The Secret Weakness Execs Are Overlooking: Non-Human Identities

For years, securing a company's systems was synonymous with securing its "perimeter." There was what was safe "inside" and the unsafe outside world. We built sturdy firewalls and deployed sophisticated detection systems, confident that keeping the barbarians outside the walls kept our data and systems safe.

The problem is that we no longer operate within the confines of physical on-prem installations and controlled networks. Data and applications now reside in distributed cloud environments and data centers, accessed by users and devices connecting from anywhere on the planet. The walls have crumbled, and the perimeter has dissolved, opening the door to a new battlefield: identity.

Identity is at the center of what the industry has praised as the new gold standard of enterprise security: "zero trust." In this paradigm, explicit trust becomes mandatory for any interactions between systems, and no implicit trust shall subsist. Every access request, regardless of its origin, must be authenticated, authorized, and continuously validated before access is granted.

The Dual Nature of Identity

Identity is a broad concept with a dual reality. On the one hand, people need access to their email and calendar, and some (software engineers in particular) need privileged access to a server or database to do their work. The industry has spent the past 20 years refining how these identities are managed as employees join, gain privileges for certain systems, and eventually leave the enterprise.

On the other hand, we have another type of identity: machine identities, also referenced as non-human identities (NHIs), which account for the vast majority of all identities (it's estimated they outnumber human identities at least by a factor of 45 to 1).

Unlike their human counterparts, NHIs, which range from servers and apps to individual processes, are not tied to individuals and therefore pose a whole different problem:

  • They lack traditional security measures because, unlike human users, we can't simply apply MFA to a server or an API key.
  • They can be created at any moment by anyone in the enterprise (think Marketing connecting their CRM to the email client) with little to no supervision. They are scattered across a diversity of tools, which makes managing them incredibly complex.
  • They are overwhelmingly over-privileged and very often 'stale': unlike human identities, NHIs are much more likely to stay long after they have been used. This creates a high-risk situation where over-provisioned credentials with broad permissions remain even after their intended use has ended.

All this combined presents the perfect storm for large enterprises grappling with sprawling cloud environments and intricate software supply chains. It's not surprising that mismanaged identities—of which secrets sprawl is a symptom—are now the root cause of most security incidents affecting businesses worldwide.
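The three NHI problems listed above (no MFA-style control, ad hoc creation with no owner, stale and over-privileged credentials) are what an NHI inventory audit looks for. The following is an added example, not code from the article: it flags credentials in a constructed inventory that are stale, carry broad scopes, or have no accountable owner. The inventory entries, the 90-day threshold and the scope names are all assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

STALE_AFTER = timedelta(days=90)        # no activity this long -> treat as stale (assumed policy)
BROAD_SCOPES = {"*", "admin", "owner"}  # scopes that grant far more than one task needs (assumed names)

@dataclass
class Nhi:
    name: str
    source: str                    # tool or platform the credential lives in
    scopes: set[str]
    created: date
    last_used: date | None = None  # None means never used since creation
    owner: str | None = None       # None means nobody is accountable for it

def audit_nhi(n: Nhi, today: date) -> list[str]:
    """Return the risk flags for one NHI: stale, broad, unowned."""
    flags = []
    last_activity = n.last_used or n.created   # a never-used key ages from its creation date
    if today - last_activity >= STALE_AFTER:
        flags.append("stale")
    if n.scopes & BROAD_SCOPES:
        flags.append("broad")
    if n.owner is None:
        flags.append("unowned")
    return flags

def audit_inventory(nhis: list[Nhi], today: date) -> dict[str, list[str]]:
    """Map each NHI that has at least one flag to its flags; clean entries are omitted."""
    report = {}
    for n in nhis:
        flags = audit_nhi(n, today)
        if flags:
            report[n.name] = flags
    return report

# Constructed sample inventory, not real data: one credential per tool, as they sprawl in practice.
TODAY = date(2024, 10, 4)
SAMPLE = [
    Nhi("crm-email-sync", "marketing-crm", {"mail.send", "contacts.read"},
        date(2023, 1, 10), last_used=date(2023, 3, 2)),                         # stale, unowned
    Nhi("ci-deploy-key", "ci-platform", {"*"},
        date(2024, 6, 1), last_used=date(2024, 10, 3), owner="platform-team"),  # broad
    Nhi("billing-export", "cloud-account", {"storage.read"},
        date(2024, 9, 20), last_used=date(2024, 10, 1), owner="finance"),       # clean
]

if __name__ == "__main__":
    for name, flags in audit_inventory(SAMPLE, TODAY).items():
        print(f"{name} ({', '.join(flags)})")
```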

Administrator October 4, 2024