GLOWNEXUS
BLOG

2/10/2026

Non-Human Identities and Identity Visibility

Introduction 

Credential-based breaches, and the realization that some identities might not be governed because they are "not visible", were the original trigger for Non-Human Identity Management as a concept. These identities do not represent a human and can be created within any system by a developer, an administrator, an application owner and now by AI agents. Discovery of Non-Human Identities is therefore often the recommended starting point of a Non-Human Identity Management program.
With the proliferation of SaaS and Cloud Service Providers (CSPs) in the last decade, and subsequently of API-driven approaches, unsupervised machine-to-machine interactions have increased. Credentials of all forms have multiplied.

A few commonly used ones are:
  • Passkeys,  
  • API keys, 
  • Service accounts, 
  • OAuth tokens, 
  • Certificates, 
  • Short-lived, workload-bound credentials. 
With the dynamic nature of tech work, and with coding and infrastructure moving to CI/CD and Infrastructure as Code (IaC), credentials continue to multiply and evolve. AI agents are the latest identities, needing all kinds of access to work independently and carry out tasks.

The Risk

Security risk 

Identities created in this process are typically not strongly governed and have access assigned arbitrarily. As a result, organizations run a significant risk from excess privileges and possible credential exposure, which affects the overall cyber security posture.

Compliance 

Discovery of identities of any kind with unauthorized access leads to audit findings and compliance issues. This increases the existing security teams' workload, with discovery and closure of such findings taking months to complete.

Solution Approach 

The primary goal of a Non-Human Identity program is to start with the discovery of such identities. Once they are discovered, known intelligence inputs can be applied to classify the identities based on access risk. Once they are discovered and categorized, remediation can be initiated as part of the risk management process.

A mature solution approach is essential for planning how to identify and aggregate Non-Human Identities into a central repository. A suitable technical solution can be selected from the available vendors. NHIM vendors specialize in connecting to targets using connectors that are purpose-built for scanning and locating such identities. A typical Identity Governance and Administration tool might have limitations here because it is purpose-built for importing identities from sources like the HR system, supplier system or other third-party contractor onboarding tools.

Step 1 – Identify/Discover
  • Launch an enterprise-wide program that engages the key stakeholders.
  • Highlight the risk and how Non-Human Identities pose an enterprise-wide threat to the organization.
  • Identify the application and infrastructure landscape by holding interviews with the respective application and infrastructure owners and the security teams.
  • Deploy the chosen vendor solution with the respective connectors and run scans to identify Non-Human Identities that exist in the applications, APIs and infrastructure.
  • Ensure the discovery is heterogeneous in nature: it should be able to connect with the existing directory services, cloud platforms like Entra, CMDBs and ITSM platforms, and existing deployed IAM tools (IGA, SSO, PAM etc.).
The initial data collection should be rich enough to enable correlation and accurate risk assignments at a later stage.
Step 2 – Categorize
  • Use rules and intelligence to categorize based on relationships and access risk. Implement rules to classify NHIs based on the application risk, application entitlements or roles, ownership, network, locations etc.
  • Context is an important part of categorizing any type of identity, so it needs to be clearly worked out between the business, security teams, consultants and the technical implementation team.
  • Engage with experienced consultants to lay out a strategy for classification based on the organisation's unique compliance and security requirements.
Step 3 – Visualize & Report
A key element in understanding the cyber security risk posed by NHIs is understanding the access they have to various applications via various means: developers, code, API tools, vaults, manual access, remote desktops, etc.
During product evaluation, identify tools that can create mappings and present them in easy-to-read interfaces like charts, maps or flow diagrams.
Also look for ready-made reporting for the compliance requirements that apply to you. Out-of-the-box reporting can identify and generate the most appropriate compliance reports for governing the NHIs.
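
The three steps above, as an added example that is not part of the original post or any vendor's product: records from three hypothetical connectors are correlated into one entry per identity, categorized by rules on ownership, roles, credential age and application risk, and reported highest risk first. The record fields, the join on a shared "id", the privileged-role list and the 365-day rotation threshold are all assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records, shaped as three hypothetical connectors might return them.
DIRECTORY = [
    {"id": "svc-backup", "type": "service_account", "owner": "infra-team",
     "roles": ["Domain Admins"], "last_rotated": date(2023, 1, 15)},
    {"id": "svc-report", "type": "service_account", "owner": None,
     "roles": ["Reader"], "last_rotated": date(2025, 11, 1)},
]
CLOUD = [
    {"id": "svc-report", "type": "oauth_token", "roles": ["Storage.ReadWrite"]},
    {"id": "ci-deploy", "type": "api_key", "owner": "platform-team",
     "roles": ["Contributor"], "last_rotated": date(2025, 12, 20)},
]
CMDB = [{"id": "svc-backup", "app_risk": "high"}, {"id": "ci-deploy", "app_risk": "medium"}]

PRIVILEGED = {"Domain Admins", "Owner", "Contributor"}  # assumed high-impact roles
MAX_AGE_DAYS = 365                                      # assumed rotation policy

def correlate(*sources):
    """Step 1: merge per-source records into one entry per identity (joined on 'id')."""
    merged = defaultdict(lambda: {"types": set(), "roles": set(), "owner": None,
                                  "app_risk": "unknown", "last_rotated": None})
    for source in sources:
        for rec in source:
            e = merged[rec["id"]]
            if "type" in rec:
                e["types"].add(rec["type"])
            e["roles"].update(rec.get("roles", []))
            e["owner"] = e["owner"] or rec.get("owner")
            e["app_risk"] = rec.get("app_risk", e["app_risk"])
            e["last_rotated"] = e["last_rotated"] or rec.get("last_rotated")
    return dict(merged)

def categorize(entry, today):
    """Step 2: apply the rules; two or more findings put the identity in the high tier."""
    stale = entry["last_rotated"] is None or (today - entry["last_rotated"]).days > MAX_AGE_DAYS
    checks = [("no_owner", entry["owner"] is None),
              ("privileged_role", bool(entry["roles"] & PRIVILEGED)),
              ("stale_credential", stale),
              ("high_risk_app", entry["app_risk"] == "high")]
    findings = [name for name, hit in checks if hit]
    return ("high" if len(findings) >= 2 else "medium" if findings else "low"), findings

def report(inventory, today):
    """Step 3: (identity, tier, findings) rows, highest-risk tier first."""
    rows = [(nhi, *categorize(e, today)) for nhi, e in inventory.items()]
    return sorted(rows, key=lambda r: (["high", "medium", "low"].index(r[1]), r[0]))
```

Calling `report(correlate(DIRECTORY, CLOUD, CMDB), date.today())` returns the remediation queue; an identity that appears in only one source still gets an entry, with the missing fields left at their "unknown" defaults.
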
Conclusion

Discovery and classification of Non-Human Identities is the first step in a Non-Human Identity Management program.
A suitable tool and strong program intent, combined with process, will ensure that a reliable repository of NHIs is built as a foundation.
Categorization ensures that high-risk NHIs can be taken up first for remediation and risk reduction.

    Author

    We’re a team of experts, helping businesses tackle digital security challenges. Specializing in identity management, IoT security, and embedded automation, we create tailored solutions to meet current needs and support future growth. Our aim is to simplify complex issues and help businesses thrive in the digital landscape.
