Severity: HIGH - East African Cloud-Connected Organizations

Source: The Hacker News | Threat Category: Identity & Access Management | Affected Sectors: Banking, Government, Telecom, Critical Infrastructure

The Threat

In 2024, 68% of cloud breaches were caused not by phishing or weak passwords, but by compromised non-human identities (NHIs) - service accounts, API tokens, machine credentials, and AI agent keys that were created, forgotten, and never decommissioned. Source: The Hacker News / thehackernews.com/2026/04/webinar-find-and-eliminate-orphaned-non.html.

For every single human employee in your organization, there are 40 to 50 automated credentials operating silently in the background. These include system-to-system API keys, cloud service accounts, CI/CD pipeline tokens, third-party integration credentials, and increasingly, AI agent identities. When a developer leaves, a project ends, or a vendor contract is terminated, those credentials almost never get revoked. They become orphaned - still active, still privileged, and completely unmonitored.

Attackers do not need to trick your staff. They simply find the forgotten door that nobody locked.

Why This Hits East African Organizations Hard

Kenya, Ethiopia, Somalia, and the broader Horn of Africa are in an accelerated cloud adoption phase. The CBK's guidance on cloud computing, Ethiopia's expanding digital government platforms, and Somalia's rapidly growing mobile money infrastructure have all pushed organizations to integrate dozens of cloud services - often faster than security governance can keep up.

This creates a specific and dangerous pattern across the region:

  • Kenyan banks and SACCOs connecting core banking systems to mobile money APIs (M-Pesa, Airtel Money) generate dozens of service-to-service credentials per integration - many of which outlive the projects that created them.
  • Government agencies in Kenya and Ethiopia running e-citizen portals and GovTech platforms routinely onboard system integrators who create service accounts that are never revoked when the contract ends.
  • Telcos and ISPs across the Horn of Africa running network automation and monitoring tools carry large inventories of machine credentials, the majority of which have never been formally audited.
  • Hospitals and healthcare systems adopting electronic health record (EHR) integrations in Tanzania and Rwanda are inheriting API keys embedded in vendor-supplied software with default or shared credentials.

Kenya's Data Protection Act 2019 and the CBK Cybersecurity Guidelines both require organizations to maintain strict access controls and audit trails. An orphaned service account with admin-level privileges is a direct and auditable compliance failure - and a potential regulatory liability under both frameworks.

Impact Assessment

The risk is not theoretical. An orphaned service account with standing cloud permissions can allow an attacker to:

  • Exfiltrate customer financial data from cloud-hosted banking systems without triggering traditional endpoint alerts
  • Move laterally across cloud environments - from a forgotten staging server to a live production database
  • Abuse AI agent credentials to manipulate automated workflows, approvals, or data pipelines
  • Establish persistent access that survives password resets, MFA rollouts, and even staff changes

Unlike phishing, these attacks generate no user interaction signals. Standard security awareness training and email filters offer zero protection. If your SOC is only watching human login events, it is blind to this entire attack surface.

Immediate Actions for East African IT and Security Teams

  • Run a full NHI inventory today. Document every service account, API key, OAuth token, and machine credential across your cloud environments (AWS, Azure, GCP, local cloud providers). If you cannot name the owner and active purpose of a credential, treat it as compromised until proven otherwise.
  • Apply the 30-day rule. Any credential that has not been used in 30 days should be flagged for immediate review and rotated or revoked. Dormant credentials are orphaned credentials.
  • Enforce least privilege on all NHIs. Service accounts should only hold the minimum permissions required for their specific function. A payment gateway API key has no business with read access to your HR database.
  • Integrate NHI monitoring into your SOC. Behavioral alerts on machine identities - unusual access times, unexpected geolocations, abnormal data volumes - must be treated with the same urgency as compromised user accounts.
  • Embed credential offboarding into vendor and project exit checklists. Every third-party integration agreement and internal project close-out must include a mandatory step to revoke all associated non-human credentials. Make this policy, not best practice.
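The first three actions above (inventory with a named owner and purpose, the 30-day rule, and least privilege) can be applied mechanically to an exported inventory. The following is an added example, not DRONGO's tooling: it assumes a constructed inventory schema (name, owner, purpose, last_used, privilege, permissions) and an assumed per-purpose permission baseline, and returns a prioritized list of credentials needing action.

```python
# Added example (not DRONGO's tooling): triage a non-human identity (NHI)
# inventory with the advisory's rules. Rows and field names are a constructed
# inventory schema, not any cloud provider's export format.
from datetime import datetime, timezone

DORMANCY_DAYS = 30                                # the advisory's 30-day rule
NOW = datetime(2026, 4, 15, tzinfo=timezone.utc)  # fixed "today" for reproducible output

INVENTORY = [
    {"name": "mpesa-gateway-key", "owner": "payments", "purpose": "M-Pesa settlement",
     "last_used": "2026-04-14", "privilege": "admin", "permissions": ["payments:write", "hr:read"]},
    {"name": "svc-integrator-2023", "owner": "", "purpose": "",
     "last_used": "2023-11-02", "privilege": "admin", "permissions": ["*"]},
    {"name": "ci-deploy-token", "owner": "devops", "purpose": "pipeline deploy",
     "last_used": "2026-04-10", "privilege": "limited", "permissions": ["deploy:write"]},
    {"name": "staging-monitor", "owner": "netops", "purpose": "uptime checks",
     "last_used": "2026-02-01", "privilege": "readonly", "permissions": ["metrics:read"]},
]

# Least-privilege baseline (assumed policy table): what each stated purpose needs.
EXPECTED_PERMS = {
    "M-Pesa settlement": {"payments:write"},
    "pipeline deploy": {"deploy:write"},
    "uptime checks": {"metrics:read"},
}

def triage(cred, now=NOW):
    """Return findings for one credential; an empty list means no action needed."""
    findings = []
    if not cred["owner"] or not cred["purpose"]:
        findings.append("ORPHANED: no owner/purpose -> treat as compromised, revoke")
    idle = (now - datetime.fromisoformat(cred["last_used"]).replace(tzinfo=timezone.utc)).days
    if idle > DORMANCY_DAYS:
        findings.append(f"DORMANT: unused for {idle} days -> rotate or revoke")
    expected = EXPECTED_PERMS.get(cred["purpose"], set())  # unknown purpose: nothing is justified
    excess = sorted(set(cred["permissions"]) - expected)
    if excess:
        findings.append(f"EXCESS PRIVILEGE: remove {excess}")
    return findings

def prioritized(inventory, now=NOW):
    """Credentials needing action, highest privilege and most findings first."""
    rank = {"admin": 0, "limited": 1, "readonly": 2}
    rows = [(c, f) for c in inventory if (f := triage(c, now))]
    rows.sort(key=lambda r: (rank[r[0]["privilege"]], -len(r[1])))
    return [(c["name"], f) for c, f in rows]

if __name__ == "__main__":
    for name, findings in prioritized(INVENTORY):
        print(name, *findings, sep="\n  ")
```

In the constructed data the unowned, long-dormant integrator account with wildcard permissions ranks first, while the active deploy token produces no findings.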

DRONGO Recommendation

DRONGO's cloud security assessments include a dedicated Non-Human Identity audit - mapping every orphaned credential across your environment, scoring risk by privilege level, and delivering a prioritized remediation roadmap aligned to CBK guidelines and ISO 27001 controls. We work directly with your IT and DevOps teams, not around them.

Is your organization protected? Request a free security assessment.