The Identity Blog

Easy RPA, IoT Device, and Bot Identity and Access Lifecycle Management

SecZetta introduces a new capability to its Third-Party Identity Risk solution to mitigate the risk that “non-human” workers present.   

The term “non-human worker” refers to robotic process automation (RPAs), IoT devices, and bots (chat and transactional), which have access to an organization’s systems and data. While non-human workers increase efficiency across industries such as healthcare, financial, manufacturing, insurance, and retail, they also dramatically increase an organization’s attack surface. Just as with their human counterparts, bad actors will try to exploit non-human worker identities, especially those that have become orphaned, are unmanaged, and/or have outdated credentials. These attacks can lead to compromised critical systems, IP loss, or leached PII.

Like a traditional worker, a non-human worker needs to have its identity and access lifecycle (onboarding, offboarding, and maintenance) managed. Organizations successfully track and manage human worker (employees, vendors, contractors, etc.) access to accounts and systems, but few organizations dedicate the necessary time and resources to do the same for non-human workers, despite the fact that the majority have privileged access. Some organizations have taken the approach of assigning ownership of the non-human worker to a human worker, but if the human worker leaves the organization or is transferred, oftentimes the non-human identity is left unmanaged. An orphaned account, with its privileged access intact, can become a prime access point for bad actors. In addition to cyber risk, non-human accounts related to safety and manufacturing enablement, such as RPAs and IoT devices, need to be updated and identified to function properly and to ensure they aren’t accidentally disabled; otherwise, critical business processes could be disrupted, causing serious impediments to the business.

SecZetta’s new capability enables organizations to determine the status and purpose of non-human entities in order to assign their access and account privileges. It also provides the information for the maintenance of non-human entities (authoritative entity details like device status or ownership) which allows for the proper access governance of the bot, device, or application. This is crucial since, as the non-human ages, the organization will be able to determine if a non-human entity’s access is still appropriate or necessary.  

SecZetta non-human identity management feature:  

  • Enables organizations to manage the lifecycle, including onboarding, providing the proper access, and offboarding, of non-human workers in a timely manner to mitigate risk and compliance issues. 
  • Creates an authoritative source of identities which allows an organization to keep up with regulatory compliance, audit requests, and identifies which “non-human” devices control safety or critical systems or can access PII.
  • Allows identified vendors or categorized workers to be quickly denied access to support incident response actions. 

A complete non-human identity and access management (IAM) system includes SecZetta alongside an IGA, Access Management, and/or PAM solution to enable account provisioning and credential management. 

Click here to learn how SecZetta can help close the identity and risk gap in non-human worker management in a solution brief.  

 

Other resources: 

Why non-human workers can increase security issues in your business – Tech Republic 

Minimizing cyberattacks by managing the lifecycle of non-human workers – Help Net Security  

The Lifecycle of Non-Human Workers – White paper