ODPR: A Framework for Securing Non-Human Identities
Over the last few months there have been a number of newsworthy data breaches stemming from compromised session tokens, API keys, service accounts, and secrets: the digital credentials and permissions of automated systems, now referred to as non-human identities (NHIs).
Cloudflare, Dropbox, Microsoft, and most recently Hugging Face have all been breached due to NHI misuse. While user identities benefit from plenty of protections such as multi-factor authentication, step-up authentication, SSO, and a range of access control and authorization policies, NHIs simply don’t have the same protections and rigorous hygiene in place.
Years ago, CrowdStrike created the 1-10-60 framework for incident response: 1 minute to detect, 10 to investigate, and 60 minutes to isolate or remediate the incident. When it comes to identity-based threats, we lack the tools to protect companies before the attacker breaks out.
To help companies protect these highly-permissioned assets, SlashID has created a simple framework to follow: Observe, Detect, Prevent, & Remediate.
Observe
The surge in non-human identities (NHIs) has been driven by several factors, including the use of Kubernetes clusters and containers, the adoption of microservices, the integration of cloud services and automation, and the widespread use of third-party SaaS applications by organizations. Non-human identities outnumber humans as much as 50 to 1 at most enterprise companies. They’re created and used across a complex web of applications, APIs, and workloads owned by several different teams. As a result, companies struggle to piece together a complete view of these highly-permissioned assets, leaving them vulnerable to misuse.
Building a complete NHI inventory across cloud vendors, including over-privileged credentials and transitive trust relationships, is the foundational piece of this framework. Centralizing visibility over NHIs not only removes uncertainty but also gives all stakeholders (security teams, developers, risk and compliance) a standardized approach to follow, rather than working across several different tools and platforms to complete their work.
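The transitive trust relationships mentioned above are the part of an inventory that a flat list of credentials misses. The following added example (not SlashID's code) models a constructed inventory of identities and the identities each may assume, then walks the assume graph to report the effective permissions of every NHI and the chain through which a low-privilege credential reaches a high-risk permission; the identity names, permissions and the HIGH_RISK set are illustrative assumptions.

```python
from collections import deque

# Constructed sample inventory (illustrative, not real data): for each NHI,
# the permissions it holds directly and the identities it is allowed to assume.
INVENTORY = {
    "ci-runner":      {"perms": {"s3:GetObject"}, "assumes": {"deploy-role"}},
    "deploy-role":    {"perms": {"ecs:UpdateService"}, "assumes": {"admin-role"}},
    "admin-role":     {"perms": {"iam:*"}, "assumes": set()},
    "metrics-reader": {"perms": {"cloudwatch:GetMetricData"}, "assumes": set()},
}

# Permissions that should only ever be held deliberately and directly (assumed list).
HIGH_RISK = {"iam:*", "sts:*", "secretsmanager:*"}


def trust_paths(identity, inventory):
    """Breadth-first walk of the assume graph. Returns {reachable_identity: path},
    where path lists the hops from `identity`; the dict doubles as the visited set."""
    paths = {identity: [identity]}
    queue = deque([identity])
    while queue:
        current = queue.popleft()
        for nxt in sorted(inventory.get(current, {}).get("assumes", ())):
            if nxt not in paths:
                paths[nxt] = paths[current] + [nxt]
                queue.append(nxt)
    return paths


def effective_permissions(identity, inventory):
    """Union of direct permissions over everything the identity can transitively assume."""
    perms = set()
    for reached in trust_paths(identity, inventory):
        perms |= inventory.get(reached, {}).get("perms", set())
    return perms


def transitive_findings(inventory):
    """Flag identities that gain a high-risk permission only through an assume chain.
    Returns {identity: (permission, path)} so the finding shows how the privilege is reached."""
    findings = {}
    for identity in inventory:
        direct = inventory[identity]["perms"]
        for reached, path in trust_paths(identity, inventory).items():
            risky = (inventory[reached]["perms"] & HIGH_RISK) - direct
            if risky and reached != identity:
                findings[identity] = (sorted(risky)[0], path)
                break
    return findings
```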
Detect
Just because you now have visibility over all of your NHIs doesn’t mean they’re secure. Detecting threats in real time is the next piece of the framework. Static detection based on manual or periodic scans is no longer enough to prevent NHI misuse. Security teams need to respond to threats quickly to reduce the mean time to detect and respond, and static detection leaves windows in which threats go undetected and a lot of damage can be done.
Additionally, not all threats are equal. It is important to be able to prioritize threats based on severity so security teams can act accordingly. SlashID detects threats against your NHIs and allows you to customize their severity score based on your unique environment. The alerts can be consumed via a SIEM, email, Slack, or custom notifications.
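As an added illustration of per-event scoring with environment-specific severity overrides (example code, not SlashID's detection engine), the block below evaluates a constructed stream of audit events against a constructed per-identity baseline and returns alerts ordered by severity; the baseline, the three detections and their default severities are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed baseline (not real data): the source networks each NHI is expected
# to call from and the operations it normally performs.
BASELINE = {
    "svc-ci":      {"sources": {"10.0.1.0/24"}, "ops": {"s3:GetObject", "ecr:PutImage"}},
    "svc-metrics": {"sources": {"10.0.2.0/24"}, "ops": {"cloudwatch:GetMetricData"}},
}

# Default severity per detection; an operator overrides these per environment.
DEFAULT_SEVERITY = {"new_source": 3, "unusual_operation": 2, "iam_mutation": 5, "unknown_identity": 4}

# Constructed event stream, as it might be parsed from a cloud audit log.
EVENTS = [
    {"ts": "2024-06-01T10:00:00", "identity": "svc-ci", "op": "s3:GetObject", "src": "10.0.1.7"},
    {"ts": "2024-06-01T10:05:00", "identity": "svc-ci", "op": "s3:GetObject", "src": "203.0.113.9"},
    {"ts": "2024-06-01T10:06:00", "identity": "svc-ci", "op": "iam:CreateAccessKey", "src": "203.0.113.9"},
    {"ts": "2024-06-01T10:07:00", "identity": "svc-metrics", "op": "cloudwatch:GetMetricData", "src": "10.0.2.3"},
]


def evaluate(event, baseline, overrides=None):
    """Return [(detection, severity)] for one event, so each event is scored as it
    arrives instead of waiting for a periodic scan."""
    sev = {**DEFAULT_SEVERITY, **(overrides or {})}
    profile = baseline.get(event["identity"])
    if profile is None:
        return [("unknown_identity", sev["unknown_identity"])]
    findings = []
    src = ip_address(event["src"])
    if not any(src in ip_network(n) for n in profile["sources"]):
        findings.append(("new_source", sev["new_source"]))
    if event["op"] not in profile["ops"]:
        findings.append(("unusual_operation", sev["unusual_operation"]))
    service, _, action = event["op"].partition(":")
    # Any IAM write (create/attach/put...) by a workload credential is scored highest.
    if service == "iam" and not action.startswith(("Get", "List")):
        findings.append(("iam_mutation", sev["iam_mutation"]))
    return findings


def prioritized(events, baseline, overrides=None):
    """Score every event and return alerts with the highest severity first."""
    alerts = []
    for e in events:
        for det, s in evaluate(e, baseline, overrides):
            alerts.append((s, e["identity"], det, e["ts"]))
    return sorted(alerts, reverse=True)
```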
Prevent
Once you have complete visibility over your NHIs and the ability to detect threats in real time, the next stage of the framework is prevention. These efforts are focused on minimizing the surface area that handles key material and enforcing fine-grained authorization and least-privilege access.
Starting with minimizing the surface area that handles key material, we recommend credential tokenization. Keeping secrets out of application code and configuration files reduces the risk of accidental exposure or deliberate theft of credentials.
After preventing accidental exposure of credentials, adopting OAuth2 scopes for fine-grained access control ensures that NHIs have only the necessary permissions for their tasks. This approach minimizes the risk of over-privileged credentials being misused.
Finally, enforcing conditional access controls minimizes the chances of unauthorized access by ensuring that only known-good systems have access to sensitive data.
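To show how the scope and conditional-access checks above combine at a single enforcement point, here is an added example (not SlashID's code): every operation names the one OAuth2 scope it requires, and a token with the right scope is still refused unless the caller arrives from a network the policy marks as known-good for that operation. The operations, scopes, networks and the Token/Request shapes are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed scope map: each operation requires one specific scope, so a token
# minted for reads cannot be reused for writes or rotation.
REQUIRED_SCOPE = {
    "read_secret": "secrets:read",
    "write_secret": "secrets:write",
    "rotate_secret": "secrets:admin",
}

# Constructed conditional-access policy: the source networks allowed per operation,
# enforced regardless of what the token itself grants.
ALLOWED_SOURCES = {
    "read_secret": ["10.0.0.0/8"],
    "write_secret": ["10.1.0.0/16"],
    "rotate_secret": ["10.1.2.0/24"],
}


@dataclass
class Token:
    subject: str
    scopes: set = field(default_factory=set)
    expired: bool = False


@dataclass
class Request:
    token: Token
    operation: str
    source_ip: str


def authorize(req: Request):
    """Return (allowed, reason). Every check fails closed: an unknown operation,
    an expired token, a missing scope or an unexpected source is a denial."""
    needed = REQUIRED_SCOPE.get(req.operation)
    if needed is None:
        return False, f"unknown operation {req.operation!r}"
    if req.token.expired:
        return False, "token expired"
    # Fine-grained authorization: the exact scope, never a broad wildcard grant.
    if needed not in req.token.scopes:
        return False, f"missing scope {needed}"
    # Conditional access: a valid token is not enough; the caller must also come
    # from a known-good network for this particular operation.
    src = ip_address(req.source_ip)
    if not any(src in ip_network(n) for n in ALLOWED_SOURCES[req.operation]):
        return False, f"source {req.source_ip} not permitted for {req.operation}"
    return True, "ok"
```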
Remediate
The first three steps of the ODPR framework should be viewed as layers of security to prevent a breach. However, it is necessary to “Assume Breach” and plan for that scenario: rotate or revoke stolen credentials and contain the blast radius at runtime. Remediation is a significant challenge for NHIs, even for the most advanced companies. Consider Cloudflare’s November 2023 breach: while responding to the initial breach, they missed rotating just 1 access token and 3 service account credentials out of thousands, and as a result the attackers were able to access their entire Atlassian suite and a Bitbucket service account, which gave them access to the source code management system.
Remediation for NHIs comes down to 3 core questions:
- Can you rotate credentials quickly without downtime?
- Can you drop a credential privilege before the attacker can move laterally?
- Can you verify the attacker hasn’t achieved persistence in your environment?
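The first two questions have a concrete mechanical answer: overlapping credential versions for rotation without downtime, and scope reduction that takes effect without waiting for a rotation. The added example below (not SlashID's code, an in-memory stand-in for a secret manager) issues a replacement before the old version stops validating, revokes a known-stolen version immediately, shrinks a live credential's scopes in place, and lists versions past their grace window so that none is missed; the grace window and scope names are assumptions, and the clock is injectable so the behaviour can be checked deterministically.

```python
import secrets
import time


class CredentialStore:
    """Constructed in-memory model of a secret manager with overlapping versions:
    a new version is issued before the old one is revoked, so consumers that have
    not re-read the secret yet keep working during the grace window."""

    def __init__(self, grace_seconds=300, now=time.time):
        self.now = now
        self.grace = grace_seconds
        self.versions = {}   # version -> {"value", "revoke_at", "scopes"}
        self.current = None

    def issue(self, scopes):
        v = len(self.versions) + 1
        self.versions[v] = {"value": secrets.token_urlsafe(32),
                            "revoke_at": None, "scopes": set(scopes)}
        self.current = v
        return v

    def rotate(self):
        """Issue a replacement and schedule (not perform) revocation of the previous version."""
        old = self.current
        new = self.issue(self.versions[old]["scopes"])
        self.versions[old]["revoke_at"] = self.now() + self.grace
        return old, new

    def revoke(self, version):
        """Immediate revocation for a credential known to be stolen: no grace window."""
        self.versions[version]["revoke_at"] = self.now()

    def drop_privilege(self, version, keep):
        """Contain the blast radius at runtime by shrinking scopes without rotating."""
        self.versions[version]["scopes"] &= set(keep)

    def validate(self, presented):
        """Return the live scopes for a presented secret, or None if unknown or revoked."""
        for v in self.versions.values():
            if secrets.compare_digest(v["value"].encode(), presented.encode()):
                if v["revoke_at"] is not None and self.now() >= v["revoke_at"]:
                    return None
                return set(v["scopes"])
        return None

    def expired_versions(self):
        """Versions past their grace window: the audit list that must be confirmed purged."""
        return [v for v, d in self.versions.items()
                if d["revoke_at"] is not None and self.now() >= d["revoke_at"]]
```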
Conclusion
The ODPR framework—Observe, Detect, Prevent, and Remediate—provides a robust strategy for securing non-human identities (NHIs) in complex digital environments. By ensuring comprehensive visibility, real-time threat detection, fine-grained authorization, and rapid remediation, organizations can mitigate the risks of data breaches. As NHIs continue to grow in number, implementing these measures is crucial for protecting critical assets and enhancing overall security. Adopting the ODPR framework helps companies maintain a strong defense against evolving threats.