
Encryption

Encryption converts readable data into ciphertext so it cannot be understood without the correct key. In identity and governance terms, the important question is not only whether the data is encrypted, but which identities, services, and administrators can access the keys or decryption endpoint.

Expanded Definition

Encryption is the mechanism that protects data confidentiality by transforming readable information into ciphertext that can only be recovered with the correct key. In NHI security, the practical question is not merely whether encryption is enabled, but which identities can request decryption, where keys are stored, and how access to those keys is governed. That makes encryption a control over both data and authority.

For this reason, encryption must be treated alongside identity, not as a separate technical feature. A service account with broad access to a key management endpoint can defeat strong cryptography just as effectively as a stolen password. Guidance varies across vendors on how much operational responsibility should sit with application teams versus security teams, but no single standard changes the core requirement: limit key access, rotate credentials that protect encrypted workloads, and log every decryption path. The NIST Cybersecurity Framework 2.0 reinforces this operational view by tying protection to asset governance and access control rather than to encryption alone.

The most common misapplication is assuming data is secure because it is encrypted at rest while decryption rights remain broadly available to service accounts, administrators, or CI/CD pipelines.

Examples and Use Cases

Implementing encryption rigorously often introduces key-management overhead, requiring organisations to weigh stronger confidentiality against added operational complexity and recovery risk.

  • Database encryption protects records if storage media are exposed, but only if the decrypting application identity is tightly scoped and monitored.
  • API payload encryption can reduce exposure in transit, yet it still depends on the receiver’s service identity being authorized to decrypt the payload.
  • Secrets stored in a vault are encrypted, but the vault configuration must prevent overbroad access by administrators and automation. Misconfigured vaults are a major failure mode noted in the Ultimate Guide to NHIs.
  • Certificate-based mutual TLS encrypts traffic between workloads and can strengthen service-to-service trust when paired with strict workload identity controls from the NIST Cybersecurity Framework 2.0.
  • Encrypted backups help preserve confidentiality during storage or transit, but recovery procedures must ensure that only approved recovery identities can unlock the backup set.

In practice, encryption becomes most effective when paired with rotation, revocation, and least-privilege access over the decryption endpoint. NHIMG research shows that 79% of organisations have experienced secrets leaks, and 77% of those incidents caused tangible damage, which makes cryptographic protection only one part of the control story.

Why It Matters in NHI Security

Encryption matters because NHI environments are full of machine-readable trust relationships: service accounts, API keys, certificates, and automation tokens frequently sit behind the systems that decrypt sensitive data. If those identities are overprivileged, encryption gives a false sense of safety while attackers simply move to the key path instead of the payload. The result is often lateral movement, token theft, or silent exposure of data that appeared protected.

This is especially important in environments where secrets are embedded in code, config files, or CI/CD tools. The Ultimate Guide to NHIs notes that 96% of organisations store secrets outside of secrets managers in vulnerable locations, and that 91.6% of secrets remain valid five days after notification. Those figures show why encryption alone does not close exposure windows.

Organisations typically encounter the consequence only after a key compromise, failed audit, or cloud incident, at which point addressing encryption governance becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers secret and key protection for non-human identities. |
| NIST CSF 2.0 | PR.AA | Addresses identity assurance and access control around protected assets. |
| NIST Zero Trust (SP 800-207) | | Zero trust requires explicit authorization before any decryption or access. |

Treat every decrypt request as a policy decision and verify context each time.
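The closing rule above, together with the earlier point that encryption is only effective when paired with rotation, revocation, and least-privilege access over the decryption endpoint, is illustrated by the following added Go example. It is not code from the NHIMG page or from any vendor KMS; it is an in-memory stand-in for a decrypt endpoint in which the caller's identity is checked against a per-key policy, every decrypt attempt (allowed or denied) is written to an audit trail, and revoking a key makes its ciphertext unopenable by anyone. The Principal type, the key id customer-db, the principal names svc-billing and ci-pipeline, and the sample record are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Principal is the non-human identity presenting a request (hypothetical type for this example).
type Principal struct{ Name string }

// keyEntry binds one AES-256-GCM key to the principals allowed to decrypt with it.
type keyEntry struct {
	aead    cipher.AEAD
	allowed map[string]bool
}

// AuditEvent records one decrypt attempt, allowed or denied.
type AuditEvent struct{ Principal, KeyID, Reason string; Allowed bool }

// KeyService is a minimal stand-in for a KMS or vault decrypt endpoint; Audit holds every attempt.
type KeyService struct {
	keys  map[string]*keyEntry
	Audit []AuditEvent
}

var (
	ErrUnknownKey    = errors.New("unknown or revoked key id")
	ErrNotAuthorised = errors.New("principal not authorised for key")
)

func NewKeyService() *KeyService { return &KeyService{keys: map[string]*keyEntry{}} }

// CreateKey generates a fresh key and scopes decrypt rights to the listed principals only.
func (s *KeyService) CreateKey(keyID string, principals ...string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	block, _ := aes.NewCipher(k) // cannot fail: the key is exactly 32 bytes
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	e := &keyEntry{aead: g, allowed: map[string]bool{}}
	for _, p := range principals {
		e.allowed[p] = true
	}
	s.keys[keyID] = e
	return nil
}

// Revoke removes a key: ciphertext sealed under it stays sealed and no identity can open it.
func (s *KeyService) Revoke(keyID string) { delete(s.keys, keyID) }

// Encrypt seals plaintext (nonce prepended) with the key id as associated data, so the
// ciphertext cannot be presented for decryption under a different key's policy.
func (s *KeyService) Encrypt(keyID string, plaintext []byte) ([]byte, error) {
	e, ok := s.keys[keyID]
	if !ok {
		return nil, ErrUnknownKey
	}
	nonce := make([]byte, e.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return e.aead.Seal(nonce, nonce, plaintext, []byte(keyID)), nil
}

// Decrypt is the policy decision point: key lookup, caller identity, then AEAD integrity.
// Every attempt is recorded, denials included, so no decrypt path goes unlogged.
func (s *KeyService) Decrypt(p Principal, keyID string, ciphertext []byte) ([]byte, error) {
	e, ok := s.keys[keyID]
	if !ok {
		return s.deny(p, keyID, "unknown key", ErrUnknownKey)
	}
	ns := e.aead.NonceSize()
	switch {
	case !e.allowed[p.Name]:
		return s.deny(p, keyID, "not in key policy", ErrNotAuthorised)
	case len(ciphertext) < ns:
		return s.deny(p, keyID, "malformed ciphertext", errors.New("ciphertext too short"))
	}
	pt, err := e.aead.Open(nil, ciphertext[:ns], ciphertext[ns:], []byte(keyID))
	if err != nil {
		return s.deny(p, keyID, "authentication failed", err)
	}
	s.Audit = append(s.Audit, AuditEvent{p.Name, keyID, "ok", true})
	return pt, nil
}

func (s *KeyService) deny(p Principal, keyID, reason string, err error) ([]byte, error) {
	s.Audit = append(s.Audit, AuditEvent{p.Name, keyID, reason, false})
	return nil, err
}

func main() {
	svc := NewKeyService()
	_ = svc.CreateKey("customer-db", "svc-billing")                    // only the billing service may decrypt
	ct, _ := svc.Encrypt("customer-db", []byte("card-token=tok_demo")) // constructed sample record
	_, err := svc.Decrypt(Principal{Name: "ci-pipeline"}, "customer-db", ct)
	pt, _ := svc.Decrypt(Principal{Name: "svc-billing"}, "customer-db", ct)
	fmt.Printf("ci-pipeline: %v | svc-billing: %s\naudit: %+v\n", err, pt, svc.Audit)
}
```

Two design choices carry the page's point. Encryption is deliberately not identity-gated while decryption is, because the authority worth governing sits on the decrypt path; and the audit record is appended before any result is returned, so a denied request from an unexpected principal (the CI pipeline above) is visible to detection in the same way as a successful one. Binding the key id as associated data means ciphertext from one key cannot be replayed against another key's, possibly looser, policy.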