The Invisible Army: How Unmanaged Digital Identities Are Undermining India's Critical Infrastructure
As India accelerates toward its $1 trillion digital economy goal by 2025, an unseen vulnerability threatens to derail this progress from within. While cybersecurity investments have surged by 27% annually since 2020, reaching ₹12,000 crore in 2024, organizations remain dangerously exposed—not through sophisticated zero-day exploits, but through the mundane neglect of digital identities that should no longer exist. These "ghost credentials" now account for 72% of initial access vectors in major breaches across India's financial, healthcare, and government sectors, according to CERT-In's 2024 threat assessment.
The Architecture of Neglect: Why Traditional Security Fails Against Ghost Identities
1. The Credential Explosion No One Is Tracking
The average Indian enterprise now maintains 3.4 million digital identities across its ecosystems, only 32% of which belong to actual employees. The remaining 68% are non-human identities, which break down as:
- Service accounts (45% of non-human identities) – used for automated processes such as database backups or system monitoring
- API keys (28%) – enabling communication between internal systems and third-party services
- OAuth tokens (15%) – granting persistent access to cloud applications
- AI/ML agent credentials (12%) – the fastest-growing category, often holding privileges that exceed those of human administrators
Unlike human accounts tied to HR systems, these identities proliferate without centralized oversight. A 2023 study by the Data Security Council of India (DSCI) found that 63% of Indian organizations cannot accurately inventory their non-human identities, let alone monitor their activity.
Case Study: The ₹87 Crore Ghost in Maharashtra's E-Governance System
In October 2023, cybercriminals exploited an abandoned service account from Maharashtra's 2018 smart city initiative to siphon ₹87 crore from municipal corporation funds. The account, created for a vendor that had been replaced in 2020, still held administrative privileges over the financial system. The breach went undetected for 112 days because:
- The account's activity patterns matched those of legitimate automated processes
- No human was associated with the account, so it never surfaced in access reviews
- Log monitoring was tuned to anomalies in human user behaviour, not to what individual credentials were doing
The incident forced the state to implement India's first Non-Human Identity Governance Framework in January 2024, now being adopted by six other states.
2. The Privilege Escalation Paradox
Ghost identities become particularly dangerous because they often retain elevated privileges long after their original purpose expires. Research from IIT Bombay's Cybersecurity Center reveals that:
- 89% of abandoned service accounts maintain their original permission levels
- 42% of these have privileges that exceed what current administrators possess
- 76% of critical infrastructure breaches in India (2021-2023) involved exploited legacy credentials
The problem stems from how these identities are created. Unlike human accounts that follow standardized onboarding workflows, non-human credentials are typically:
- Generated by developers during project sprints
- Created by vendors with temporary needs
- Automatically provisioned by cloud services with over-permissive default privileges
North East India's Unique Vulnerability
The region's rapid digital transformation—accelerated by central government initiatives like the North East Special Infrastructure Development Scheme (NESIDS)—has created a perfect storm for ghost identity exploitation:
- Skill gaps: 68% of IT staff in government projects are contractual, leading to poor knowledge transfer about legacy systems
- Vendor churn: High turnover among implementation partners leaves behind orphaned credentials
- Legacy system integration: New digital services often connect to 15- to 20-year-old databases using hardcoded credentials
A 2024 audit of Assam's Orunodoi direct benefit transfer scheme found 2,300+ active credentials belonging to vendors no longer associated with the program, 800 of which had access to beneficiary data.
The Economics of Inaction: Why Organizations Keep Ignoring the Problem
1. The "Not My Problem" Syndrome in IT Security
Organizational silos create blind spots where ghost identities thrive:
| Department | Role in Credential Lifecycle | Why They Don't Act |
|---|---|---|
| Development Teams | Create 80% of non-human identities | "Security will handle cleanup" |
| Security Teams | Responsible for governance | Lack tools to discover non-human identities |
| Procurement | Should trigger deprovisioning when vendors leave | No integration with IT systems |
| Audit Teams | Should flag unused credentials | Focus on financial controls, not technical debt |
2. The Cost Illusion: Why Cleanup Gets Deferred
Organizations systematically underestimate the cost of inaction while overestimating remediation expenses:
[Figure: cost comparison chart; only its labels survived: "100 ghost identities", "exploiting ghost credentials", "unmanaged credentials"]
The Reserve Bank of India's 2024 Cyber Resilience Framework now requires banks to include non-human identity management in their audit scope after discovering that:
- 4 major private banks had 15,000+ orphaned API keys with access to customer data
- 2 public sector banks were using hardcoded credentials from 2012 core banking upgrades
- 1 payment processor had vendor credentials active 7 years after contract termination
Beyond Technical Fixes: The Organizational Culture Shift Needed
1. Redefining Identity Governance for the Machine Age
Traditional Identity and Access Management (IAM) frameworks fail because they treat non-human identities as exceptions rather than the majority. Progressive organizations are adopting:
- Credential Lifecycle Automation: Tools like CyberArk's Identity Security Platform or SailPoint's Non-Human Identity Manager that auto-discover and classify all identities
- Just-In-Time Privilege Models: Credentials activate only when needed (e.g., for specific API calls) and expire immediately after
- Behavioral Baselining: AI-driven monitoring that flags when a service account deviates from its historical patterns
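The Maharashtra account above went unnoticed because monitoring looked for human anomalies rather than at what the credential itself was doing. The following is an added example (not code from the article or from any of the products it names) of the behavioural baselining described in the last bullet: each service account's profile is learned from its own history, and new events are scored against it. The log format, account name, hosts and addresses are constructed, and the 5% "off-schedule hour" threshold is an assumption.

```python
"""Behavioural baseline for service accounts, learned from each account's own history.

Added example; not code from the article or from any monitoring product it names.
The log format, account name, hosts and addresses below are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
OFF_SCHEDULE_FRACTION = 0.05   # assumption: an hour with <5% of historical activity is "off-schedule"


def parse(line):
    """Parse 'ISO-timestamp key=value key=value ...' into a dict."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ev = dict(kv.split("=", 1) for kv in m.group("kv").split())
    ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ev


class AccountBaseline:
    """What one account normally does: source hosts, operations, targets, hours of day."""

    def __init__(self):
        self.sources, self.ops, self.targets = set(), set(), set()
        self.hours = Counter()
        self.n = 0

    def learn(self, ev):
        self.sources.add(ev["src"])
        self.ops.add(ev["op"])
        self.targets.add(ev["target"])
        self.hours[ev["ts"].hour] += 1
        self.n += 1

    def deviations(self, ev):
        """Return the ways this event departs from the learned profile (empty list = normal)."""
        reasons = []
        if ev["src"] not in self.sources:
            reasons.append(f"new source host {ev['src']}")
        if ev["op"] not in self.ops:
            reasons.append(f"new operation {ev['op']}")
        if ev["target"] not in self.targets:
            reasons.append(f"new target {ev['target']}")
        if self.hours[ev["ts"].hour] / self.n < OFF_SCHEDULE_FRACTION:
            reasons.append(f"off-schedule hour {ev['ts'].hour:02d}")
        return reasons


def build_baselines(history_lines):
    baselines = defaultdict(AccountBaseline)
    for line in history_lines:
        ev = parse(line)
        baselines[ev["account"]].learn(ev)
    return dict(baselines)


def detect(baselines, new_lines):
    """Score new events against the baselines; returns (account, timestamp, reasons) per alert."""
    alerts = []
    for line in new_lines:
        ev = parse(line)
        base = baselines.get(ev["account"])
        if base is None:
            alerts.append((ev["account"], ev["ts"], ["no baseline: account never seen before"]))
        elif reasons := base.deviations(ev):
            alerts.append((ev["account"], ev["ts"], reasons))
    return alerts


# Constructed history: a backup account that has run nightly at ~02:10 from one host for 30 days.
HISTORY = [
    f"2024-09-{d:02d}T02:{10 + d % 5:02d}:00Z account=svc_backup_2018 src=10.20.1.14 op=db.backup target=finance_db"
    for d in range(1, 31)
]

# Constructed new events: one normal run, then activity that a rule keyed on "is this a
# known-good account?" would never flag, because the account itself is known good.
NEW_EVENTS = [
    "2024-10-02T02:12:00Z account=svc_backup_2018 src=10.20.1.14 op=db.backup target=finance_db",
    "2024-10-02T14:41:53Z account=svc_backup_2018 src=203.0.113.7 op=db.query target=finance_db",
    "2024-10-03T02:10:00Z account=svc_backup_2018 src=10.20.1.14 op=payment.transfer target=treasury_ledger",
    "2024-10-03T02:11:00Z account=svc_unknown src=10.20.1.14 op=db.backup target=finance_db",
]


def run_example():
    return detect(build_baselines(HISTORY), NEW_EVENTS)


if __name__ == "__main__":
    for account, ts, reasons in run_example():
        print(f"{ts.isoformat()} {account}: {'; '.join(reasons)}")
```

The caveat a practitioner should keep in mind: an attacker who reuses the account from its usual host, at its usual hour, for its usual operation (as in the Maharashtra case) defeats a profile like this. Baselining catches misuse of a credential; it does not tell you the credential should have been deleted years ago, which is why it has to be paired with inventory and contract checks.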
How Tamil Nadu's E-Governance Agency Reduced Ghost Identities by 87%
After a 2023 breach attempt that exploited a 2019 vendor credential, the agency implemented:
- Quarterly credential audits tied to vendor contract renewals
- Automated deprovisioning triggered by procurement system updates
- Privilege time-bombing where all credentials expire after 90 days unless explicitly renewed
Result: 12,000+ ghost identities discovered and removed in 6 months, reducing the agency's attack surface by 63%.
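The three Tamil Nadu controls above, together with the earlier point that abandoned accounts keep their original privileges, amount to one audit procedure: join the identity inventory to procurement records and last-use data, expire anything not renewed within the window, and rank by privilege. The following is an added example of that procedure (not the agency's own tooling or code from the article). The inventory, vendor contracts, dates and privilege names are constructed; the 90-day window and the severity rules are assumptions.

```python
"""Ghost-identity audit: cross-check a non-human identity inventory against procurement
records and last-use data, and apply a 90-day "time-bomb" renewal rule.

Added example; not code from the article or from the Tamil Nadu agency it describes.
The inventory, vendor contracts, dates and privilege names are constructed; the 90-day
window and the severity rules are assumptions.
"""
from datetime import date

RENEWAL_WINDOW_DAYS = 90                                       # assumed: expire unless renewed within 90 days
HIGH_PRIVILEGES = {"admin", "finance.write", "grid.control"}   # assumed markers of elevated access


def audit(identities, contracts, today):
    """Return {identity_id: {"severity", "reasons", "action"}} for every identity that should not exist as-is."""
    findings = {}
    for ident in identities:
        reasons = []
        vendor = ident.get("vendor")                  # None means an internally owned identity
        if vendor is not None:
            end = contracts.get(vendor)
            if end is None:
                reasons.append(f"vendor {vendor} has no procurement record")
            elif end < today:
                reasons.append(f"contract with {vendor} ended {end.isoformat()}")
        idle_days = (today - ident["last_used"]).days
        if idle_days > RENEWAL_WINDOW_DAYS:
            reasons.append(f"unused for {idle_days} days")
        if ident["renewed_until"] < today:
            reasons.append(f"renewal lapsed on {ident['renewed_until'].isoformat()}")
        if reasons:
            severity = "high" if ident["privileges"] & HIGH_PRIVILEGES else "medium"
            findings[ident["id"]] = {"severity": severity, "reasons": reasons, "action": "disable"}
    return findings


def on_contract_update(identities, contracts, vendor, new_end, today):
    """Procurement hook: record the new end date and return the identities to disable immediately."""
    contracts[vendor] = new_end
    if new_end >= today:
        return []
    return [i["id"] for i in identities if i.get("vendor") == vendor]


# Constructed inventory. The first entry mirrors the abandoned 2018 smart-city account in the
# article: still in daily use, so a "last used" check alone would never catch it.
TODAY = date(2024, 4, 1)
CONTRACTS = {"VendorA": date(2020, 6, 30), "VendorB": date(2025, 3, 31)}
IDENTITIES = [
    {"id": "svc_smartcity_2018", "type": "service", "vendor": "VendorA",
     "last_used": date(2024, 3, 31), "renewed_until": date(2018, 9, 28),
     "privileges": {"admin", "finance.write"}},
    {"id": "api_key_reporting", "type": "api_key", "vendor": None,
     "last_used": date(2023, 10, 1), "renewed_until": date(2024, 6, 1),
     "privileges": {"read"}},
    {"id": "svc_monitoring", "type": "service", "vendor": "VendorB",
     "last_used": date(2024, 3, 30), "renewed_until": date(2024, 5, 1),
     "privileges": {"read"}},
    {"id": "oauth_ml_agent", "type": "oauth", "vendor": "VendorC",
     "last_used": date(2024, 3, 28), "renewed_until": date(2024, 4, 30),
     "privileges": {"admin"}},
]


def run_example():
    findings = audit(IDENTITIES, CONTRACTS, TODAY)
    # Procurement later reports that VendorB's contract was terminated yesterday.
    disabled = on_contract_update(IDENTITIES, dict(CONTRACTS), "VendorB", date(2024, 3, 31), TODAY)
    return findings, disabled


if __name__ == "__main__":
    findings, disabled = run_example()
    for ident_id, f in findings.items():
        print(f"{f['severity']:6} {ident_id}: {'; '.join(f['reasons'])} -> {f['action']}")
    print("disabled on contract update:", disabled)
```

Two design points. The contract join is what catches the actively used ghost: `svc_smartcity_2018` fails on "contract ended" and "renewal lapsed", never on idleness. And an identity whose vendor is absent from procurement records is treated as a finding rather than ignored, since an unknown owner is exactly the condition under which nobody will ever deprovision it.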
2. The Vendor Accountability Gap
India's Digital Personal Data Protection Act 2023 introduces potential liabilities for organizations that fail to manage third-party credentials, but enforcement remains weak. Key challenges:
- Contractual ambiguity: Only 18% of Indian IT contracts specify credential cleanup responsibilities
- Offshore risks: 42% of ghost credentials in Indian systems originate from foreign vendors
- Legacy lock-in: Older systems often require hardcoded credentials that cannot be easily rotated
The National Informatics Centre (NIC) now mandates that all government IT projects include:
"Vendor credentials must be provisioned through a centralized identity vault with automatic expiration tied to contract duration. All credentials must support just-in-time activation with maximum 24-hour validity for production access."
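The NIC wording above describes a concrete mechanism: a vault issues the credential, its lifetime is bounded by both a 24-hour ceiling and the contract end date, and it is activated per request rather than handed over once. The following is an added example of that mechanism next to the hardcoded pattern the article warns about (the "legacy lock-in" bullet above); it is not code from the article, from NIC or from any vault product. The vendor names, dates, scopes and signing key are constructed, and the HMAC-signed token format is an assumption chosen to keep the example dependency-free.

```python
"""Vault-issued, just-in-time vendor credentials with a 24-hour ceiling and contract-bound expiry,
next to the hardcoded credential they replace.

Added example; not code from the article, NIC or any vault product. Vendor names, dates,
scopes and the signing key are constructed; the HMAC token format is an assumption.
"""
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

MAX_TTL = timedelta(hours=24)      # the mandate's ceiling for production access

# The pattern the article warns against: a credential baked into code years ago and never rotated.
# It has no expiry, no owner and no link to any contract, so nothing ever switches it off.
LEGACY_DB_PASSWORD = "Core2012!Upgrade"   # constructed; do not copy this pattern


class CredentialVault:
    """Issues short-lived, scope-bound tokens; contract termination revokes them even before expiry."""

    def __init__(self, signing_key: bytes, contracts: dict):
        self._key = signing_key
        self._contracts = dict(contracts)     # vendor -> contract end (timezone-aware datetime)

    def update_contract(self, vendor, new_end):
        self._contracts[vendor] = new_end

    def _sign(self, body: str) -> str:
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, vendor, scope, requested_ttl, now):
        end = self._contracts.get(vendor)
        if end is None or end <= now:
            raise PermissionError(f"no active contract for {vendor}")
        exp = min(now + min(requested_ttl, MAX_TTL), end)   # never longer than 24h, never past the contract
        claims = {"vendor": vendor, "scope": scope, "iat": now.timestamp(), "exp": exp.timestamp()}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        return f"{body}.{self._sign(body)}"

    def verify(self, token, scope, now):
        """Return (accepted, reason). Signature is checked before anything inside the token is trusted."""
        body, sep, sig = token.partition(".")
        if not sep or not hmac.compare_digest(sig.encode(), self._sign(body).encode()):
            return False, "bad signature"
        claims = json.loads(base64.urlsafe_b64decode(body))
        if now.timestamp() >= claims["exp"]:
            return False, "expired"
        if claims["scope"] != scope:
            return False, "scope mismatch"
        end = self._contracts.get(claims["vendor"])
        if end is None or end <= now:
            return False, "contract ended"
        return True, "ok"


def run_example():
    now = datetime(2024, 10, 1, 9, 0, tzinfo=timezone.utc)
    vault = CredentialVault(b"constructed-signing-key",
                            {"VendorA": datetime(2024, 12, 31, tzinfo=timezone.utc)})
    # The vendor asks for 30 days; the vault caps the credential at 24 hours.
    token = vault.issue("VendorA", "finance_db:backup", timedelta(days=30), now)
    results = {
        "fresh": vault.verify(token, "finance_db:backup", now + timedelta(hours=1)),
        "wrong_scope": vault.verify(token, "finance_db:transfer", now + timedelta(hours=1)),
        "after_25h": vault.verify(token, "finance_db:backup", now + timedelta(hours=25)),
        "tampered": vault.verify(token.partition(".")[0] + "." + "0" * 64, "finance_db:backup", now),
    }
    # Procurement terminates the contract two hours in: the still-unexpired token stops working,
    # and the vault refuses to mint a new one.
    vault.update_contract("VendorA", now + timedelta(hours=2))
    results["contract_ended"] = vault.verify(token, "finance_db:backup", now + timedelta(hours=3))
    try:
        vault.issue("VendorA", "finance_db:backup", timedelta(hours=1), now + timedelta(hours=3))
        results["reissue_after_end"] = "issued"
    except PermissionError:
        results["reissue_after_end"] = "refused"
    return results


if __name__ == "__main__":
    for name, outcome in run_example().items():
        print(f"{name:18} {outcome}")
```

The contrast with `LEGACY_DB_PASSWORD` is the whole point: the vault-issued token carries its own expiry, its scope and the contract it belongs to, so the 2012-style credential that "cannot be easily rotated" is replaced by one that does not need rotating because it is dead within a day. In production the signing key would itself live in an HSM or managed KMS rather than in code, and the contract register would be the procurement system of record.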
The Regional Domino Effect: How Ghost Identities Threaten India's Digital Sovereignty
1. Critical Infrastructure as the Prime Target
India's 14 critical information infrastructure sectors (as defined by NCIIPC) face escalating risks. The Power Grid Corporation of India, for example, discovered in 2023 that:
- 27% of its SCADA system credentials belonged to vendors no longer under contract
- 18% of these had privileges to issue grid control commands
- 4 credentials dated back to the 2012 grid modernization project
2. The Cross-Border Exploitation Vector
Ghost identities create ideal persistence mechanisms for state-sponsored actors. The Indian Computer Emergency Response Team (CERT-In) has tracked:
- APT groups using abandoned vendor credentials to maintain access for 12+ months
- Ransomware operators specifically targeting organizations with high ghost identity counts
- Supply chain attacks where compromised vendor credentials are used to infect multiple clients
North East's Geopolitical Exposure
The region's strategic importance and cross-border digital connections create unique risks:
- International bandwidth dependencies: 60% of the region's internet traffic is routed through Bangladesh and Myanmar, exposing it to foreign surveillance
- China-linked APT activity: CERT