Modern enterprise networks are extremely complex environments that rely on hundreds of apps and infrastructure services. These systems need to interact safely and efficiently without the constant human surveillance of non-human identity (NHI). NHI has exploded in recent years, including application secrets, API keys, service accounts and OAUTH tokens. In some companies, NHIS currently outperforms human identity by up to 50:1.
However, NHIS introduces its own risks and management challenges that are making security leaders a high alert. According to a recent report from the Enterprise Strategy Group, 46% of organizations have experienced compromises in their NHI accounts or credentials, with an additional 26% suspected.
It is no wonder that the difficulty of NHIS in presenting monitoring, risk reduction and governance has become a recurring topic at OKTA’s CISO forum. Here we explore their rise, risks, and how CISOs and security leaders manage them today.
The epic rise of the NHIS
The rise in NHIS can stem from the increased use of cloud services, AI and automation, and digital workflows. More and more tasks are automated and humans are not part of the equation, so it is likely to continue.
NHIS allows apps to authenticate with each other, both within a specific domain and across third-party applications, such as cloud services. Because these secrets, keys, and tokens are as sensitive as the credentials used by humans, and in some cases, they can provide strong access to certain applications and services in the event of an enemy being leaked.
CISO is paying attention. In fact, more than 80% of organizations expect to increase spending on non-human identity security.
According to Mark Sutton, CISO at Bain Capital, “Nonhuman identity has become the focus of the team based on identity and the maturity of the access management program. With some resolution of user identity, it is becoming the next hot fire.
Simply put, once an organization has established strong protocols to ensure human identity, the logical next step is to tackle NHIS. “And also, non-human identities are part of the threat situation and where the attacker moves on.”
NHIS Secret Leakage and Other Risks
Like any other set of credentials, NHIs are sensitive and need to be protected. However, humans can employ robust security measures such as MFA and biometric authentication to protect sensitive credentials, but NHIS often relies on less secure means of authentication. This makes it easier to target attackers.
NHI’s secret leaks are also a serious concern. This can happen in a variety of ways, whether you hardcode it into your application’s source code or accidentally copy it and paste it into a public document. Secret leaks are a serious issue, and secrets often appear in public github repositories. In fact, security company Gitguardian discovered more than 27 million new secrets in a public repository last year. This creates even more problems when you consider that the NHI secrets are not spinning very often in most environments. Therefore, the useful life of leaked secrets can be quite long.
Additionally, because it often requires extensive permanent permissions to perform tasks, NHIS can accumulate excess privileges and increase the attack surface even further. All of this is a major target for NHIS and a major challenge for CISO and its security teams.
Three challenges CISOS faces in securing NHIS
The NHIS is currently on CISOS radar, but securing them is another story. Below are the three challenges we’ve been hearing from the CISO and how they manage them.
- Gain vision. The biggest hurdle to trying to secure and manage NHIS is actually finding them. Visibility into the locations of NHIS in the environment may be limited, and discovering all or most of them is a difficult task. Many organizations have thousands of NHIs that they didn’t even know existed. Here, the old saying, “I can’t ensure that I can’t guarantee that I can’t guarantee that I don’t know.” is true. This means that NHIS discovery and inventory are important. Implementing an Identity Security Astute Management Solution helps administrators and security experts identify NHIs across their organizations.
- Prioritizing and reducing risk. The next challenge is to prioritize risks related to the NHIS in the environment. Not all NHIs are created equally. Finding the most powerful NHIS and identifying privileged NHISs is an important step in ensuring these identities. Many service accounts and other NHIs have far more privileges than they actually need, creating risk for the organization. Identifying high-value NHIS and adjusting privileges and permits can help reduce that risk. “It’s about understanding the blast radius associated with each non-human identity and asking, “What is the risk?” Not all NHIs are harboring the same threat,” Sutton emphasized.
- Establishing governance. Today, so many NHIs are created, governance has become a real thorn on the part of the CISO. But if they are not properly governed, bad things can happen. For example, consider a series of Internet archive violations that were linked to indifferent tokens in October 2024. Understand who is creating NHIs, how they are creating them, and what purposes it is a good first step. Security teams must then establish a clear process for managing non-human identities so that they cannot be created at will. “We have to think about what our authentication and password policies are,” Sutton says. “For example, there may be many service accounts with weak static passwords that have not been spinning over many years. How do I make sure I manage these?”
Final Thoughts
Nonhuman identity is essential to today’s businesses and helps to automate processes, enable integration and ensure smooth operation. Challenges: They are difficult to secure and are attractive targets for threat actors. Because they are often unexpanded, lack MFA, use static credentials, and have excessive privileges.
After all, nonhuman identities and human identities may have different characteristics and needs, but both require an end-to-end approach to protect them. NHIS may not be a person, but they are more and more powerful actors in your environment. It allows them to be made urgent rather than optional.
Join the webcast on August 18th to learn how organizations reduce risk and complexity by managing all their identities (human or not) under one unified system.
