The challenges of managing non-human identities [Q&A]
Non-human identities (NHIs) outnumber human identities by between 10 and 50 times, but the industry lacks solutions to properly address this hole in the security perimeter.
Traditional IAM solutions and best practices aren't sufficient when it comes to managing NHIs, as evidenced by some recent breaches that have stemmed from exploitation of NHIs.
We spoke to Danny Brickman, CEO and co-founder of Oasis Security, to learn more about NHIs and how enterprises can manage them effectively.
BN: What are non-human identities and what role do they play in enterprises today?
DB: An NHI is a digital construct that describes the credentialed access leveraged for machine-to-machine communication. These identities include service accounts, tokens, access keys, API keys, and more. NHIs are critical components of modern business operations across all sectors and industries. Take the financial services industry, for example: NHIs play a fundamental role across all major technology priorities, like AI, fintech, blockchain and open banking, enabling secure access to applications and data across distributed systems. As organizations adopt more cloud services and automation, the number of NHIs grows exponentially. In an average enterprise environment today, NHIs outnumber human identities on average by a factor of 20x, according to recent ESG research. NHI is the most rapidly expanding type of identity and the least governed attack surface for organizations.
BN: What are some of the top challenges when it comes to managing NHIs? Why do traditional identity and access management solutions and best practices fall short?
DB: While human identities are typically managed through well-established governance processes and mature IGA and Privileged Access Management (PAM) systems, NHIs often fly under the radar. Created by developers and DevOps teams directly within cloud platforms, SaaS applications, Kubernetes clusters, and CI/CD pipelines, NHIs frequently bypass standard IT workflows and security checks.
Traditional security tools, like PAM systems designed for human users, cannot track NHIs throughout their lifecycle or understand their relationships with applications, data, and other resources. PAM and Identity and Access Management (IAM) solutions cannot address the scale, ephemerality, and distributed nature of NHIs. Adding to this risk, NHIs are often privileged service accounts, used to access sensitive data, and cannot be protected with multi-factor authentication. With traditional identity and access management solutions and best practices rendered obsolete, and NHIs proliferating every day, the industry needs solutions to properly secure this massive attack surface. That's where Oasis Security comes in.
BN: What are the security risks when it comes to improper management of NHIs, and what are some real-world examples of those risks turning into security incidents?
DB: The rapid and widespread creation of NHIs, combined with the lack of centralized tracking systems, leads to significant governance issues. This can result in severe security risks like data leaks and unauthorized access. Lack of NHI management leaves misconfigurations, unrotated secrets, and over-privileged access vulnerabilities exposed to unauthorized access, data exfiltration, and ultimately, costly cyberattacks.
Unmanaged NHIs are a critical security weakness that malicious cyber attackers consistently exploit. ESG research indicates that over 46 percent have been subject to an NHI breach in the last 12 months. NHIs have massively expanded the enterprise perimeter. Notable high-profile cyber incidents have underscored how compromised NHIs can lead to significant security breaches, highlighting why a robust NHI management framework is a strategic imperative for sustaining business operations in our interconnected world. For example, exploitation of NHIs has led to high-profile breaches like the Dropbox security incident, and others from Okta, Slack, and Microsoft. Modern NHI management solutions are pivotal in addressing these challenges and helping organizations prevent potentially devastating cyberattacks.
BN: Against this backdrop, what are the best practices for securing and managing NHIs?
DB: Until recently, identity security was synonymous with governance and access management for human identities. This is no longer the case as NHIs have massively expanded the enterprise perimeter. Modern NHI management solutions are pivotal in helping organizations prevent potentially devastating cyberattacks.
Now is the time for enterprises and midmarket organizations alike to incorporate comprehensive NHI management into their security and identity programs. Core best practices for managing NHIs include:
- Maintain a comprehensive and up-to-date inventory of all NHIs within the organization
- Understand the business context and owners of each NHI
- Apply the principle of least privilege
- Monitor the environment continuously to detect and respond to suspicious activities involving NHIs
- Define governance policies and implement them via automation
- Prioritize secret rotation
- Decommission stale and orphaned service accounts
NHI management is a security, operational and governance challenge. To effectively address it, organizations need a purpose-built enterprise platform that solves all three. Successful NHI management requires not only discovering NHIs in real time and without prior knowledge of them, but also understanding their individual business context (usage, consumers, owners, authentication methods, entitlements, resources, risk factors, behavior, etc.). In order to achieve this, modern NHI management solutions must be able to ingest vast amounts of data from a wide range of sources (audit logs, IDP, Vaults, DSPMs, ASPMs, etc.) and continuously analyze it with advanced AI/ML, Large Language Models (LLMs) and behavioral analytics techniques.
BN: GenAI is among the hottest topics in technology and cybersecurity today. Where do NHIs fit in when it comes to challenges and opportunities?
DB: GenAI has rapidly become a game-changer, transforming industries -- particularly in technology and cybersecurity -- as companies rush to unlock its potential. Retrieval-Augmented Generation (RAG) architecture, which combines the power of LLMs with domain-specific data to power chat or Q&A-based applications, is becoming the go-to foundation for enterprise GenAI implementations. With a RAG framework, companies can build applications that are highly customized to their workflows.
Despite the benefits, this comes with challenges when it comes to data privacy, integrity, and security. One overlooked, yet fundamental best practice to follow is proper NHI management and governance.
Data sources -- and the corresponding access methods -- are at the heart of many risks when it comes to NHIs and RAG. Storage accounts are often used as a repository for unstructured data, and leveraged in the implementation of RAG architecture-based applications. Exploring some of the access methods leveraged for storage accounts in cloud environments highlights the potential risks. For example, Azure Blob Storage allows many forms of identity and access management: SAS tokens, service principals (Entra ID), and access keys. When configuring any of these access methods, it's critical to apply the principle of least privilege and adhere to accepted best practices. Yet, it is common to see very old and unrotated (full access by default) access keys, SAS tokens with privileged access and a very long time-to-live (TTL), or service principals whose usage is stale and whose secrets are unrotated.
Secrets used to assume non-human identities (like those described above) are sometimes stolen, accidentally exposed, or kept by former employees upon exit. The resulting risk to an application is multi-pronged. Data privacy for any AI training data is a priority; sensitive data and the identities used to access it should be locked down, monitored, and their lifecycle managed properly. Improper hygiene of NHIs can lead to data leakage, evidenced by recent high-profile security incidents.
Data poisoning also poses a unique risk in RAG architectures, where cloud-based data sources can be edited via NHIs. Ensuring the integrity of training data is crucial, as unauthorized additions or modifications can lead to incorrect or harmful outputs. Users increasingly rely on AI to complete day-to-day tasks; decision-making based on responses generated from poisoned data could have devastating and far-reaching consequences.
Credential mismanagement is another critical issue. A study by the Ponemon Institute found that 60 percent of organizations do not regularly rotate credentials for non-human identities, such as service accounts and API keys. This lack of credential rotation significantly increases the risk of unauthorized access and security breaches. When credentials are not rotated regularly, they become vulnerable to exploitation by malicious actors who can use them to gain unauthorized access to systems and data. This can lead to data theft, system compromise, and other security issues.
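The hygiene problems discussed in the answers above (unrotated access keys and service-principal secrets, SAS tokens with write permissions or a long TTL, stale or ownerless identities) can be checked mechanically once an inventory exists. The following is an added example, not code from the interview or from Oasis Security: a small Python audit over a constructed inventory; the record format, the finding codes and the policy thresholds are assumptions.

```python
"""Added example: flag NHI hygiene issues in a constructed inventory.
Record format, thresholds and finding codes are assumptions, not a product API."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

NOW = datetime(2024, 9, 1, tzinfo=timezone.utc)  # fixed "today" so results are deterministic
MAX_KEY_AGE_DAYS = 90    # assumed rotation policy for storage keys and SP secrets
MAX_SAS_TTL_DAYS = 7     # assumed ceiling for SAS token lifetime
MAX_IDLE_DAYS = 60       # assumed threshold for "stale" service principals
WRITE_PERMS = set("wdac")  # SAS 'sp' letters that allow changing data (write, delete, add, create)

# Constructed inventory, standing in for the output of a discovery tool. 'sig' values are redacted.
INVENTORY = [
    {"id": "stor-acct-key1", "type": "access_key", "owner": None,
     "created": "2022-01-15T00:00:00Z"},
    {"id": "rag-ingest-sas", "type": "sas_token", "owner": "data-eng",
     "sas": "sv=2022-11-02&ss=b&srt=sco&sp=rwdlac&se=2030-01-01T00:00:00Z&sig=REDACTED"},
    {"id": "rag-reader-sas", "type": "sas_token", "owner": "ml-team",
     "sas": "sv=2022-11-02&ss=b&srt=o&sp=r&se=2024-09-03T00:00:00Z&sig=REDACTED"},
    {"id": "sp-legacy-etl", "type": "service_principal", "owner": "data-eng",
     "last_used": "2024-03-01T00:00:00Z", "secret_created": "2023-01-01T00:00:00Z"},
]

def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_nhi(nhi, now=NOW):
    """Return the list of finding codes for one inventory record."""
    findings = []
    if not nhi.get("owner"):
        findings.append("NO_OWNER")  # no business owner: nobody to approve or decommission it
    if nhi["type"] == "access_key":
        if (now - _parse_ts(nhi["created"])).days > MAX_KEY_AGE_DAYS:
            findings.append("KEY_UNROTATED")
    elif nhi["type"] == "sas_token":
        # parse_qs also URL-decodes the 'se' (expiry) field, which is usually percent-encoded
        q = {k: v[0] for k, v in parse_qs(nhi["sas"]).items()}
        if _parse_ts(q["se"]) - now > timedelta(days=MAX_SAS_TTL_DAYS):
            findings.append("SAS_LONG_TTL")
        if WRITE_PERMS & set(q.get("sp", "")):
            findings.append("SAS_WRITE_PERMS")  # can alter RAG source data, not just read it
    elif nhi["type"] == "service_principal":
        if (now - _parse_ts(nhi["last_used"])).days > MAX_IDLE_DAYS:
            findings.append("SP_STALE")
        if (now - _parse_ts(nhi["secret_created"])).days > MAX_KEY_AGE_DAYS:
            findings.append("SP_SECRET_UNROTATED")
    return findings

def audit_inventory(inventory=INVENTORY, now=NOW):
    """Map each NHI id to its findings; an empty list means the record passed every check."""
    return {n["id"]: audit_nhi(n, now) for n in inventory}
```

Each finding maps back to one of the best practices listed earlier (ownership, least privilege, rotation, decommissioning), so the same output can drive an automated governance workflow rather than a manual review.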
Image credit: BiancoBlue/Dreamstime.com