2024 ESG Report: Managing Non-Human Identities
Oasis Security - 2024 ESG Report - Managing Non-human Identities for an Effective Cybersecurity Program
Research Objectives
Enterprise IT cybersecurity and operations teams are recognizing the risk associated with the large and growing volume of non-human identities (NHIs). Modern application architectures with complex relationships and ephemeral resources have resulted in a proliferation of non-human access to communicate and exchange data. NHI management is an emerging space with unique characteristics and lifecycle requirements when compared with the more established human identity and access management (IAM) domain. Inadequate security for non-human identities poses significant security risks given the significant access and privileges provided to non-human identity infrastructure. Specifically, poor security for NHIs can lead to data breaches, operational disruptions, and compliance violations. As cloud adoption and automation continue to grow, effective non-human identity management has become essential for maintaining security, facilitating business operations, and supporting digital transformation initiatives.
To gain further insight into these trends and issues, TechTarget’s Enterprise Strategy Group surveyed cybersecurity and DevOps, platform, and cybersecurity engineering professionals at organizations in North America (US and Canada) involved with or responsible for the technologies and processes that secure non-human identities and machine workloads.
The Study Sought To:
Assess the state of the market for locating, securing, and managing non-human identities.
Understand the challenges in gaining visibility and lifecycle control over non-human identities.
Explore the consequences of inadequate visibility and security for non-human identities.
Determine how enterprises intend to invest to address risks associated with non-human identity management and security.
Key Findings
Non-human identity volume is large and increasing quickly
Non-human Identities Significantly Outnumber Human Identities and This Volume Is Expected to Increase - the average organization estimated the number of non-human identities to be 20x larger than the number of human identities, and more than half of organizations expect the total number of NHIs to increase by more than 20% over the next 12 months.
Non-human Identities Are Perceived to Be Insufficiently Secured - the average organization believes that more than one in five of their non-human identities are insufficiently secured. Not only is the number of non-human identities growing, but organizations also recognize them as a vulnerable part of the attack surface.
Enterprises typically deploy multiple solutions for each NHI problem area
Most Enterprises Invest in Multiple Solutions for the Various Aspects of Non-human Identity Management - practically all organizations leverage at least one non-human identity management solution, and many have multiple solutions in place. While this does suggest a defense-in-depth approach, it also reveals a lack of motion toward platform unification at this point.
Avoiding Operational Interruptions and Visibility Are Leading Concerns - Operational risk and a lack of visibility are most commonly cited, but compliance and other security concerns, such as identity and zero-trust alignment and certificate rotation, are not far behind.
Enterprises typically endure multiple Non-human Identity compromise events
Nearly Three in Four Enterprises Suspect They Have Exposed NHIs
Nearly half (46%) of respondents know their organization has experienced a breach of non-human identities, and another 26% suspect that they have had NHI accounts or credentials compromised.
Enterprises that have experienced a compromised NHI have averaged 2.7 instances in the past 12 months.
Multiple Factors Lead to Non-human Identity Compromises
At least one-quarter of organizations cited weak encryption algorithms, exposed keys or secrets, and/or loosely managed service accounts.
Compromised NHI Accounts Frequently Lead to Successful Cyberattacks With Multiple Ripple Effects
Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter of enterprises encountering multiple attacks.
Businesses suffer manifold impacts as a result of successful cyberattacks spawned from NHI compromises, from reputational damage through compliance fines to more expensive cyber insurance rates.
Security teams frequently see increased budgets and investment but can also encounter leadership changes as a result of successful cyberattacks.
Non-human identity management has diverse constituents and compromises get board level attention
Diverse Constituency of Decision-makers, but Security Is Well-represented as Budget Holder
Technology teams in DevOps, cloud security, SecOps, and cloud applications contribute to evaluating, recommending, and purchasing solutions, but the security personas (32%) are the most common budget holders.
Senior management and executive teams continue to be highly frequent influencers and budget holders since cybersecurity has gained more visibility in the C-suite and with boards of directors in the wake of high-profile incidents and their adverse impacts on business operations.
Non-human Identity Security: The Board Will See You Now
Non-human identity compromise has the potential to be significantly disruptive to business operations. Indeed, a majority (57%) of non-human identity compromises definitively got board-level attention, while 37% of respondents indicated their organization’s board may have delved into the details of the incident.
Enterprises are investing disproportionately to solve Non-human identity security
Non-human Identity Security Spending Is Primed to Increase
A notable 83% of organizations expect to spend relatively more on non-human identity security, with nearly one in five expecting to spend significantly more.
Enterprises invest in solutions to solve specific problems, and non-human identity management involves diverse problems. More than four in ten organizations expect to increase spending on identity threat detection and response solutions, while 39% will prioritize investments in technologies designed to address visibility, monitoring, and remediation for non-human identities.