For years, the security of a company’s systems has been synonymous with the security of its “perimeter.” There was what was safe “inside” and a dangerous outside world. We’ve built robust firewalls and deployed sophisticated detection systems, confident that keeping the barbarians outside the walls will keep our data and systems safe.
The problem is that we no longer operate within the confines of physical premises and controlled networks. Data and applications now reside in distributed cloud environments and data centers that users and devices can access from anywhere on the planet. The walls crumbled and the perimeter dissolved, opening the door to a new battlefield: identity.
Identity is at the heart of what the industry has hailed as the new gold standard for enterprise security: “zero trust.” In this paradigm, explicit trust becomes mandatory for any interactions between systems, and no implicit trust should exist. Every access request, regardless of its origin, must be authenticated, authorized and continuously verified before access is granted.
The dual nature of identity
Identity is a broad concept with a dual reality. On the one hand, people need access to their email and calendar, and some (particularly software engineers) have privileged access to a server or database to do their jobs. The industry has been improving the management of these identities over the past 20 years as employees join, gain privileges to specific systems, and eventually leave the enterprise.
On the other hand, we have another type of identity: machine identity, also referred to as non-human identities (NHIs), which make up the vast majority of all identities (estimated to outnumber human identities by a ratio of at least 45 to 1).
Unlike their human counterparts, NHIs, whether servers, programs, or processes, are not tied to individuals and thus pose an entirely different problem:
- They lack traditional security measures: unlike users, you can't simply apply MFA to a server or an API key.
- They can be created at any time by anyone in the enterprise (imagine marketing connecting their CRM to their email client) with virtually no control, and they are scattered across different tools, making them incredibly difficult to manage.
- They are overwhelmingly over-privileged and very often "stale": unlike human identities, NHIs are much more likely to persist long after their purpose has ended. This creates a high-risk situation where overprovisioned credentials with broad permissions remain valid after their intended use is over.
All of this together represents a perfect storm for large enterprises struggling with vast cloud environments and complex software supply chains. Unsurprisingly, mismanaged identities, whose most visible symptom is secrets sprawl, are now the root cause of the majority of security incidents affecting businesses worldwide.
The high cost of inaction: real breaches
The consequences of neglecting NHI security are not theoretical. There are many examples in the news of high-profile breaches where compromised NHIs served as an entry point for attackers, resulting in significant financial losses, reputational damage and undermining customer trust. Dropbox, Sisense, Microsoft and The New York Times are examples of companies that have admitted they were affected by a compromised NHI in 2024 alone.
Perhaps worst of all, these incidents have a ripple effect. In early 2024, Cloudflare disclosed that its internal Atlassian systems had been breached using tokens and service accounts (in other words, NHIs) that had previously been stolen in a breach of Okta, a leading identity platform. What's particularly telling here is that Cloudflare quickly discovered the Okta intrusion and responded by rotating the suspect credentials. However, they later realized that some access tokens had not been rotated, giving attackers another chance to breach their infrastructure.
This is not an isolated story: 80% of organizations have experienced security breaches involving identity data, and the 2024 edition of the Verizon DBIR ranked "Identity or Credential Compromise" as the number one vector for cyber attacks.
Should you be concerned? The full impact of the Cloudflare incident is still unknown. However, the company disclosed that remediation included rotating every production credential, around 5,000 in total, an extensive forensic triage and a reboot of all company systems. Consider the time, resources and financial burden such an incident would place on your organization. Can you afford that risk?
Addressing NHI mismanagement, correcting both current exposure and future risk, is a long road. While there is no magic bullet, tackling one of the biggest and most complex security risks of our time is achievable. Organizations can reduce the risks associated with non-human identities by combining immediate actions with medium- and long-term strategies.
GitGuardian, an industry leader in secrets security, has been guiding Fortune 500 customers through this process for the past 7 years.
Gaining control of NHIs starting with Secrets Security
Organizations must take a proactive and comprehensive approach to NHI security, starting with the security of secrets. Gaining control over NHIs starts with implementing effective secrets security capabilities:
1. Creating comprehensive and continuous visibility
You can't defend what you don't know. Secrets security starts with monitoring a wide range of assets at scale, from source code repositories to messaging systems and cloud storage. It's critical to extend monitoring beyond internal sources to detect company-related secrets in high-risk places like public GitHub. Only then can organizations understand the extent of their exposure and take steps to remediate it.
GitGuardian Secret Detection boasts the largest number of detectors and the widest range of monitored assets on the market, including all public GitHub activity for the past 5 years.
2. Optimizing remediation
Securing secrets is not a one-time task but an ongoing process. It must be integrated into software development and other workflows to find and remediate (revoke) hard-coded secrets and remove the root cause of breaches. Timely and efficient remediation, limiting alert fatigue and streamlining the remediation process at scale are critical. This allows organizations to address issues before attackers can exploit them, delivering effective and measurable risk reduction.
The GitGuardian Platform makes remediation the number one priority. Unified incident management, tailored remediation recommendations, and detailed incident information enable organizations to combat the threat of large-scale leaks.
3. Integration with identity and secrets systems
Analyzing the context of a secret leak is critical to determining its sensitivity and associated risk. Integration with Identity and Access Management (IAM), Privileged Access Management (PAM) systems, and secrets managers provides a more comprehensive view of the NHI footprint and activity.
GitGuardian’s partnership with CyberArk Conjur, a leader in secret management and identity security, is an industry first. This partnership brings end-to-end security of secrets to the market, opening up new use cases such as automated open access detection, secret management policy enforcement, and automated post-leak rotation.
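The three steps above, reduced to working code as an added example (this is not GitGuardian's or CyberArk's code): run detectors over several kinds of assets, consolidate the raw findings into one incident per distinct secret so remediation is not duplicated, and enrich each incident with context from a secrets-manager inventory to prioritize it. The AWS and GitHub detector patterns follow those vendors' publicly documented token formats; the entropy threshold, the sample assets, the inventory and the priority rules are assumptions constructed for this illustration.

```python
import hashlib
import math
import re
from collections import Counter
from dataclasses import dataclass, field

# Specific detectors use public token prefixes; the generic one catches
# "password = '...'" style assignments and needs an entropy check to drop placeholders.
DETECTORS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|password|token)\s*[=:]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
    ),
}
ENTROPY_THRESHOLD = 3.5  # assumption: bits per character; random tokens usually score above 4

def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def fingerprint(secret: str) -> str:
    # Keep a hash, never the secret itself, so findings can be matched across sources.
    return hashlib.sha256(secret.encode()).hexdigest()[:16]

@dataclass(frozen=True)
class Finding:
    source: str
    line_no: int
    detector: str
    fingerprint: str
    redacted: str

def scan(source: str, text: str) -> list:
    """Step 1: run every detector over every line of one asset."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, rx in DETECTORS.items():
            for m in rx.finditer(line):
                secret = m.group(1) if m.groups() else m.group(0)
                if name == "generic_assignment" and shannon_entropy(secret) < ENTROPY_THRESHOLD:
                    continue  # low-entropy value: almost certainly a placeholder, not a secret
                redacted = secret[:4] + "*" * (len(secret) - 4)
                findings.append(Finding(source, line_no, name, fingerprint(secret), redacted))
    return findings

def scan_all(sources: dict) -> list:
    return [f for src, text in sources.items() for f in scan(src, text)]

@dataclass
class Incident:
    fingerprint: str
    redacted: str
    detectors: set = field(default_factory=set)
    occurrences: set = field(default_factory=set)  # (source, line_no) pairs
    public: bool = False
    owner: str = "unknown"  # "unknown" = not in any inventory, i.e. a shadow NHI
    scope: str = "unknown"

def consolidate(findings: list, inventory: dict) -> dict:
    """Steps 2 and 3: one incident per distinct secret, enriched with inventory context."""
    incidents = {}
    for f in findings:
        inc = incidents.setdefault(f.fingerprint, Incident(f.fingerprint, f.redacted))
        inc.detectors.add(f.detector)
        inc.occurrences.add((f.source, f.line_no))
        inc.public = inc.public or f.source.startswith("public:")
        ctx = inventory.get(f.fingerprint)
        if ctx:
            inc.owner, inc.scope = ctx["owner"], ctx["scope"]
    return incidents

def priority(inc: Incident) -> int:
    """Lower sorts first: public exposure, then broad or unknown scope, then no owner."""
    return (-100 if inc.public else 0) + (-10 if inc.scope in ("admin", "unknown") else 0) \
        + (-1 if inc.owner == "unknown" else 0)

def remediation_plan(incidents: dict) -> list:
    """Ordered (redacted secret, action) pairs; a public leak is revoked, not merely rotated."""
    plan = []
    for inc in sorted(incidents.values(), key=priority):
        action = ("revoke now, rotate, audit usage logs" if inc.public
                  else "rotate, remove from source, move to the secrets manager")
        plan.append((inc.redacted, action))
    return plan

# Constructed sample assets. AKIAIOSFODNN7EXAMPLE is AWS's documented example key;
# every other value is made up for this example.
GH_TOKEN = "ghp_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789"
SAMPLE_SOURCES = {
    "repo:app/settings.py": 'DB_PASSWORD = "Qz8vLm2pW9xT4kN7aB3c"\nAPI_KEY = "REPLACE_ME_REPLACE_ME"\n',
    "repo:.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nGITHUB_TOKEN=" + GH_TOKEN + "\n",
    "slack:#eng-oncall": "can someone check prod? use AKIAIOSFODNN7EXAMPLE like last time",
    "public:github.com fork, commit diff": "+export GITHUB_TOKEN=" + GH_TOKEN,
}
# Constructed secrets-manager inventory, keyed by fingerprint. The GitHub token is
# deliberately absent: nobody registered it, which is the NHI sprawl described above.
INVENTORY = {
    fingerprint("AKIAIOSFODNN7EXAMPLE"): {"owner": "platform-team", "scope": "admin"},
    fingerprint("Qz8vLm2pW9xT4kN7aB3c"): {"owner": "db-team", "scope": "read-only"},
}

if __name__ == "__main__":
    for redacted, action in remediation_plan(consolidate(scan_all(SAMPLE_SOURCES), INVENTORY)):
        print(redacted, "->", action)
```

Seven raw findings collapse into three incidents; the GitHub token comes out first because it appears in a public commit and nobody owns it. Matching by fingerprint is also the check the Cloudflare story calls for: re-scan after rotation, and any fingerprint that still resolves to a live credential has not actually been rotated.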
Changing Mindsets: From Perimeter to Secrets Security
The rapid proliferation of non-human identities has created a complex and often overlooked security challenge. Traditional perimeter-based security measures are no longer sufficient in today’s distributed, cloud-centric environments. The risks associated with NHI mismanagement are real and potentially devastating, as evidenced by high-profile breaches that have resulted in significant financial and reputational damage.
However, there is hope. By shifting our focus to the security of secrets and adopting an integrated approach that includes robust detection, automated remediation, and integration with identity systems, organizations can significantly reduce the attack surface and strengthen their overall security posture.
It may sound complicated, but it's a necessary evolution in our approach to cybersecurity. The time to act is now; the question is, are you ready to take control of your secrets' security? Get started with GitGuardian today.