Managing passwords and privileged access is bad enough for people—but that’s going to be dwarfed by the problem of dealing with non-human identities.
How many cloud services, APIs, virtual machines and containers is your organization using? Whatever number you just thought of, you should probably double it—or add a zero at the end. The number of non-human identities is vast and it’s only going up. The entities that use those identities are dynamic—and you probably don’t have a single place to manage even a fraction of them.
“We’re using more and more cloud services and SaaS applications, we’re more interconnected and we’re spending more time online, we have more multicloud environments and at the same time the cyberattacks and crimes are ever increasing,” CVP of Microsoft’s Identity division Joy Chik told TechRepublic.
Traditionally, identity and privilege management has been about human users: employees, partners, suppliers, customers, contractors and other actual people. And that’s just a fraction of the identities organizations are dealing with. Machine identities, service credentials and access keys, serverless functions, bots, IoT devices and other non-human identities make up the vast majority of identities; they’re growing more exponentially and they’re potentially limitless. “Humans might have multiple digital identities, but at least you can count the number of humans on the planet!” Chik said.
“The digital environment [for non-human identities] is pretty dynamic and they have very complex footprints in terms of the permissions and privileges and access controls they may have. There’s a lot more complexity as well as the different islands depending on whether they’re on premises or which different cloud providers they use and the different services and applications: That creates a lot of opportunities for cyberhackers and attackers to infiltrate.”
SEE: Security Awareness and Training policy (TechRepublic Premium)
With many different identities, resources, applications and data sets to secure, organizations are looking for a unified way to manage access control as a first line of defense, using identity as the control plane. “At the end of the day that’s the most common attack vector by the hackers and it’s basically the equivalent of the key to the front door of your house: It’s not the only defense but it’s the first line of defense.”
A more unified control plane for identity would cover multiple clouds and services, and allow organizations to implement the same zero trust approach they’re already adopting for human identities.
The three principles underpinning zero trust are to explicitly verify identities, use the least amount of privilege and assume breach, and they all apply to non-human identities. “Verify explicitly means use strong authentication and that applies to machine authentication as well,” Chik said.
The first two principles in zero trust are there to protect you from the consequences of the third. “It’s not about whether you will be breached or not: It’s about when and how you detect it, and how can you reduce the blast radius. Have strong authentication and use the least amount of privilege to reduce the blast radius when it does happen.”
It’s common for admin accounts to have more privileges than necessary, even on high-value systems like domain controllers, and the same goes for machine identities. Figures from cloud infrastructure entitlement management (CIEM) company CloudKnox, which was recently acquired by Microsoft, show that more than 90% of non-human identities use fewer than 5% of the permissions they’ve been granted—a statistic Chik calls astonishing but not surprising.
“With non-human identities especially, the environment is dynamic. They might need more permissions at a given point in time. The question is, for what and for how long? You need to use software and services to automate that and to revoke it when the access is done. I think the default is that we’ve over-granted permissions because we don’t have good tools that do that today in a holistic way, especially when you have more than one environment to manage.”
SEE: Hybrid cloud: A guide for IT pros (free PDF) (TechRepublic)
Managing the lifecycle of those permissions includes revoking them automatically rather than manually when they’re no longer needed, which would prevent data breaches like Experian’s. Attackers accessed the data through an API running on a version of the Java Struts framework with an unpatched vulnerability. The reason it hadn’t been patched is that it was set up for a competition by somebody who then left the company. An identity inventory would have caught the API access, and lifecycle management would have revoked that once it was no longer needed.
That’s what products like CloudKnox promise. “Having a unified identity, permissions and entitlement management, not just for humans but also for infrastructure, is really critical as we evolve,” she said. Organizations can inventory all the different permissions and access controls in all their cloud environments and manage those so they have the least privilege required for what they actually do.
The CloudKnox roadmap
To start with, Microsoft is selling and supporting the existing CloudKnox products, but there are obvious opportunities to integrate with services like Azure AD and Azure API Management, and to build on the Microsoft Graph.
Part of the appeal of CloudKnox is that it covers multiple cloud services—AWS, GCP and VMware as well as Azure—and Microsoft isn’t changing that. “It really complements the strengths of Azure AD, where we’re providing end-to-end identity management, especially for human identities,” Chik told us. “We’re already starting to provide non-human identity entitlement management for some of the Azure workload and CloudKnox goes beyond just the Microsoft cloud.”
“CloudKnox is very much aligned to our roadmap but in terms of extending what they already have.” Part of that will be extending the product to cover on-premises identities, even through Microsoft solutions or by providing APIs to partners to integrate with CloudKnox.
Managing identities will rely on having more information about what those identities are there for. “You have to look at the end-to-end lifecycle: not just looking at the API from the API point of view, but what is that identity, human or non-human, trying to accomplish? How do you follow the lifecycle of that identity in terms of what action it’s trying to accomplish, what environment it traverses and when does it need access at what level of privilege, and when does that end and then rinse and repeat.”
Microsoft has a lot of that information in various services beyond identity, and it has the machine learning to put it together. “We also have endpoint management, we have device management, we have email protection signals as well as all our cloud assets. So being able to get all these signals connected together and to provide that intelligence is super exciting,” Chik said.
“Because of the signals we get [in the Microsoft Graph] it gives us an advantage; we can leverage the power of cloud and AI and those signals, because I don’t think you can do it in a brute force human way, because you just can’t keep up. It’s way too dynamic.”