From “Who Has Access to What” to “What Has Access to What”: The Evolution of Identity Management
Oct 16, 2024
Sameera Kelkar
As the workforce shifted online, IT and security teams have been tasked with securing and enabling their digital workforces. This involves ensuring that users have access to the right tools needed to do their jobs without granting excessive permissions beyond what their roles demand. In simpler terms, they are responsible for asking and answering the age-old identity question: “Who has access to what?”
However, in today's digital landscape, this question is no longer sufficient.
Beyond the human workforce, companies' entire operations are online. Software powers our world, connecting data across the internet and facilitating interactions between HR systems, identity providers, and downstream apps. These processes are driven by millions of interactions between applications, billions of API calls annually, and sensitive resources that protect a company's most valuable assets. These are the Non-Human Identities (NHIs): the service accounts, application identities, and automated processes critical to facilitating digital interactions. When improperly managed, they can expose an organization to tremendous vulnerabilities.
Despite their crucial role, NHIs often lack the same identity controls as human identities. To mitigate risks, ensure compliance, and boost operational efficiency, security teams need to evolve their approach. It's time to go beyond asking “Who has access to what?” and start asking “What has access to what?”
By focusing on “what”, organizations can:
Mitigate Risks & Prevent Abuse: Non-Human Identities enable applications to communicate, automate tasks, and process data at scale. However, without proper oversight, these NHIs can become entry points for malicious activity. NHIs that have accrued excessive or unnecessary permissions enable lateral movement and further damage in the event of a breach. Understanding the access patterns of NHIs also allows for the detection of unusual activity that could indicate a security breach or misuse.
Ensure Compliance: Mapping out NHI access simplifies reporting and auditing, making it easier to demonstrate compliance with regulatory requirements. With a clear picture of what has access to what, organizations can demonstrate compliance with standards like GDPR, HIPAA, and SOX more efficiently.
Boost Operational Efficiency: Managing NHI permissions and dependencies effectively ensures seamless operations during changes like credential rotations or employee departures, preventing unexpected system disruptions.
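The three benefits above all rest on the same underlying data: an inventory of what each NHI is granted, joined with what it actually exercises. The example below is added here and is not the author's code or any vendor's product; it uses constructed sample grants and a constructed access log to surface unused permissions (excess privilege), permissions an identity exercises far below its normal rate (a misuse signal), and the identities that depend on a resource whose credential is about to be rotated.

```python
from collections import Counter, defaultdict

# Constructed sample inventory (not from the article): what each NHI is granted.
# Permissions are written "resource:action".
GRANTS = {
    "svc-payroll-sync": {"hr-db:read", "payroll-api:write", "backups:read"},
    "ci-deploy-bot": {"k8s:deploy", "registry:push", "hr-db:read"},
}

# Constructed sample access log: one (identity, permission exercised) row per call.
ACCESS_LOG = (
    [("svc-payroll-sync", "hr-db:read")] * 1200
    + [("svc-payroll-sync", "payroll-api:write")] * 1180
    + [("ci-deploy-bot", "k8s:deploy")] * 340
    + [("ci-deploy-bot", "registry:push")] * 340
    + [("ci-deploy-bot", "hr-db:read")]  # a deploy bot reading HR data exactly once
)


def observed_usage(log):
    """Count how often each identity exercised each permission."""
    usage = defaultdict(Counter)
    for identity, permission in log:
        usage[identity][permission] += 1
    return usage


def unused_permissions(grants, log):
    """Granted but never exercised: candidates for removal under least privilege."""
    usage = observed_usage(log)
    unused = {}
    for nhi, perms in grants.items():
        excess = perms - set(usage.get(nhi, {}))
        if excess:
            unused[nhi] = excess
    return unused


def anomalous_usage(log, max_share=0.01):
    """Permissions an identity exercises at <= max_share of its total calls: worth a look."""
    flagged = {}
    for nhi, counts in observed_usage(log).items():
        total = sum(counts.values())
        rare = {perm for perm, n in counts.items() if n / total <= max_share}
        if rare:
            flagged[nhi] = rare
    return flagged


def consumers_of(grants, resource):
    """Identities holding any permission on a resource: who must be updated when its credential rotates."""
    return {nhi for nhi, perms in grants.items()
            if any(perm.split(":", 1)[0] == resource for perm in perms)}
```

On this data the report reads: svc-payroll-sync never uses backups:read, ci-deploy-bot's single hr-db:read call is an outlier against its own baseline, and rotating the hr-db credential touches both identities.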
It's time to acknowledge the critical role NHIs play and implement the necessary controls to secure them effectively. In an era where digital interactions are the backbone of business operations, the traditional question of “Who has access to what?” is no longer sufficient. Security leaders must expand their focus to include “What has access to what?”