Through the years, safeguarding a corporation’s systems was linked with fortifying its “boundary.” There was what could be deemed secure “internally” versus the unsecured external environment. We constructed robust firewalls and deployed advanced detection systems, convinced that keeping intruders outside the perimeters shielded our data and systems effectively.
The issue is that we no longer function within the confines of physical on-premises installations and regulated networks. Data and applications now exist in decentralized cloud environments and data centers, accessed by users and devices connecting from any location on the globe. The defenses have crumbled, and the boundary has vanished, ushering in a new battleground: identity.
Identity is at the core of what the industry has celebrated as the fresh benchmark of enterprise security: “zero trust.” In this model, explicit trust is obligatory for any communications between systems, and no implicit trust is to be retained. Each access request, irrespective of its source, must be authenticated, authorized, and continuously verified before being granted access.
The Dual Aspect of Identity
Identity is a comprehensive notion with a dual nature. On one side, individuals require access to their email and calendar, and some (software developers in particular) necessitate privileged access to a server or database to execute their tasks. The industry has refined the management of these identities over the last two decades as employees join, receive rights for specific systems, and finally depart from the organization.
On the other end, we encounter another form of identity: machine identities, also known as non-human identities (NHIs), which constitute the vast majority of all identities (it’s estimated they outnumber human identities by at least 45 to 1).
Diverging from their human equivalents, NHIs—spanning from servers, applications, or processes—are not linked to individuals and consequently present an entirely distinct challenge:
- They lack conventional security protocols because unlike human users, we cannot merely enforce MFA on a server or an API key.
- They can be initiated at any time by anyone within the organization (imagine Marketing linking their CRM to the email client) with minimal supervision. They are scattered across various tools, complicating their management significantly.
- They are largely over-privileged and frequently ‘inactive’: unlike human identities, NHIs are more likely to persist long after their usefulness has expired. This results in a high-risk scenario where excessively provisioned credentials with extensive permissions persist even after their intended utility has concluded.
Collectively, this scenario sets the stage for major corporations struggling with sprawling cloud ecosystems and complex software supply chains. It comes as no surprise that botched identities— with secrets proliferation as an indication—account for the primary cause of most security incidents impacting businesses globally.
The Severe Consequences of Inaction: Real-World Breaches
Disregarding NHI security repercussions is not theoretical. News outlets are filled with examples of high-profile breaches where compromised NHIs acted as the gateway for intruders, resulting in substantial financial setbacks, harm to reputation, and erosion of consumer trust. Dropbox, Sisense, Microsoft, and The New York Times are all instances of companies that acknowledged being affected by a compromised NHI in 2024 alone.
What makes it worse is that these incidents have ripple effects. In January 2024, Cloudflare’s internal Atlassian systems were undermined because tokens and service accounts— in other words, NHIs—were previously compromised at Okta, a leading identity platform. What’s particularly revealing here is that Cloudflare swiftly identified the breach and reacted by rotating the suspected credentials. Despite this, they later discovered some access tokens had not been appropriately rotated, granting attackers another opportunity to exploit their infrastructure.
This is not an isolated case: 80% of organizations have encountered identity-related security breaches, with the 2024 DBIR edition ranking “Identity or Credential compromise” as the top cyberattack vector.
Should you be apprehensive? Reflecting on the Cloudflare incident, the impact is still uncertain. However, the company divulged that remedial actions consisted of revamping all 5,000 production credentials, extensive investigative procedures, and rebooting all organizational systems. Consider the time, effort, and financial strain such an issue would impose on your entity. Can you risk undertaking that?
Tackling mismanaged identities, rectifying existing vulnerabilities, and addressing future risks is a prolonged expedition. While there is no ultimate solution, overcoming one of the most significant and intricate security hazards of our epoch is plausible. Enterprises can curb the risks linked with non-human identities by blending immediate initiatives with medium- and long-term tactics.
Guiding Fortune 500 clients through this journey for the last 7 years is what positioned GitGuardian as the premier figure in secrets security.
Mastering NHIs, Commencing with Secrets Security
Businesses must embrace a preemptive and all-encompassing strategy for NHI security, kickstarting with secrets security. Gaining command over NHIs starts with implementing effective secrets security capabilities:
1. Introduce Thorough and Ongoing Transparency
You can’t safeguard what you aren’t aware of. Secrets security commencement is rooted in monitoring a broad spectrum of assets at scale, from source code repositories to messaging platforms and cloud repositories. It is crucial to broaden monitoring beyond internal channels to identify any company-related secrets in prominently exposed areas like GitHub. Only then can entities begin to ascertain the extent of their exposed sensitive data and take measures to rectify these vulnerabilities.
GitGuardian Secret Detection boasts the most detectors and the widest asset monitoring scope in the market, encompassing all GitHub public activity from the past 5 years.
2. Simplify Resolution
Secrets security is not a singular event but an ongoing process. It must be integrated into software development and other workflows to detect and rectify (revoke) hardcoded secrets and thwart the root cause of breaches. Timely and efficient rectification capabilities, minimizing alert exhaustion, and streamlining the rectification procedure are crucial in containing the impacts of security breaches.
at a large scale are crucial. This enables organizations to tackle issues proactively, efficiently and quantifiably mitigating risk.
The top priority for the GitGuardian Platform is prioritizing remediation. Incident management consolidation, personalized remediation instructions, and intricate incident details empower organizations to combat the challenge of widespread secret exposure effectively.
3. Embed with Identity and Secrets Systems
Evaluating the context of a leaked confidential piece of information is vital for gauging its sensitivity and the related risk level. Integration with identity and entry management (IEM), high-access management (HAM) systems, and Secrets Managers offers a more holistic perspective of NHIs’ footprint and actions.
The collaboration between GitGuardian and CyberArk Conjur, a leading provider of secret oversight and identity protection, is pioneering within the industry. This collaboration introduces comprehensive end-to-end secrecy protection to the market, unlocking fresh possibilities like automated detection of public exposures, enforcement of secrecy management protocols, and automatic reconfiguration after a leak.
Transforming the Approach: Transitioning from Boundaries to Secrecy Protection
The swift increase of non-human identities has created a challenging and often disregarded security obstacle. Traditional boundary-oriented security strategies are no longer satisfactory in today’s decentralized, cloud-focused settings. The dangers stemming from mismanaged NHIs are genuine and potentially disastrous, as evidenced by prominent breaches causing severe financial and reputational harm.
However, there is optimism. By pivoting toward secrecy protection and embracing a thorough strategy that encompasses robust detection, automated rectification, and integration with identity frameworks, organizations can drastically diminish their exposure to attacks and enhance their overall security stance.
This might appear intimidating, yet it’s an indispensable shift in our cybersecurity methodology. The moment to take action is now—the only query is, are you prepared to take charge of your secrecy security? Commence today with GitGuardian.
About Author
