Non-humans are everywhere these days. Sure, you’ve seen the much-deserved hype about how AI-powered tools like ChatGPT are going to change everything. But there are plenty of more mundane non-human entities that you interact with in your daily life: the smart thermostat program that knows to cool down your house at a certain time every day, the application on your phone that suggests directions to a place you’ve searched for, and many others. Non-human identities pervade every aspect of our lives, both personally and professionally.
In fact, machine identities outnumber human identities by a factor of 45 to one, according to CyberArk research. Machine identities like bots in robotic process automation (RPA) workloads and microservices running in the cloud are growing at an exponential pace as more companies transform digitally. They’re automating many formerly mundane tasks and increasing many functions’ operational efficiency. These non-human identities rely on secrets (including passwords, SSH keys and API keys) to access critical resources and do their jobs. And those secrets need to be secured, just as privileged credentials for humans do.
There are likely several areas across your organization that house non-human identities using secrets that need to be managed and secured. Below, we walk through seven types of the most common non-human identities you may find in your organization and some security challenges for each type when it comes to secrets management. Understanding these challenges (and seeing how different they can be for each identity type) is the first step to building a cohesive plan on how to mitigate them.
1. Cloud Environments and Cloud-Native Apps
Many organizations use multiple cloud service providers (CSPs) to maintain pricing control, enable flexibility and avoid cloud vendor lock-in. Each CSP has its own method for storing, accessing and managing secrets. Additionally, cloud-native applications built on these platforms are continually updated through CI/CD processes and often need secrets to communicate with other microservices in the cloud environment. The main issue to address when it comes to the cloud is ensuring your security is as flexible and dynamic as the environment your developers are working in.
- Developers need to be able to work dynamically and at scale.
- Developers can take shortcuts (e.g., hard-coding secrets) or skip over security requirements.
- Compliance roadblocks can be created from not meeting corporate security requirements.
- Underlying DevOps tools and container platforms can lack security.
- Code repositories can accidentally expose secrets and cloud access keys (see the AstraZeneca breach, where access to sensitive patient data was exposed through a credential on GitHub).
2. DevOps Tools, CI/CD Pipelines and the Software Supply Chain
DevOps tools typically require a high level of privileged access to perform their tasks. Thus, CI/CD pipelines and other DevOps tools are known as “Tier Zero” assets, meaning if an attacker gains access to these assets, they can then access more privileged credentials. The software development lifecycle moves fast, and the tools used within it can become a big vulnerability if your DevOps teams aren’t fully aware of necessary security measures.
- Security has to shift left to be involved earlier in the development cycle.
- DevOps admins and developers may choose to use built-in secrets management functions, contributing to secrets or vault sprawl.
- Human checks and balances may need to be forced.
- An attacker may be able to escalate access once a tool is compromised (see the CircleCI breach).
3. Automation Tools and Scripts
Automation tools and scripts can be powerful and perform complex IT and other related tasks. But they can also be very simple, such as a basic PowerShell script used infrequently. While these simple scripts may not jump out as being a large vulnerability, these automation tools and scripts often require high levels of privileged access and have been responsible for some high-profile breaches in the past.
- Too often scripts use embedded hard-coded credentials and can be posted to repositories.
- Scripts may be overlooked as a security vulnerability because of their simplicity.
- Ease of replicating and infrequent use make scripts hard to track.
- Some automation tools have built-in (native) secrets management capabilities that can lead to secrets sprawl and vault sprawl.
- Attackers can still exploit high-value credentials even if the tool is basic (see the 2022 Uber breach).
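As an added example (not from the article or CyberArk), here is a small Python scanner for the hard-coded credentials that sections 1 and 3 describe, run over a constructed PowerShell backup script; the detection rules, the sample script and every value in it are assumptions for illustration.

```python
import re
import sys
from typing import List, Tuple

# Constructed sample: a small PowerShell backup script with an embedded service
# account password and a cloud access key, the kind of artifact that ends up in a
# repository. Neither value is real.
SAMPLE_SCRIPT = """\
# nightly-backup.ps1 (constructed example)
$User = "svc_backup"
$Password = "Winter2024!"
$env:AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE00"
$Secure = ConvertTo-SecureString $Password -AsPlainText -Force
Copy-Item -Path $Source -Destination $Dest -Recurse
"""

# Detection rules (assumed for this example): (finding name, regex). Each targets
# one common way a secret gets embedded in a script.
RULES: List[Tuple[str, re.Pattern]] = [
    ("hard-coded password",
     re.compile(r'(?i)\$?(?:password|passwd|pwd)\s*=\s*["\'][^"\']{4,}["\']')),
    ("plaintext SecureString",
     re.compile(r'(?i)ConvertTo-SecureString\s+(?:"[^"]*"|\'[^\']*\'|\$\w+)\s+-AsPlainText')),
    ("AWS access key id", re.compile(r'\bAKIA[0-9A-Z]{16}\b')),
    ("API/secret key literal",
     re.compile(r'(?i)(?:api|secret)[_-]?key\s*[=:]\s*["\'][A-Za-z0-9/+_\-]{16,}["\']')),
]

QUOTED = re.compile(r'["\'][^"\']*["\']')

def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, finding, redacted_line) for every flagged line.
    Quoted literals are masked so the report itself does not leak the secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rule in RULES:
            if rule.search(line):
                findings.append((lineno, name, QUOTED.sub('"<redacted>"', line)))
                break  # one finding per line is enough for triage
    return findings

def scan_file(path: str) -> List[Tuple[int, str, str]]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())

if __name__ == "__main__":
    # With no arguments, scan the constructed sample; otherwise scan the given files.
    results = [("<sample>", f) for f in scan_text(SAMPLE_SCRIPT)]
    if sys.argv[1:]:
        results = [(p, f) for p in sys.argv[1:] for f in scan_file(p)]
    for path, (lineno, name, line) in results:
        print(f"{path}:{lineno}: {name}: {line}")
    sys.exit(1 if results else 0)  # non-zero exit lets a CI step or pre-commit hook block the commit
```

Run stand-alone it reports the password on line 3, the access key on line 4 and the plaintext SecureString conversion on line 5 of the sample, with the literals masked.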
4. COTS and ISV Applications
Commercial-off-the-shelf (COTS) and independent software vendor (ISV) applications both require a high level of privileged access to do their jobs. Because these apps aren’t owned by your company, they have some unique security needs that should be addressed, including ensuring that they are integrated with your security tools.
- These apps require vendor-developed integrations.
- They are vulnerable to weaknesses in the vendor’s software supply chain and CI/CD processes.
- High levels of access mean there is a high level of exposure if they are compromised by an attacker.
- Personal information stored in business applications could be exposed in a data breach.
- Least privilege and just-in-time access are imperative to reduce risk.
5. Robotic Process Automation (RPA) Workloads
RPA bots help development and operations teams (and other “citizen developers”) automate many formerly mundane tasks, speeding up workflows. But manual credential rotations for these bots do not scale, especially when an organization is using a large number of unattended bots without a human supervisor. The biggest challenge for security teams is the need to ensure that they are enabling RPA velocity while also centrally managing policies to stay compliant and defend against attacks.
- Manual rotation and management processes don’t scale.
- Security can be seen as a blocker to deployment or operational efficiency requirements.
- Security wants easy-to-use integrations to minimize security issues and speed up deployment.
6. N-Tier/Static Homegrown Applications
While many of the above applications harness newer digital innovations such as the cloud and automation, most organizations still depend on a variety of internally developed applications. These applications span a variety of traditional environments (such as Java) and operating systems, including Unix/Linux, and because they are hosted on-premises, they pose challenges that differ from those of the other identity types.
- Credentials are hard coded or locally stored, introducing risk if compromised.
- Automatic rotation is sometimes not possible for the credentials used by these apps.
- Access rights need to be better tailored, as these apps can be over-permissioned.
- They need to easily connect to other systems and applications.
7. Mainframe Applications
Like N-tier applications, applications hosted on mainframes (such as z/OS) are still widely used by enterprises for specific use cases. These are the most mission-critical applications an enterprise has, and it’s vital that these applications do not experience outages or have their processes interrupted by security procedures.
- Credential rotation can potentially interrupt high-volume transactions.
- Credentials are hard coded or locally stored, introducing risk if compromised.
- High levels of reliability are required.
So How Do You Keep Track of It All?
You can see how overwhelming secrets management can get when you’re working with a large number and variety of non-human identities. Each group has its own nuances and stakeholders that need to be considered when creating security policies. Being aware of all the different identity types in your organization and understanding all the different security needs that must be considered are the first steps to building a cohesive program to manage and secure these identities and the secrets they use.
That’s where centralizing secrets management can help. Our eBook “Key Considerations for Securing Different Types of Non-human Identities” walks you through best practices for securing secrets in each of these categories. It also provides a phased approach on how you can build a more effective secrets management program.
Kristen Bickerstaff is a senior content marketing manager at CyberArk.