The increasing problem of leaked credentials is becoming a critical issue for businesses, particularly with non-human identities (NHIs) like microservices and Kubernetes workloads, which now outnumber human identities 45:1. Research by GitGuardian and CyberArk reveals that 79% of IT decision-makers have experienced secrets leaks, with over 12.7 million hardcoded credentials exposed on public platforms like GitHub. Alarmingly, 90% of these leaked secrets remain valid for more than five days, highlighting the significant delays in remediating exposed credentials—on average, it takes organizations 27 days.
The Complex Challenge of Credentials Management
One of the main reasons remediation takes so long is the lack of clarity around permissions management. Permissions are crucial as they define what tasks an identity (human or non-human) can perform. However, over-permissioned, long-lived credentials exacerbate the risk, as only 2% of granted permissions are actually used, often leading to vulnerabilities.
Developers face pressure to deliver features quickly, and security best practices for permissions can fall by the wayside. Managing permissions, especially in complex environments like AWS or GitHub, is a daunting task due to the intricate access policies and varied credential types. This results in a misalignment between security teams, who monitor these credentials, and developers, who possess the granular knowledge needed to manage them effectively.
Shared Responsibility: A Path Forward
A shared responsibility model between developers and security teams is the solution to this problem. Developers must play a bigger role in documenting and managing permissions, while security teams focus on automating credential rotation and ensuring proper tools for managing secrets. This collaboration could significantly reduce remediation times and lower the risk of prolonged exposure to threats.
By working together, both teams can streamline permissions management, ensure that credentials are securely rotated, and prevent unnecessary risks. The sooner organizations adopt this approach, the better prepared they’ll be to handle the escalating machine identity crisis.