OWASP, a trusted resource for web application security best practices, has highlighted specific mitigations to address the risks associated with Non-Human Identities (NHIs). NHIs, such as service accounts, API keys, and machine credentials, play a critical role in modern applications and services for authentication and authorization. However, the misuse and improper management of NHIs can lead to significant security vulnerabilities and potential exploitation.
One of the key risks identified by OWASP is the reuse of NHIs across multiple applications and services. Organizations may opt to reuse NHIs with broad permissions due to the complexity of managing granular permissions for each NHI. This practice increases the likelihood of exploitation and can result in widespread impact if a compromised NHI is used across various systems. Examples provided by OWASP include the reuse of Kubernetes service accounts, sharing API keys between applications, and leveraging cloud credentials across different services and resources.
To mitigate the risks associated with NHI reuse, OWASP recommends assigning a unique NHI to each application or service, enforcing the principle of least privilege, and conducting regular audits of NHI usage. By implementing these mitigating controls, organizations can reduce the likelihood of vulnerability chaining and limit the impact of a compromised NHI on their systems.
Another risk highlighted by OWASP is the human use of NHIs for manual tasks instead of their intended purpose, automated activities and workflows. This misuse makes NHI activity harder to audit and monitor, because actions can no longer be attributed to a specific person, a gap that malicious insiders or external attackers can exploit. Examples cited by OWASP include administrators using service account credentials, developers executing commands with NHIs, and unauthorized access to NHIs for persistence.
To address the risks associated with human use of NHIs, OWASP recommends implementing dedicated identities for automated tasks, conducting regular audits and monitoring of NHI activities, utilizing context-aware access controls, and providing education to developers and administrators on the risks associated with human use of NHIs. These measures aim to enhance technical and cultural controls to mitigate the potential risks posed by the improper use of NHIs.
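Both audit recommendations above (detecting an NHI shared across workloads, and detecting a person using an NHI interactively) can be checked against authentication logs. The following is an added example, not OWASP's own code; it assumes constructed audit events with `nhi`, `caller`, `src_ip`, `user_agent` and `interactive` fields, an assumed automation address range of 10.0.0.0/8, and a hypothetical list of interactive client markers.

```python
import ipaddress
from collections import defaultdict

# Constructed sample NHI audit events (hypothetical, not from a real system).
# Each event is one use of a non-human identity: which credential, which
# workload presented it, where from, and whether the session was interactive.
SAMPLE_EVENTS = [
    {"nhi": "svc-billing", "caller": "billing-api", "src_ip": "10.0.1.5",
     "user_agent": "billing-api/1.4", "interactive": False},
    {"nhi": "svc-billing", "caller": "reporting-job", "src_ip": "10.0.2.9",
     "user_agent": "python-requests/2.31", "interactive": False},
    {"nhi": "svc-deploy", "caller": "ci-runner", "src_ip": "10.0.3.2",
     "user_agent": "curl/8.4", "interactive": False},
    {"nhi": "svc-deploy", "caller": "unknown", "src_ip": "192.168.50.21",
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64)", "interactive": True},
    {"nhi": "svc-ingest", "caller": "ingest-worker", "src_ip": "10.0.4.7",
     "user_agent": "ingest-worker/2.0", "interactive": False},
]

# Assumed address range from which automated workloads are expected to call.
AUTOMATION_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Hypothetical user-agent prefixes of interactive tooling rather than a workload's client.
HUMAN_TOOL_MARKERS = ("mozilla/", "aws-cli/", "kubectl/")

def find_reused_nhis(events):
    """Return {nhi: sorted callers} for every NHI presented by more than one workload."""
    callers = defaultdict(set)
    for e in events:
        callers[e["nhi"]].add(e["caller"])
    return {nhi: sorted(c) for nhi, c in callers.items() if len(c) > 1}

def find_human_use(events, automation_nets=AUTOMATION_NETS):
    """Return events whose context suggests a person, not a workload, used the NHI."""
    flagged = []
    for e in events:
        reasons = []
        if e["interactive"]:
            reasons.append("interactive session")
        src = ipaddress.ip_address(e["src_ip"])
        if not any(src in net for net in automation_nets):
            reasons.append(f"source {e['src_ip']} outside automation ranges")
        if e["user_agent"].lower().startswith(HUMAN_TOOL_MARKERS):
            reasons.append(f"interactive client: {e['user_agent']}")
        if reasons:
            flagged.append({"nhi": e["nhi"], "caller": e["caller"], "reasons": reasons})
    return flagged

if __name__ == "__main__":
    print("reused NHIs:", find_reused_nhis(SAMPLE_EVENTS))
    for f in find_human_use(SAMPLE_EVENTS):
        print(f"human use of {f['nhi']}: {'; '.join(f['reasons'])}")
```

In the sample data the workstation session also shows up as a second caller of `svc-deploy`, so the reuse check and the human-use check corroborate each other on that credential.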
In conclusion, organizations must prioritize the proper management and mitigation of risks associated with NHIs to safeguard their systems and data from potential security threats. By following the recommendations provided by OWASP and implementing robust controls, organizations can strengthen their security posture and reduce the likelihood of exploitation through Non-Human Identities.
