29 Apr Securing Against a Different Type of Identity Threat

Non-human accounts: understanding risk, challenges in securing them, how to enhance security, and evolving strategies

– Hananel Livneh, Head of Product Marketing, Adaptive Shield

Tel Aviv, Israel – Apr. 30, 2024

Organizations that take SaaS security seriously spend much of their efforts on controlling access. That might include requiring multi-factor authentication (MFA) or secure sign-on (SSO) when logging on, password complexity rules to reduce the risk of password spray attacks, or invitation expiration dates to prevent threat actors from finding old invitations and using them to access an application.

Despite all the efforts to control access and manage identities, one type of identity is often overlooked — non-human accounts. These accounts can include service accounts, OAuth authorizations, and API keys that receive authentication when first connecting but are quickly forgotten about. In a world where security officers are hunting threat actors accessing dormant accounts or fully deprovisioning former employee accounts, scant attention is paid to active non-human accounts.

This laissez-faire attitude is understandable when dealing with non-human user accounts that have expected behaviors. With so many dynamic users accessing SaaS applications, security teams are grateful to have one less thing to monitor. However, that could be a big mistake.

Understanding Risk from Non-Human Accounts

Non-human accounts are very similar to human accounts. They have a username and authentication method, access to specific areas within the app, and perform various tasks.

For example, a sales app or device can be a non-human account. After the sale, it accesses the CRM, enters the application, and updates customer purchases. If items are returned, the POS reenters the application and updates the field. To do so, the non-human POS account needed access to the application and read-write-delete permissions. During setup, the programmer may even grant the application additional privileges to support future capabilities.

The risk with these accounts may be higher than human accounts. For one, they are rarely monitored and don’t require MFA or SSO. Additionally, non-human accounts may access accounts at all hours of the day. When a human user goes onto an app at 3 a.m., it’s worthwhile for an administrator to check the logs to make sure they acted appropriately. When a non-human enters the app in the middle of the night, it is business as usual.

Considering that these accounts are frequently unmonitored and have wide-ranging permission scopes, they are an attractive target for threat actors. Compromising any non-human account could lead to breaches, unauthorized modifications, and service disruptions.

Challenges in Securing Non-Human Accounts

Securing non-human accounts presents a multifaceted challenge. Each application has its unique method for managing these accounts. For instance, while some applications revoke OAuth integrations upon user deprovisioning, others maintain the connection.

Furthermore, the handling of non-human accounts in SaaS platforms varies widely. Some incorporate these accounts into their user inventory, while others segregate them into distinct sections, potentially causing oversight. Unlike human accounts, non-human accounts are often authenticated once and then left unattended unless integration issues arise.

Additionally, many organizations resort to using a single API key across all integrations. This approach often entails assigning broad permission sets to the API key to cover diverse organizational needs. Alternatively, developers may opt to leverage their own high-permission API keys to grant access to non-human accounts, effectively providing unrestricted access within the application. However, this practice essentially equips these API keys with all-access passes, complicating control and oversight efforts.

Enhancing Security for Non-Human Accounts

By integrating a SaaS Security Posture Management (SSPM) platform alongside Identity Threat Detection & Response (ITDR) solutions, organizations can oversee their non-human accounts and promptly identify any irregularities in their behavior.

An SSPM can monitor non-human accounts in the user inventory. Centralizing identity management simplifies the process of monitoring access and permissions, enabling seamless updates irrespective of the account type. This unified approach to account management ensures consistency and adherence to organizational policies, such as prohibiting account sharing. Additionally, non-human accounts should be confined to specific pre-approved IP addresses and refrain from accessing applications through standard login interfaces (UI login). Permissions should be meticulously tailored to suit the unique requirements of each application, avoiding overly broad access.

ITDR complements these efforts by detecting anomalies in the behavior of non-human accounts. Despite their propensity to access SaaS applications around the clock, non-human accounts typically exhibit consistent interaction patterns. ITDR can identify deviations in behavior, such as changes in schedules, types of data inputted into the application, or activities undertaken by the non-human account.

The combined visibility provided by SSPM and ITDR into account activities and non-human identity behavior is indispensable for mitigating risks and promptly identifying potential threats. This proactive approach is fundamental for safeguarding the integrity of SaaS applications.

Evolving Strategies for Non-Human Account Security

Looking forward, organizations must adopt proactive measures to enhance the security of non-human accounts. Integrating SSPM platforms and ITDR solutions offers a promising avenue for centralized monitoring and timely anomaly detection.

By unifying identity management, enforcing stringent access controls, and leveraging behavioral analytics, organizations can mitigate risks associated with non-human accounts and uphold the integrity of their SaaS applications in an increasingly dynamic threat landscape. Embracing this proactive approach will be crucial in safeguarding against evolving identity threats and ensuring a robust security posture.

Learn more about securing non-human accounts and overall SaaS security.

Hananel Livneh is Head of Product Marketing at Adaptive Shield. He joined Adaptive Shield from Vdoo, an embedded cybersecurity company, where he was a Senior Product Analyst. Hananel completed an MBA with honors from the OUI, and has a BA from Hebrew University in Economics, Political Science and Philosophy (PPE). Oh, and he loves mountain climbing.

About Adaptive Shield