
Where Non-Human Identities (NHIs) and Human Identities Converge: A Comprehensive Approach to Identity Security

Introduction

In the rapidly evolving landscape of enterprise security, the lines between human and non-human identities are increasingly blurred. Traditionally, disciplines like Identity and Access Management (IAM), Identity Governance and Administration (IGA), and identity security have focused on protecting human identities—employees, customers, and partners. However, with the proliferation of applications and other enterprise workloads leveraging service accounts, service principals, and the like, the scope of “identity products” must also expand. This shift necessitates a comprehensive approach to identity security that addresses both human and non-human identities, recognizing their overlaps and unique challenges. Only platforms that integrate both facets can meet the needs of modern enterprises.

There are five key drivers why NHIs and human identities need a comprehensive solution:

1. NHI and Human Identities Blend Together

NHIs often simply use accounts intended for humans, which makes it hard to understand your environment or the extent of the risk. Identifying these “shadow NHIs” usually depends on the specific practices in an organization and may change over time, depending on the processes in place when the service account came into use. Naming conventions, for example, are one of the most widely used identifiers. Sometimes deeper contextual analysis is required, focusing on characteristic behavioral patterns and on the absence of standard security practices such as MFA, which is often disabled for service accounts because it requires human interaction at authentication time.

Segmenting identities into human or non-human is not a simple problem. For example, knowing that an account is tied to the HR system gives a very high level of confidence that it is, in fact, a human identity. Developing solutions solely for NHIs requires a deep understanding of human identities to properly exclude them from the NHI scope. This challenge highlights the interconnected nature of human and non-human identities within enterprise security frameworks.

2. NHIs Need Human Owners

Assigning human owners to NHIs is vital for effective governance and security. An owner provides accountability for security programs like access reviews and gives you a responsible party to shepherd any operational impact of key rotation for the NHI. In turn, the owner’s lifecycle status is critical to know: what if the owner is no longer employed at the company or has taken a leave of absence?
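The heuristics above (naming convention, MFA disabled, API-only activity, with an HR link treated as near-certain human) and the owner-lifecycle check from this section, worked as an added example; this is not code from the original article, and the account records, regex and status values are constructed assumptions:

```python
"""Heuristic triage of directory accounts into human vs. (shadow) NHI, followed by an
owner-lifecycle check on the NHIs. All records are constructed for this example."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed service-account naming convention (organisation-specific; adjust to your own).
SVC_NAME_RE = re.compile(r"^(svc[-_]|sa[-_])|[-_]service$", re.IGNORECASE)

@dataclass
class Account:
    name: str
    in_hr_system: bool           # account is linked to an HR record
    mfa_enabled: bool
    interactive_logins_30d: int  # console/browser sign-ins in the last 30 days
    api_calls_30d: int           # programmatic calls in the last 30 days
    owner: Optional[str] = None  # human owner recorded at provisioning time

@dataclass
class Person:
    name: str
    employment_status: str       # "active", "leave" or "terminated"

def classify(acct: Account) -> Tuple[str, List[str]]:
    """Return ("human" | "nhi", reasons). An HR link is treated as near-certain human."""
    if acct.in_hr_system:
        return "human", ["linked to HR record"]
    reasons = []
    if SVC_NAME_RE.search(acct.name):
        reasons.append("matches service-account naming convention")
    if not acct.mfa_enabled:
        reasons.append("MFA disabled")
    if acct.interactive_logins_30d == 0 and acct.api_calls_30d > 0:
        reasons.append("API-only activity, no interactive sign-ins")
    # Require two independent signals before calling a human-style account a shadow NHI.
    return ("nhi" if len(reasons) >= 2 else "human"), reasons

def orphaned_nhis(accounts: List[Account], people: List[Person]) -> List[str]:
    """NHIs that have no recorded owner, or whose owner is not an active employee."""
    status = {p.name: p.employment_status for p in people}
    flagged = []
    for acct in accounts:
        kind, _ = classify(acct)
        if kind == "nhi" and status.get(acct.owner) != "active":
            flagged.append(acct.name)
    return flagged
```

An account with a human-style name, no MFA and only API traffic is flagged as a shadow NHI, and any NHI whose owner has left or is on leave surfaces for reassignment.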

3. Humans are often “upstream” of NHIs

Humans are often the ultimate consumers, and potentially editors, of data accessed by NHIs. For example, a service account might access data on behalf of a business intelligence (BI) application like Tableau or Looker, and that data is then viewed by human users via the BI application. Chains of access get even more complicated with permissions for OAuth delegated access. In these cases, understanding and managing the full chain of access, all the way from data to human user, is critical from an identity security perspective; stopping at the NHI would provide an incomplete picture. This underscores the need for a unified security approach that encompasses both human and non-human identities to ensure comprehensive protection.
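The data-to-human chain described above, modelled as a small access graph, as an added example that is not part of the original article; the principals, edge labels and `user:`/`oauth:` naming scheme are constructed assumptions. `direct_grantees` shows what a review that stops at the NHI sees, while `downstream_humans` walks through service accounts and OAuth delegations to the people who can ultimately read the data:

```python
"""Trace the chain of access from a data store, through NHIs and OAuth delegations, to the
humans who can ultimately read it. The access graph below is constructed for this example."""
from collections import defaultdict, deque
from typing import Dict, List, Set, Tuple

# Edge (src, dst, how): principal `dst` can read what `src` exposes, via mechanism `how`.
Edge = Tuple[str, str, str]

ACCESS_EDGES: List[Edge] = [
    ("sales_db",         "svc-bi-reader",    "service-account grant"),
    ("svc-bi-reader",    "tableau",          "BI app authenticates as the service account"),
    ("tableau",          "user:dana",        "BI viewer role"),
    ("tableau",          "user:eli",         "BI viewer role"),
    ("sales_db",         "oauth:report-bot", "OAuth delegated access"),
    ("oauth:report-bot", "user:fay",         "delegating user"),
]

HUMAN_PREFIX = "user:"  # assumed naming scheme for human principals

def direct_grantees(source: str, edges: List[Edge]) -> Set[str]:
    """What a review that stops at the first hop sees: only the NHIs, never the humans."""
    return {dst for src, dst, _ in edges if src == source}

def downstream_humans(source: str, edges: List[Edge]) -> Dict[str, str]:
    """Return {human: chain} for every human reachable from `source`, walking the graph."""
    graph: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for src, dst, how in edges:
        graph[src].append((dst, how))
    reached: Dict[str, str] = {}
    seen: Set[str] = {source}
    queue = deque([(source, source)])
    while queue:
        node, chain = queue.popleft()
        for nxt, how in graph[node]:
            if nxt in seen:
                continue
            seen.add(nxt)
            new_chain = f"{chain} -[{how}]-> {nxt}"
            if nxt.startswith(HUMAN_PREFIX):
                reached[nxt] = new_chain   # humans are sinks; record the full path
            else:
                queue.append((nxt, new_chain))
    return reached
```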

4. Common Tools and Processes

Similarities in the NHI/Human Access Review Process
Conducting access reviews for NHIs is similar to those for human accounts, focusing on NHI owners rather than managers. These reviews help ensure that NHIs have appropriate permissions and that their level of access aligns with security policies and least privilege.

Similarities in the NHI/Human Access Request Process
Requesting the creation of, and access to, NHIs should ideally mirror the process for human accounts. Standardizing these processes across both types of identities reduces complexity and ensures consistency across both operations and security.

5. Optimizing the NHI Process for Engineers: the Foundation to Securing NHIs

Streamlining the process of creating and using NHIs for engineers is essential to securing NHIs. Depending on your process and culture, engineers might be creating service accounts directly, or there might be a more centralized process to drive better consistency and security. When a service account is used, is the credential being embedded in the code, or is a Secrets Vault being used? Is the account ownership being recorded for future management and governance? Is there a process to ensure that the right schedule of key rotation can be automated or at least performed with a minimum of manual steps?

Engineers always find ways around inefficiencies; if there is an easier path to getting something working that’s outside the approved process, you should expect it to occur, probably often. If simply provisioning a human account and using it as a service account is the easiest thing, it will happen. 

On the other hand, if the secure path is ALSO the easier path, you’ve designed a good process.

  • The best approach is clearly to simplify the process of secure NHI provisioning to encourage adherence to security protocols. In most organizations, developer productivity is king.
  • This may need to be supplemented with ensuring that the broader needs of the business are fulfilled in the initial service account provisioning process. Although it might be simpler for engineers, should they be permitted to create service accounts directly? Secure development practices don’t fall by the wayside just because they’re inconvenient.

In total, productivity must be balanced with security and compliance requirements to ensure that engineers can perform their duties without compromising security and adding unacceptable risk for the organization. Assigning the right level of human permissions for your engineers is critical to ensuring a secure process of creating NHIs.

Conclusion

The convergence of Non-Human Identity (NHI) and Human Identities is essential for modern enterprise identity security. By recognizing the overlap and interdependencies between these types of identities, organizations can develop comprehensive processes that address both facets. This approach not only enhances security but also simplifies identity management and ensures robust protection against evolving threats. Embracing a unified strategy is crucial for safeguarding assets, data, and operations in an increasingly interconnected digital landscape.
