The contents of this article are captured here and reflected back in response to an article posted on SailPoint’s Identity Quotient Blog article entitled “Third-Party Contractors: The Target Breach’s Bulls-eye.” I recommend reading that article to establish context for this article. Be sure to consume the comments in this article where I’ve updated my thoughts here for more modern solutions such as SailPoint‘s SaaS-Delivered Identity Security Cloud.
Update: This article was written almost 10 years ago when the problem was every bit as large as it is today, although with the cloud, this problem is growing at an exponential rate. The original title was “The Problem of Non-User IDs in Organizations Today” as that is what they were called then when I attacked the problem with a custom solution. The industry has now begun to standardize around the term “Non-Human Identities” or “NHI” for short. So when you read “Non-User IDs” or “NUIDs” think “Non-Human Identities” or “NHI.” The industry typically and unfortunately is still running a decade behind. The concepts here still apply. –CEO 12/16/2024
It is fairly well known and pretty much public knowledge that the Target breach took place leveraging 3rd party credentials that were phished from an associated Heating Venting and Air Conditioning (HVAC) vendor. This was the initial point of entry into the Target network.
Vendor Access Was Only the Beginning…
However, the HVAC credentials were primarily leveraged only for initial access. Credit card data was not being accessed and siphoned using that specific HVAC ID. Nevertheless, controls around the time of access and other metadata information that could be policy-driven within SailPoint IdentityIQ around that 3rd party access are still cogent to the discussion as per the aforementioned SailPoint article.
What isn’t mentioned in the article is that SailPoint IdentityIQ and ideally any IdM product could and should have a very big part to play in the gathering of and providing governance around Non-User IDs (NUIDs) — testing IDs, training IDs, B2B FTP IDs, generic admin IDs (that should be privileged access managed anyway), application IDs (huge!), etc.
Organizations typically have thousands, tens of thousands and yes, even millions of orphaned and ungoverned NUIDs, in terms of overall access, proliferated, orphaned and laying dormant on end-point servers and systems…
An ID is an ID is an ID
To an attacker, an ID is an ID is an ID. Any ID will suffice in order to establish a beachhead on a system and then begin trying to “walk” systems, ideally through the elevation of access. This is typically how deep penetration and spanning of internal networks has taken place in a lot of recent breaches. When attacking a system and attempting to establish access, it doesn’t matter to the attacker whether the initial ID used is technically a normal and established user ID (with or without governance around it) or a NUID that typically is not being properly tracked and governed within organizations. In fact, NUIDs represent an ideal target due to the fact they don’t have visibility and normal and established governance around them in many organizations.
NUIDs represent a bit of a governance challenge within Identity Management because ideally they should be associated with owners and then those IDs and owners become part of the joiner, leaver, mover lifecycle management, and access certification cycle along with any associated NUIDs. As owners move within an organization (which is quite common!) or leave, those associated NUIDs need to move with that owner or be assigned a new owner and possibly even re-certified and/or the password reset.
Most organizations have no optics into these NUIDs whatsoever, much less active governance around them. Not only do organizations not have good governance around them, they typically don’t have much governance around the creation of these IDs (an active NUID request and approval process) and so these IDs are very often handed out like candy in organizations with few questions asked.
Organizations Typically Have TONS of Non-User IDs. TONS.
Who wants to stand in the way of handing out and asking hard questions around an application ID that will enable a multi-million-dollar application for example?! (And it’s not uncommon for those application ID requests to come in a week before the application is supposed to go live, due to poor planning, and so there typically exists a lot of internal political pressure to make sure the necessary ID or IDs are established, even if an exception has to be made!) Or 15 training IDs necessary for the 15 highly paid rock stars your organization just hired?! So typically, few if any questions are ever asked when IDs of this sort need to be created that fall outside of the normal request and approval workflow processing. And consequentially are often still manually provisioned and deprovisioned by system administrators who may or may not consider provisioning these IDs in a least privileged fashion – with good password hygiene, setting password expirations, setting as non-interactive, if possible, etc.
To an attacker, an ID is an ID is an ID. Any ID will suffice in order to establish a beachhead on a system…
Governance around NUIDs is something that SailPoint IdentityIQ is very good at doing and every organization should initiate efforts to look into the gaps and exposures around NUIDs as again, very few organizations actually are and therefore there exists tremendous (and often invisible) risk within organizations that typically have thousands, tens of thousands and yes, even millions of orphaned and ungoverned NUIDs, in terms of overall access, proliferated, orphaned and laying dormant on end-point servers and systems.
With regard to SailPoint IdentityIQ, if you have access to SailPoint’s Community forum (formerly called Compass), be sure to check out the white paper SailPoint has written aimed directly at solving this problem of NUIDs using SailPoint IdentityIQ. If you aren’t using SailPoint IdentityIQ, be sure to start asking your Identity Management vendor some hard questions about how these IDs can be gathered, governed, tracked, and brought into a full lifecycle management and access certification or attestation cycle.
As always, feel free to engage me on Twitter @ChrisEOlive.
Just a quick update since this content was produced.
1. At the time I wrote this article, I was working for Thales Data Security.
2. The article to which I referred has been archived.
3. IdentityNow, SailPoint’s industry-only pure microservices-based SaaS solution has reached a very high level of maturity that once was only conceived as possible on-prem. (In reality, cloud service components from which SaaS solutions are built and especially cloud-based AI and ML platforms are unparalleled in terms of power, so the pendulum of power has clearly swung and swung rather hard in the direction of SaaS.) When reading “IdentityIQ” now think “Predictive Identity Platform” — whatever you need, on-prem or SaaS/Cloud, both solutions at SailPoint can cover the NUID use cases mentioned in the article.
4. Industry approaches to the problem of NUIDs has expanded from maintaining a “NUID Account to Owner” relationship, and is generally approached in one of roughly three ways:
A. Maintain NUID Account to Owner Relationship (as mentioned in the article).
B. Create Application, Resource or Asset Identities and correlate/associate Service Accounts (NUIDs) to those Top-Level A/R/S Identities.
C. Create NUIDs as Standalone, Top-Level Identities.
Maintaining a NUID Account to Owner relationship (essentially non-human to human) is difficult due to the fact the NUIDs are unlikely to undergo a Mover Lifecycle transition, whereas human identities are much more likely to move within organizations. So other options have been considered and implemented in the industry since my time helping clean up from the Target breach.