Employee offboarding: What about their NHIs?
When employees leave, most organizations either manually remove their access or, in more mature setups, use IGA or IdP platforms integrated with HR systems.
But there’s a problem: IGA and IdP solutions focus on human identities. Even if they handle some workflows for service accounts tied to the employee, it’s not enough. Employees create and connect a variety of non-human identities (NHIs) like API keys, SSH keys, OAuth tokens and service accounts across engineering and business environments. These NHIs play a critical role in operational processes, but they also become a significant security risk if they are left unmonitored when the employee leaves.
The challenge: Offboard, transfer, or rotate (and how)?
It’s no news that NHIs enable all communication between services and machines. They are everywhere, and employees create them regularly as part of their daily tasks.
Engineers create various types of secrets to authenticate services, build automations, and drive innovation.
Marketing, sales, business analysis and other departments connect apps and tools to corporate systems through NHIs like OAuth tokens and service accounts.
So what do you do when the employee who created these identities, or who merely uses them and has access to them, leaves? Do you manually hunt for every NHI they ever created and blindly remove them? Do you transfer ownership to a colleague? How do you ensure operational continuity while also avoiding security risks?
Research by CSA & Astrix reveals that only 19% of organizations have automated processes for offboarding API keys.
Offboarding employees’ associated NHIs presents a two-fold challenge: operational and security-related.
On the operational side, NHIs that are bound to the employee’s own account, such as OAuth grants and SSH keys, are revoked automatically when that account is disabled. Those, and NHIs removed by mistake during manual cleanup, can disrupt and break critical processes that still depend on them.
On the security side, NHIs that are not removed after an employee leaves become a vulnerability. These orphaned NHIs, often with sensitive permissions and no expiry, expand your attack surface and can become prime targets for exploitation.
3 use cases of employee & NHI offboarding to consider
Operational disruption: Business analyst’s OAuth tokens
A business analyst connects a third-party tool via OAuth to automate data collection. When they leave, the OAuth token is revoked, causing the tool to lose access and breaking critical workflows. This can result in data loss and operational disruption.
Insider threat: Engineer’s secrets
An engineer, just before leaving, retrieves secrets like API keys. Without proper offboarding and rotation, they could use these secrets to access sensitive systems post-departure, posing a significant insider threat.
External threat: Orphaned NHIs exploited
Unmonitored orphaned NHIs, such as API keys or service accounts, can be exploited by attackers. A frequently cited real-world example is the SolarWinds breach, where a leaked credential was reported as a possible entry point in an attack that compromised thousands of systems.
Research by CSA & Astrix shows that 68% of tokens in GitHub have no expiry. Moreover, 45% of security incidents are caused by a lack of credential rotation, some of which can be attributed to offboarded employees.
Automating employee NHI offboarding with Astrix
Properly offboarding, rotating, or transferring an employee’s NHIs requires knowing what they are, what they’re used for, which processes rely on them, and who uses them. This is exactly what Astrix delivers and automates.
First, you need visibility and context:
- NHI mapping: Get an inventory of all NHIs associated with an employee, and understand what kind of access they have (e.g. whether they created them, can read the credentials from a vault, or can mint new credentials).
- Technical and operational context: Astrix provides deep technical context around how each NHI is used: which systems rely on it (e.g. an SSH key used by a critical server or an API key consumed by multiple services), hidden or indirect dependencies, the NHI’s privileges, its blast radius and more.
- Reassign ownership: Prevent operational disruptions by automatically transferring the NHIs that are still needed from a departing employee to another. View the users of each NHI to quickly determine the best candidate for new ownership.
Then, you need to reduce your attack surface and monitor for ongoing risk:
- Remove redundant NHIs: Quickly reduce your attack surface by eliminating stale or unused NHIs linked to offboarded employees.
- Respond to potential threats: Threat detection engines identify anomalous behavior and policy deviations, catching insider threats and potential exploits. By detecting unusual actions, such as an employee reading secrets from a vault just before leaving, Astrix lets you catch risks before they escalate.
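The "reading secrets from a vault just before leaving" signal above is easy to express as detection logic over a vault audit log joined with the HR feed of last working days. The following is an added example written for this page, not Astrix's detection engine: the audit events, the roster, the event field names and the thresholds (a 7-day window, an 8-week baseline, a 3x burst factor) are all constructed assumptions. It raises two kinds of alert: a pre-departure burst (reads of secrets the user never touched before, or a volume well above their own baseline), and any read after the last working day, which means the account was never disabled.

```python
"""Flag unusual vault secret reads around an employee's departure.

Added example, not Astrix code. Audit events and the HR roster are constructed
inline; the field names and thresholds are assumptions, not a vendor format.
"""
from collections import Counter, defaultdict
from datetime import date, datetime, timedelta

# Constructed HR feed: last working day per departing employee.
ROSTER = {
    "alice": date(2024, 3, 29),
    "bob": date(2024, 6, 28),
    "carol": date(2024, 2, 1),
}

# Constructed audit events: (timestamp, user, secret path). A real audit log
# (e.g. a HashiCorp Vault audit device) carries many more fields.
EVENTS = [
    # alice: steady weekly reads of one CI key for two months ...
    *[(f"2024-{m:02d}-{d:02d}T09:00:00", "alice", "secret/data/ci/deploy-key")
      for m, d in [(2, 5), (2, 12), (2, 19), (2, 26), (3, 4), (3, 11), (3, 18)]],
    # ... then, in her final week, a burst of production secrets she never touched before.
    ("2024-03-25T18:05:00", "alice", "secret/data/prod/db-admin"),
    ("2024-03-25T18:06:00", "alice", "secret/data/prod/payments-api"),
    ("2024-03-25T18:07:00", "alice", "secret/data/prod/aws-root"),
    ("2024-03-26T08:00:00", "alice", "secret/data/ci/deploy-key"),
    # bob: normal usage, nothing unusual in his final week.
    ("2024-05-06T09:00:00", "bob", "secret/data/ci/deploy-key"),
    ("2024-05-13T09:00:00", "bob", "secret/data/ci/deploy-key"),
    ("2024-05-20T09:00:00", "bob", "secret/data/ci/deploy-key"),
    ("2024-06-25T10:00:00", "bob", "secret/data/ci/deploy-key"),
    # carol: a read two days AFTER her last day, i.e. an account that was never disabled.
    ("2024-02-03T22:14:00", "carol", "secret/data/prod/db-admin"),
]

WINDOW_DAYS = 7      # "final week" before the last working day
BASELINE_WEEKS = 8   # history used to establish the user's normal behaviour
BURST_FACTOR = 3     # window reads above this multiple of the weekly baseline is a burst


def detect_departure_anomalies(events, roster, window_days=WINDOW_DAYS,
                               baseline_weeks=BASELINE_WEEKS, burst_factor=BURST_FACTOR):
    """Return one alert dict per departing user whose secret access looks wrong."""
    by_user = defaultdict(list)
    for ts, user, path in events:
        by_user[user].append((datetime.fromisoformat(ts), path))

    alerts = []
    for user, last_day in roster.items():
        end_of_last_day = datetime.combine(last_day, datetime.max.time())
        window_start = datetime.combine(last_day - timedelta(days=window_days), datetime.min.time())
        baseline_start = window_start - timedelta(weeks=baseline_weeks)

        baseline_paths, baseline_reads = set(), 0
        window_reads = Counter()
        post_departure = []
        for ts, path in by_user.get(user, []):
            if baseline_start <= ts < window_start:
                baseline_paths.add(path)
                baseline_reads += 1
            elif window_start <= ts <= end_of_last_day:
                window_reads[path] += 1
            elif ts > end_of_last_day:
                post_departure.append((ts.isoformat(), path))

        # Any read after the last day means deprovisioning failed: alert unconditionally.
        if post_departure:
            alerts.append({"user": user, "kind": "post_departure_access",
                           "events": post_departure})

        if not window_reads:
            continue
        weekly_baseline = baseline_reads / baseline_weeks
        total = sum(window_reads.values())
        novel = sorted(set(window_reads) - baseline_paths)
        # Alert on never-before-seen secrets, or on a burst well above the user's own baseline.
        if novel or total > max(burst_factor, burst_factor * weekly_baseline):
            alerts.append({"user": user, "kind": "pre_departure_burst",
                           "window_reads": total, "weekly_baseline": weekly_baseline,
                           "novel_paths": novel})
    return alerts


if __name__ == "__main__":
    for alert in detect_departure_anomalies(EVENTS, ROSTER):
        print(alert)
```

The baseline is per user rather than global because an on-call engineer legitimately reads far more secrets than an analyst; the "novel path" rule matters more than the volume rule, since a single read of a production credential the leaver never needed is the pattern worth a call to HR and a rotation, regardless of count.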
Lastly, you have to automate & integrate to do it at scale:
- Integrate with your IdP & IGA: Astrix integrates with your existing Identity Governance and Administration (IGA) or Identity Provider (IdP) platforms to streamline deprovisioning workflows. This allows you to automatically trigger workflows that reassign or revoke access tied to offboarded employees, reducing overhead.
- Automate with workflows: Astrix lets you set up automated workflows for revoking or transferring NHIs, so that NHIs tied to a departing employee are handled efficiently and at scale, with less manual effort.
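The decision the earlier section asks ("offboard, transfer, or rotate?") and the visibility steps above (inventory, dependents, users, ownership, stale removal) come together as a triage rule set that a deprovisioning workflow can run per departing employee. The following is an added example written for this page, not Astrix's workflow engine: the inventory fields and the policy are assumptions, and the sample inventory is constructed. The rules encode the three use cases from the page: identity-bound tokens with dependents must be re-issued before the IdP disables the account, anything the leaver could read is rotated even if someone else owns it, stale unowned-by-anyone-else keys are revoked, and a key that is recently used but has no known dependents is flagged for investigation rather than blindly removed.

```python
"""Triage the non-human identities tied to a departing employee.

Added example, not Astrix code. The inventory format and the decision rules
are assumptions: a hypothetical export with the fields below, and a starting
policy for offboard / transfer / rotate that a team would tune to its own
risk appetite.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set


@dataclass
class NHI:
    id: str
    kind: str                        # api_key, ssh_key, oauth_token, service_account
    owner: str                       # employee who created it
    users: Set[str] = field(default_factory=set)         # humans able to read the credential value
    dependents: List[str] = field(default_factory=list)  # systems or jobs that rely on it
    last_used: Optional[date] = None
    expires: Optional[date] = None
    user_bound: bool = False         # lives on the owner's account, so IdP deprovisioning revokes it


STALE_DAYS = 90  # assumed threshold for "unused"


def triage(inventory, departing, today):
    """Return one action per NHI the departing employee created or can read."""
    actions = []
    for nhi in inventory:
        if nhi.owner != departing and departing not in nhi.users:
            continue  # unrelated to this offboarding
        stale = nhi.last_used is None or (today - nhi.last_used).days > STALE_DAYS
        others = sorted(nhi.users - {departing})
        new_owner = others[0] if others else None  # placeholder: a human picks from the user list
        notes = ["no expiry set"] if nhi.expires is None else []

        if nhi.owner != departing:
            # Someone else owns it, but the leaver could read the value: treat it as known.
            action = "rotate"
        elif nhi.user_bound:
            # Revoked automatically with the account. That is the disruption case, so
            # anything depending on it must be re-issued under a service identity first.
            action = "reissue_before_deprovision" if nhi.dependents else "auto_revoked"
        elif nhi.dependents:
            # Something relies on it: hand over ownership, then rotate because the
            # leaver has had the value.
            action = "transfer_and_rotate"
            if new_owner is None:
                notes.append("no other user known; assign an owner before rotating")
        elif stale:
            action = "revoke"
        else:
            # No known dependents but recently used: probably an undiscovered dependency.
            action = "investigate"
        actions.append({"id": nhi.id, "kind": nhi.kind, "action": action,
                        "new_owner": new_owner if action == "transfer_and_rotate" else None,
                        "notes": notes})
    return actions


# Constructed inventory for one departing employee ("alice").
INVENTORY = [
    NHI("k1", "api_key", "alice", {"alice", "dana"}, ["billing-sync-job"], date(2024, 3, 28), None),
    NHI("k2", "ssh_key", "alice", {"alice"}, [], date(2023, 10, 1), None),
    NHI("t1", "oauth_token", "alice", {"alice"}, ["salesforce-export"], date(2024, 3, 27), None, True),
    NHI("t2", "oauth_token", "alice", {"alice"}, [], date(2024, 1, 5), None, True),
    NHI("k3", "api_key", "bob", {"bob", "alice"}, ["ci-pipeline"], date(2024, 3, 28), date(2025, 1, 1)),
    NHI("k4", "api_key", "bob", {"bob"}, ["ci-pipeline"], date(2024, 3, 28), None),
    NHI("sa1", "service_account", "alice", {"alice"}, [], date(2024, 3, 20), None),
]


def example_actions():
    """Run the triage for the constructed inventory on alice's last day."""
    return triage(INVENTORY, "alice", date(2024, 3, 29))


if __name__ == "__main__":
    for action in example_actions():
        print(action)
```

Two design points worth keeping when adapting this: rotation is decided by who could have read the value, not by who owns the record, which is why `k3` is rotated although bob owns it; and the order matters, because the re-issue for `t1` has to complete before the IdP disables the account, whereas revocations and rotations can safely run afterwards.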
To learn more about employee offboarding and NHIs, schedule a time with our experts.