Modern enterprise networks are highly complex environments that rely on hundreds of apps and infrastructure services. These systems need to interact securely and efficiently without constant human oversight, which is where non-human identities (NHIs) come in. NHIs — including application secrets, API keys, service accounts, and OAuth tokens — have exploded in recent years, thanks to an ever-expanding array of apps and services that must work together and identify one another on the fly. In some enterprises, NHIs now outnumber human identities by as much as 50-to-1.
However, NHIs introduce unique risks and management challenges that have security leaders on high alert. Forty-six percent of organizations have experienced compromises of NHI accounts or credentials over the past year, and another 26% suspect they have, according to a recent report from Enterprise Strategy Group.
It’s no wonder NHIs — and the difficulties they present with oversight, risk reduction, and governance — have been a recurring topic at Okta’s CISO Forum. Here, we’ll explore their rise, risks, and how CISOs and security leaders are managing them today.
The rise in NHIs can be traced to the increasing use of cloud services, AI and automation, and digital workflows. It’s a trend that’s likely to continue, as more and more tasks are automated and humans play a smaller part in the equation.
NHIs allow apps to authenticate to one another, both inside a specific domain and with third-party applications like cloud services. Those secrets, keys, and tokens are just as sensitive as the credentials used by humans, and in some cases, even more so, as they can provide adversaries with powerful access to specific applications and services if they’re leaked.
CISOs are taking notice. In fact, over 80% of organizations expect to increase spending on non-human identity security.
According to Mark Sutton, CISO at Bain Capital, “Non-human identities have become a focus for teams based on the maturity of their identity and access management programs. It’s quickly becoming the next hottest fire because people have somewhat solved user identities. The natural progression is then to start looking at service accounts and machine-to-machine non-human identities, including APIs.”
Simply put, once organizations establish strong protocols for securing human identities, the logical next step is tackling NHIs. “That, and non-human identities are a part of the threat landscape, and it’s where attackers are going next.”
Like any other set of credentials, NHIs are sensitive and need to be protected. But while humans can employ robust security measures such as MFA or biometrics to protect sensitive credentials, NHIs often rely on less secure measures for authentication. That can make them easy targets for attackers.
Leakage of NHI secrets can also be a serious concern. This can happen in a number of ways, whether it’s through hard-coding them into an application’s source code or accidentally copying and pasting them into a public document. Secret leakage is a significant problem, and secrets often show up in public GitHub repositories. In fact, security firm GitGuardian found more than 27 million new secrets in public repositories last year. This poses an even larger problem when you consider that NHI secrets are not rotated very often in most environments, so the useful life of a leaked secret could be quite long.
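The two leakage problems just described, secrets hard-coded into source and secrets that are never rotated, are both things a defender can check for mechanically. The following script is an added example written for this article, not tooling from Okta, GitGuardian or any forum participant: it scans constructed sample source lines for string literals assigned to secret-like names (flagging long, high-entropy values separately), and it checks a constructed secret inventory against a rotation-age policy. The sample lines, the inventory, the 90-day policy and the entropy threshold are all assumptions chosen for illustration.

```python
import math
import re
from datetime import datetime, timedelta, timezone

# Constructed sample source (the values are made up, not real credentials):
# the kind of hard-coded assignments that end up committed to public repos.
SAMPLE_SOURCE = """\
DB_HOST = "db.internal.example"
API_KEY = "sk_live_9fA3xQ7pLm2ZtR8vK1bN6cHdE4wY0sGu"
password = "hunter2"
TIMEOUT_SECONDS = 30
SERVICE_TOKEN = 'f4e1c2d9a8b7e6f5c4d3b2a1f0e9d8c7b6a5f4e3'
"""

# Variable names that usually hold credentials (assumed list, extend per codebase).
SECRET_NAME = re.compile(r"(?i)(api[_-]?key|secret|token|password|passwd|pwd)")
# A simple `NAME = "literal"` / `NAME = 'literal'` assignment.
ASSIGNMENT = re.compile(r"""^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*["']([^"']+)["']""")


def shannon_entropy(value: str) -> float:
    """Bits per character; random keys score high, ordinary words score low."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def find_hardcoded_secrets(source: str, min_length: int = 16, min_entropy: float = 3.0):
    """Return (line_no, variable_name, reason) for each suspicious literal.

    Any quoted literal assigned to a secret-like name is reported; long,
    high-entropy literals are labelled separately because they are the
    strongest signal of a real key or token rather than a placeholder.
    """
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        match = ASSIGNMENT.match(line)
        if not match:
            continue
        name, value = match.groups()
        if not SECRET_NAME.search(name):
            continue
        if len(value) >= min_length and shannon_entropy(value) >= min_entropy:
            reason = "high-entropy literal"
        else:
            reason = "literal assigned to secret-like name"
        findings.append((line_no, name, reason))
    return findings


def stale_secrets(inventory: dict, now: datetime, max_age_days: int = 90):
    """Names of secrets whose last rotation is older than the policy allows.

    `inventory` maps a secret's name to its last-rotation timestamp; in a real
    program this would come from the vault or cloud IAM API, here it is constructed.
    """
    cutoff = now - timedelta(days=max_age_days)
    return sorted(name for name, rotated in inventory.items() if rotated < cutoff)


# Constructed inventory with a fixed "now" so the result is reproducible.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = {
    "payments-api-key": datetime(2023, 1, 15, tzinfo=timezone.utc),   # never rotated
    "ci-deploy-token": datetime(2024, 5, 20, tzinfo=timezone.utc),    # recently rotated
    "legacy-svc-password": datetime(2022, 11, 3, tzinfo=timezone.utc), # never rotated
}

if __name__ == "__main__":
    for line_no, name, reason in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {line_no}: {name} ({reason})")
    for name in stale_secrets(SAMPLE_INVENTORY, SAMPLE_NOW):
        print(f"rotation overdue: {name}")
```

Run on the constructed input, the scanner reports `API_KEY` and `SERVICE_TOKEN` as high-entropy literals and `password` as a literal assigned to a secret-like name, while `DB_HOST` (not secret-like) and `TIMEOUT_SECONDS` (not a string literal) pass; the rotation check reports the two secrets not rotated within 90 days. A real deployment would run the scan as a pre-commit or CI check and feed the inventory from the secret store, so that a leaked key is both caught before it reaches a repository and has a short useful life if it does.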
And, because they often require broad and persistent permissions to perform tasks, NHIs can accumulate excessive permissions, further increasing the attack surface. All of this makes NHIs a prime target for attackers and a major challenge for CISOs and their security teams.
While NHIs are now on CISOs’ radar, securing them is another story. Here are three challenges we’re hearing from CISOs, and how they’re managing them: