Non-Human Identities

For years, securing a company's systems was synonymous with securing its "perimeter." There was what was safe "inside" and the unsafe outside world. We built sturdy firewalls and deployed sophisticated detection systems, confident that keeping the barbarians outside the walls kept our data and systems safe.

The problem is that we no longer operate within the confines of physical on-prem installations and controlled networks. Data and applications now reside in distributed cloud environments and data centers, accessed by users and devices connecting from anywhere on the planet. The walls have crumbled, and the perimeter has dissolved, opening the door to a new battlefield: identity.

Identity is at the center of what the industry has praised as the new gold standard of enterprise security: "zero trust." In this paradigm, explicit trust becomes mandatory for any interactions between systems, and no implicit trust shall subsist. Every access request, regardless of its origin, must be authenticated, authorized, and continuously validated before access is granted.

The Dual Nature of Identity

Identity is a broad concept with a dual reality. On the one hand, people need access to their email and calendar, and some (software engineers in particular) privileged access to a server or database to do their work. The industry has been perfecting managing these identities over the past 20 years as employees join, gain privileges for certain systems, and eventually leave the enterprise.

On the other hand, we have another type of identity: machine identities, also referenced as non-human identities (NHIs), which account for the vast majority of all identities (it's estimated they outnumber human identities at least by a factor of 45 to 1).

Unlike their human counterparts, NHIs—ranging from servers, apps, or processes —are not tied to individuals and therefore pose a whole different problem:

  • They lack traditional security measures because, unlike human users, we can't simply apply MFA to a server or an API key.
  • They can be created at any moment by anyone in the enterprise (think Marketing connecting their CRM to the email client) with little to no supervision. They are scattered across a diversity of tools, which makes managing them incredibly complex.
  • They are overwhelmingly over-privileged and very often 'stale': unlike human identities, NHIs are much more likely to stay long after they have been used. This creates a high-risk situation where over-provisioned credentials with broad permissions remain even after their intended use has ended.

All this combined presents the perfect storm for large enterprises grappling with sprawling cloud environments and intricate software supply chains. It's not surprising that mismanaged identities— of which secrets sprawl is a symptom—are now the root cause of most security incidents affecting businesses worldwide.

The High Cost of Inaction: Real-World Breaches

The consequences of neglecting NHI security are not theoretical. The news is replete with examples of high-profile breaches where compromised NHIs served as the entry point for attackers, leading to significant financial losses, reputational damage, and erosion of customer trust. Dropbox, Sisense, Microsoft, and The New York Times are all examples of companies that admitted to being impacted by a compromised NHI in 2024 alone.

The worst part, perhaps, is that these incidents have rippling effects. In January 2024, Cloudflare internal Atlassian systems were breached because tokens and service accounts— in other words, NHIs— were previously compromised at Okta, a leading identity platform. What's especially revealing here is that Cloudflare quickly detected the intrusion and responded by rotating the suspected credentials. However, they later realized some access tokens hadn't been properly rotated, giving attackers another shot at compromising their infrastructure.

This is not an isolated story: 80% of organizations have experienced identity-related security breaches, and the 2024 edition of the DBIR ranked "Identity or Credential compromise" as the number one vector for cyberattacks.

Should you be concerned? Looking back at the Cloudflare story, the impact is not yet known. However, the company disclosed that remediation efforts included rotating all 5,000 production credentials, extensive forensic triage, and rebooting all the company's systems. Consider the time, resources, and financial burden such an incident would place on your organization. Can you afford to take that risk?

Addressing mismanaged identities, fixing both current exposures and future risks, is a long journey. While there's no magic bullet, tackling one of the biggest and most complex security risks of our era is achievable. Organizations can mitigate risks associated with non-human identities by combining immediate actions with mid- and long-term strategies.

Accompanying Fortune 500 customers in this process for the past 7 years is what made GitGuardian the industry leader in secrets security.

Getting a Grip on NHIs, Starting with Secrets Security

Organizations must adopt a proactive and comprehensive approach to NHI security, starting with secrets security. Gaining control over NHIs begins with implementing effective secrets security capabilities:

1. Establish Comprehensive and Continuous Visibility

You can't protect what you don't know. Secrets security begins with monitoring a wide range of assets at scale, from source code repositories to messaging systems and cloud storage. It's crucial to expand your monitoring beyond internal sources to detect any company-related secrets in highly exposed areas like GitHub. Only then can organizations start to understand the scope of their sensitive information exposure and take steps to fix these vulnerabilities.

GitGuardian Secret Detection boasts the largest number of detectors and the widest range of assets monitored in the market, including all GitHub public activity from the past 5 years.

2. Streamline Remediation

Secrets security isn't a one-time task but an ongoing process. It must be integrated into software development and other workflows to find and fix (revoke) hardcoded secrets and prevent the root cause of breaches. Timely and efficient remediation capabilities, limiting alert fatigue, and streamlining the remediation process at scale are critical. This allows organizations to address issues before attackers can exploit them, effectively and measurably reducing risk.

The GitGuardian Platform makes remediation the number one priority. Unified incident management, custom remediation guidelines, and detailed incident information allow organizations to tackle the threat of secrets sprawl at scale.

3. Integrate with Identity and Secrets Systems

Analyzing the context of a leaked secret is crucial to determine its sensitivity and the associated risk. Integrating with identity and access management (IAM), privileged access management (PAM) systems, and Secrets Managers provides a more comprehensive view of NHIs footprint and activity.

GitGuardian's partnership with CyberArk Conjur, the leader in secrets management and identity security, is an industry first. This partnership brings end-to-end secrets security to the market, unlocking new use cases such as automated public exposure detection, secrets management policy enforcement, and automated rotation following a leak.

Shifting the Mindset: From Perimeter to Secrets Security

The rapid proliferation of non-human identities has created a complex and often overlooked security challenge. Traditional perimeter-based security measures are no longer sufficient in today's distributed, cloud-centric environments. The risks associated with mismanaged NHIs are real and potentially devastating, as evidenced by high-profile breaches that have resulted in significant financial and reputational damage.

However, there is hope. By shifting our focus to secrets security and adopting a comprehensive approach that includes robust detection, automated remediation, and integration with identity systems, organizations can significantly reduce their attack surface and bolster their overall security posture.

This may seem daunting, but it's a necessary evolution in our approach to cybersecurity. The time to act is now—the question is, are you ready to take control of your secrets security? Start today with GitGuardian.


Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.