KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
The text discusses the growing importance and risk associated with non-human identities in IT security, particularly focusing on workload identities used in multi-cloud and agile environments like DevOps. It highlights how cyber-attacks involving non-human identities are increasing, emphasizing the need for organizations to reassess their legacy Identity and Access Management (IAM) strategies. The document identifies different types of non-human identities, including device, IT admin, software, and automation, explaining that these identities typically interact with various IT resources. The complexity and volume of these identities pose significant management challenges, requiring robust policies and tools to ensure security and compliance. Effective management includes the removal of embedded passwords, implementing least privilege access, and using lifecycle management for permissions. Microsoft Entra Workload Identities and Permissions Management are described as tools designed to manage and secure these identities, offering visibility, control, and risk detection across multi-cloud environments.
Unmanaged non-human identities number in the millions and present a serious risk to IT security
The number of cyber-attacks involving non-human attacks is increasing
Workload identities, a type of non-human identities (or identities for apps and services), are of particular interest to attackers as they can offer a short cut to network penetration
Multi-cloud access and agile working environments such as DevOps have increased the usage of non-human identities
Organizations need to reevaluate legacy IAM strategies designed for non-human Identities
Workload identities should not be set and forget but continually assessed and managed by software tools and policies
Microsoft is launching a new generation of identity and cloud management tools including Microsoft Entra Workload Identities and Permissions Management
Attacks on organizations that involve non-human identities are proliferating. We are seeing the growth of ransomware attacks that use non-human identities to hijack systems and exfiltrate data. Cyber attackers can use stolen or leaked credentials to conduct credential stuffing attacks on non-human identities, such as bots or applications. One of the most high-profile attacks involving non-human identities was SolarWinds in 2020, where malicious code was placed into applications used for automatic software updates and this spread out to customers. More recently in December 2022, hackers gained access to high level LastPass developer accounts and stole source code that had been left unprotected. The hackers targeted the home PC of a senior developer, inserted a keylogger to steal the primary password and used this to get a foothold into cloud resources. They then stole non-human identity passwords used for automated services residing in a LastPass AWS account.
Unlike human identity access management, non-human identity credentials are often of the “set and forget” type because the workload attached is expected to perform the same routine over and over. Non-human identities are often not so well covered by traditional Privileged Access Management (PAM) software designed to manage the quirks of human identities first and foremost.
Non-human identities assigned to software (see Figure 1) are used to authenticate and authorize access to cloud resources such as databases, storage, and other services. In the Microsoft Azure and Microsoft Entra ecosystems, these are called workload identities and can also be targeted through misconfigurations, such as weak credentials or incorrect permissions. Workload identities may have a human administrator assigned to them but it can be hard to keep track of all workload identifies assigned to services, scripts, containers etc. Adversaries have used workload identities to establish persistence in cloud environments after gaining initial access through a compromised administrator.
Concurrently, multi-cloud IT architectures have become essential to organizations seeking the speed and dynamism to run applications and tools needed for fast changing markets and operating conditions. DevOps and other agile teams within organizations have come to rely on dynamic clouds to complete workloads, in response to demands from their internal customers.
These networks are much more open to employees, third party users, suppliers, and customers; what was once considered “privileged” is becoming the norm as collaboration and data sharing become ubiquitous between applications. The emergence of non-human identities gaining access to cloud-based resources is an important part of this environment.
This new architecture incorporates multiple instances of cloud services including Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), hybrid combinations of cloud and on-premises installations.
The speed at which these environments operate has put severe pressure on the capabilities of traditional access management platforms such as Identity Governance Administration (IGA), Identity Access Management (IAM) and Privileged Access Management (PAM). Hence the need for newer Cloud Infrastructure Entitlement Management (CIEM) platforms and easier to use management tools for non-human identities attached to workloads operating across the cloud.
Non-human identities are proliferating and acquiring new significance for identity and security managers in modern computing environments.
One of the significant changes that have been taking place is the rapid growth in the volume and different types of non-human identities. Failure to ensure comprehensive identity management capabilities for these identities as well as human identities is likely to expose organizations to business, security, and compliance risks.
It is therefore important for organizations to recognize where and how non-human identities are used in their IT environments and to ensure they have the necessary systems and processes in place to manage them properly. They should also ensure they are controlled with the required visibility, security, traceability, authentication, and authorization processes. Non-human identities are emerging in four main areas: Device, IT Admin, Software, and Automation (see Figure 1 below).
Figure 1: Different classes of non-human identities and the things assigned to them. (Source: KuppingerCole).
Device
A group of non-human identities interacting with enterprise IT resources that range from the personal to the industrial and other internet connected devices collectively known as the Internet of Things (IoT).
IT Admin
Within IT Admin, service accounts and shared accounts are increasingly used by non-human identities to perform repetitive admin and maintenance functions.
Workloads
These are applications, scripts or code, services and containers that perform automated tasks and often linked to DevOps and Automated Admin functions (see above) but not exclusively. The emergence of Infrastructure as Code (IaC) has accelerated the growth in software identities. In this domain, non-human identities often interact with other non-human identities and applications.
Automation
Machine Learning technologies in analytics and behavior analysis have introduced a whole new set of resources to the enterprise IT environment with identities that also need to be managed.
The number of non-human identities will continue to multiply and will interact with each other more often, and across more domains. The sheer number of non-human identities and the labyrinthine environments in which they operate is the key challenge to management. But it is not the only challenge. The spread of cloud and digital infrastructures has in many cases not been regulated or planned by management - so called decentralized purchasing. Often it is the result of semi- organic growth with departments defining and sourcing components on an autonomous basis. This includes the adoption of IoT, automation tools and code development, and such autonomy in cloud and software procurement is likely to be permanent. This has also increased the number of non-human identities significantly.
Vendors and buyers of IAM tools are realizing that the existence of standing privileges for human identities is a risk and capabilities have been developed to strip human identities of such access (known as Least Privilege). However, it is likely that many millions of forgotten or unknown non-human identities, especially software identities, continue to have unmonitored standing access to critical parts of the enterprise as default. There is a growing realization among all enterprise stakeholders that this is untenable.
Non-human identities, including workload identities, have a role in modern IT infrastructures to ensure the smooth running of key departments and the creation of new applications and infrastructure. How can CISOs and IT leaders start to control their usage and protect the wider organization?
Before any software or technology platform can be deployed, IT leaders must consider the type of capabilities, policies and functions needed to bring non-human identities under control. They should also consider some administrative and operational changes to assist in managing non-human identities. In print these steps seem logical but, will require hard work, time and input from multiple departments including IT security, DevOps, HR, Identity Management leaders and other parties. Some processes can be implemented with existing software (like PAM for example) and others by improving business policies. Others will require new software designed to manage cloud activity and also software to control all types of non-human identities.
Some basic points to consider:
Some more granular points to consider:
For most businesses these steps will mean making changes to their IT architecture to become more agile and flexible. It may involve the purchase of extra tools such as software platfroms dediacted to managing workload and other non-human identities in the cloud partculalry, but also on-premises.
Figure 2: Polling demonstrates the concern buyers have about the risks in multi-cloud deployments. (Source: KuppingerCole)
Cloud Identity and Entitlement Management software helps govern cloud entities by offering visibility into unnecessary permissions, detecting potential threats, and enforcing consistent access regulations across all cloud platforms.
Going forward, organizations should plan to support all kinds of identities and ensure they have the tools to understand the level of risk in each identity type so they can make informed decisions on how those identities can be used for specific transactions or interactions. This may involve risk-based scoring through Identity Governnace platforms and also adaptive authentication and authorization techniques via Identity Providers.
Microsoft Entra is intended to make identity management more dynamic and compatible with multi-cloud environments.
Microsoft Entra is growing its portfolio of identity and access management products. In this section we look at two: Microsoft Entra Workload Identities and Microsoft Entra Permissions Management. The two are compatible and can be made to work together through the Microsoft Entra Admin Center, but also available to procure as separate products.
Microsoft Entra Workload Identities is an IAM solution specifically focused on managing workload identities as defined earlier in the text. It contains tools to secure access, detect risk and manage the lifecycle of workload identities assigned to applications and services in Azure.
Key to the software usability is its deployment of conditional access policies to control access of workload identities. Admins can add new access management policies then assign these to workload identities,
Admins can control policies by scripting the policy parameters under which a workload identity may access a resource – this includes approved location, or a specific risk setting decided by the admin. Creating and setting policies is accomplished through the Microsoft Entra Admin Centre. All changes and settings are easily configured via drop down menus and click boxes.
Risky workload identity activity can be discovered in the Microsoft Entra Admin Centre by clicking on “Risky Workload Identities” and then allowing the tool to identify those tracked as risky by for example, unusual sign in behaviour or other anomalous behaviour displayed by the Microsoft Entra Workload Identity. Full details of the identity’s history are made available to the administrators
More granular information on workload identities can also be found and the Entra Admin Center will come up with a list of recommended actions at any one time. These include renewing expiring workload credentials and removing unused or inactive applications registered in Azure AD. Microsoft Entra Workload Identities allows admins to view new and unused workload identities and review whether they still need access to certain resources.
Microsoft Entra Workload Identities uses cloud-based AI to scan for workloads identities that have been compromised and block their access by setting conditional access policies, and help implement Zero Trust principles into workload identity management.
Microsoft Entra Permissions Management is a Cloud Infrastructure Entitlement Management (CIEM) platform that complements the activity of Microsoft Entra Workload Identities. It generates on-demand access to high-risk permissions and provide always on monitoring to right size identity permissions and prevent excess standing privileges for identities.
The product offers visibility and control over permissions for any identity and any resource within Microsoft Azure, Amazon Web Services (AWS) and Google Cloud Platform (GCP). The number of IaaS platforms supported is highly likely to be expanded as Microsoft develops the platform. It uses a modern dashboard interface to provide admins or IT managers with an easy-to-understand window into the activity of all identities, both human and workloads, across multicloud infrastructures.
A primary capability of an effective CIEM platform is full discovery and visibility into identities and their permissions across multi-cloud. This informs a key part of the platform; the Permissions Creep Index, a qualitative measure of risk by comparing an identities’ permissions granted vs. permissions used and their access to high-risk resources.
To deploy Microsoft Entra Permissions Management, customers are required to have an Azure Active Directory (Azure AD) account to sign in to. Once established, customers with a Global Admin role can execute Permissions Management on their Azure AD tenant, and then onboard AWS, GCP or Azure cloud accounts as needed.
Once discovery has been completed Permissions Management can automatically delete permissions that have been unused for more than 90 days, granting additional permissions on-demand for just-in-time access for cloud resources. All such actions can be triggered by a request for access from an identity, and all activities are recorded for analytics purposes. The user experience is the same for any identity type, identity source and cloud. A human identity can also request access on behalf of a workload identity which is a neat and forward-thinking capability.
Permissions Management offers out-of-the-box forensic reports which are also fully customizable to meet the needs of the reporting channels. Reports can be scheduled or produced on-demand in response to an incident or investigation and distributed by email. Future development will include refinement of the UX and dashboard to mirror that of other Microsoft platforms. More importantly, Microsoft says it will support more IaaS services across the board in the future.
Identity and Access Management has never been more important, but it has also never been more challenging as the IT world becomes increasingly services-oriented, mobile, and cloud-based. These changes include the proliferation of non-human identities, which is something no organization can afford to overlook as they gear up their IAM capabilities for the short, medium, and long term. It is essential that all organizations:
In the medium to long term, organizations need to adapt to a new way of doing business in an increasingly digital and services-based world. KuppingerCole Analysts believe that IAM must therefore evolve to become a service akin to an Identity utility that is easy to consume and flexible in supporting emerging business requirements across heterogenous and increasingly hybrid modern enterprise IT environments.
These steps will enable the organization to start building digital services based on a future-proof platforms to provide a centralized set of services to enable a consistent approach to access management, identity governance and administration (IGA), consent and privacy.
https://www.kuppingercole.com/research/lc80355/privileged-access-management-for-devops
https://www.kuppingercole.com/research/an71125/integrating-security-into-an-agile-devops-paradigm
https://www.kuppingercole.com/research/lc80474/zero-trust-network-access
https://www.kuppingercole.com/research/lc80767/ciem-dynamic-resource-entitlement-access-management-dream-platforms
https://www.kuppingercole.com/research/lc80757/access-management-2022
https://www.kuppingercole.com/research/lc80207/container-security
Privileged Access Management 2023 | KuppingerCole
© 2024 KuppingerCole Analysts AG. All rights reserved. Reproducing or distributing this publication in any form is prohibited without prior written permission. The conclusions, recommendations, and predictions in this document reflect KuppingerCole's initial views. As we gather more information and conduct deeper analysis, the positions presented here may undergo refinements or significant changes. KuppingerCole disclaims all warranties regarding the completeness, accuracy, and adequacy of this information. Although KuppingerCole research documents may discuss legal issues related to information security and technology, we do not provide legal services or advice, and our publications should not be used as such. KuppingerCole assumes no liability for errors or inadequacies in the information contained in this document. Any expressed opinion may change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Their use does not imply any affiliation with or endorsement by them.
KuppingerCole Analysts supports IT professionals with exceptional expertise to define IT strategies and make relevant decisions. As a leading analyst firm, KuppingerCole offers firsthand, vendor-neutral information. Our services enable you to make decisions crucial to your business with confidence and security.
Founded in 2004, KuppingerCole is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as technologies enabling Digital Transformation. We assist companies, corporate users, integrators, and software manufacturers to address both tactical and strategic challenges by making better decisions for their business success. Balancing immediate implementation with long-term viability is central to our philosophy.
For further information, please contact clients@kuppingercole.com.