Full Report
Identity-based attacks are on the rise. Attacks in which malicious actors assume the identity of an entity to easily gain access to resources and sensitive data have been increasing in number and frequency over the last few years. Some recent reports estimate that 83% of attacks involve compromised secrets. According to reports such as the Verizon DBIR, attackers are more commonly using stolen
Analysis Summary
# Best Practices: Securing Non-Human Identities (NHIs) via Secrets Management
## Overview
These practices address the increasing threat from identity-based attacks, specifically focusing on securing Non-Human Identities (NHIs) such as API keys, bearer tokens, and JWTs. The core strategy is to treat authentication secrets as unique identifiers (like UUIDs) for NHIs to enable robust observability, governance, and lifecycle management.
## Key Recommendations
### Immediate Actions
1. **Identify and Inventory High-Risk Secrets:** Immediately scan code repositories, configuration files, and infrastructure-as-code to discover exposed or hardcoded secrets (API keys, tokens, passwords) that grant access.
2. **Establish Secret Credential Rotation Baseline:** Mandate and enforce immediate rotation for all publicly exposed or recently discovered high-privilege secrets.
3. **Define "Non-Human" Identity:** Create a working definition within your organization for what constitutes an NHI (e.g., service accounts, managed identities, CI/CD runners, workload identities).
### Short-term Improvements (1-3 months)
1. **Map Secrets to NHIs:** Implement tools or processes to link every discovered credential/secret artifact directly to the specific NHI (workload, service account) that uses it.
2. **Implement Centralized Secret Vaulting:** Begin migrating secrets out of source code, configuration files, and unencrypted stores into a centralized, access-controlled secret management solution.
3. **Assign Ownership and Metadata:** For all critical NHIs, establish documented ownership (team/individual) and mandatory metadata tagging indicating the identity's purpose, scope, and required lifespan.
### Long-term Strategy (3+ months)
1. **Enforce Secret Lifecycle Policies:** Implement automated workflows for creation, dynamic issuance, regular, mandatory rotation, and timely decommissioning/revocation of all NHI secrets.
2. **Leverage Secrets for Traceability:** Configure logging and monitoring to treat authentication events tied to a specific secret as a uniquely traceable artifact, enabling "why, where, and on whose behalf" auditing for every machine identity action.
3. **Standardize Access Policies (Zero Trust for NHIs):** Apply Zero Trust principles by ensuring NHI permissions are strictly scoped (least privilege) based on the documented use case associated with its authenticating secret.
## Implementation Guidance
### For Small Organizations
- **Focus on Visibility First:** Prioritize using automated scanning tools to inventory existing secrets across development pipelines and cloud environments.
- **Adopt a Single Vault Solution:** Select and implement one cloud-native or open-source secret management tool suitable for immediate use in all new application deployments.
- **Manual Ownership Mapping:** Since dedicated inventory tools may be too costly, assign initial ownership manually during the migration process to a central configuration management database (CMDB) or inventory sheet.
### For Medium Organizations
- **Integrate Scanning into CI/CD:** Integrate secret scanning tools directly into the pre-commit hooks and CI/CD pipelines to prevent new secrets from being introduced into repositories passively.
- **Pilot NHI Governance:** Select a non-critical application area (e.g., a staging environment) to pilot the full cycle of NHI governance: linking secrets, enforcing granular policies, and tracking deactivation.
- **Establish Cross-Team Definitions:** Work with Infrastructure, Development, and Security teams to create a shared, documented understanding of key NHI types across varied platforms (e.g., how a Kubernetes SA maps conceptually to an AWS IAM Role).
### For Large Enterprises
- **Deploy Unified Visibility Platform:** Invest in identity or secrets security platforms capable of unifying visibility across highly fragmented estates (legacy systems, multiple cloud providers, edge deployments).
- **Automate Lifecycle Enforcement at Scale:** Implement programmatic enforcement mechanisms (e.g., using orchestration tools or specialized governance platforms) to ensure automated rotation and expiration rules are consistently enforced across thousands of identities.
- **Audit Legacy Debt:** Conduct a specific audit focused on legacy systems that haven't rotated credentials in years, prioritizing rotation or decommissioning for high-risk, unmanaged NHIs.
## Configuration Examples
*Note: Specific vendor configurations are not provided in the source material, but the principle relies on using secrets as unique identifiers.*
**Principle of Configuration:** Configure authorization services to accept short-lived tokens/keys and mandate that log entries explicitly capture the credential's fingerprint alongside the principal identity and the action performed. This allows tracing an ephemeral action back to its originating secret.
Example Focus Areas:
1. **Vault Policy Configuration:** Ensure policies granting access to secrets are dynamically scoped (e.g., time-bound or temporary credentials) rather than static, persistent keys.
2. **Service Mesh/Workload Identity:** Configure platforms like Kubernetes or Istio to issue short-lived workload authentication credentials that automatically inherit audit trails from the CI/CD job that deployed the workload.
## Compliance Alignment
The practices strongly align with the following security control objectives:
- **NIST CSF:** Identify (ID.AM), Protect (PR.AC, PR.DS), Detect (DE.CM), Respond (RS.RP).
- **ISO 27001/27002:** A.5.15 (Access control), A.8.24 (Use of privileged access rights), A.8.29 (Management of technical vulnerabilities).
- **CIS Controls (v8):** Control 4 (Secure Configuration of Workstations and Devices), Control 5 (Account Management), Control 6 (Access Control Management).
## Common Pitfalls to Avoid
- **Treating NHI Governance as Purely Inventory:** Do not stop at merely listing where secrets exist. Governance requires enforcing lifecycle policies (rotation, revocation).
- **Ignoring Non-Human Identities in Audits:** Assuming that standard human IAM reviews cover all access risk; NHIs often outnumber human accounts by 50:1 and are frequently overlooked.
- **Reverting to Persistent Credentials:** Avoid re-introducing long-lived, static credentials when migrating systems, as this negates the traceability benefits of short-lived, verifiably unique secrets.
- **Lack of Ownership:** Creating NHIs without explicitly assigning an accountable team or individual, leading to orphaned secrets that can never be safely decommissioned.
## Resources
- **Framework for Modern Secrets Management:** Implement adoption guidance from major secret vault vendors (e.g., HashiCorp Vault, CyberArk, cloud-native vaulting services).
- **CI/CD Security Tooling:** Utilize specialized tools designed to scan source code and pipelines for secret leakage integrated into the development lifecycle (e.g., GitGuardian, specialized cloud security posture management tools).
- **Interactive Demos:** For immediate self-service exploration of credential visibility platforms (as suggested by the source content).