The Invisible Army of Non-Human Identities

The future of cybersecurity will be shaped by how well we manage the explosion of NHIs.

Vaibhav Malik, Partner Solutions Architect

October 11, 2024

4 Min Read
Silhouette of a human head and side view of robot head
Source: Brain light via Alamy Stock Photo

COMMENTARY

Imagine a vast and invisible army silently infiltrating your organization's digital defenses. No, this isn't the plot of a sci-fi thriller — it's the reality of non-human identities (NHIs) in today's cybersecurity landscape. As a seasoned security architect, I've watched this hidden force grow from a manageable contingent to a sprawling, often ungoverned multitude that's keeping chief information security officers (CISOs) awake at night. 

In my journey across startups and Fortune 500 companies, I've witnessed firsthand the mixed effects of NHIs. They keep our digital machinery running smoothly — but they are also a potential treasure trove for attackers looking to exploit our blind spots. It's time to shine a light on this invisible army and develop strategies to harness its power while mitigating its risks. 

The Scale of the Problem

Consider this: For every 1,000 human users in your organization, you likely have 10,000 non-human connections or credentials. Some estimates suggest the ratio could be as high as 45-to-1. These NHIs include service accounts, system accounts, API keys, tokens, and other forms of machine-based authentication that facilitate the complex web of interactions in our modern digital ecosystem. 

Why NHIs Matter

  1. Attack surface expansion: Each NHI represents a potential entry point for attackers. With their often-elevated privileges and lack of human oversight, compromised NHIs can be a goldmine for malicious actors. 

  2. Visibility challenges: Unlike human users, NHIs often operate in the background, created by developers or systems without proper governance. This lack of visibility makes them a significant blind spot for many security teams. 

  3. Privilege sprawl: Studies show that only 2% of permissions granted for NHIs are actually used. This massive overprovisioning of access rights creates an unnecessary risk landscape. 

  4. Third-party risk: NHIs often facilitate connections to external services and partners. When these third parties experience a breach, your organization's NHIs become a potential vector for lateral movement. 

Real-World Implications

The importance of securing NHIs is more than just theoretical. Recent high-profile incidents underscore their critical role in modern attacks. 

Nation-state actors have demonstrated proficiency in abusing OAuth applications to move laterally across cloud environments. At the same time, major software companies like Microsoft and Okta have fallen victim to attacks leveraging compromised machine identities. In a recent Securities and Exchange Commission (SEC) filing, even Dropbox disclosed a material incident involving a compromised service account

Practical Steps for Mitigation

  1. Discovery and inventory: You can't secure what you can't see. Implement tools and processes to continuously discover and catalog NHIs across all environments, including software-as-a-service (SaaS) applications. 

  2. Posture management: Go beyond simple inventory. Understand the permissions associated with each NHI, their usage patterns, and the potential risk they pose. 

A Call to Action

The explosion of NHIs represents both a challenge and an opportunity for the cybersecurity community. While the scale of the problem can seem daunting, we're ahead of the curve compared to where we were with human identity access management (IAM) decades ago. 

In my conversations with CISOs and security leaders, I've started to see a shift in mindset. There's a growing recognition that NHI security needs to be elevated to a top-tier priority, on par with traditional IAM and network security initiatives. 

As we move forward, I'm cautiously optimistic. The technology and practices to secure NHIs are evolving rapidly. We can turn the tide on this silent tsunami of risk with the right mix of visibility, automation, and a security-first culture. 

The future of cybersecurity will be shaped by how well we manage the explosion of non-human identities. As security professionals, it's our responsibility to lead the charge in this new frontier of identity security. Are you ready to meet the challenge? 

About the Author

Vaibhav Malik

Vaibhav Malik

Partner Solutions Architect

Vaibhav Malik has more than 14 years of experience in networking and security. He collaborates with global partners to create and deploy robust security solutions for enterprise clients. Malik is a recognized thought leader and expert in zero-trust security architecture. His previous roles at large service providers and security companies involved assisting Fortune 500 clients with network, security, and cloud transformation projects. He champions an identity and data-centric approach to security and is a popular speaker at industry events. With a master's in telecommunication from the University of Colorado Boulder and an MBA from the University of Illinois Urbana-Champaign, Malik's extensive expertise and hands-on experience make him an invaluable asset for organizations aiming to strengthen their cybersecurity posture in today's complex threat landscape.

See more from Vaibhav Malik
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
Subscribe

You May Also Like

More Insights
Webinars
More Webinars
Events
More Events

Editor's Choice

A laptop on the table with software update progress bar on screen
Vulnerabilities & Threats
5 Zero-Days in Microsoft's October Update to Patch Immediately5 Zero-Days in Microsoft's October Update to Patch Immediately
byJai Vijayan, Contributing Writer
Oct 8, 2024
4 Min Read
Green mamba, Dendroaspis angusticeps
Cyberattacks & Data Breaches
Mamba 2FA Cybercrime Kit Targets Microsoft 365 UsersMamba 2FA Cybercrime Kit Targets Microsoft 365 Users
byTara Seals, Managing Editor, News, Dark Reading
Oct 9, 2024
1 Min Read
Glass salt shaker tipped over and spilling
Cyber Risk
Salt Typhoon APT Subverts Law Enforcement Wiretapping: ReportSalt Typhoon APT Subverts Law Enforcement Wiretapping: Report
byTara Seals, Managing Editor, News, Dark Reading
Oct 7, 2024
2 Min Read
Reports
More Reports
Webinars
More Webinars
White Papers
More Whitepapers
Events
More Events