Most organizations don’t give the same thought and attention to their non-human workers, such as bots, RPAs and service accounts, as they do human workers and identity lifecycles.
The term non-human worker conjures up several images. In this case, we’re talking about “non-living workers,” so no worries about mistreating any animals. Some examples include chatbots, robotic process automation, robots and more. They’re now likely to be working alongside us in the office.
“The number of non-human workers is growing, particularly as global organizations increasingly prioritize cloud computing, DevOps, Internet of Things devices, and other digital transformation initiatives,” said David Pignolet, CEO of SecZetta, in an email interview.
Pignolet does not have a problem with non-human workers; his concern is the lack of identity management regarding non-human workers and the increasing number of cyberattacks and data breaches caused by subverting the access privileges given to non-human workers.
The Forrester Research article How To Secure And Govern Non-Human Identities starts by asking:
- Do you know how many software bots, physical robots, or IoT devices connect to your network?
- How many of these devices store critical data or interact with it?
“Such nonhumans boost productivity but also amplify operational challenges related to discovery, lifecycle management, and compliance,” the article said. “They can also expand your threat surface, leading to unmanaged zombie accounts that malicious actors will use to carry out attacks.”
When non-human workers get fired
For human employees, cybersecurity departments generally have identity management under control: employees are given certain privileges and access upon employment, and those privileges and access are revoked upon termination. That is not always true for non-human employees.
“Non-human workers—including service accounts, RPAs, IoT devices, and bots—often have their access privileges left intact even after they are no longer required,” Pignolet said. “This opens up the organization to potential cyber risk by making it easier for cybercriminals to gain unauthorized access privileges given to the orphaned accounts.”
Pignolet discussed the types of non-human workers and the problems they pose regarding identity management:
Service accounts: These are used in operating systems to execute applications or run programs. They require privileged access to the applications, databases and servers they operate within, yet these accounts have:
- Passwords that never expire (and must be manually changed)
- Easy-to-find credentials that are often embedded in configuration files
“These factors do not bode well for cybersecurity, exposing threats on several fronts,” Pignolet said. “Not to mention, service accounts are notoriously mismanaged—73% of global organizations admit to not auditing, removing or modifying their service accounts.”
Robotic Process Automation: This technology allows computer software to emulate human actions associated with digital systems used to execute business processes. “RPAs inadvertently pose cyber risks due to the privileged access they require to log in to certain business systems and perform tasks,” Pignolet said. “Their privileged credentials are usually hard-coded into a script, and if the credentials aren’t monitored for long periods or properly secured, cybercriminals can launch attacks to steal them.”
IoT devices: Internet of Things devices are physical objects embedded with sensors, software, and other technologies to connect and exchange data with other devices and systems over the internet. “Because IoT devices store data as well as have access to sensitive company and personal data, they are prone to data compromises,” Pignolet said. “If the device’s credentials aren’t updated regularly or revoked once the non-human worker is no longer required, it can make them susceptible to cyber-attacks and data breaches.”
Bots: A bot is a computer program that operates as an agent for a user or other program, or to simulate human activity. “Cybercriminals can turn a chatbot into an ‘evil bot’ and use it to scan an organization’s network for security vulnerabilities,” Pignolet said. “Evil bots can also disguise themselves as legitimate human users and gain access to other users’ data.”
What’s the solution?
In order to manage the identities of non-human workers effectively and safeguard organizations against the potential risks they pose, an organization needs to take an end-to-end identity-management approach, Pignolet said. “This ensures the organization can continue driving its digital transformation, while still keeping its IT environment secure.”
The first step is to identify all non-human workers. This requires asking questions such as:
- What bots are being used?
- What RPA technology is being used?
- What service accounts need to be monitored?
- What IoT devices need to be managed?
Then an organization must establish processes, procedures and systems to verify that all non-human workers have an identity created that can be used to make well-informed decisions about access privileges. This requires the organization to think about:
- Performing regular audits to understand how, when and why their non-human workers are being used
- Developing non-human worker deprovisioning and offboarding processes
- Replicating the rigor around managing human-identity lifecycles with their non-human counterparts
“To accomplish this, organizations need to establish and maintain an authoritative record for all non-human workers at the worker level, not the access level,” Pignolet said. “This record becomes a unifying source for managing and monitoring the lifecycle of non-human workers and reduces the risk of human errors, security gaps and compliance issues.”
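As an added illustration (not code from the original article or from SecZetta), the Python below applies the steps above and the service-account concerns raised earlier: it reconciles accounts discovered in a directory against a constructed worker-level authoritative record and flags orphaned, retired, stale and never-expiring-password accounts, then produces the deprovisioning list. All account names, owners and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass
class DiscoveredAccount:
    name: str
    kind: str                        # "service", "rpa", "bot" or "iot"
    last_logon: Optional[date]       # None if the account has never signed in
    password_never_expires: bool

# Constructed authoritative record at the worker level: owner plus planned
# end date (None means open-ended). This is the "unifying source" the text calls for.
AUTHORITATIVE: Dict[str, dict] = {
    "svc-backup":   {"owner": "infra-team",  "end_date": None},
    "rpa-invoice":  {"owner": "finance-ops", "end_date": date(2023, 1, 31)},
    "bot-helpdesk": {"owner": "it-support",  "end_date": None},
}

# Constructed discovery results (what a directory or secrets-store scan returned).
TODAY = date(2024, 3, 1)
SAMPLE_ACCOUNTS = [
    DiscoveredAccount("svc-backup",    "service", date(2024, 2, 25), False),
    DiscoveredAccount("rpa-invoice",   "rpa",     date(2023, 6, 1),  True),
    DiscoveredAccount("bot-helpdesk",  "bot",     date(2024, 2, 20), False),
    DiscoveredAccount("svc-legacy-db", "service", None,              True),
]

def review(accounts, record, today, stale_days=90) -> Dict[str, List[str]]:
    """Return {account name: [issues]} for every account that needs attention."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        issues = []
        rec = record.get(acct.name)
        if rec is None:
            issues.append("orphaned: no authoritative record, no owner")
        elif rec["end_date"] is not None and rec["end_date"] < today:
            issues.append("retired: past end date, deprovision")
        if acct.last_logon is None or (today - acct.last_logon).days > stale_days:
            issues.append(f"stale: no logon in the last {stale_days} days")
        if acct.password_never_expires:
            issues.append("hygiene: password never expires")
        if issues:
            findings[acct.name] = issues
    return findings

def deprovision_candidates(findings) -> List[str]:
    """Accounts with no owner or past their end date go on the offboarding list."""
    return sorted(n for n, issues in findings.items()
                  if any(i.startswith(("orphaned", "retired")) for i in issues))
```

Running `review(SAMPLE_ACCOUNTS, AUTHORITATIVE, TODAY)` on the sample data leaves the two owned, active accounts alone and reports the retired RPA account and the orphaned legacy service account, which is exactly the audit-then-offboard loop described above.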
Why is it important?
As organizations increasingly rely on non-human workers to perform vital functions within their businesses, they must account for the identity lifecycle of non-human workers or risk opening a door cybercriminals will use to their advantage. Pignolet concluded: “Treating non-human workers like their human counterparts avoids security risks, compliance issues, and a litany of other operational-efficiency problems.”