The rise of non-human identities

Chih Feng Ku, Director, Solution Engineering, Asia-Pacific and Japan, has a chat with Enterprise IT News about identities and identity solutions.

EITN: Can you elaborate on the significance of rising non-human identities in the APAC landscape?

Feng Ku: When considering identity management in an enterprise setting, people are only one part of the equation, and people are becoming a smaller part of the equation. As cloud adoption accelerates, there’s been an explosion in non-human identities.

These non-human identities – specifically IoT devices – are saddled by weak credential controls, making them the primary target as the point of entry for most cyberattacks.

Non-human identities play an integral role in driving digital transformation, helping businesses scale their workloads and increase productivity at the speed of agile DevOps. Yet, the upsurge in non-human identities increases risk – a recent trend that requires new ways of managing risk. Non-human identities are the blind spot of cybersecurity, as software bots, physical robots, and IoT devices are plugged into the enterprise infrastructure.

These non-human identities – specifically IoT devices – are saddled by weak credential controls, making them the primary target as the point of entry for most cyberattacks.

While companies have grown adept at applying proper access controls for human users tapping into their networks, non-human identities present a new challenge, and companies need to begin taking proactive measures, dig deep, and understand their effective end-to-end permissions to protect data and ensure operational stability.

In our recent “The Horizons of Identity” research report – where we surveyed over 300 global cybersecurity executives for their insights – we found that machine identities make up 43% of all identities for the average enterprise, and are among the top two identity categories to grow the fastest over the next 3 – 5 years. On top of that, the total number of identities is projected to grow by 14% over the same span.

This is significant – and worrying – because machine identities are often linked with privileged accounts, and they usually have a much bigger footprint than traditional human privileged accounts within modern IT infrastructures. These often pose a blind spot, since a machine, IoT, service account, and application identities are often overlooked when establishing security controls.

As the threat surface increases with IoT devices alongside on-premise tools and the undergirding network, APAC businesses – including those in Malaysia – can no longer continue to lag in their identity security journeys. Our survey found that 45% of companies are still at the beginning of their identity journey, which reveals room for businesses to rely more extensively on AI/ML-driven tools to automate identity security management and have integrated controls across all environments.

EITN: What is the impact of non-human identities on Malaysia which already relies heavily on Industrial 4.0 strategies to realise its ambitions of being a manufacturing hub?

Feng Ku: Manufacturers modernising operations to keep pace with Industry 4.0 technologies need to reassess existing cybersecurity strategies, and it is paramount that cybersecurity becomes a key focus moving forward. Factories have long been enticing targets for industrial espionage, intellectual property theft, and even production sabotage.

As the line between digital and physical processes intersect and blurs, the threat of attack in this industry grows more real every day, with devastating consequences. With almost 25% of Malaysia’s GDP contributed by the manufacturing sector, disrupted operations are a risk that businesses here cannot afford to take.

Operational Technology (OT) reliant industries – such as the industrial and manufacturing sectors – play a vital role in Malaysia’s economic transformation under the Industry 4WRD policy. However, it is also a prime target for cybercriminals. Additionally, at the core of Industry 4.0 is the non-human element, with non-human identities taking over processes and automation software to manage time-consuming manual tasks.

An identity security solution with automated access provisioning would assist in ensuring only the right users have access, while also providing identity teams with a complete and continuous view of all user permissions. Even when it concerns non-human identities, identity security solutions can alert the team immediately to potentially risky or abnormal access.

Being further along in the digital transformation and identity journeys has its advantages, as companies then become more capable of securing identities across hybrid technology environments. This includes the IT and OT convergence in manufacturing and OT reliant industries. Companies further along can operate in more complex environments, enabling them to focus on governing access to hybrid environments.

Depending on the company’s capabilities, they will fall under different Horizons, with each layer having separate concerns and challenges. For example, 58% at Horizon 1 and 46% at Horizon 2, compared to 29% at Horizon 4 are concerned over the ease of deployment of an identity program, while 32% of respondents in Horizon 4 say they need tools that can scale quickly across the breadth of operations, compared to 17% of those at Horizon 1. Understanding where they are in their identity journey can help companies identify which of the five horizons they are moving through as they adopt and mature their approach, with companies already familiar with its tools and processes more capable of leapfrogging their progress, scaling up quicker to have their identity programs be a cornerstone and a strategic enabler for business transformation.

In this new reality, the importance of identity security – control over who has access to which data and systems and how – cannot be overstated.

Placing identity security at the core of a cyber security strategy pays the utmost dividend for Southeast Asia’s digital economy: freeing businesses to focus on innovation, collaboration, and efficiency, while reducing overall security risks and maximising investments in technology.

EITN: What differentiates laggards from the leapfrogs in identity security maturity?

Feng Ku: For the 45% of global companies that are still in the beginning of their identity journeys, identity is a fragmented experience and highly manual, and adoption spans only a few pockets of the organisation. While some companies are lagging in their identity programs, the scope of identities is expanding to include the broader B2B network and machine identities, which can improve security and deliver value in other ways.

This effort also prepares companies for paradigm shifts as identity becomes ever more critical as a business enabler. With the right set of identity technology and supporting enablers, building a future proof scalable identity program is certainly achievable.

However, companies that can rationalise its tools and processes – including legacy tools embedded in infrastructure – can leapfrog its growth. Organisations that implement a robust identity security solution that spans on-premise, cloud, SaaS and hybrid environments, and is built with AI/ML technologies that offer intelligence and insights into access privileges and potential risks, and automation in enforcing access controls, can see success in their identity journey.

This effort also prepares companies for paradigm shifts as identity becomes ever more critical as a business enabler. With the right set of identity technology and supporting enablers, building a future proof scalable identity program is certainly achievable.

With over 20,000 cases of cybercrime reported in 2021, and the country losing an unprecedented RM560 million to attacks, businesses need to look towards strengthening their identity security strategy to set themselves up for success, focusing on driving incremental change, or leapfrogging through the Horizons, depending on how far along they are in their digital journey, as they navigate the challenges in transitioning to a digital workplace.

EITN: What are some challenges faced by businesses in maturing, particularly SMEs?

Feng Ku: Across APAC, SMEs are tempting targets for cybercriminals. Despite their smaller size, SMEs can still offer a big payoff for attackers, thanks to the valuable data they store or the operations they conduct. Employees of small businesses – typically with less than 100 employees – are more likely to receive more social engineering and online manipulation attacks than the average employee of a larger enterprise.

While large businesses typically have the resources to invest in robust cyber security measures, SMEs often don’t have the same budget or expertise. In fact, for SMEs, cyber security can be a daunting task. There are different threats to protect against, and the cost of implementing a robust security strategy can be prohibitive.

It is crucial for SMEs in Malaysia to adopt a stronger security posture, as they are the backbone of the Malaysian economy, accounting for 97.2% of total business establishments, generating 38% of GDP and providing employment for 70% of the country’s workforce. MDEC has reported that 84% of SMEs in Malaysia have been affected by cyber threat incidents and 76% have suffered more than one attack. With limited budget, resources, and knowledge in managing the complexity of cybersecurity operations, companies should look towards starting with a clean slate and building the correct capabilities from the outset, even if it is incremental. By focusing on a seamless digital and organisational transformation while ensuring their identity programs are clearly defined, planned, and communicated using a few capabilities, SMEs can be better prepared as they scale and grow.

Ultimately, companies – regardless of size or sector – that see identity management as an enabler of innovation and security rather than a checkmark in a compliance box can go farther in the process of maturing. As they grow, they can better leverage identity security as a key control point to reduce cybersecurity risk and deliver business value.

Through understanding and identifying cyber exposure and the weaknesses across people, processes, and technology, companies can then look towards implementing a program of continuous improvement and vigilance that combines technology, process, people controls, and risk transfer.  

EITN: How will leveraging AI/ML identity tools help businesses realise better ROI?

Feng Ku: Companies need to be ready to tackle their identity programs from a new, more predictive, automated, and adaptive lens. With the addition of AI and ML technologies, identity teams can move much more quickly when making important identity decisions, allowing them to stay ahead of the security curve.

With the barrage of threats companies face daily, they simply cannot afford the costly manpower load that comes with reliance on manual processes. Using AI/ML tools to approve low-risk activities when there are many more high-priority identity decisions to be made that require human manpower over AI/ML can free up resources for identity teams, allowing them to navigate security risks and loopholes often exploited by cyber attackers.

A stronger identity security perimeter through AI/ML enables companies to detect and respond to security threats 40% faster, while decreasing manually processed tickets by 85%, freeing up time to innovate.

With AI/ML tools, companies can automate the discovery, management, and control of all user access and provide users with the right access to the right resources at the right time. They can also automatically modify or terminate access based on changes to a user’s attributes or location, and automatically perform remediation actions when risky activity is detected.

Our survey found that leveraging AI/ML for identity security not only improves detection and threat remediation capabilities, but also creates business value. A stronger identity security perimeter through AI/ML enables companies to detect and respond to security threats 40% faster, while decreasing manually processed tickets by 85%, freeing up time to innovate.

Furthermore, automated practices can see companies save up to 2.7x the amount on compliance costs.

Digital transformation, the changing workforce, and an ongoing wave of compliance requirements have introduced so many users, points of access, applications, and data that it has become almost overwhelming to IT departments to keep up. A human-based identity security approach can only scale so much, and with it comes error in identifying risk. The time is now for organisations to adopt AI-driven identity security to stay ahead of security and compliance pitfalls.