To secure the identity lifecycle of non-human workers, an organization must first be able to identify them. This requires it to consider:

●      Who and what makes up my workforce, including employees, end-users, and vendors?

●       Which IoT devices must be managed?

●       What bots are being used?

●       What RPAs are used to manage repetitive activities?

●       What service accounts need to be monitored?

●       Are there compliance mandates that must be followed?

●       How are account and system access tracked and managed?

●       Are validation processes in place to verify the presence of non-human workers and how are identities and accounts associated with these workers being used?

●       With what frequency do non-human workers and their identities need to be audited and revalidated?

Next, an organization must establish processes, procedures, and systems to verify all non-human workers are correctly assigned the appropriate access privileges. This requires it to:

● Identify non-human workers for accounts and systems

● Create processes, procedures, and systems to ensure all non-human workers and the identities associated with them are closely monitored and managed

● Avoid privileged groups, as account misuse can be difficult to detect if accounts are placed into groups with built-in, shared privileges

● Perform regular audits to understand how, when, and why non-human workers and their identities are being used

● Create reports and review them regularly; this ensures reports can be used to identify and address anomalous non-human worker patterns

● Develop a non-human worker deprovisioning and offboarding process; this mitigates the risk of orphaned, unmanaged, and outdated non-human accounts

● Leverage access rights management software to ensure non-human worker access privileges are properly set up and appropriate permissions are granted

Lastly, an organization must create and maintain an authoritative record for all non-human workers, at the worker level as opposed to the access level. This system serves as a unified source for managing and monitoring the identity lifecycle of the non-human worker. It also reduces the risk of human errors, security risks, and compliance violations.

Forrester estimates that non-human identities (including bots, robots, and IoT) are growing twice as fast as human identities across many organizations. While these non-human workers clearly provide value and will only continue to become more widely adopted across IT environments, they also present significant risks if not managed appropriately. With a proactive approach, organizations can continuously monitor and manage their non-human worker identities, improve operational efficiencies, and ensure they’re well-equipped to prevent costly cyberattacks and data breaches before they happen. In addition, they can easily manage key identity lifecycle stages for non-human workers and conduct audits as needed. Perhaps most significantly, organizations can close the gap on the non-human worker identity lifecycle and ensure privileged access is only granted when needed and that access is removed when that need no longer exists — without fail. 

About the author: David Pignolet is the CEO at SecZetta. With nearly two decades of experience in application, network and data security, David founded SecZetta in 2006, putting together a highly experienced team and securing strategic partnerships to address a growing need for better IT security and identity and access management in the market. As a successful entrepreneur, David has founded two IT management and security companies working with medium and large enterprises in healthcare, finance and retail. He is a former member of the Air Force National Guard, where he specialized in combat communications focusing on encrypted secure communications.

About the Author

David Pignolet | David Pignolet is the CEO at SecZetta.

David Pignolet is the CEO at SecZetta. With nearly two decades of experience in application, network and data security, David founded SecZetta in 2006, putting together a highly experienced team and securing strategic partnerships to address a growing need for better IT security and identity and access management in the market. As a successful entrepreneur, David has founded two IT management and security companies working with medium and large enterprises in healthcare, finance and retail. He is a former member of the Air Force National Guard, where he specialized in combat communications focusing on encrypted secure communications.