The nature and importance of non-human identities (NHI) have changed dramatically. As IT infrastructure has transformed from relatively static on-premises systems to dynamic cloud architectures, the privileged secrets required have evolved as well. Simple service accounts have given way to a massive proliferation of ephemeral tokens, API keys and other secrets. This evolution has created new risk management challenges that most organizations are only starting to understand. Join me as we start a journey together, reviewing the transformation of privileged secrets as background to coming to grips with this new security challenge.
Definition
What is a Non-Human Identity? Before we start our journey we need a working definition. Put simply, a Non-Human Identity (NHI) is an identity used to perform programmatic operations without any human intervention: a service account, an API key, an OAuth token or a workload credential, rather than a person's login.
Armed with that definition, we can go back to where it all began.
On-Premise
Up until the late 1990s, on-premises data centers formed the core of enterprise IT infrastructures. Programmatic interactions between systems were authenticated by service accounts, which stood behind virtually any interface that didn't involve a human. The accounts themselves were widely distributed across the data center: some were centralized in Active Directory or Unix repositories, but many others were hard-coded in applications, middleware, or database interfaces. Even then, organizations struggled to manage these accounts, but the risks associated with poor management were somewhat limited given the closed nature of the IT architecture.
IaaS and PaaS
The advent of cloud computing drastically changed the characteristics of non-human identities. Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) drove a new wave of IAM roles, access keys, and secret management strategies. Web-facing workloads, often exposed directly to the Internet, brought an explosion of interfaces between systems and far greater exposure of those interfaces to unauthorized and potentially malicious access. The balance of power shifted from IT to the lines of business, making draconian risk management controls much more difficult to justify and implement.
SaaS
Enterprises started to embrace Software-as-a-Service (SaaS) applications at roughly the same time as IaaS and PaaS, though with more trepidation. SaaS applications empowered organizations to leverage the myriad benefits of cloud technology without the hassle of IT management. However, this also meant that much of the ability to dictate governance controls was lost. So SaaS adoption tended to start with the least mission-critical functions and grew more essential to the business over time.
The business risk associated with non-human identities increased further as SaaS took hold. API keys, a new type of non-human identity, became essential to integrating SaaS applications. OAuth tokens, indispensable for SaaS-to-SaaS communications, emerged as potential weak points. Their danger stemmed mostly from their ephemeral nature, which defeats inventory-based tracking because tokens are minted and discarded far faster than any register can keep up, and from the lack of scalable monitoring of their use. Businesses were left wrestling with the task of navigating and securing an intricate web of interdependencies. The mishandling or breach of just one non-human identity could trigger a series of domino-like effects.
CI/CD
In parallel with the transformation of IT architectures, the software development lifecycle has also changed dramatically. Ponderous sequential software development life cycles have given way to the more agile CI/CD (continuous integration and continuous delivery/deployment) approach, backed by code repositories and automated deployment mechanisms. Still more non-human identities are needed to manage CI/CD permissions and to let pipelines interact securely with cloud resources. This proliferation only increased the risks associated with such identities, as they were now deeply embedded in the software lifecycle itself, not just in the resulting code.
Modern Workloads
The emergence of container technologies in the 2010s, supported by orchestration systems such as Kubernetes, further drove the importance of non-human secrets management. It became clear that archaic practices such as storing secrets in code or configuration files were no longer viable. This led to the birth of vaulting technologies, engineered to store secrets securely and hand them to workloads at runtime by reference rather than by value. The IT security industry began to invest heavily in cloud risk management, and entirely new product spaces were born to provide some relief from the overwhelming challenge now facing enterprise security organizations.
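The first step in retiring the practice described above is finding the secrets that are already sitting in code and configuration. The following scanner is an added example written for this article, not code from the original post or from any vendor's product. It combines provider-specific key formats with a generic "credential-looking assignment" check backed by Shannon entropy, and it deliberately skips values that are references to an environment variable or a vault path, since that is the pattern vaulting tools replace hard-coded values with. The regular expressions, the entropy threshold of 3.5 bits per character, the placeholder list and the sample configuration are all assumptions constructed for this example.

```python
"""Scan source and configuration text for hard-coded secrets.

Added example, not from the original article. The patterns, thresholds and
the sample configuration below are illustrative assumptions.
"""
import math
import re

# Provider-specific formats (assumption: this list is illustrative, not exhaustive).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic "name = value" / "name: value" where the name suggests a credential.
# Group 1 is the full identifier, group 2 the assigned value (8+ non-space chars).
ASSIGNMENT = re.compile(
    r"(?i)([A-Za-z0-9_.\-]*(?:api[_-]?key|secret|token|password|passwd)[A-Za-z0-9_.\-]*)"
    r"\s*[:=]\s*['\"]?([^\s'\"#]{8,})"
)

# Values that look like credentials but are known stand-ins (assumption).
PLACEHOLDERS = {"changeme", "xxxxxxxxxxxx", "<redacted>", "example", "your_api_key_here"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking keys score high, words score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def references_env_or_vault(value: str) -> bool:
    """${DB_PASSWORD}, $DB_PASSWORD, vault:secret/db or {{ .Values.x }} are references,
    not secrets: this is the shape a vault- or env-injected configuration takes."""
    return value.startswith(("$", "vault:", "env:")) or "{{" in value


def scan(text: str, entropy_threshold: float = 3.5):
    """Return (line_number, finding_type) tuples for every suspected hard-coded secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name))
        match = ASSIGNMENT.search(line)
        if match:
            identifier, value = match.group(1), match.group(2)
            if value.lower() in PLACEHOLDERS or references_env_or_vault(value):
                continue
            if shannon_entropy(value) >= entropy_threshold:
                findings.append((lineno, f"high_entropy_{identifier.lower()}"))
    return findings


# Constructed sample configuration; the AWS values are Amazon's documented
# example credentials and the Stripe-style key was made up for this example.
SAMPLE_CONFIG = """\
# constructed sample, not a real configuration
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCiYEXAMPLEKEY
db_password = ${DB_PASSWORD}
api_key = changeme
timeout = 30
stripe_secret = sk_test_Zq3vN8bR2kLm9XpT4wYc7HdJ
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for lineno, finding in scan(SAMPLE_CONFIG):
        print(f"line {lineno}: {finding}")
```

Run against the sample, the scanner flags the access key ID by format, the secret access key and the Stripe-style key by entropy, and the private key header, while letting the `${DB_PASSWORD}` reference and the `changeme` placeholder through. A real deployment would run this as a pre-commit hook or a CI step; the point of the example is that the reference-by-name pattern, not the literal value, is what passes the check, which is exactly the shape vaulting tools push configuration toward.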
Looking Back and Looking Forward
This review of the evolution of privileged secrets and non-human identities highlights just how much has changed in the last 25 years. As both IT architectures and development methodologies transformed, the role of NHI has become more dynamic, prevalent, and mission critical. The terrain of enterprise IT is now diverse, from conventional on-premises systems to vast clouds and SaaS dependencies. And the relevance of first- to third-generation non-human identities such as service accounts, API keys, and OAuth tokens is expanding at a rapid pace.
Unfortunately, the risk management understanding and the supporting security solutions needed to tackle the risks associated with non-human identities have lagged far behind what is required. A new strategy capable of handling the intricate and dynamic nature of these identities is needed, supported by new risk management solutions that can scale and adapt. A fresh approach is on the horizon, so keep your eyes peeled for what's coming next.