We recently announced our 2023 State of Cloud Permissions Risks report, which laid out eye-opening findings not just on the expansion of cloud environments but on the growing number of identity types accessing critical cloud resources. The report shows why securing workload identities has become more critical than ever:
The sheer number of inactive workload identities and credentials represents an opportunity for significant risk reduction, especially given how many hold high-privilege permissions and operate across clouds. Inactive identities and stale credentials are easier targets for compromise and can generally be removed without impact, while credentials that are still in use but allowed to expire cause outages.
According to the whitepaper from Kuppinger Cole, Securing Non-human Identities, one significant change is the rapid growth in the number and types of non-human identities, including workload identities. It’s become increasingly difficult to ensure proper identity management to avoid exposure to business, security, and compliance risks.
To help resolve emerging issues with non-human identities, we launched Microsoft Entra Workload Identities in November 2022. It allows organizations to apply conditional access, identity protection, credential policies, and access reviews to workload identities, which helps detect and remediate risks for workloads, whose behaviour differs from that of users.
Easily recognizing which identities have risky configurations or should be removed altogether is becoming crucial, so we're excited to announce a new feature, app health recommendations, within Microsoft Entra Workload Identities.
With more than 80% of workload identities inactive, visibility into these apps and services is crucial. The app health recommendations capability in Microsoft Entra Workload Identities provides insights and actionable guidance to help you secure your environment and avoid outages by following recommended best practices. Examples include addressing applications that haven't been used for more than 30 days, removing unused application credentials, and renewing credentials that expire soon.
Removing unused applications and unused app credentials improves the security posture of a workload identity portfolio and promotes good identity hygiene. It reduces the risk of compromise, for example by an attacker discovering an unused application and abusing it. Depending on the permissions granted to the unused identity, this could expose sensitive organizational data or enable lateral movement to further the attacker's objectives.
These new capabilities are available in Azure AD recommendations. Each recommendation has a description of the issue, the benefits of taking action, and an action plan with step-by-step remediation instructions. The three app health recommendations initially offered as part of Microsoft Entra Workload Identities are: remove applications that have not been used for more than 30 days, remove unused application credentials, and renew application credentials that expire soon.
The status of a recommendation can be updated manually or automatically by the system. If all impacted resources are addressed according to the action plan, the recommendation status automatically changes to 'Completed' the next time the recommendations service runs.
To find this and determine your best course of action, follow these steps:
If you want to learn more about how to use Microsoft Graph with app health recommendations, please check out the documentation.
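To make the three checks concrete, here is an added example (not Microsoft's code and not the Graph recommendations service itself) that reproduces them over constructed data shaped like Microsoft Graph `application` objects (`appId`, `passwordCredentials` and `keyCredentials` entries with `keyId` and `endDateTime`). The per-app last sign-in and per-credential last-use maps are constructed as well; representing credential usage as a simple `{keyId: datetime}` map is an assumption of this example, not a documented Graph property. The one point the prose only hints at is how the checks overlap: a credential that is both unused and about to expire should be removed, not renewed.

```python
from datetime import datetime, timedelta, timezone

# Added example, not Microsoft's code. Inputs are constructed in the shape of
# Microsoft Graph `application` objects; the usage maps below are constructed too,
# and the per-credential {keyId: datetime} last-use map is an assumption of this
# example rather than a documented Graph property.

NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)
WINDOW_DAYS = 30  # the 30-day threshold the recommendations use


def _iso(dt):
    """Render a datetime the way Graph does (UTC, trailing Z)."""
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_graph_time(s):
    """Parse Graph's ISO-8601 UTC timestamps into aware datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


APPS = [  # constructed sample app registrations
    {"displayName": "billing-etl", "appId": "app-billing",
     "passwordCredentials": [
         {"keyId": "pw-billing-new", "endDateTime": _iso(NOW + timedelta(days=200))},
         {"keyId": "pw-billing-old", "endDateTime": _iso(NOW + timedelta(days=12))}],
     "keyCredentials": []},
    {"displayName": "reporting-api", "appId": "app-reporting",
     "passwordCredentials": [],
     "keyCredentials": [
         {"keyId": "cert-reporting", "endDateTime": _iso(NOW + timedelta(days=5))}]},
    {"displayName": "old-migration-tool", "appId": "app-migration",
     "passwordCredentials": [
         {"keyId": "pw-migration", "endDateTime": _iso(NOW + timedelta(days=90))}],
     "keyCredentials": []},
]

APP_LAST_SIGNIN = {  # constructed: last service principal sign-in per appId
    "app-billing": NOW - timedelta(days=1),
    "app-reporting": NOW - timedelta(days=3),
    "app-migration": NOW - timedelta(days=120),
}

CRED_LAST_USED = {  # constructed: last time each credential authenticated
    "pw-billing-new": NOW - timedelta(days=1),
    "pw-billing-old": NOW - timedelta(days=75),
    "cert-reporting": NOW - timedelta(days=2),
    "pw-migration": NOW - timedelta(days=120),
}


def _credentials(app):
    """Yield (keyId, expiry) for every secret and certificate on an app."""
    for cred in app.get("passwordCredentials", []) + app.get("keyCredentials", []):
        yield cred["keyId"], parse_graph_time(cred["endDateTime"])


def _stale(last_used, now, window_days):
    """True when something was never used, or not used within the window."""
    return last_used is None or (now - last_used) > timedelta(days=window_days)


def app_health_report(apps, app_last_signin, cred_last_used,
                      now=NOW, window_days=WINDOW_DAYS):
    """Run the three app health checks and resolve their overlap.

    Returns {"remove_apps": [appId, ...],
             "remove_credentials": [(appId, keyId), ...],
             "renew_credentials": [(appId, keyId, days_left), ...]}.
    Unused credentials are listed for removal even when they are also expiring:
    renewing a secret nobody uses only keeps attack surface alive.
    """
    report = {"remove_apps": [], "remove_credentials": [], "renew_credentials": []}
    for app in apps:
        app_id = app["appId"]
        if _stale(app_last_signin.get(app_id), now, window_days):
            # Unused application: removing it retires all of its credentials too.
            report["remove_apps"].append(app_id)
            continue
        for key_id, expires in _credentials(app):
            days_left = (expires - now).days  # negative once already expired
            if _stale(cred_last_used.get(key_id), now, window_days):
                report["remove_credentials"].append((app_id, key_id))
            elif days_left <= window_days:
                # Still in use and expiring soon (or already expired): renew it
                # before the workload breaks.
                report["renew_credentials"].append((app_id, key_id, days_left))
    return report


if __name__ == "__main__":
    for action, items in app_health_report(APPS, APP_LAST_SIGNIN, CRED_LAST_USED).items():
        print(action, items)
```

On the sample data this flags `old-migration-tool` for removal, the 75-day-idle `pw-billing-old` secret for removal even though it expires in 12 days, and the actively used `cert-reporting` certificate for renewal with 5 days left. Whatever source of last-use data you wire in, treat "never seen" the same as "stale" rather than "safe": an identity with no sign-in history is exactly the kind a recommendation exists to surface.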
As the number of workload identities accessing cloud infrastructure continues to grow, it is critical that organizations closely monitor their posture to reduce the risk of both attacks and outages.
Resources:
Jeff Sakowicz