Recent CSA survey data shows that organizations are struggling to manage permissions and API keys. (API keys are the codes used to authenticate users and applications.) Keep in mind that API keys are also a type of non-human identity (NHI). An NHI is a digital construct used for machine-to-machine access and authentication. NHIs present unique security challenges that traditional Identity and Access Management (IAM) guidance often overlooks.
Astrix commissioned CSA to develop the above-mentioned survey and a subsequent report. The goal was to better understand the industry’s knowledge, attitudes, and opinions regarding NHI security and its challenges. CSA conducted the survey in June 2024 and received 818 responses from IT and security professionals.
Shockingly, CSA found that only 20% of the surveyed organizations have formal processes for offboarding and revoking API keys. Even fewer have procedures for rotating them. Additionally, nearly 40% of organizations take weeks or more to offboard keys.
Below are more insights into organizations' current challenges with managing access and security.
Reactive Permission Reviews Lead to Security Gaps
Only 22% of the surveyed organizations review permissions for service accounts yearly, while 19% do so randomly, when needed. Organizations are likely addressing service account permissions only to prepare for an audit or upon request. The manual and tedious nature of this process further complicates proactive management, increasing the risk of oversights.
Organizations need to move away from “point-in-time” assurance to more proactive measures. CSA recommends continuous monitoring and automated management. These measures are crucial for identifying and mitigating risks promptly. Without robust, automated solutions and systematic review processes, organizations remain vulnerable to security incidents and face significant challenges in securing their NHIs effectively.
Difficulties with Service Accounts and Tech Debt
Survey data reveals that managing permissions is notably easier if the service account is new. Only 9% of organizations find it highly difficult to manage permissions on new accounts. On the other hand, 22% of organizations find it highly difficult for existing accounts.
This disparity highlights the issue of tech debt. Retroactive changes to permissions are more cumbersome and error-prone than initial setups. Such difficulties often lead to gaps in security.
Managing and Offboarding API Keys
The management of API keys is another critical area where organizations falter. Only 20% of the surveyed organizations have a formal process for offboarding and revoking API keys. Even fewer have a process for rotating or rolling them back.
This lack of formalized procedures means that individuals often skip steps or do not strictly follow the outlined processes. The result can be a redundant attack surface. Additionally, when organizations do not properly offboard, revoke, or rotate API keys, the keys can remain active and potentially exploitable.
Manually Offboarding API Keys Leads to Long Timelines
Only 19% of the surveyed organizations have automated processes for offboarding API keys. Only 16% have automated processes for rotating or rolling them back. With manual handling, organizations may not know the full impact of changes. This leads to many uncertainties about what might break or what systems might be affected.
Additionally, the survey shows that nearly 40% of organizations take weeks or more to offboard API keys. Similarly, 24% take days and 18% take weeks to rotate or roll them back. Only a small fraction of organizations can handle these processes automatically or immediately.
Organizations need to adhere to formalized, automated processes for managing permissions and API keys. This creates more efficient processes and reduces human error. Without such measures, organizations remain inefficient and vulnerable to potential security breaches.
Read the full survey report to get crucial insights into NHI security gaps and recommendations. Besides permissions and API keys, the report covers:
- Perceptions around NHIs and their security risks
- Current security efforts, policies, and management of NHIs
- Challenges with connecting to third-party vendors