The number of non-human workers is growing, particularly as global organizations increasingly prioritize cloud computing, DevOps, IoT devices, and other digital transformation initiatives. Yet, organizations frequently only apply access controls to humans (employees, contractors, etc.), despite the risks associated with cyberattacks and data breaches linked to non-human workers and their privileged access to sensitive information.
Further, when a human worker leaves an organization, the organization generally has set processes to revoke that employee’s access to systems and data, eliminating the risk that access to these systems and data remains available.
But what happens when a non-human worker is no longer needed? For many organizations, often that non-human worker’s access privileges remain intact. This presents opportunities for cybercriminals to exploit the orphaned accounts for unauthorized access and initiate cyberattacks.
Organizations must track and manage non-human workers across their entire lifecycle. Otherwise, cybercriminals can launch cyberattacks that wreak havoc across an organization.
With the proper approach to the monitoring and management of the lifecycle of non-human workers, organizations can improve operational efficiencies while at the same time reducing the attack surface and stopping cyberattacks, data breaches, and compliance issues associated with these entities and their access.
A service account is generally used in operating systems to execute applications or run programs. It can also be utilized to launch programs on Unix and Linux. Service accounts belong to specific services and applications rather than end-users.
Common types of service accounts include (among others):
- Administrative (e.g., accounts that provide access to local hosts or instances, or to all workstations and servers across a specified domain)
- Application (e.g., accounts that let applications access databases, perform batch jobs, run scripts, and access other applications)
- Non-interactive (e.g., accounts used by a system process or service, such as running automated scripts for scheduled tasks)
- Robotic Process Automation (RPA) (e.g., accounts used by the software "robots" that end-users configure to emulate and integrate the human actions involved in using digital systems to execute business processes)
Service account mismanagement is a major problem for global organizations. Consider the following statistics from a recent service account security report: 73% of organizations do not audit, remove, or modify default service accounts before they move applications to production; 70% are unable to fully discover their accounts; 40% do not attempt to find these accounts; and 20% have never changed their account passwords.
RPA, in particular, inadvertently creates a new cyberattack surface for human and non-human workers alike. Bots used for RPA software require privileged access to log in to an ERP, CRM, or other business systems to perform tasks. As such, privileged credentials are usually hard-coded directly into a script or rules-based process used by a bot to complete these tasks.
Or, an RPA bot script may retrieve credentials from a commercial-off-the-shelf (COTS) application configuration file or another insecure location. At the same time, human employees may share database RPA credentials, so the same credentials can easily be used repeatedly by multiple workers.
If RPA accounts and credentials remain unchanged for long periods of time and are not secured properly, cybercriminals can launch attacks to steal them. Once cybercriminals obtain these accounts and credentials, they can use them to elevate privileges and move laterally to access organizational applications, data, and systems.
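The two credential-handling failures described above (a secret hard-coded in a bot script, or read from a COTS configuration file) are the kind of thing a defender can detect mechanically before a bot reaches production. The following is an added example, not code from the original article: a small line-by-line scanner that flags literal secrets assigned to credential-like keys in script or config text, alongside the hardened alternative in which the bot never contains the secret and instead receives it from the process environment at launch (injected by whatever vault or scheduler the organization uses). The sample scripts, the config snippet, the `RPA_ERP_PASSWORD` variable name and the detection patterns are all constructed for this demo.

```python
"""Added example (not from the original article): detect hard-coded credentials
in RPA bot scripts / COTS config files, and show the hardened runtime retrieval.
All sample text, names and patterns below are constructed for the demo."""
import os
import re
from dataclasses import dataclass
from typing import List, Mapping, Optional

# Credential-like keys assigned a quoted literal (scripts) or a bare value at the
# start of a line (INI-style config). Constructed rule set; a production scanner
# would carry a much broader one.
_SECRET_PATTERNS = [
    re.compile(r'(?i)(password|passwd|pwd|api[_-]?key|secret|token)\s*[:=]\s*["\']([^"\']{4,})["\']'),
    re.compile(r'(?i)^\s*(password|api_key|secret|token)\s*=\s*([^\s"\']{4,})\s*$'),
]


@dataclass(frozen=True)
class Finding:
    source: str    # which file/script the line came from
    line_no: int   # 1-based line number
    key: str       # the credential-like key that was assigned a literal


def scan_for_hardcoded_credentials(source: str, text: str) -> List[Finding]:
    """Return one Finding per line that assigns a literal value to a secret-like key."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for pat in _SECRET_PATTERNS:
            m = pat.search(line)
            if m:
                findings.append(Finding(source, line_no, m.group(1).lower()))
                break  # one finding per line is enough
    return findings


def load_bot_credential(env_var: str = "RPA_ERP_PASSWORD",
                        environ: Optional[Mapping[str, str]] = None) -> str:
    """Hardened pattern: the bot holds no secret in code or config. The secret is
    injected into the environment at launch, so rotation requires no code change
    and a leaked script or repo reveals nothing. Refuses to start without it."""
    env = os.environ if environ is None else environ
    value = env.get(env_var)
    if not value:
        raise RuntimeError(f"credential {env_var} not injected; refusing to start bot")
    return value


# --- constructed samples -----------------------------------------------------
RPA_SCRIPT_BEFORE = """\
# erp_invoice_bot.py (constructed sample)
erp_host = "erp.example.internal"
erp_user = "svc_rpa_invoices"
erp_password = "Summer2019!"   # hard-coded; survives every rotation and every leak
"""

COTS_CONFIG_BEFORE = """\
[crm]
url = https://crm.example.internal
api_key = "k3y-constructed-0001"
"""

RPA_SCRIPT_AFTER = """\
import os
erp_password = os.environ["RPA_ERP_PASSWORD"]  # injected by the vault at launch
"""


def demo() -> dict:
    """Scan the three constructed samples; only the two 'before' versions should flag."""
    return {
        "bot_before": scan_for_hardcoded_credentials("bot", RPA_SCRIPT_BEFORE),
        "cots_before": scan_for_hardcoded_credentials("cots", COTS_CONFIG_BEFORE),
        "bot_after": scan_for_hardcoded_credentials("bot", RPA_SCRIPT_AFTER),
    }


if __name__ == "__main__":
    for name, found in demo().items():
        print(name, [(f.line_no, f.key) for f in found])
```

Wiring the scanner into the pipeline that promotes a bot to production gives the "audit default accounts before moving to production" step a concrete gate; the hardened loader is what the bot ships with instead of the literal.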
IoT devices let organizations wirelessly connect to networks and transfer data without human or computer intervention. They drive automation, productivity, and efficiency, and are becoming increasingly valuable for organizations in a wide range of industries, including financial services, healthcare, higher education, manufacturing, and retail.
Business data can be stored on IoT devices and these devices also can have access to sensitive company and personal data, which makes them prone to data compromises if they fall into the hands of cybercriminals. IoT devices can also be critical to the operation of manufacturing machinery and safety systems, and their identity and access must be known, so they are not inadvertently disabled.
There is also the risk of IoT device credentials not being updated regularly or revoked once a non-human worker is no longer required, which can make them susceptible to cyberattacks and data breaches. Also, if an IoT device’s virtual assistant is compromised, the information collected by the assistant can be retrieved by cybercriminals.
Bots: Chat and transactional
A chatbot uses AI to simulate conversations with end-users in natural language. This type of bot may be used on a website, messaging application, or mobile app, and it fosters communication between machines and humans.
Cybercriminals can transform a chatbot into an “evil bot” and use it to scan an organization’s network for other security vulnerabilities that could be exploited at a future date. With an evil bot at their disposal, cybercriminals can steal an organization’s data and use it for malicious purposes. An evil bot can also disguise itself as a legitimate human user and gain access to another user’s data. Over time, the bot can be used to accumulate data about a targeted victim from public sources and the dark web.
A transactional bot acts on behalf of a human and lets a customer make a transaction within the context of a conversation. The bot cannot understand information outside the conversation – instead, the bot serves one specific purpose, and it provides a customer the ability to quickly and conveniently complete a transaction.
Transactional bots are likewise not hacker-proof. If cybercriminals access a transactional bot, they can use it to collect customer data. They can also use the bot to conduct fraudulent transactions or prevent an organization from utilizing the bot to respond to customer concerns, questions, and requests.
Adopting a comprehensive lifecycle approach to non-human workers
Having an end-to-end approach to the lifecycle of non-human workers ensures an organization can simultaneously drive digital transformation and secure its IT environment. It is imperative for organizations that are trying to scale their operations across on-premise, hybrid, and cloud infrastructures.
To secure the lifecycle of non-human workers, an organization must first identify them. This requires an organization to consider:
- Who makes up my workforce, including employees, end-users, and vendors?
- Which IoT devices must be managed?
- What bots are being used?
- What RPAs are used to manage repetitive activities?
- What service accounts need to be monitored?
- Are there compliance mandates that must be followed?
- How is account and system access tracked and managed?
- Are validation processes in place to verify the presence of non-human workers and how are identities and accounts associated with these workers being used?
- With what frequency do non-human workers and their identities need to be audited and revalidated?
Next, an organization must establish processes, procedures, and systems to verify all non-human workers are correctly assigned the appropriate access privileges. This requires an organization to:
- Identify non-human workers for accounts and systems
- Create processes, procedures, and systems to ensure all non-human workers and the identities associated with them are closely monitored and managed
- Avoid privileged groups, as account misuse can be difficult to detect if accounts are placed into groups with built-in, shared privileges
- Perform regular audits to understand how, when, and why non-human workers and their identities are being used
- Create reports and review them regularly; this ensures reports can be used to identify and address anomalous non-human worker patterns
- Develop a non-human worker deprovisioning and offboarding process; this mitigates the risk of orphaned, unmanaged, and outdated non-human accounts
- Leverage access rights management software to ensure non-human worker access privileges are properly set up and appropriate permissions are granted
Finally, an organization must establish and maintain an authoritative record for all non-human workers, at the worker level as opposed to the access level. This system serves as a unified source for managing and monitoring the lifecycle of the non-human worker. It also reduces the risk of human errors, security risks, and compliance violations.
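The three steps above (identify, then monitor and audit, then reconcile against a worker-level authoritative record) can be expressed as a repeatable check. The following is an added example, not code from the original article: a small audit over a constructed inventory of discovered non-human identities that reconciles each one against an authoritative record and flags the conditions the steps call out: an orphaned owner, stale use, overdue credential rotation, membership in a built-in privileged group, an account the record says is decommissioned but which still exists, and an active record entry with no discovered account. All records, names, dates and thresholds (90-day staleness, 180-day rotation) are constructed for the demo.

```python
"""Added example (not from the original article): reconcile discovered
non-human identities against an authoritative record and report findings.
All records, names, dates and thresholds are constructed for this demo."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class NonHumanIdentity:
    name: str
    kind: str                    # "service_account", "rpa_bot", "iot_device", "chatbot"
    owner: Optional[str]         # accountable human or team; None means orphaned
    last_used: Optional[date]    # None means never observed in logs
    credential_rotated: date     # last password/key rotation
    groups: List[str] = field(default_factory=list)


# Constructed authoritative record: one entry per worker, not per access grant.
AUTHORITATIVE_RECORD: Dict[str, dict] = {
    "svc_backup":      {"owner": "it-ops", "status": "active"},
    "rpa_invoice_bot": {"owner": "finance-automation", "status": "active"},
    "iot-sensor-0423": {"owner": "plant-eng", "status": "active"},
    "svc_legacy_etl":  {"owner": "data-eng", "status": "decommissioned"},
}

PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "root"}  # built-in shared-privilege groups
STALE_AFTER = timedelta(days=90)
ROTATE_EVERY = timedelta(days=180)


def audit_identity(ident: NonHumanIdentity, record: Dict[str, dict], today: date) -> List[str]:
    """Return the list of findings for one identity (empty list means clean)."""
    findings = []
    entry = record.get(ident.name)
    if entry is None:
        findings.append("not in authoritative record")
    elif entry["status"] != "active":
        findings.append(f"record says {entry['status']} but account still exists")
    elif entry["owner"] != ident.owner:
        findings.append("owner mismatch with record")
    if ident.owner is None:
        findings.append("orphaned (no owner)")
    if ident.last_used is None or today - ident.last_used > STALE_AFTER:
        findings.append("stale (unused > 90d)")
    if today - ident.credential_rotated > ROTATE_EVERY:
        findings.append("credential rotation overdue")
    priv = [g for g in ident.groups if g in PRIVILEGED_GROUPS]
    if priv:
        findings.append("member of built-in privileged group: " + ", ".join(priv))
    return findings


def audit_inventory(inventory: List[NonHumanIdentity], record: Dict[str, dict],
                    today: date) -> Dict[str, List[str]]:
    """Report keyed by identity name; only identities with findings are included."""
    report = {}
    for ident in inventory:
        found = audit_identity(ident, record, today)
        if found:
            report[ident.name] = found
    return report


def missing_from_inventory(inventory: List[NonHumanIdentity], record: Dict[str, dict]) -> List[str]:
    """Active record entries with no discovered account: either the record is out
    of date or discovery is incomplete (the 70%-cannot-fully-discover problem)."""
    seen = {i.name for i in inventory}
    return sorted(n for n, e in record.items() if e["status"] == "active" and n not in seen)


TODAY = date(2024, 6, 1)   # fixed so the demo is deterministic
INVENTORY = [  # constructed discovery results
    NonHumanIdentity("svc_backup", "service_account", "it-ops", date(2024, 5, 30), date(2024, 1, 15)),
    NonHumanIdentity("rpa_invoice_bot", "rpa_bot", "finance-automation", date(2024, 5, 31),
                     date(2023, 2, 1), ["Domain Admins"]),
    NonHumanIdentity("svc_legacy_etl", "service_account", None, date(2023, 11, 2), date(2022, 6, 1)),
    NonHumanIdentity("bot-helpdesk-chat", "chatbot", "cx-team", date(2024, 5, 29), date(2024, 4, 1)),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, AUTHORITATIVE_RECORD, TODAY).items():
        print(name)
        for f in findings:
            print("  -", f)
    print("in record but not discovered:", missing_from_inventory(INVENTORY, AUTHORITATIVE_RECORD))
```

Run on a schedule, the report output is the regular review the second step asks for, and the "decommissioned but still exists" and "not in record" findings are exactly the orphaned and unmanaged accounts the deprovisioning process is meant to remove.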
There’s no doubt non-human workers provide value and will only continue to become widely adopted across IT environments. But how an organization monitors and manages non-human worker identities is key. With a proactive approach, an organization can continuously monitor and manage its non-human worker identities, improving operational efficiencies, and making it well-prepared to prevent costly cyberattacks and data breaches before they happen.
Furthermore, organizations can easily manage key identity lifecycle stages for non-human workers and conduct audits as needed. Best of all, the organization can close the gap on the non-human worker lifecycle and ensure privileged access is only granted when needed and then immediately removed when that need no longer exists — without exception.