As the world of Generative AI continues to explode, a new trend is emerging: the Non-Human Identity. You may be wondering what it is. Here is a good definition of it:
“Non-human identities (NHIs) are digital entities used to represent machines, applications, and automated processes within an IT infrastructure. Unlike human identities, tied to individual users, NHIs facilitate machine-to-machine interactions and perform repetitive tasks without human intervention.”
(SOURCE: What is a Non-Human Identity? | Silverfort Glossary)
Remember, I have written about the Digital Person before? Essentially, this is an avatar, or even a chatbot, that is given human-like qualities in order to interact with you. Instead of typing in a message, you can talk to it and have a conversation with it.
One of the best examples of this is its use in customer service. Instead of waiting on hold for hours on end to speak with an actual human being, you can summon up the Digital Person within a matter of seconds.
If you are not satisfied with the answers, you can always ask the Digital Person to refer you to an actual representative.
This is an example of a Non-Human Identity, also known as “NHI” for short. While you can call the Digital Person by a name, in the grand scheme of things, it really does not have any form of identification.
NHIs can be a particularly useful tool to have around, especially for process automation and augmentation, and for monitoring all the interconnections that exist in the world today. In fact, it has been estimated that for every 1,000 people, there are some 10,000 of these kinds of connections. It is almost impossible for any human being to keep close tabs on all of them, which is why the NHI is so beneficial.
But despite this, there are certain risks that come with using this advancement in Generative AI. Here is a sampling of some of the major ones:
1) Expansion of the attack surface:
In the world of Cybersecurity, almost everybody has heard of this term. For example, if you have too many network security devices, this can expand your attack surface. This directly contradicts the old proverb that “more is better”. The same can also be said of the NHI. While deploying many of them could prove to be beneficial, in the intermediate and long term, it also greatly expands the attack surface of all your interconnections. Since these are mostly powered by Generative AI, there are still vulnerabilities in them that the Cyberattacker can exploit very quickly.
2) Hard to see:
It is important to note that many of the NHIs that are deployed tend to function and operate in the background. As a result, they tend to be forgotten about, especially when it comes time to upgrade and/or optimize them. This is yet another blind spot that the Cyberattacker knows very well and can thus use to quickly launch a malicious payload into them. The net effect of this is a negative, cascading effect across your entire IT/Network Infrastructure in just a matter of minutes.
3) Violation of PAM:
This is an acronym that stands for “Privileged Access Management”. These are the rights, privileges, and permissions that are assigned to super user accounts. An example of this would be a network or database administrator. They will of course have elevated access to keep the networks and databases, respectively, running smoothly. But these same types of PAM-based accounts are also assigned to the NHI so that it can carry out automated tasks without human intervention. Once again, the IT Security team forgets about this as well, and the consequence is that the Cyberattacker can very quickly gain access to these accounts, and with it immediate access to anything that they want.
4) Third parties:
In today’s world, many businesses outsource many functions to a third-party provider. And now, instead of having direct contact with them, the entity that hired them uses the NHI for this communication. While this can save time to focus on more pressing issues, there is also an inherent risk with this. For example, if the third-party supplier is hit with a security breach, it will also impact the NHI that is connected to it, and in turn, it will have an impact on your business. This is yet another form of a Supply Chain Attack, but on a different kind of level.
My Thoughts on This:
Here are some things I recommend that you can do to mitigate the risks of an NHI from being an unintended threat to your business:
- To keep your attack surface as low as possible, deploy NHIs only as you absolutely need them. It is important to get away from thinking that deploying a lot of them will make you more productive. They simply will not.
- If you have a smaller number of NHIs, it will also make it easier for you to keep an eye on them. But in the end, no matter how many of them you have, you should have a stipulation in your security policy that a constant level of visibility must be maintained on them.
- Always make sure that the Generative AI models that you use to power your NHIs are updated with the latest security patches. If you have a Cloud based deployment, this should be automatically taken care of for you.
- Watch the level of rights, permissions, and privileges that you assign to the NHIs. Just like you would for an actual human employee, assign only what is needed, following the concept of Least Privilege.
- You should always be thoroughly vetting your third-party suppliers, but in case you use an NHI to communicate with them, make sure that they have at least the same number of controls that you have for your own IT/Network Infrastructure. Also, share any security updates with them, so that they can be on the same page as you.
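
The visibility, Least Privilege, and third-party recommendations above can be turned into a recurring inventory check. The following is an added example, not part of the original post; the inventory records, field names, permission strings, and the 90-day threshold are all assumptions made for illustration.

```python
from datetime import date

# Constructed sample inventory. Field names, permission strings and
# thresholds are assumptions for this example, not from any product.
INVENTORY = [
    {"name": "svc-backup", "owner": "infra-team", "third_party": False,
     "last_used": date(2024, 5, 28),
     "granted": {"db:read", "storage:write"},
     "used": {"db:read", "storage:write"}},
    {"name": "svc-chatbot", "owner": "", "third_party": False,
     "last_used": date(2024, 1, 15),
     "granted": {"crm:read", "db:admin"},
     "used": {"crm:read"}},
    {"name": "svc-vendor-sync", "owner": "procurement", "third_party": True,
     "last_used": date(2024, 5, 30),
     "granted": {"orders:read", "iam:admin"},
     "used": {"orders:read"}},
]

STALE_DAYS = 90  # assumed cutoff for a "forgotten" NHI
PRIVILEGED = {"db:admin", "iam:admin", "network:admin"}  # assumed PAM-level rights


def audit(inventory, today):
    """Return {nhi_name: [issues]} for every NHI that needs attention."""
    findings = {}
    for nhi in inventory:
        issues = []
        if not nhi["owner"]:
            issues.append("no owner")  # nobody is keeping an eye on it
        idle = (today - nhi["last_used"]).days
        if idle > STALE_DAYS:
            issues.append(f"idle {idle} days")
        unused = nhi["granted"] - nhi["used"]  # granted but never exercised
        if unused:
            issues.append("unused: " + ", ".join(sorted(unused)))
        elevated = nhi["granted"] & PRIVILEGED
        if elevated:
            issues.append("privileged: " + ", ".join(sorted(elevated)))
            if nhi["third_party"]:
                issues.append("privileged access on third-party link")
        if issues:
            findings[nhi["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(INVENTORY, date(2024, 6, 1)).items():
        print(f"{name}: {'; '.join(issues)}")
```
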
The fundamental key here is to always be as proactive as possible when using Generative AI. The downside is that the models are evolving so rapidly that this can be difficult to do. But it is always important to do the best that you can in this regard.