NonHuman – INDIA NEWS (http://www.indiavpn.org)

Code Keepers: Mastering Non-Human Identity Management
http://www.indiavpn.org/2024/04/12/code-keepers-mastering-non-human-identity-management/
Fri, 12 Apr 2024 12:23:13 +0000

Apr 12, 2024 | The Hacker News | DevSecOps / Identity Management

Identities now transcend human boundaries. Within each line of code and every API call lies a non-human identity. These entities act as programmatic access keys, enabling authentication and facilitating interactions among systems and services, which are essential for every API call, database query, or storage account access. As we depend on multi-factor authentication and passwords to safeguard human identities, a pressing question arises: How do we guarantee the security and integrity of these non-human counterparts? How do we authenticate, authorize, and regulate access for entities devoid of life but crucial for the functioning of critical systems?

Let’s break it down.

The challenge

Imagine a cloud-native application as a bustling metropolis of tiny neighborhoods known as microservices, all neatly packed into containers. These microservices function like diligent worker bees, each performing its designated task, be it processing data, verifying credentials, or retrieving information from databases. Communicating through APIs, they keep services running smoothly for us users. However, to use these APIs, microservices must authenticate themselves using non-human identities and secrets, which act as programmatic access keys.

Now, consider the ramifications if a malicious actor were to obtain one of these non-human identities or secrets. The potential for chaos is immense—secrets could be stolen, data tampered with, or even the entire system brought to a standstill.

Without strong security measures, a system is wide open to these kinds of attacks. Companies need to lock things down tight to keep data safe and systems running smoothly.

The solution

What’s needed is a comprehensive suite of features to meet the needs of managing non-human identities.

Comprehensive secrets visibility

To manage non-human identities and secrets at scale you need a bird’s-eye view of all machine identities in your systems. From ownership details to permissions and risk levels, all this critical information needs to be centralized, empowering your security teams to understand the secrets landscape thoroughly. No more guessing games—just clear insights into non-human identities and their potential vulnerabilities.

Real-time monitoring & protection

To effectively oversee non-human identities, it’s crucial to employ real-time monitoring, enabling constant vigilance over your sensitive information. Any signs of dubious behavior should be promptly detected and flagged without delay. Whether it involves an unauthorized access attempt or an unforeseen alteration in permissions, ongoing scrutiny of secrets guarantees proactive defense against potential risks. Mere alerting isn’t sufficient; a comprehensive solution providing actionable steps for immediate resolution is imperative when suspicious activities arise.

Centralized governance

Centralized governance simplifies secrets management for non-human identities. By consolidating all security controls into one streamlined platform, it becomes easy for you to oversee access to non-human identities. From identification to prioritization and remediation, you need seamless collaboration between security and development teams, ensuring everyone is on the same page when it comes to protecting your digital assets.

Vulnerability detection & false positive elimination

Not all alerts warrant immediate alarm. Hence, vulnerability detection must extend beyond merely highlighting potential risks; it should differentiate between genuine threats and false alarms. By eliminating false positives and homing in on actual vulnerabilities, your security teams can efficiently address issues without being sidetracked by unnecessary distractions.

This is what it takes to manage secret security for non-human identities. It’s what we obsess about here at Entro.

Why Entro

With Entro’s non-human identity management solution, organizations can:

  • Gain complete visibility of secrets that protect code, APIs, containers, and serverless functions scattered across various systems and environments.
  • Identify and prioritize security risks, remediate vulnerabilities, and prevent unauthorized access to critical financial systems and data.
  • Automate the remediation of identified security risks, saving time and resources for the security and development teams.
  • Ensure compliance with regulatory requirements such as SOC2, GDPR, and others by maintaining robust access controls and security measures.

Get in touch with us to learn more about Entro’s machine identities and secrets management solution.

This article is a contributed piece from one of our valued partners.

The Art of Safeguarding Non-Human Identities
http://www.indiavpn.org/2024/03/28/the-art-of-safeguarding-non-human-identities/
Thu, 28 Mar 2024 12:08:06 +0000

Mar 28, 2024 | The Hacker News | Secrets Management / Zero Trust

In the whirlwind of modern software development, teams race against time, constantly pushing the boundaries of innovation and efficiency. This relentless pace is fueled by an evolving tech landscape, where SaaS domination, the proliferation of microservices, and the ubiquity of CI/CD pipelines are not just trends but the new norm.

Amidst this backdrop, a critical aspect subtly weaves into the narrative — the handling of non-human identities. The need to manage API keys, passwords, and other sensitive data becomes more than a checklist item yet is often overshadowed by the sprint toward quicker releases and cutting-edge features. The challenge is clear: How do software teams maintain the sanctity of secrets without slowing down their stride?

Challenges in the development stage of non-human identities

The pressure to deliver rapidly in organizations today can lead developers to take shortcuts, compromising security. Secrets are the credentials used for non-human identities. Some standard practices like hard-coding secrets or reusing them across environments are quite well known. But while they may expedite the workload, they open up significant vulnerabilities. Let’s discuss these challenges and vulnerabilities further:

  • Hard-coded secrets: Embedding secrets directly into source code is a prevalent yet risky practice. It not only makes secrets easily accessible in the event of a code leak but also creates a real challenge to keep track of that secret and complicates the process of secret rotation and management. When secrets are hard-coded, updating them becomes a cumbersome task, often overlooked in the rush of development.
  • Scalability challenges: As systems grow, so does the complexity of managing secrets securely. Large-scale infrastructures and cloud-native environments exacerbate the difficulty of tracking and securing an increasing number of secrets spread across various systems and platforms.
  • Compliance and auditing difficulties: Ensuring compliance with various regulations becomes arduous in the face of sprawling secrets. In dynamic development environments, keeping a vigilant eye on how secrets are used and preventing misuse is essential but can be challenging.
  • Integration with IAM systems: Any robust secrets management system ideally integrates effortlessly with IAM systems to enhance security and streamline processes. However, aligning these systems to work cohesively often presents a significant challenge.

Why is securing non-human identities neglected during software development?

In the world of software development, the relentless drive for speed frequently overshadows the equally crucial aspect of security, particularly in handling sensitive information. This disregard stems from the prevailing mindset governing the development process, where priorities lie in introducing new features, resolving bugs, and meeting tight product launch deadlines. The process for onboarding and offboarding developers is also becoming increasingly short, leaving room for mistakes and vulnerabilities in the haste.

For many developers, immediate functional requirements and enhancements to user experience take precedence. The concept of a security breach resulting from mishandling sensitive data often appears distant, especially when there are no immediate repercussions or mechanisms in the development cycle to highlight the associated risks. This mentality is further ingrained in environments lacking a strong culture of security or adequate training, causing developers to view secrets and non-human identity management as an afterthought.

This imbalance between prioritizing speed in development and ensuring robust security creates a perilous blind spot. While rapid development offers tangible and immediate benefits, the advantages of implementing comprehensive secrets management—such as averting potential breaches and safeguarding confidential data—are more nuanced and long-lasting.

Why is the shift-left security approach no longer enough?

The shift-left approach to software security, which prioritizes integrating security early in the development lifecycle, marks a positive advancement. However, it’s not a cure-all solution. While it effectively targets vulnerabilities in the initial stages, it fails to address the continuous nature of security challenges throughout the software development journey. In the shift-left process, overlooking expired secrets can lead to build failures and significant slowdowns in the development pace.

On the other hand, a developer-centric security strategy recognizes that security should be an ongoing, pervasive concern. Mere initiation of security measures isn’t sufficient; it must be a consistent thread woven through every stage of development. This necessitates a cultural shift within security and engineering teams, acknowledging that security is no longer solely the responsibility of security professionals but a shared obligation for all involved.

6 Best practices for non-human identity and secrets security during development

Organizations need to grow out of the mindset that development-stage security is just another checkpoint and accept it as an art that blends into the canvas of coding. Here are some best practices to help make this picture a reality:

  1. Centralized secrets management: Picture a scenario where all your secrets are consolidated into one accessible location, effortless to monitor and oversee. Employing a centralized method for managing secret vaults streamlines the process of tracking and regulating them. However, relying on a single, secure secrets vault is no longer practical in today’s landscape. Instead, you’re likely to have multiple vaults per environment, including various types like Kubernetes secrets, GitHub secrets, a main vault, and others. The most effective approach lies in adopting a centralized secrets management and security platform that seamlessly connects to all these vaults, providing the comprehensive solution needed to effectively manage your secrets.
  2. Access control: Access to non-human identities should be as tight as the security at a top-secret facility. Employing stringent authentication practices, like multi-factor authentication, plays a pivotal role in safeguarding sensitive data, ensuring access is reserved exclusively for authorized users.
  3. CI/CD pipeline security: The CI/CD pipeline forms the critical infrastructure of the software development cycle. Integrating continuous security scanning within the pipeline helps identify vulnerabilities in real time, ensuring that every build is efficient, secure, and free of secrets.
  4. Threat modeling and code reviews: Identifying potential threats early in the development stage and thoroughly reviewing code for exposed secrets is like having a quality check at every step.
  5. Incident response plan: When the unexpected hits, this plan is your go-to guide for a cool, collected response. It’s all about quick containment, slick investigation, and clear communication. Post-breach, it’s your chance to turn hindsight into foresight, fine-tuning your defenses for the next round.
  6. Secure coding frameworks and server configuration: Utilizing secure coding frameworks and libraries and ensuring servers are configured with security in mind is a strong foundation for development-stage secrets security.

Incorporating these practices into the daily workflow makes becoming a guardian of your secrets a natural part of the development process.
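The hard-coded secrets problem and the "secrets free" CI/CD build check described above, as an added example that is not Entro's or The Hacker News' code: a small pipeline gate that scans source text for credential-looking literals. The rule set, placeholder list, entropy threshold and the sample file are all constructed for illustration; the AWS access key ID prefix and PEM header formats are public, and the sample key is the AWS documentation example value.

```python
"""
Minimal hard-coded secret scanner of the kind a CI/CD pipeline step could run
before a build proceeds. Added example; not Entro's or The Hacker News' code.
Rules, thresholds and the sample input are constructed for illustration.
"""
import math
import re
from collections import Counter

# Constructed detection rules: (name, compiled regex). The AWS access key ID
# prefix and PEM header formats are public; the assignment pattern is a
# generic heuristic for `api_key = "..."` style literals.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("credential_assignment",
     re.compile(r"""(?i)(api[_-]?key|secret|token|password|passwd)\w*\s*[:=]\s*["']([^"']{8,})["']""")),
]

# Obvious placeholder values that should not page anyone (constructed list).
PLACEHOLDERS = {"changeme", "your_api_key_here", "<redacted>", "example"}

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking credentials score high (> ~3.5)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_source(text: str, min_entropy: float = 3.0) -> list[dict]:
    """Return one finding per line that matches a rule and is not an obvious placeholder."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            # For assignments judge the literal value; for fixed formats, the match itself.
            value = m.group(2) if name == "credential_assignment" else m.group(0)
            if value.lower() in PLACEHOLDERS:
                continue
            if name == "credential_assignment" and shannon_entropy(value) < min_entropy:
                continue  # low-entropy strings such as "password" are unlikely to be live secrets
            # Never log the secret itself; a short prefix is enough to locate it.
            findings.append({"line": lineno, "rule": name, "preview": value[:4] + "..."})
            break  # one finding per line is enough for a gating check
    return findings

def ci_gate(text: str) -> bool:
    """True when the build may proceed (no hard-coded secrets found)."""
    return not scan_source(text)

# Constructed sample file: two real-looking secrets, one placeholder, one low-entropy value.
SAMPLE_SOURCE = """\
import requests
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"          # AWS docs example key: flagged
api_key = "sk_live_9Qz7xT2bL1mN4vR8wE3y"           # random-looking literal: flagged
db_password = "changeme"                            # placeholder: skipped
token = "password"                                  # low entropy: skipped
session = requests.Session()
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['rule']} ({f['preview']})")
    print("build allowed:", ci_gate(SAMPLE_SOURCE))
```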

Entro: a case study in efficient secrets management

Wrapping up our deep dive into securing non-human identities during development, it’s evident that with the right secrets management tools and strategies, you can go a long way in your cybersecurity journey — which brings us to Entro.

Entro slides in with a cool, low-key approach to enhance your development stage non-human identity and secrets management without stepping on your R&D team’s toes. It’s almost like the backstage crew at a concert, making sure everything runs without the audience ever noticing. It works completely out of band, through APIs and reading logs, ensuring your secrets are safe without demanding any spotlight or code changes.

Furthermore, Entro differentiates itself in the development stage security arena with features that make managing secrets safer and smarter. One of its standout features is secrets enrichment, where Entro adds layers of context to secrets, giving them their own profile – who owns that secret, who created it, its rotation history, and the privileges it holds.

With Entro, you get to know exactly who’s using what secret and for what, keeping everything tight and right. Click here to learn more.

This article is a contributed piece from one of our valued partners.

Join Our Webinar on Protecting Human and Non-Human Identities in SaaS Platforms
http://www.indiavpn.org/2024/03/13/join-our-webinar-on-protecting-human-and-non-human-identities-in-saas-platforms/
Wed, 13 Mar 2024 11:44:34 +0000

Mar 13, 2024 | The Hacker News | SaaS Security / Webinar

Identities are the latest sweet spot for cybercriminals, who are now heavily targeting SaaS applications that are especially exposed to this attack vector.

The use of SaaS applications involves a wide range of identities, including human and non-human, such as service accounts, API keys, and OAuth authorizations. Consequently, any identity in a SaaS app can create an opening for cybercriminals to compromise, leading to data breaches, compliance violations, and financial losses.

Many safeguards have been developed to better protect human identities, including multi-factor authentication (MFA) and single sign-on (SSO). These measures can protect enterprises against attacks using stolen credentials, such as password sprays.

Protecting non-human identities is more challenging, as MFA and SSO are usually not feasible with accounts that are not associated with any individual employee. Non-human accounts are also more sensitive since they come with the high privileges needed for integration activities. Cybersecurity for non-human entities requires different tactics, including monitoring tools to detect abnormal behavior indicative of different types of suspicious activity.

Despite the risks, the activity of non-human accounts is often overlooked. For non-human identities, advanced methods such as automated security checks must be deployed to detect unusual activity. Tools such as ITDR provide a defensive layer that helps strengthen the identity fabric and protect enterprises from attacks.

Join an informative webinar with Maor Bin, CEO and co-founder of Adaptive Shield, where he will dive into the identity risks in SaaS applications, and explain how to defend the SaaS environment through a strong identity security posture.

Topics to be covered during the webinar:

  • The new attack surface: Discover how identities, including human users, service accounts, and API keys, are being exploited by cybercriminals.
  • Identity-centric threats: Understand the unique risks posed by compromised identities within your SaaS environment.
  • Managing identities: Learn how to detect identity threats through SSPM and ITDR.

Register for this free webinar today and gain the insights you need to protect your organization from evolving cyber threats.

This article is a contributed piece from one of our valued partners.

Human vs. Non-Human Identity in SaaS
http://www.indiavpn.org/2024/03/07/human-vs-non-human-identity-in-saas/
Thu, 07 Mar 2024 12:12:04 +0000

In today’s rapidly evolving SaaS environment, the focus is on human users. This is one of the most compromised areas in SaaS security management and requires strict governance of user roles and permissions, monitoring of privileged users, their level of activity (dormant, active, hyperactive), their type (internal/external), whether they are joiners, movers, or leavers, and more.

Not surprisingly, security efforts have mainly been human-centric. Configuration options include tools like MFA and SSO for human authentication. Role-based access control (RBAC) limits the level of access; password complexity guidelines block unauthorized humans from accessing the application.

Yet, in the world of SaaS, there is no shortage of access granted to non-human actors, or in other words, third-party connected apps.

Service accounts, OAuth authorizations, and API keys are just a few of the non-human identities that require SaaS access. When viewed through the lens of the application, non-human accounts are similar to human accounts. They must be authenticated, granted a set of permissions, and monitored. However, because they are non-human, considerably less thought is given to ensuring security.

Non-human Access Examples

Integrations are probably the easiest way to understand non-human access to a SaaS app. Calendly is an app that eliminates the back-and-forth emails of appointment-making by displaying a user’s availability. It integrates with a user’s calendar, reads the calendar to determine availability, and automatically adds appointments. When integrating with Google Workspace through an OAuth authorization, it requests scopes that enable it to see, edit, share, and delete Google Calendars, among other scopes. The integration is initiated by a human, but Calendly is non-human.

Figure 1: Calendly’s required permission scopes

Other non-human accounts involve data sharing between two or more applications. SwiftPOS is a point-of-sale (POS) application and device for bars, restaurants, and retail outlets. Data captured by the POS is transferred to a business intelligence platform, like Microsoft Power BI, where it is processed and analyzed. The data is transferred from SwiftPOS to Power BI through a non-human account.

The Challenge of Securing Non-human Accounts

Managing and securing non-human accounts is not as simple as it sounds. For starters, every app has its own approach to managing these types of user accounts. Some applications, for example, disconnect an OAuth integration when the user who authorized it is deprovisioned from the app, while others maintain the connection.

SaaS applications also take different approaches to managing these accounts. Some include non-human accounts in their user inventory, while others store and display the data in a different section of the application, making them easy to overlook.

Human accounts can be authenticated via MFA or SSO. Non-human accounts, in contrast, are authenticated once and forgotten about unless there is an issue with the integration. Humans also have typical behavior patterns, such as logging on to applications during working hours. Non-human accounts often access apps during off-peak times to reduce network traffic and load. When a human logs into their SaaS at 3 AM, it may trigger an investigation; when a non-human hits the network at 3 AM, it’s merely business as usual.

In an effort to simplify non-human account management, many organizations use the same API key for all integrations. To facilitate this, they grant broad permission sets to the API key to cover all the potential needs of the organization. Other times, a developer will use their own high-permission API key to grant access to the non-human account, enabling it to access anything within the application. These API keys function as all-access passes used by multiple integrations, making them incredibly difficult to control.

Figure 2: A Malicious OAuth Application detected through Adaptive Shield’s SSPM

The Risk Non-human Accounts Add to SaaS Stack

Non-human accounts are largely unmonitored and have wide-ranging permission scopes. This makes them an attractive target for threat actors. By compromising any of these accounts, threat actors can enter the application undetected, leading to breaches, unauthorized modifications, or disruptions in service.

Taking Steps to Secure Non-human Accounts

Using a SaaS Security Posture Management (SSPM) platform in concert with Identity Threat Detection & Response (ITDR) solutions, organizations can effectively manage their non-human accounts and detect when they behave anomalously.

Non-human accounts require the same visibility by security teams as human accounts and should be managed in the same user inventory as their human counterparts. By unifying identity management, it is far easier to view access and permissions and update accounts regardless of who the owner is. It also ensures a unified approach to account management. Organizational policies, such as prohibiting account sharing, should be applied across the board. Non-human accounts should be limited to specific IP addresses that are pre-approved on an allow list, and should not be granted access through the standard login screens (UI login). Furthermore, permissions should be tailored to the specific needs of each app, not wide-ranging or matched to those of their human counterparts.

ITDR plays an important role as well. Non-human accounts may access SaaS apps at all hours of the night, but they are usually fairly consistent in their interactions. ITDR can detect anomalies in behavior, whether it’s changes in schedule, the type of data being added to the application, or the activities being performed by the non-human account.
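The controls listed two paragraphs up (unified inventory, IP allow list, no UI login, app-specific permissions) and the ITDR schedule and activity anomalies described just above, as an added example that is not Adaptive Shield's or The Hacker News' code: a small check run over a constructed SaaS audit log. The account inventory, working-hours window, baseline sets and events are all constructed; IP addresses are from the documentation ranges.

```python
"""
Added example (not Adaptive Shield's or The Hacker News' code): an ITDR-style
check over a constructed SaaS audit log. Service accounts are judged against
their own baseline (allow-listed IPs, API-only access, usual hours and actions),
humans against working hours, so a service account at 3 AM within its baseline
is business as usual while a human at 3 AM is flagged.
"""
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Account:
    name: str
    kind: str                                          # "human" or "service"
    allowed_ips: set = field(default_factory=set)      # service accounts only
    baseline_hours: set = field(default_factory=set)   # UTC hours seen in normal operation
    baseline_actions: set = field(default_factory=set) # actions seen in normal operation

HUMAN_WORKING_HOURS = set(range(8, 19))  # assumption: 08:00-18:59 UTC

# Constructed unified inventory holding both kinds of account, as the article recommends.
INVENTORY = {
    "alice@example.com": Account("alice@example.com", "human"),
    "svc-pos-to-bi": Account("svc-pos-to-bi", "service",
                             allowed_ips={"203.0.113.10"},   # TEST-NET-3 documentation address
                             baseline_hours={2, 3, 4},        # nightly batch window
                             baseline_actions={"export.report", "read.sales"}),
}

def check_event(ev: dict) -> list[str]:
    """Return zero or more alert strings for one audit event (empty list = normal)."""
    acct = INVENTORY.get(ev["account"])
    if acct is None:
        return [f"unknown account {ev['account']}"]  # not in inventory: visibility gap
    hour = datetime.fromisoformat(ev["ts"]).hour
    alerts = []
    if acct.kind == "service":
        if ev["channel"] == "ui":
            alerts.append("service account used interactive UI login")
        if ev["ip"] not in acct.allowed_ips:
            alerts.append(f"service account from non-allowlisted IP {ev['ip']}")
        if hour not in acct.baseline_hours:
            alerts.append(f"service account active outside baseline schedule (hour {hour})")
        if ev["action"] not in acct.baseline_actions:
            alerts.append(f"service account performed unbaselined action {ev['action']}")
    else:
        if hour not in HUMAN_WORKING_HOURS:
            alerts.append(f"human login outside working hours (hour {hour})")
    return alerts

def triage(events: list[dict]) -> dict:
    """Map each event's index to its alerts."""
    return {i: check_event(ev) for i, ev in enumerate(events)}

# Constructed audit events (timestamps in UTC).
EVENTS = [
    {"ts": "2024-03-07T03:05:00", "account": "svc-pos-to-bi", "ip": "203.0.113.10",
     "channel": "api", "action": "export.report"},    # normal nightly batch: no alert
    {"ts": "2024-03-07T03:10:00", "account": "alice@example.com", "ip": "198.51.100.7",
     "channel": "ui", "action": "read.sales"},        # human at 3 AM: one alert
    {"ts": "2024-03-07T14:00:00", "account": "svc-pos-to-bi", "ip": "198.51.100.7",
     "channel": "ui", "action": "user.invite"},       # every service-account rule tripped
]

if __name__ == "__main__":
    for i, alerts in triage(EVENTS).items():
        print(i, EVENTS[i]["account"], alerts or "OK")
```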

The visibility provided by SSPM into accounts and ITDR into non-human identity behavior is essential in managing risks and identifying threats. This is an essential activity for maintaining secure SaaS applications.

This article is a contributed piece from one of our valued partners.
