How to Address an Overlooked Aspect of Identity Security: Non-human Identities
Compromised identities and credentials are the No. 1 tactic that cyber threat actors and ransomware campaigns use to break into organizational networks and then move laterally. Identity is the most vulnerable element in an organization’s attack surface because there is a significant misperception around what identity infrastructure (IdPs, Okta, and other IT solutions) and identity security providers (PAM, MFA, etc.) can protect. Each solution protects only the silo it is set up to secure, not an organization’s complete identity landscape, which includes human and non-human identities (NHIs), privileged and non-privileged users, on-prem and cloud environments, IT and OT infrastructure, and many other areas that go unmanaged and unprotected.
As we’ve seen with recent breaches like the Microsoft Midnight Blizzard attack, SolarWinds Orion IT incident, and Okta breach, threat actors are manipulating NHIs and waiting longer in environments, looking for the optimal moment to pounce. Within the large pool of NHIs, service accounts – used for machine-to-machine communication within Microsoft Active Directory (AD) environments – are among the most concerning: they are a go-to target for attackers given their high access privileges, low visibility, and the difficulty of protecting them.
According to a recent report, only 5.7% of organizations have complete visibility into their service accounts, leaving a considerable percentage with unknown and unprotected NHIs. To make matters worse, NHI manipulation and the number of them will only accelerate as we rely more and more on machines, which are often overlooked, creating a massive gap in a company’s security posture.
If recent headlines and research have taught us anything, it’s that NHIs need to be understood and protected now.
The Growth of NHIs
While NHIs have been a staple of enterprise IT for decades, their sheer volume has increased exponentially in the last few years, making them top of mind for security teams. For example, a large organization with 100,000 AD users would likely have 23,000 active service accounts, whereas in smaller companies, nearly half of all AD users are service accounts.
Given the pivotal role NHIs play in ensuring seamless operations in digital environments, on average, 30% of an organization's user accounts today are service accounts. Due to their widespread use, service accounts pose significant security challenges, necessitating robust management and protection measures to prevent unauthorized access.
The Impact of NHIs on Organizations
Most organizations use a combination of on-prem management tools, one or more cloud identity providers (IdPs), and a handful of identity solutions (PAM, IGA) to secure identities. But each tool operates in a silo, leaving gaps and blind spots that lead to more successful attacks. 8 out of 10 organizations cannot prevent the misuse of service accounts in real time because visibility and security are sporadic or missing.
NHIs fly under the radar as security and identity teams sometimes don’t even know they exist. The risks associated with a breached service account are severe since it can compromise an entire SaaS environment. Even though service accounts are not supposed to be synced from AD to the cloud IdP, it’s extremely common for identity teams to sync them inadvertently. While these accounts can’t be used to access SaaS resources by default, an attacker who has gained admin access privileges to the cloud IdP can activate them and assign them access privileges, proving that each NHI expands an organization's attack surface. And, in the age of artificial intelligence (AI), where threat actors are becoming faster and more sophisticated, visibility and holistic identity security are of the essence.
What Leaders Can do to Solve These Identity Gaps
Visibility into service accounts is murky at best, but solving the NHI security crisis is possible with the right mindset and tools. Consider the following steps to protect all identities (non-human and human).
1. Strive for least privilege: Network segmentation is not enough because both humans and NHIs bridge network segments, effectively negating the intended goal of segmentation. Organizations must limit and segment identities following the tenets of least privilege and zero trust.
Teams can curb excessive privileges by limiting access at the most granular level, especially for privileged NHIs, based on source, destination, protocol, time, and other factors. Left unchecked, excessive privileges create unintended risks for an organization, such as data loss or theft, and add unnecessary targets for phishing attacks.
To succeed, CISOs must also go beyond these controls by placing intermediary identities and launchpads in front of protected resources on the network and in the cloud, so that NHIs engage with those resources and networks only through them. If the movie “Lord of the Rings” taught us anything, the “One Ring to Rule Them All” approach is bad. Organizations must apply that same principle to NHIs – and properly segment identities in the same way they (hopefully) are segmenting networks.
2. Whitelist how and when NHIs can access sensitive resources. This should be based on factors such as isolating access by source and destination IP addresses, network segments (VLANs), time, and other heuristic factors. From there, teams should actively monitor for deviations. Unlike user accounts, NHIs should be highly predictable: there should be a well-known pattern of access.
Organizations should seek to understand and discover that pattern and then use it to protect the NHI against being co-opted by a malicious actor. This includes limiting where an NHI can originate from, what it can access, when it can access it, how it can access it, and how many times it can access it. The key is understanding the pattern and then designing identity security around it.
3. Prevent or substantially limit human access to and use of NHIs. Security and identity teams must go beyond protecting the initial human identity via traditional MFA and also secure the non-human identities that operate on behalf of human users. This can be done by improving visibility in the cloud and on-prem, which is key to defending against future identity threats, especially when it comes to non-human identities that can be harder to track.
Deploying a robust unified identity protection platform can also help curtail human access to privileged NHIs by employing strong access control policies that trigger when a known human VLAN attempts to log into an NHI. Organizations should also limit the number of active sessions an NHI can have to the absolute minimum required.
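The following Python script is an added illustration of steps 1 to 3 and is not code from the article or from any vendor product. It encodes, per service account, an allowlist of where the account may originate, what it may reach, over which protocol, during which hours and how often, then checks constructed logon records for deviations and for interactive (human-style) logons to a service account. The account names, hosts, baselines and log lines are all constructed sample data, and the key=value record layout is a stand-in for whatever your SIEM exports.

```python
"""Baseline-and-deviation checks for service account (NHI) logons.

Added example, not code from the article or any vendor. Each service account
gets a baseline of where it may originate, what it may reach, over which
protocol, during which UTC hours, and how often; constructed logon records
are then checked against it. All names, hosts and events are invented.
"""
from collections import Counter
from dataclasses import dataclass

# Windows logon types that imply a person at a console or in an RDP session.
# A service account is expected to use 3 (network), 4 (batch) or 5 (service).
HUMAN_LOGON_TYPES = {2: "interactive", 10: "remote interactive", 11: "cached interactive"}


@dataclass(frozen=True)
class Baseline:
    sources: frozenset       # hosts the NHI may originate from
    destinations: frozenset  # hosts it may reach
    protocols: frozenset
    hours: range             # UTC hours in which activity is expected
    max_per_hour: int        # ceiling on logons within one clock hour


@dataclass
class Finding:
    account: str
    reason: str
    time: str


# Constructed baselines for two hypothetical service accounts.
BASELINES = {
    "svc_backup": Baseline(frozenset({"bkp01.corp.example"}),
                           frozenset({"fs01.corp.example", "fs02.corp.example"}),
                           frozenset({"SMB"}), range(1, 5), 2),  # backup window 01:00-04:59 UTC
    "svc_sql_agent": Baseline(frozenset({"sql01.corp.example"}),
                              frozenset({"sql02.corp.example"}),
                              frozenset({"TDS"}), range(0, 24), 100),  # replication runs all day
}

# Constructed logon records in a flat key=value form (not a real log format).
SAMPLE_LOG = """
time=2024-05-02T02:13:00Z account=svc_backup src=bkp01.corp.example dst=fs01.corp.example proto=SMB logon_type=3
time=2024-05-02T02:14:00Z account=svc_backup src=bkp01.corp.example dst=fs02.corp.example proto=SMB logon_type=3
time=2024-05-02T02:15:00Z account=svc_backup src=bkp01.corp.example dst=fs01.corp.example proto=SMB logon_type=3
time=2024-05-02T14:05:00Z account=svc_backup src=wks-jdoe.corp.example dst=fs01.corp.example proto=SMB logon_type=10
time=2024-05-02T09:30:00Z account=svc_sql_agent src=sql01.corp.example dst=sql02.corp.example proto=TDS logon_type=5
time=2024-05-02T09:31:00Z account=svc_sql_agent src=sql01.corp.example dst=dc01.corp.example proto=LDAP logon_type=3
time=2024-05-02T03:00:00Z account=svc_legacy_app src=app01.corp.example dst=fs01.corp.example proto=SMB logon_type=3
"""


def parse_record(line: str) -> dict:
    """Turn one key=value line into a dict with a typed logon_type and hour."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["logon_type"] = int(rec["logon_type"])
    rec["hour"] = int(rec["time"][11:13])  # "2024-05-02T02:13:00Z" -> 2
    return rec


def evaluate(rec: dict, baselines: dict = BASELINES) -> list:
    """Compare one record with its account's baseline and return the findings."""
    acct, t = rec["account"], rec["time"]
    base = baselines.get(acct)
    if base is None:
        # No known pattern at all: an undiscovered or shadow NHI.
        return [Finding(acct, "no baseline for this account", t)]
    findings = []
    if rec["logon_type"] in HUMAN_LOGON_TYPES:
        findings.append(Finding(acct, f"{HUMAN_LOGON_TYPES[rec['logon_type']]} logon to a service account", t))
    if rec["src"] not in base.sources:
        findings.append(Finding(acct, f"unexpected source {rec['src']}", t))
    if rec["dst"] not in base.destinations:
        findings.append(Finding(acct, f"unexpected destination {rec['dst']}", t))
    if rec["proto"] not in base.protocols:
        findings.append(Finding(acct, f"unexpected protocol {rec['proto']}", t))
    if rec["hour"] not in base.hours:
        findings.append(Finding(acct, f"activity outside expected hours ({rec['hour']:02d}:00 UTC)", t))
    return findings


def scan(log: str, baselines: dict = BASELINES) -> list:
    """Evaluate every record and enforce each account's per-hour ceiling."""
    findings, seen = [], Counter()
    for line in log.strip().splitlines():
        rec = parse_record(line)
        findings.extend(evaluate(rec, baselines))
        key = (rec["account"], rec["time"][:13])  # account + clock hour
        seen[key] += 1
        base = baselines.get(rec["account"])
        if base and seen[key] == base.max_per_hour + 1:  # report once per hour
            findings.append(Finding(rec["account"], f"more than {base.max_per_hour} logons in one hour", rec["time"]))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.time}  {f.account:<14} {f.reason}")
```

Run as-is, the script reports seven findings from the sample: a third backup logon within one hour, a daytime RDP-style logon to `svc_backup` from a workstation (three findings on one record), the SQL agent account reaching a domain controller over an unexpected protocol, and an account with no baseline at all. The last case is the useful one for step 4: an NHI that authenticates but has no documented pattern is, by definition, unmanaged. In production the baseline would be learned from a quiet period of telemetry rather than typed in, and the per-hour ceiling corresponds to the article's "how many times it can access it".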
4. Uncover shadow and hidden NHIs: Approximately 94% of organizations do not fully see their NHIs. Teams need to step back and audit all their systems to better understand where they have unprotected NHIs.
By extending security controls across an organization’s entire identity infrastructure, security teams will have the visibility needed to detect when an attacker is trying to enter the network and wreak havoc.
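As an added, self-contained example for step 4 (not part of the article, and not a vendor's discovery logic), the script below scores accounts from a constructed AD-style export on indicators that are typical of service accounts, then reports likely NHIs that are missing from a (constructed) PAM inventory and likely NHIs that have been synced to the cloud IdP, the inadvertent-sync case described earlier. The attribute names mirror AD (`servicePrincipalName`, `passwordNeverExpires`), but every account and value is invented, and the `syncedToCloud` and `lastInteractiveLogon` columns are assumed to have been joined in from the IdP and from logon telemetry.

```python
"""Find likely service accounts that are not in the managed inventory.

Added example, not from the article. Accounts from a constructed AD-style CSV
export are scored on service-account indicators; any likely NHI that is absent
from a constructed PAM inventory is reported as shadow, and any likely NHI
synced to the cloud IdP is reported too. All data below is invented.
"""
import csv
import io

# Constructed export. Column names mirror AD attributes; values are made up.
EXPORT = """samAccountName,servicePrincipalName,passwordNeverExpires,description,lastInteractiveLogon,syncedToCloud
svc_backup,HOST/bkp01.corp.example,TRUE,Nightly backup job,,FALSE
jdoe,,FALSE,Jane Doe - Finance,2024-05-01,TRUE
sa_report,,TRUE,reporting service for BI portal,,TRUE
appsvc01,MSSQLSvc/sql01.corp.example:1433,TRUE,,,FALSE
msmith,,FALSE,Mike Smith - IT,2024-04-30,TRUE
legacy_app,,TRUE,,,FALSE
"""

# Constructed list of accounts the PAM tool already manages.
INVENTORY = {"svc_backup"}

# Each indicator is (label, predicate over one CSV row).
INDICATORS = [
    ("has SPN", lambda a: bool(a["servicePrincipalName"])),
    ("password never expires", lambda a: a["passwordNeverExpires"] == "TRUE"),
    ("service-style name", lambda a: a["samAccountName"].lower().startswith(("svc", "sa_", "app"))),
    ("no interactive logon on record", lambda a: not a["lastInteractiveLogon"]),
    ("description mentions service/job/app",
     lambda a: any(w in a["description"].lower() for w in ("service", "job", "app"))),
]


def classify(account: dict, threshold: int = 3) -> tuple:
    """Return (is_likely_nhi, matched indicator labels) for one account row."""
    hits = [label for label, test in INDICATORS if test(account)]
    return len(hits) >= threshold, hits


def audit(export_csv: str, inventory: set) -> dict:
    """Classify every exported account and bucket the likely NHIs."""
    report = {"likely_nhi": [], "shadow": [], "synced_to_cloud": [], "indicators": {}}
    for account in csv.DictReader(io.StringIO(export_csv)):
        is_nhi, hits = classify(account)
        name = account["samAccountName"]
        report["indicators"][name] = hits
        if not is_nhi:
            continue
        report["likely_nhi"].append(name)
        if name not in inventory:            # nobody is managing this NHI
            report["shadow"].append(name)
        if account["syncedToCloud"] == "TRUE":  # service account reached the cloud IdP
            report["synced_to_cloud"].append(name)
    return report


if __name__ == "__main__":
    result = audit(EXPORT, INVENTORY)
    for bucket in ("likely_nhi", "shadow", "synced_to_cloud"):
        print(f"{bucket:<16} {', '.join(result[bucket]) or '-'}")
    for name, hits in result["indicators"].items():
        print(f"  {name:<12} {len(hits)}/{len(INDICATORS)}  {hits}")
```

On the sample, `sa_report` and `appsvc01` are flagged as shadow NHIs and `sa_report` is also flagged as synced to the cloud IdP. Note what the heuristics miss: `legacy_app` has a never-expiring password and no interactive logon but scores only 2 of 5, so at a threshold of 3 it is not reported. Attribute scoring is a first pass for the audit the step calls for; accounts near the threshold should be corroborated against authentication logs and owner interviews rather than dismissed.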
5. Employ micro-segmentation across all identities: Identity micro-segmentation is a crucial strategy to prevent lateral movement and contain the impact of a potential cybersecurity breach – and a strategy too often overlooked because it seems overwhelming.
Micro-segmentation can be done with modern identity protection suites and AI. Implementing identity micro-segmentation can significantly reduce an organization's attack surface by isolating sensitive resources when done correctly. It can also provide better visibility into user and system activities and allow for flexible and scalable access controls that adapt to today’s changing landscape and the accounts it's securing.
The call to action is clear: prioritizing the management and protection of NHIs as a critical component of your overall security strategy can no longer be an afterthought. With 90% of organizations reporting an identity-related incident in the last 12 months, the role of identity security should not just be about enabling or preventing access but also about segregating, containing, and even denying the most privileged access to the organization's most valuable assets.