Ultimately, the goal of creating a trusted environment around all digital assets and devices is about modernizing the way you do business.

Alex Simons, Corporate VP, Product Management, Microsoft Identity and Network Access

October 14, 2024

5 Min Read

Source: Brian Jackson via Alamy Stock Photo

COMMENTARY

In today's digital world, threats are around every corner. The technology behind attacks is increasingly sophisticated. Actors include criminal organizations seeking big payouts and nation-states conducting espionage and looking for opportunities to create chaos.  

At the same time, the world continues to transform rapidly around us. With artificial intelligence (AI), we're about to go through the biggest business transformation since the widespread adoption of the Internet, and the bad guys are also exploring how they can use AI for harm.  

In a mobile, cloud-first, AI-driven world, companies must be ready to use world-class technology and processes to protect themselves, their data, and their people, wherever they go.  

Today, those technologies are coalescing around a modern vision for what is, at its heart, one of our most ancient security solutions: our own unique identity. Let's take a look at how a modern version of this ancient solution can help protect our digital lives.  

**Your Castle Walls Have Fallen. What Now? **

Fifteen years ago, the world's security best practice was a "moat-and-castle" model. Organizations kept their most important resources inside their office networks and wrapped a firewall around them.  

As long as their people and resources were inside the wall, everybody could connect to everything as the entire estate was trusted and contained. Your biggest concerns were insider threats or invaders trying to storm your firewall.  

Today, many employees are embracing hybrid and mobile workstyles. We're also adding cloud-scale AI that, by design, is not inside the firewall, while highly mobile workers use VPNs to access applications while outside the network. All this makes the old moat-and-castle security paradigm terribly outdated.  

Additionally, in many ways, companies are becoming cloud services — as their partners, suppliers and customers increasingly interact with them through digital experiences for product discovery, ordering, payment, invoicing, customer service, and customer loyalty programs.  

**Since Data and People Are Always in Transit, Security Should Flow Wherever They Go**

In a world where every organization is a cloud service that needs to securely interact with everybody and everything, companies must ensure that all of their connections are secure and that only the right people, software, devices, and networks are allowed access.  

This is known as a zero-trust model. In a zero-trust environment, every time a user, a device, or a workload wants to access your digital assets and services, they have to prove that they, their software, and the network they're using are all trustworthy. This is why identity plays such an important role in this new security model. By default, all access to everything is closed off until you have a strong proof of the identity and authenticity of the person and of their device. 

Designing, deploying, and running this kind of identity powered zero-trust enterprise environment can be challenging. It requires having a coordinated strategy across multiple teams to design, deploy, and run a security solution that brings together user and workload accounts, device management, device protection, network state, and an inventory of digital resources and permissions, and enables the enforcement of adaptive, granular access policies across the enterprises entire digital estate. 

**Identity: Even More Important in the Era of AI **

If your organization doesn't have this kind of identity-centric zero-trust model in place today, moving to an AI future is going to be risky and challenging. When you deploy a large language model (LLM) assistant, it becomes incredibly easy for employees to find content from across all your  documents and files, even the ones you didn’t know they had rights to access.  

And that also means an intruder could use the AI assistant to run queries for assets that they never should be able to find. Where organizations used to have the benefit of obscure file hierarchies to waste an attacker's time, today's super-smart AI engines make it incredibly easy to quickly find information anywhere it's stored.  

The solution is something called "workload identities." A workload identity is the identity your software systems use to get things done. Having your co-pilot or your LLM use a workload identity with well-managed permissions means that it can only get to the specific documents and files you allow it to access, which enables you to govern and secure the LLM's access just like you would for any user.  

**Modern Security Benefits Everyone**

Ultimately, creating a trusted environment can modernize the way you do business. Now, employees can work from anywhere. The company can hire talent it wouldn't have access to before. The company can work directly with customers and suppliers digitally. And you can do all that in a world of cloud, AI, and mobile resources that can easily scale up and down.  

Employees, partners, and customers all get a seamless experience on the devices they choose, wherever they want to work. And chief information security officers (CISOs) can be confident that it's happening with security omnipresent.  

And it's all made possible by focusing on the oldest access solution of all — your own unique identity.  

**About the Author**

Corporate VP, Product Management, Microsoft Identity and Network Access

Alex Simons is corporate vice president, product management, Microsoft Identity and Network Access Division. He is responsible for driving the vision and strategy, product roadmap, and feature design of the Microsoft Entra Suite. He prides himself on being deeply connected to customers and has direct relationships with many of Microsoft’s largest enterprise customers. In addition to managing his own team, Alex is responsible for partnering with teams across Office, Windows, Azure, Visual Studio, Dynamics, Xbox, and LinkedIn to deliver world-class identity experiences and security and compliance controls.

Why Your Identity Is the Key to Modernizing Cybersecurity

Companies are putting "AI" in just about all of their products, which opens up new security holes. LLM SecOps and ML SecOps are becoming must-have skills.

Source: Designer491 via Alamy Stock Photo

In a sign of the growing importance of assessing the risks of artificial language to corporate assets, organizations are increasingly looking for job candidates with skills in machine learning and large language models to fill cybersecurity jobs. In ISACA's 2024 State of Cybersecurity report, just under a quarter of respondents (24%) named LLM SecOps and ML SecOps as the biggest skill gaps they see in cybersecurity. Soft skills — communication, flexibility, and leadership — continue to be the biggest category of skills that cybersecurity professionals are missing, according to 51% of respondents.

**Wanted: LLM, ML Skills**

Both LLM SecOps and ML SecOps are fairly new skill sets, but, like the technologies they secure, they now seem to be everywhere.

MLSecOps is the discipline of integrating security into the development and deployment of machine learning systems. It covers ML-specific processes like securing the data used to train a model and preventing bias through transparency, as well as applying standard security operations tasks such as secure coding, threat modeling, security audits, and incident response to ML systems.

LLM SecOps refers to securing the entire lifecycle of LLMs, from data preparation to incident response. LLM SecOps covers concerns as varied as ethics reviews in the design phase, data sanitization of training data, analyzing why the system made the decisions it did during training, blocking the generation of harmful content, and monitoring the model once it is deployed.

There is a growing list of resources for security professionals to build up their skills. For ML SecOps, Benjamin Kereopa-Yorke, a a senior information security specialist and AI security researcher at telecommunications provider Telstra maintains a GitHub repository of resources and trainings, with courses categorized by prior ML knowledge required and classified as vendor-agnostic or vendor-centric. Open Worldwide Application Security Project (OWASP) has a draft Machine Learning Security Top Ten list describing how ML attacks such as data poisoning or member inference work and how to counter them. OWASP also maintains the OWASP Top Ten for LLMs, which covers topics relevant to LLM SecOps such as prompt injection, sensitive information disclosure, and model theft.

Organizations are looking for specific skills to fill open cybersecurity positions. After soft skills, cloud computing was the second biggest skill gap (42%), followed by security controls implementation (35%), and software development (28%).

With so much of the organization's workload now residing in the cloud, it makes sense that organizations need cybersecurity professionals with cloud computing skills. Securing cloud assets require a different mindset and technical skillset than traditional networking, and cloud providers handle certain tasks differently, requiring specialized knowledge.

Security controls implementation refers to protecting endpoints, networks, and applications. The skills gap in software development was not coding related, but rather things such as testing and deployment. Again, this highlights the challenges organizations are having securing their software development pipelines and integrations.

AI Hype Drives Demand For ML SecOps Skills

Threat detection tools yield too many false positives, security pros say, leading to burnout and resentment.

Source: ZUMA Press, Inc. via Alamy Stock Photo

Security operations center (SOC) practitioners are struggling, thanks to an overwhelming volume of false alarms from their security tools.

A Vectra survey of hundreds of cybersecurity professionals revealed a serious gripe that SOC teams have with their software vendors. The overwhelming volume of false positives their tools yield is causing burnout, they say, and allowing real threats to slip through the noise.

"There wasn't that much of a change from last year's results, and honestly it wasn't much of a surprise," says Mark Wojtasiak, vice president of research and strategy at Vectra AI. "SOC practitioners are clearly still frustrated with threat detection tools. And, really, what the data tells us is that, more than a threat detection problem, SOC teams have an attack signal problem. The promise of consolidation and platformization have yet to take hold, and what SOC teams really need is an accurate attack signal."

**What Does the SOCs Say? Ding Ding Ding**

SOCs ingest an average of 3,832 security alerts per day. For a sense of just how unmanageable that might be, consider that an average SOC might be staffed by a few dozen people, or just a few, depending on the size of the organization and its investment in security.

The result: 81% of SOC staffers spend at least two hours a day simply sifting through and triaging security alerts. It's no wonder, then, that 54% of Vectra respondents said that, rather than making their lives easier, the tools they work with increase their daily workloads, and that 62% of security alerts ultimately just get ignored.

Of course, SOC operators are aware of the implications of ignored security warnings. A full 71% reported worrying every week that they'll miss an attack buried in a flood of less important alerts. And 50% went so far as to say that their threat detection tools are "more hindrance than help" in spotting real attacks.

The conflict between what operators are dealing with, and what they can handle, is fostering genuine resentment toward vendors. Around 60% of respondents reported that they've been buying security software mostly just to tick a compliance box, and 47% don't trust these programs outright. A similar percentage (62%) believe that vendors are intentionally, cynically flooding them with alerts so that when a breach occurs, they're more likely to be able to say: We warned you!

A majority (71%) of SOC practitioners say that vendors need to take more responsibility in failing to prevent breaches.

**How AI Can Make SOCs More Efficient**

The most attainable, practical promise of artificial intelligence (AI) is that it will reduce the tedium associated with repetitive jobs, and bolster productivity. And more so than most, SOC staffers stand to benefit from exactly that.

In fact, Wojtasiak says, AI is the path to a whole mindset shift. "Security thinks in terms of individual attack surfaces: I have a network, endpoints, identities, email, now generative AI (GenAI). OK. I'm going to go buy tools to do threat detection across those siloed attack surfaces, then ask a human being to make sense of it all. That's how security thinking has fundamentally been for the past 10 years," he says.

"Modern attackers," he continues, "just see one, giant attack surface that they can move around in. So why isn't security thinking the same way? Why aren't we looking at threats holistically across the entire attack surface, using AI to piece together detections that are indicative of attacker behavior, correlating those detections, and then giving one integrated signal to the SOC analyst?"

Plenty of SOCs are already starting to do just that. About 67% of Vectra survey respondents found that AI is already improving their ability to identify and defend against threats, and 73% claimed that that's helped ease their feelings of burnout. Nearly nine in 10 respondents have already boosted their investments in AI, and are planning to go further.

"I'm \[already\] hearing about the positive outcomes they're experiencing as they introduce these new tools — reduced workloads, less burnout, and less sprawl," Wojtasiak reports. "The hope is that current frustrations will ease as siloed legacy tools are replaced by AI-powered tools capable of delivering an accurate attack signal."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

SOC Teams: Threat Detection Tools Are Stifling Us

PRESS RELEASE

New York, United States, Oct. 10, 2024 (GLOBE NEWSWIRE) -- The Certificate Authority (CA) market is the industry dedicated to the issuing, management, and renewal of digital certificates. These digital certificates are used to authenticate the identification of entities such as websites, organizations, or individuals, as well as to secure network interactions with encryption. CAs are trusted third-party organizations that verify entities' identities and provide certificates to establish secure connections, such as SSL/TLS certificates for websites. This market is essential to the overall cybersecurity ecosystem as it maintains the security, integrity, and trustworthiness of digital communications and transactions on the Internet.

Download Free Sample Report PDF @ https://straitsresearch.com/report/certificate-authority-market/request-sample 

Market Dynamics

Focus on Cybersecurity Integration drives the global certificate authority market.

Certificate Authorities (CAs) are expanding their services to include broader cybersecurity solutions such as threat detection and identity management, resulting in more comprehensive security offerings. They collaborate with cybersecurity firms to integrate certificate management with other important security services, giving organizations an integrated and effective protection approach.

*   For instance, on 10 October 2023, DigiCert expanded its capabilities by integrating its certificate management services with Acronis' cybersecurity and data protection solutions.
    

The emergence of Blockchain Technology creates opportunities for the global certificate authority market.

Blockchain technology's decentralized and tamper-proof mechanism improves the security and transparency of digital certificate issuance and maintenance. This significant development has the potential to eliminate fraud, increase trust, and alter the certification authority market by developing more secure and efficient certificate management systems.

*   For instance, in March 2024, Tezos introduced a blockchain-based certificate management system known as Tezos DigiSign.
    

Regional Analysis

North America is the dominating region in the global certificate authority market shareholder and is anticipated to exhibit a CAGR of XX% during the forecast period. North America dominates the certificate authority market due to its modern IT infrastructure, high cybersecurity awareness, stringent regulatory environment, and the presence of major CA providers such as DigiCert and GlobalSign, which offer a wide range of digital certificate solutions. This region has strong adoption rates of digital certificates, particularly in finance, healthcare, and government.

The United States and Canada are the primary contributors to the North American certificate authority market, benefitting from their strong economies and a significant focus on cybersecurity in sectors such as banking, healthcare, e-commerce, and government services.

The Asia-Pacific (APAC) region is the fastest-growing market for certificate authorities, driven by rapid digitalization, cloud adoption, government initiatives, and significant investments in cybersecurity. Governments in China, India, and Japan are implementing policies and regulations to improve secure communication and protect sensitive data, such as China's security law, National Cyber Security Policy, and Japan's Act on the Protection of Personal Information, which is driving demand for certificate authority (CA) solutions.

These countries are major players in the APAC region, with both local and global CA providers such as CNNIC, e-Mudhra, JPRS, and DigiCert catering to a wide range of demands. The region's diverse legal frameworks and cybersecurity practices have an impact on digital certificate adoption.

Europe's certificate authority market is influenced by a wide range of regulatory standards, and a strong focus on data protection, particularly under GDPR. The market includes a mix of local and international CA providers like Entrust and Sectigo, and increasing adoption in industries including banking, telecommunications, and e-commerce. The region is distinguished for its diverse regulatory environment.

The certificate authority market in Latin America is rising and growing, due to increased digital transformation initiatives in a variety of sectors. Rising cybersecurity concerns and regulatory demands are driving the region's adoption of digital certificates.

The Middle East and Africa region is experiencing an increase in the adoption of digital certificates as businesses and governments seek to improve their cybersecurity posture. Rising digital transactions, legal restrictions, and increased data protection awareness drive the market.

To Gather Additional Insights on the Regional Analysis of the Certificate Authority Market @ https://straitsresearch.com/report/certificate-authority-market/request-sample 

Competitive Players

5.  Entrust Datacard Corporation
    

10.  WISeKey International Holding AG
    

Recent Developments

*   On 12 April 2023, Entrust Launched Zero Trust Ready Solutions for Passwordless Authentication, Next-Generation HSM, and Multi-Cloud Key Compliance
    
*   On 9 May 2023, DigiCert announced a partnership with Oracle to make DigiCert ONE, the platform for digital trust, available on Oracle Cloud Infrastructure (OCI).
    
*   On 7 March 2023, GlobalSign announced a technology partnership with essendi it to integrate Essendi's xc certificate lifecycle management (CLM) software with GlobalSign’s certificate platform, Atlas.
    
*   on 10 October 2023, DigiCert expanded its capabilities by integrating its certificate management services with Acronis' cybersecurity and data protection solutions.
    
*   In January 2023, DigiCert launched the DigiCert Trust Lifecycle Manager, a comprehensive digital trust solution designed to unify certificate management and public key infrastructure (PKI) services.
    

Segmentation

2.  By Certificate Validation Type 
    

Get Detailed Market Segmentation @ https://straitsresearch.com/report/certificate-authority-market/segmentation 

About Straits Research Pvt. Ltd.

Straits Research is a market intelligence company providing global business information reports and services. Our exclusive blend of quantitative forecasting and trends analysis provides forward-looking insight for thousands of decision-makers. Straits Research Pvt. Ltd. provides actionable market research data, especially designed and presented for decision making and ROI.

Whether you are looking at business sectors in the next town or crosswise over continents, we understand the significance of being acquainted with the client’s purchase. We overcome our clients’ issues by recognizing and deciphering the target group and generating leads with utmost precision. We seek to collaborate with our clients to deliver a broad spectrum of results through a blend of market and business research approaches.

Certificate Authority Market Size to Surpass $485M by 2033

PRESS RELEASE

SAN FRANCISCO, Oct. 10, 2024 /PRNewswire/ -- Relyance AI, the leading AI-powered data governance platform that provides complete visibility and control over enterprise-wide data, today announced a $32.1 million Series B funding round to scale operations and meet the needs of the exploding use of artificial intelligence in the enterprise. Thomvest Ventures led the round. M12, Microsoft Ventures Fund, also participated in addition to Cheyenne Ventures and existing investors Menlo Ventures and Unusual Ventures.

As demand for AI surges in the enterprise, global regulators are mandating data protection safeguards that companies find impossible to implement. At the same time, legal, security, and engineering teams are grappling with endless questions about how customer data is being used to train AI models. The impact? Executives are stifled by their inability to realize AI's innovation potential, and according to KPMG, more than two-thirds (76%) of enterprises are worried about data privacy and security when they partner with third parties. The result could be catastrophic: more than a quarter of the Fortune 500 identified AI regulation as a risk in annual reports to the SEC, and many continue to struggle with established data privacy regulations such as GDPR, which led to a record €2.1 billion in fines in 2023.

This has become a business-critical problem for all enterprises that was impossible to solve before Relyance AI's fully integrated governance platform. Until now, privacy and security have been seen as separate challenges, with one woefully unaware of the other. Privacy teams didn't know if their commitments to regulations and customers were being met, and security teams didn't know what data should be in AI models. Relyance AI marries the two into one joint solution, which is the only way to enable innovation while ensuring compliance in a rapidly evolving regulatory landscape.

"The era of accepting subpar privacy, DSPM, and AI governance solutions is over. Relyance AI sets a new standard where data protection and innovation are not mutually exclusive," said Abhi Sharma, CEO and co-founder of Relyance AI. "It's impossible to keep up with the current state of regulations, especially when GDPR, HIPAA, the EU's AI Act, and a mosaic of local U.S. privacy laws are all different and sometimes at odds. We're making it possible to demystify this and embolden the C-suite, engineers, and legal teams to urgently green-light AI in the enterprise with an integrated governance approach." 

Relyance AI safeguards businesses from fines and reputation damage while boosting customer trust to accelerate business growth. The platform provides complete visibility into enterprise-wide data processing and compares it against contractual commitments, global privacy regulations, and compliance frameworks. The company has scaled significantly to meet recent demand for these capabilities. In the first half alone, Relyance AI increased its enterprise customer base by 30%, and the company is projected to double its annual recurring revenue in 2024. Its client list now includes Coinbase, Fivetran, Verkada, Snowflake, Logitech, Plaid, and Notion.

"We're thrilled to lead the investment in Relyance AI, a unique, automated data governance platform that addresses the urgent need for real-time data visibility and compliance in a world of explosive data growth and emerging regulations," said Umesh Padval, Managing Director, Thomvest Ventures. "Relyance AI empowers Chief Privacy, Security, and Information Officers to manage data privacy and compliance, avoiding costly penalties while driving safe and responsible AI adoption. We are excited to partner with CEO Abhi Sharmaand his team, who have built a solution that transforms compliance into a competitive advantage, enabling businesses to scale AI with trust and transparency."

"The future of AI governance isn't about compliance alone – it's about building trust, transparency, and accountability into every layer of your technology," said Todd Graham, Managing Partner at M12. "Relyance AI is the catalyst for that transformation, paving the way for AI implementation that is both compliant and incredibly fast."

"With Relyance AI, we established enhanced visibility of data processing activities, seeing an impressive increase of 1,660% within three weeks of deployment," said Deborah Usry, Senior Privacy and Product Counsel at NextRoll. "What used to be a time-consuming manual process is now an automated task that produces a robust record of our processing activities."

The funding will further develop Relyance AI's platform and scale its go-to-market efforts in response to significant recent momentum. Learn more here.

About Relyance AI  
Relyance AI is the new standard for organizations trust and data governance infrastructure. Relyance AI is the only platform providing real-time visibility into how and where data is being used compared to customer agreements, global privacy regulations, and compliance frameworks. Companies of all industries and sizes – including Coinbase, Snowflake, Logitech, Plaid, Notion, and more – trust Relyance AI to safeguard businesses from fines and reputational damage and to deliver the most complete customer trust experiences.

Relyance AI Raises $32M Series B Funding to Safeguard AI Innovation in the Enterprise

The hotel giant will be held to higher security standards in a series of proposed requirements, including implementing a new annually reviewed security program.

Source: Wdnet Studio via Alamy Stock Photo

Marriott and its subsidiary Starwood Hotels have agreed to pay $52 million in fines and create a revamped information security program, in an Federal Trade Commission (FTC)-led settlement with 344 million customers who were impacted by three data breaches occurring between 2014 and 2020.

The hotel giant also agreed to provide its US customers with a way to request deletion of their personal information associated with their loyalty rewards account number or email address. In addition, they must implement a policy to retain the personal information of its customer only for as long as necessary to fulfill its purpose. Marriott also will be required to review loyalty rewards accounts upon request, and also reimburse stolen loyalty points.

 "The FTC's action today, in coordination with our state partners, will ensure that Marriott improves its data security practices in hotels around the globe," said Samuel Levine, director of the FTC's Bureau of Consumer Protection.

The first breach began in June 2014 and involved the payment card information of more than 40,000 Starwood customers; it went undetected for 14 months, until November 2015.

Starwood faced its second breach in July 2014. That intrusion went undetected for years — until 2018, when 339 million Starwood guest accounts were revealed to have been accessed by malicious actors, exposing various data, including 5 million unencrypted passport numbers. 

And finally, Marriott was breached again in 2018, a breach that went undetected until February 2020. In that incident, 5.2 million guest records were accessed, nearly 2 million of them belonging to Americans. 

Going forward, Marriott and Starwood will have to certify compliance with the FTC annually for 20 years, and undergo independent third-party assessments every two years.

Marriott &amp; Starwood Face $52M Settlement After Security Breaches

The company is beginning to bring its systems back online, though the investigation wages on.

Source: Amanda Ahn via Alamy Stock Photo

American Water, the largest regulated water and wastewater utility company in the US, is now reconnecting its infrastructures, after taking its systems offline due to a cybersecurity incident it reported on Oct. 7.

The company provides drinking water and sewer services to more than 14 million people across 14 states and 18 military installations. In an update on Oct. 10, it reported that there is no evidence to support that the cyber incident impacted its water or wastewater facilities. It also noted that while its customers will not face any late fees for the time its systems were unavailable, its customer portal, MyWater, is now operational once more, and standard billing processes will resume.

Systems are being reactivated in coordination with the company's cyber incident response protocols, after its internal security team, as well as external parties, confirmed that the systems are secure, it said.

"American Water takes the cybersecurity of its systems and related data with utmost seriousness and has taken additional steps to strengthen the cybersecurity of its systems," said the company in its update to the US Securities and Exchange Commission (SEC).

This incident only adds to the rising concerns regarding critical infrastructure being a prime victim for cyberattacks.

"This attack highlights the vulnerability of water treatment facilities and other critical infrastructure to cyberattacks, especially when cybersecurity is underfunded or overlooked," said Nick Creath, senior global product manager at Rockwell Automation, in an emailed statement to Dark Reading. "Operators must recognize that even newer facilities, with advanced technologies, are not immune to attacks. This incident serves as a wake-up call for operators to ensure that cybersecurity is integrated into both new and legacy systems to prevent service disruptions or more severe consequences."

**About the Author**

American Water Reconnects Its Network Taps After Cyber Incident

The future of cybersecurity will be shaped by how well we manage the explosion of NHIs.

Source: Brain light via Alamy Stock Photo

COMMENTARY

Imagine a vast and invisible army silently infiltrating your organization's digital defenses. No, this isn't the plot of a sci-fi thriller — it's the reality of non-human identities (NHIs) in today's cybersecurity landscape. As a seasoned security architect, I've watched this hidden force grow from a manageable contingent to a sprawling, often ungoverned multitude that's keeping chief information security officers (CISOs) awake at night. 

In my journey across startups and Fortune 500 companies, I've witnessed firsthand the mixed effects of NHIs. They keep our digital machinery running smoothly — but they are also a potential treasure trove for attackers looking to exploit our blind spots. It's time to shine a light on this invisible army and develop strategies to harness its power while mitigating its risks. 

**The Scale of the Problem**

Consider this: For every 1,000 human users in your organization, you likely have 10,000 non-human connections or credentials. Some estimates suggest the ratio could be as high as 45-to-1. These NHIs include service accounts, system accounts, API keys, tokens, and other forms of machine-based authentication that facilitate the complex web of interactions in our modern digital ecosystem. 

**Why NHIs Matter**

1.  Attack surface expansion: Each NHI represents a potential entry point for attackers. With their often-elevated privileges and lack of human oversight, compromised NHIs can be a goldmine for malicious actors. 
    
2.  Visibility challenges: Unlike human users, NHIs often operate in the background, created by developers or systems without proper governance. This lack of visibility makes them a significant blind spot for many security teams. 
    
3.  Privilege sprawl: Studies show that only 2% of permissions granted for NHIs are actually used. This massive overprovisioning of access rights creates an unnecessary risk landscape. 
    
4.  Third-party risk: NHIs often facilitate connections to external services and partners. When these third parties experience a breach, your organization's NHIs become a potential vector for lateral movement. 
    

**Real-World Implications**

The importance of securing NHIs is more than just theoretical. Recent high-profile incidents underscore their critical role in modern attacks. 

Nation-state actors have demonstrated proficiency in abusing OAuth applications to move laterally across cloud environments. At the same time, major software companies like Microsoft and Okta have fallen victim to attacks leveraging compromised machine identities. In a recent Securities and Exchange Commission (SEC) filing, even Dropbox disclosed a material incident involving a compromised service account. 

**Practical Steps for Mitigation**

1.  Discovery and inventory: You can't secure what you can't see. Implement tools and processes to continuously discover and catalog NHIs across all environments, including software-as-a-service (SaaS) applications. 
    
2.  Posture management: Go beyond simple inventory. Understand the permissions associated with each NHI, their usage patterns, and the potential risk they pose. 
    

**A Call to Action**

The explosion of NHIs represents both a challenge and an opportunity for the cybersecurity community. While the scale of the problem can seem daunting, we're ahead of the curve compared to where we were with human identity access management (IAM) decades ago. 

In my conversations with CISOs and security leaders, I've started to see a shift in mindset. There's a growing recognition that NHI security needs to be elevated to a top-tier priority, on par with traditional IAM and network security initiatives. 

As we move forward, I'm cautiously optimistic. The technology and practices to secure NHIs are evolving rapidly. We can turn the tide on this silent tsunami of risk with the right mix of visibility, automation, and a security-first culture. 

The future of cybersecurity will be shaped by how well we manage the explosion of non-human identities. As security professionals, it's our responsibility to lead the charge in this new frontier of identity security. Are you ready to meet the challenge? 

**About the Author**

Partner Solutions Architect

Vaibhav Malik has more than 14 years of experience in networking and security. He collaborates with global partners to create and deploy robust security solutions for enterprise clients. Malik is a recognized thought leader and expert in zero-trust security architecture. His previous roles at large service providers and security companies involved assisting Fortune 500 clients with network, security, and cloud transformation projects. He champions an identity and data-centric approach to security and is a popular speaker at industry events. With a master's in telecommunication from the University of Colorado Boulder and an MBA from the University of Illinois Urbana-Champaign, Malik's extensive expertise and hands-on experience make him an invaluable asset for organizations aiming to strengthen their cybersecurity posture in today's complex threat landscape.

The Invisible Army of Non-Human Identities

CISOs in consumer and retail organizations appear to accept greater risks to allow for more innovation, which could be a model for future growth.

Source: FOTOGRIN via Shutterstock

Chief information security officers (CISOs) have long borne the reputation of blocking innovation to keep their organization and all its data safe and sound.

However, those competing priorities appear to be shifting, especially in the retail and consumer sectors. While the majority of CISOs (59%) across all sectors see themselves as "enablers" — as opposed to just managers of cyber-risk — nearly all (97%) CISOs in the retail segment view their role as an enabler, according to a survey of more than 1,000 global CISOs conducted by cybersecurity firm Netskope. As a result, CISOs' acceptance of risk has grown, with the majority of all CISOs ready to take on more risk compared with five years ago. For the retail sector, the share of risk-embracing CISOs is even higher (74%).

The pressure on companies to innovate — and CISOs' understanding of their role in making that happen — are driving CISOs to become risk-takers, Netskope CISO James Robinson says.

"Typically, you had someone who was really, really technical, and they were working through things, but they really didn't have that business side of the brain — knowing the business metrics and data," he says. "CISOs have moved from the need to say no and maybe even taken it a step further — saying the answer is always, "Yes, just how do we get there?'"

From gift-card scams to brand hijacking for phishing attacks to devastating ransomware, retailers are a popular target for cybercriminals and fraudsters. At the same time, the retail sector has had to weather the chaos caused by the pandemic and supply-chain disruptions, which led to demand fluctuations and a loss of brand loyalty. The subsequent spike in inflation over the past two years left many consumers prioritizing price. Most retail executives (67%) expect consumers to purchase fewer products in 2024, and so retailers are increasingly focused on winning loyalty, according to consultancy Deloitte's "2024 US Retail Industry Outlook" report.

**Security in the Era of Amazon and AI**

With all those disruptive forces in the market, retailers have had to transform themselves to compete, morphing from just focused on selling products to becoming data companies. Consequently, CISOs at retail companies can no longer afford to focus solely on putting a wall around their information, says Netskope's Robinson.

Like other members of the C-suite, CISOs have to be thinking about the business more holistically, Robinson says.

"Retailers now have to ask, 'What's the next innovation? What's the next thing we have to do?'" he says. "And all of those decisions are data driven ... they're being led by this wealth of data that they're collecting, so that they can have targeted experiences for their customers."

Artificial intelligence is one obvious way to innovate. A great deal of the pressure to change over the past two years has come from the development of AI capabilities and businesses' fear of missing out on any innovations — and competitive advantages. In-store cameras paired with AI analysis can determine consumer interest in products, ecommerce platforms can better predict inventory, and stores can even use recognition of facial expressions to gauge consumer sentiment.

While most companies have slowly tested the waters of AI, many will be putting their first AI-powered applications into product in the next 12 months, Robinson says.

"This is the first year also that we're really seeing GenAI projects kick off, and in the next year, we'll start to really see kind of the value of some of these projects," he says. "So I think that's probably what's shaping it even more."

**The Business-Focused CISO**

Yet, AI and cybersecurity are two technology areas that are least likely to have positive returns on investments for retailers, according to consultancy KPMG's 2023 "US Consumer and Retail Sector Insights Report." Only 46% of survey respondents noted an increase in profitability or performance due to AI — and 45% from cybersecurity. But the consumer and retail sector fell even short of that threshold, with 38% and 37% of respondents, respectively, in those industries seeing a return on investment from AI or cybersecurity.

"For many consumer and retail organizations, getting data right is still a work in progress," KPMG stated in the report.

Understandably, there are still some risks where CISOs are unwilling to compromise. Sharing information with outside parties or third parties without the proper review and without the proper agreement in place — a threat becoming more common in the era of AI — is just not possible, says Robinson.

"We knew how to data warehouse, and it's got business value — even more now with the development of GenAI," he says. "I think all of those things have kind of started to come together at this point, allowing the retail CISO to really have a leg to stand on. Now they just also have kind of the business knowledge, because they're being brought into more of these conversations at this point."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Retail CISOs Take on More Risk to Foster Innovation

The bug is already being exploited in the wild, but Firefox has provided patches for those who may be vulnerable.

Source: 2020WEB via Alamy Stock Photo

Mozilla has patched a critical security vulnerability in its Firefox Web browser that's being actively exploited in the wild.

Tracked as CVE-2024-9680, the vulnerability is a use-after-free issue in Animation timelines, with attackers exploiting it to execute arbitrary code, according to Mozilla's advisory. It carries a CVSSv3 vulnerability-severity rating of 9.8 out of 10 and a low attack complexity (no privileges or user interaction is needed to successfully exploit the flaw), and translates into high risk in the event of a successful attack.

Critical bugs in Firefox, which is used by around 178 million people worldwide, are few and far between. The Web browser hasn't had to offer patches for such a severe flaw since March, and only a small number have been discovered in the past few years.

The disclosure sparked a flurry of alerts from international cyber agencies, including Dutch national cyber center Nationaal Cyber Security Centrum, and the cybersecurity centers of Canada and Italy.

The Web browser vulnerability affects Firefox 131.0.2, Firefox ESR 128.3.1, and Firefox ESR 115.16.1. Users should upgrade to version 131.0.2 in Firefox and to versions 115.16.1 or 128.3.1 for Firefox ESR to fix the vulnerability and thwart potential exploitation.

**About the Author**

Source

DARKReading