Abstract: Techniques for identifying an exposed credential that, if used, would provide access to a resource are disclosed. The techniques enable the resource to remain online while (i) a new credential is allocated for the resource, (ii) the resource is transitioned to using the new credential instead of the exposed credential, and (iii) the exposed credential is attempted to be invalidated. A credential is accessed. This credential is suspected of being in an exposed state. The credential is accessible from within an artifact and is determined to be in the exposed state. A new credential is generated. This new credential is designed to replace the exposed credential. An instruction is transmitted to the resource to cause it to transition from using the exposed credential to using the new credential. The exposed credential is then invalidated.

Abstract: Techniques are described herein that are capable of evaluating a result of enforcement of access control policies instead of enforcing the access control policies. For instance, a result of enforcement of an access control policy with regard to sign-in processes is evaluated instead of enforcing the access control policy with regard to the sign-in processes. The evaluation includes monitoring access requests that are received during the sign-in processes. Each access request requests access to a resource. The evaluation further includes comparing attributes of each access request against the access control policy that specifies criteria that are to be satisfied as a prerequisite to granting access to the resource to which access is requested by the respective access request. Metadata associated with the sign-in processes is generated instead of enforcing the access control policy with regard to the sign-in processes.

Abstract: Methods, systems, apparatuses, and computer-readable storage mediums described herein are configured to detect anomalous post-authentication behavior/state change(s) with respect to a workload identity. For example, audit logs that specify actions performed with respect to the workload identity of a platform-based identity service, a causing state change(s), while another identity is authenticated with the platform-based identity service, are analyzed. The audit log(s) are analyzed via a model for anomaly prediction based on actions. The model generates an anomaly score indicating a probability whether a particular sequence of the actions is indicative of anomalous behavior/state change(s). A determination is made that an anomalous behavior has occurred based on the anomaly score, and when anomalous behavior has occurred, a mitigation action may be performed that mitigates the anomalous behavior.

Abstract: Some embodiments improve the security of service principals, service accounts, and other application identity accounts by detecting compromise of account credentials. Application identity accounts provide computational services with access to resources, as opposed to human identity accounts which operate on behalf of a particular person. Authentication attempt access data is submitted to a machine learning model which is trained specifically to detect application identity account anomalies. Heuristic rules are applied to the anomaly detection result to reduce false positives, yielding a compromise assessment suitable for access control mechanism usage. Embodiments reflect differences between application identity accounts and human identity accounts, in order to avoid inadvertent service interruptions, improve compromise detection for application identity accounts, and facilitate compromise containment and recovery efforts by focusing on credentials individually.

Abstract: A trained machine learning model distinguishes between human-driven accounts and machine-driven accounts by performing anomaly detection based on sign-in data and optionally also based on directory data. This machine versus human distinction supports security improvements that apply security controls and other risk management tools and techniques which are specifically tailored to the kind of account being secured. Formulation heuristics can improve account classification accuracy by supplementing a machine learning model anomaly detection result, e.g., based on directory information, kind of IP address, kind of authentication, or various sign-in source characteristics. Machine-driven accounts masquerading as human-driven may be identified as machine-driven. Reviewed classifications may serve as feedback to improve the model's accuracy. A precursor machine learning model may generate training data for training a production account classification machine learning model.

Abstract: Techniques are described herein that are capable of evaluating a result of enforcement of access control policies instead of enforcing the access control policies. For instance, a result of enforcement of an access control policy with regard to sign-in processes is evaluated instead of enforcing the access control policy with regard to the sign-in processes. The evaluation includes monitoring access requests that are received during the sign-in processes. Each access request requests access to a resource. The evaluation further includes comparing attributes of each access request against the access control policy that specifies criteria that are to be satisfied as a prerequisite to granting access to the resource to which access is requested by the respective access request. Metadata associated with the sign-in processes is generated instead of enforcing the access control policy with regard to the sign-in processes.