The Ultimate Guide to Non-Human Identities Report
Am I Human or Non-Human

Am I Human or Non-Human by Non-Human Identity Management Group

Hope you like this funny story about the group's Founder's personal circumstances:

▶️ I currently look like Robocop
▶️ I have my Leg in a Vault
▶️ I need to Cycle my Bodyparts
▶️ I am an Anomaly in the Industry
▶️ I am working 24×7
▶️ I am Spinning Many Plates
▶️ I am Connecting to Many 3rd Parties
▶️ I am working in Many Environments
▶️ I need to be Detected by the Industry
▶️ I am Owned by my Wife
▶️ I am not Shared with others
▶️ I use a very Complex Password
▶️ I provide 100% Trust vs Zero Trust
▶️ I am Scanning for Leads not Leaks
▶️ I am Slowly getting Discovered
▶️ I will Expire but after a Long Time
▶️ I have Launched my Services

So is the Group Founder Human or Non-Human?

View the LinkedIn Post and comments from the industry

Golf Balls vs Non-Human Identities

Golf Balls vs Non-Human Identities by Non-Human Identity Management Group


Following on from the fun article I wrote on Pot Holes & Non-Human Identities, I thought I would create another fun/interesting article on NHIs, based on my extensive 25 year plus experience in managing NHIs at an enterprise level, so folks get a sense of the challenges that can be faced.

The Famous Golf Ball Meeting – I met up with the new head of IAM at a Global Investment Bank many years ago:

  • We discussed PAM and Identity Management – I highlighted that for some accounts, e.g. on databases, we can't tell whether an account is human or non-human
  • The Head of IAM said: so if we have an account called "Golf Ball", are you saying we don't know what it is, i.e. it could be a human or a non-human account?
  • I explained that due to weak controls around naming standards for human accounts, it was the wild west, where folks could call their account anything (for both human and non-human accounts)
  • I went on to explain that the Non-Human accounts have no clear ownership in a central inventory system, i.e. we don't know which application is responsible for that account, so we cannot drive accountability for control compliance, remediation or hygiene activities
  • Developing a centralised identity/account management system to manage these accounts would be a major undertaking, both from a capability delivery and a claiming/ownership standpoint, as identifying owners retrospectively is very challenging – many accounts would be unknown given they were set up years ago, could be dormant, or could be in use by upstream/downstream applications.

This was a major lightbulb moment for the head of IAM, who was new to the Non-Human Identity space.

In summary Golf Balls are like Non-Human Identities – you have a good handle on some of them, many are unknown/lost (hiding in the sand / grass / bushes / water) and each one of them is a risk, that needs to be identified, claimed or removed – if the unknown/lost ones get discovered, someone can steal them and use them.

Further details on these challenges and how to go about addressing them can be found in my white paper on managing Non-Human Identities.

PotHoles and Non-Human Identities

Let’s have some fun. This is a photo of a Pothole outside my house.

PotHoles and Non-Human Identities by Non-Human Identity Management Group

Let's compare Potholes to Non-Human Identities (NHIs):

  • The number of Potholes on this UK road is similar to the ratio of Non-Human Identities to Human Identities, i.e. 50:1
  • People try to avoid Potholes and NHIs, but they catch you out in the end
  • Discovering Potholes and NHIs can be challenging, especially if you have weak visibility
  • Even though you know they exist, you choose to leave them exposed
  • Once someone has gone into one, it's game over
  • In many cases you don't know the risk/damage the Pothole or NHI can cause, i.e. how deep and wide the hole/access is
  • It can be very expensive and take a long time to repair the damage caused
  • Applying band-aid solutions will cause the issues to resurface

Hope you enjoyed my comparison of Potholes and NHIs – any other comparisons you would like to share?

Who Says We Have A Secret Sprawl Problem

25 years ago at a Global Investment bank:

  • we had the opposite to the current Secrets Sprawl problem
  • we had just one Non-Human Identity (NHI) for the whole division
  • everyone in the department, over 1,000 people, had access to that NHI
  • we ended up with a major audit finding as a result

So what did we do?

  • each application ended up having its own set of NHIs
  • we segregated NHIs – one per environment, to prevent lateral movement between environments
  • each account had an environment post-fix, e.g. trading_prod, trading_qa, trading_dev
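As an added example (not code from the original article), a small Python audit of a constructed NHI inventory against the three controls just listed: an environment post-fix in the account name, no use of an account outside its named environment, and one set of accounts per application with a known owner. The inventory rows, application names and team names are all constructed for this example.

```python
"""
Audit a constructed NHI inventory against the controls described above:
one NHI per application per environment, an environment post-fix in the
name, and a known owner. All sample data below is constructed.
"""
import re

# Expected naming standard: <application>_<environment>
NAME_RE = re.compile(r"^(?P<app>[a-z0-9]+)_(?P<env>prod|qa|dev)$")

# Constructed inventory: account name, application that claims it,
# environments where it has been observed authenticating, and owner.
INVENTORY = [
    {"name": "trading_prod", "app": "trading", "seen_in": {"prod"}, "owner": "trading-team"},
    {"name": "trading_qa", "app": "trading", "seen_in": {"qa"}, "owner": "trading-team"},
    {"name": "trading_dev", "app": "trading", "seen_in": {"dev", "qa"}, "owner": "trading-team"},
    {"name": "golfball", "app": None, "seen_in": {"prod"}, "owner": None},
    {"name": "risk_prod", "app": "risk", "seen_in": {"prod"}, "owner": "risk-team"},
    {"name": "risk_prod", "app": "settlement", "seen_in": {"prod"}, "owner": "settlement-team"},
]


def audit(inventory):
    """Return a list of (account_name, finding) tuples for control violations."""
    findings = []
    apps_by_name = {}
    for acct in inventory:
        name = acct["name"]
        m = NAME_RE.match(name)
        if not m:
            findings.append((name, "no environment post-fix; cannot tell env or human/non-human"))
        else:
            # Account used outside the environment its name claims: lateral movement risk
            foreign = acct["seen_in"] - {m.group("env")}
            if foreign:
                findings.append((name, f"shared across environments: {sorted(foreign)}"))
            if acct["app"] and m.group("app") != acct["app"]:
                findings.append((name, f"name prefix does not match owning app {acct['app']}"))
        if not acct["owner"]:
            findings.append((name, "no owner in central inventory"))
        apps_by_name.setdefault(name, set()).add(acct["app"])
    # The same credential claimed by more than one application
    for name, apps in apps_by_name.items():
        if len(apps) > 1:
            findings.append((name, f"shared across applications: {sorted(a for a in apps if a)}"))
    return findings


if __name__ == "__main__":
    for account, finding in audit(INVENTORY):
        print(f"{account}: {finding}")
```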

25 years on, we still see:

  • many accounts are still shared across environments
  • many accounts are still shared across applications
  • many plain-text credentials are still found in source code repos etc.
  • organisations are still struggling to Cycle NHI credentials

Oh I Wish We Could Go Back To One NHI And Avoid the Secrets Sprawl Problem