A Practical Approach to Non-Human Identity

Anyone following recent trends in cybersecurity and identity management is aware of the surge of interest in non-human identity management. This comes as no surprise - as software integration and enterprise adoption of emergent technologies (like artificial intelligence) increases, non-human identities (“NHIs”) proliferate. At the same time, the associated risks grow - 85% of recent breaches have involved a non-human identity (1). When used appropriately, non-human identity can be a massive value and productivity driver for your organization. However, strong non-human identity management is imperative for you to reap these benefits without accepting compromised security or excessive operational burden.

Strong management requires an understanding of what NHIs exist, how they are being used and should be used. Foundational to this is knowing what constitutes a “non-human identity”. Non-human identity is a confusing term for many as it focuses more on what an identity is not rather than what it is. So what exactly is a non-human identity? A service account? A certificate? A pet? An alien? At Natoma, we look at all identities along two dimensions:

1. Human vs. Non-Human Actor - can the identity in question be definitively associated with a single individual or not

2. Interactive vs. Programmatic Behavior - does the identity in question operate using clicks (as a human typically interacts with software) or API calls (as a computer program might)

Non-human identity management focuses on any identity that cannot be associated with a single individual or behaves programmatically, atypical of most humans. Now, let’s take a closer look at how different identities fit into each of these categories.

Human-Driven Automation

While these identities are directly associated with an individual, they can also behave in a manner more typical of code than humans. For example, they may have an API key or personal access token that can be used to power automations or integrations between systems. OAuth delegated authorizations are another popular use case. A user giving an AI agent access to data or to perform actions on their behalf is a common example today.

Since an existing human identity is being reused, this is often the lowest friction way to introduce a new automation or software integration. However, this lack of friction compromises an organization’s security posture. All infrastructure powered by this identity, such as automations and integrations, relies on a human. If that individual leaves the organization, the infrastructure reliant on them will break and leave teams scrambling to pick up the pieces. Additionally, this approach is incompatible with a position of least privileged access. In the majority of scenarios, either the human identity or the integration will be granted excessive privileges, making this identity an attractive target.

Multi-Actor Access

These identities are associated with multiple individuals and typically only interact with software via UI. These are very common in software as many systems heavily use shared or break glass accounts. More than one individual may leverage this identity to perform maintenance tasks or troubleshoot urgent issues.

Often, these identities are intended for exceptional use and carry elevated privileges. Additionally, since most systems log activity at the account level, it is difficult to associate activity from these identities back to a specific individual. Given that the access is shared by multiple users, credentials often are often rotated infrequently to reduce friction. While these identities are necessary for business operations, if unprotected, they represent an exploitable vector for attackers and a potential blind spot for security teams.

System-Driven Automation

The final category, identities are not associated with a single individual and behave in a way atypical to humans. Many people immediately think of service accounts or integration users that power automated processes or software-to-software integration. For example, a service account may trigger processes in a CI / CD pipeline after a new PR is merged to a main repository in GitHub. However, this category also includes other digital credentials such as certificates, access keys, and other secrets used to authenticate machines, devices, and other non-human entities.

These identities often have sensitive standing permissions and lack high assurance authentication. They are a major vulnerability for organizations if not properly maintained.

Now that we understand the risks associated with each category of identity, how do you manage each type to keep your organization secure?

Human-Dependent Automation

Minimize any programmatic activity associated with individual human actors

Multi-Actor Access

Monitor access to these identities to ensure that it is secured appropriately and follows well-defined operating procedures (such as checking in and out of credentials, associated documentation of proposed activity, and session recording)

System-Driven Automation

Manage these identities according to the principles of zero trust. Ensure that permissions are minimized in size and time. Secure all credentials through strict access controls and periodic rotation. Leverage secure technologies like demonstrated proof of possession and transaction tokens.

This framework provides a mental model to approach non-human identity management. A robust non-human identity management solution must be easily operationalized within your organization, with capabilities including:

• Discovery - understand what non-human identities exist, as well as where and how they are being used

• Profiling - identify where best practices are not being followed, exposing your organization to risk

• Remediation - provide recommendations and automated actions to improve your security posture while integrating seamlessly with your existing business processes

Non-human identity is key to the productivity and success of any growing business. However, if approached haphazardly, it can expose you to major security risks. Use this framework as a mental model for how to safely and securely leverage NHIs.

If you would like to learn more about how Natoma’s solution can help, please review our other content, book a demo, or follow us on LinkedIn.