Non-Human Identities (NHIs) are an emerging focus for Security Operations Centers (SOCs) in the age of automation and autonomous tooling. Many of the most recent cyber-attacks have turned on compromised NHIs (leaked secrets, machine identities, OAuth tokens), so securing them has become a front-line concern for protecting confidential information and other digital assets.

The Problem

Findings from recent research by Entro Labs indicate that NHIs outnumber human identities in modern enterprises by more than 92:1, so they demand more extensive visibility and investigation throughout the enterprise than ever before. Their rapid proliferation has turned security exposure into a de-facto standard practice: while Identity and Access Management (IAM) tools and Identity Governance and Administration (IGA) processes safeguard human identities and manage their lifecycles (onboarding, offboarding, role changes, etc.), NHI management workflows typically lack in-line enforcement, governance, and administrative ownership. As a result, most enterprises fail to secure this enormous exposure surface, and many do not attempt to at all.

Ghosts in the Machine

Non-human identities are created, stored, and used in disparate places, often with little planning or oversight. When the humans who created them leave the organization to move on in their careers, they leave behind orphaned 'ghost' NHIs: credentials that no legitimate process uses any more but that remain valid, and so give a bad actor who finds them very real access. Because each human employee creates many NHIs, ghost NHIs can quickly outnumber the valid NHIs actively in use, needlessly inflating the complexity and administrative cost of NHI management.

Secret Rotation and NHI security

Secrets (API keys, tokens, passwords, certificates and their private keys) are the credentials that authenticate NHIs. For legitimate NHIs in active business use, a common best practice is to rotate those secrets periodically, bounding the window of exposure if a secret is leaked or an NHI is compromised. With an average rotation interval of 627 days, many enterprises struggle with secrets rotation, so even where expired NHIs are cleaned up, significant risk and exposure often remain.

Additionally, a majority of these NHIs are over-used (the same secret is used in more than one place and/or for more than one purpose), which complicates rotation and enlarges both the likelihood and the blast radius of a compromise. IBM's 2024 Cost of a Data Breach Report found that, after identification, the average time to contain an incident was 64 days. Exploitation of a single secret can grant access to critical systems, from which an attacker can harvest additional NHIs and widen the scope of the compromise further, all before the initial exploitation is detected.

You need to look everywhere

Gaining visibility into the historical context and behavior of individual NHIs across every platform and service in the enterprise is necessary both to identify exposure risks and to find NHIs that were compromised in the past. According to IBM's 2024 Cost of a Data Breach Report, breaches involving stolen or compromised credentials took 292 days to identify and contain, 34 days longer than the overall average for all breach types. With historical context, SOC teams can identify previously compromised NHIs, NHIs whose secrets have not been rotated per policy or industry-specific compliance requirements, over-permissive NHIs (those with more privileges than they actually use to perform their functions), and more.

Start with the Past

An NHI is created to serve one purpose and spends its life routinely performing that function. Against that historical context, anomalies and behavior outside the NHI's intended scope stand out readily; without it, a single compromised NHI could quietly cripple an organization without leaving an obvious trace.

Learn what you can

It's therefore imperative to begin the journey of securing NHIs with discovery, and a complete inventory of the NHIs in the organization is only the starting point. Successfully securing NHIs means knowing that they exist, what their intended functions are, and comparing that context against their historical and real-time behavior. Permissions should then be scoped on a least-privilege basis, restricting each NHI's privileges and capabilities to the function it is intended to perform.

Through discovery of these identities and comparison of their current behavior with their history, deviations from established behavioral baselines and from best practice can be detected across the environment, enabling a more proactive posture. For example, an NHI that has fetched one specific data set for five years cannot "change its mind" and fetch something else without external intervention from another human or non-human identity. Such a deviation should be treated as a potential compromise by a bad actor until it can be traced to a legitimate, authorized change.

Understand what you know

In some cases a non-human identity is over-permissive. Given historical context, such identities are easy to find: enumerate the set of actions the identity has actually performed in the past and restrict its permission scope to those. Restricting NHIs to their historical functions enforces a least-privilege, Zero Trust approach to permission scoping, similar to the access restrictions IAM enforces on a human identity. One caveat: the observation window must be long enough to cover infrequent but legitimate activity (quarterly jobs, disaster-recovery runbooks), or the tightened policy will break them.
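The following Python is an added illustration of the approach described in the last three sections (finding ghost identities, building a behavioral baseline from history, and scoping permissions to what was actually used). It is example code written for this page, not Entro Security's product or tooling. The audit events (CloudTrail-style JSON lines), the identity names, the granted permission sets, the 90-day inactivity threshold and the reference "now" are all constructed assumptions.

```python
"""NHI baseline from audit history: ghost identities, anomalies, unused permissions.

Added example; not Entro Security's code. All data below is constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit log, one JSON event per line. Real inputs would be
# CloudTrail, Kubernetes audit logs, CI/CD logs, database audit trails, etc.
HISTORICAL_LOG = """
{"time": "2024-09-01T02:00:00Z", "principal": "svc-reporting", "action": "s3:GetObject", "resource": "arn:aws:s3:::sales-exports/daily.csv"}
{"time": "2024-10-01T02:00:00Z", "principal": "svc-reporting", "action": "s3:GetObject", "resource": "arn:aws:s3:::sales-exports/daily.csv"}
{"time": "2024-11-01T02:00:00Z", "principal": "svc-reporting", "action": "s3:GetObject", "resource": "arn:aws:s3:::sales-exports/daily.csv"}
{"time": "2024-11-01T02:05:00Z", "principal": "svc-reporting", "action": "s3:ListBucket", "resource": "arn:aws:s3:::sales-exports"}
{"time": "2024-06-20T11:00:00Z", "principal": "svc-legacy-etl", "action": "s3:GetObject", "resource": "arn:aws:s3:::archive/2019.tar"}
{"time": "2024-11-15T09:00:00Z", "principal": "ci-deployer", "action": "ecs:UpdateService", "resource": "arn:aws:ecs:us-east-1:123456789012:service/web"}
"""

# Constructed: permissions each identity has been granted (e.g. from its IAM policy).
GRANTED = {
    "svc-reporting": {"s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:DeleteObject", "iam:PassRole"},
    "svc-legacy-etl": {"s3:GetObject", "s3:PutObject"},
    "ci-deployer": {"ecs:UpdateService", "ecs:DescribeServices"},
}

INACTIVITY_DAYS = 90  # assumed policy: no activity for 90 days => candidate ghost
NOW = datetime(2024, 12, 1, tzinfo=timezone.utc)  # assumed reference time for the example


def parse_events(log_text):
    """Parse JSON-lines audit events; timestamps become aware UTC datetimes."""
    events = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def build_baseline(events):
    """Per-identity profile: observed (action, resource) pairs, actions, last activity."""
    baseline = defaultdict(lambda: {"pairs": set(), "actions": set(), "last_seen": None})
    for ev in events:
        p = baseline[ev["principal"]]
        p["pairs"].add((ev["action"], ev["resource"]))
        p["actions"].add(ev["action"])
        if p["last_seen"] is None or ev["time"] > p["last_seen"]:
            p["last_seen"] = ev["time"]
    return dict(baseline)


def ghost_identities(baseline, now=NOW, inactivity_days=INACTIVITY_DAYS):
    """Identities with no observed activity for longer than the policy threshold."""
    cutoff = now - timedelta(days=inactivity_days)
    return sorted(name for name, p in baseline.items() if p["last_seen"] < cutoff)


def unused_permissions(baseline, granted):
    """Granted permissions never exercised in the observed history (least-privilege candidates)."""
    return {name: sorted(perms - baseline.get(name, {"actions": set()})["actions"])
            for name, perms in granted.items()}


def classify_event(baseline, ev):
    """Compare one new event against its identity's historical baseline."""
    p = baseline.get(ev["principal"])
    if p is None:
        return "unknown-identity"  # never seen before: undiscovered or newly minted NHI
    if (ev["action"], ev["resource"]) in p["pairs"]:
        return "baseline"          # routine behavior
    if ev["action"] in p["actions"]:
        return "new-resource"      # known action against a never-seen target
    return "new-action"            # never-seen action: strongest signal, investigate first


if __name__ == "__main__":
    base = build_baseline(parse_events(HISTORICAL_LOG))
    print("ghost identities:", ghost_identities(base))
    print("unused permissions:", unused_permissions(base, GRANTED))
    # Constructed "live" event: the reporting job suddenly reads payroll data.
    live = {"principal": "svc-reporting", "action": "s3:GetObject",
            "resource": "arn:aws:s3:::hr-payroll/salaries.csv"}
    print("live event class:", classify_event(base, live))
```

In practice the baseline window should span at least one full business cycle so that infrequent legitimate jobs are captured, and "new-resource" and "new-action" findings should be correlated with change records (deployments, ticket references) before they are treated as compromises, since a legitimate change is itself an "external intervention" of the kind the text describes.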

When this contextual awareness is coupled with existing orchestration and automation tooling, the simpler anomalies can be identified and responded to instantly, freeing SOC teams to focus on forensics and analysis of more complicated incidents. Context matters even more here because of an identity's "one-to-many" interactions: multiple compromised NHIs can "collaborate" to compromise additional assets, and their interactions do not fit on the single, linear timeline of events associated with a single-NHI incident.

Plan for the future

Securing Non-Human Identities is particularly critical, and particularly difficult, for businesses with global continuity, compliance, and uptime requirements and with rapidly scaling development teams, such as fast-growth tech companies. While these challenges magnify the complexity of delivering a successful NHI security program, the same steps are needed to secure any enterprise, regardless of complexity or scale:

  1. Perform an enterprise-wide discovery and identification project to establish visibility across all platforms where NHIs and secrets can be created, shared, stored, or used.
  2. Conduct a risk assessment to determine the existing exposure scope.
  3. Define NHI governance and administration processes to significantly reduce future risk.
  4. Integrate existing tooling and assets to minimize the additional work Security Operations must take on to monitor and respond to ongoing threats.

With such a platform-based approach to securing Non-Human Identities across the organization, enterprises can substantially reduce this part of their attack surface.

Itzik Alvas — Co-founder & CEO, Entro Security
This article is a contributed piece from one of our valued partners.