The Ultimate Guide to Non-Human Identities Report
Poll – What NHI Use Case Concerns You The Most?

The Non-Human Identity Management Group launched a Poll on LinkedIn asking what type of Non-Human Identity use case concerns people the most from a Security Risk Standpoint.

Very interesting results on the most concerning use case from a security risk standpoint:

  • Service Accounts – 57%
  • API Keys/Tokens – 28%
  • NHIs in Robotic RPA Bots – 8%
  • NHIs in IoT Devices – 7%

No surprise to see Service Accounts taking top spot given this is the most prevalent NHI that we have in the industry.

We would have thought API Keys/Tokens would have got a much higher vote, given many breaches involve them.

It is surprising that IoT Devices in particular did not get a bigger share of the vote. This clearly shows it is an under-represented or less understood area, but one that is increasingly becoming a big threat vector for organisations.

Poll – Should Non-Human Identity and Human Identity Products Converge

The Non-Human Identity Management Group launched a Poll on LinkedIn asking whether Non-Human Identity Products and Human Identity Products should be kept Separate or Converge.

  • This was a huge poll with close to 330 security practitioners voting across 200 organisations
  • Keeping Non-Human Identity Products Separate from Human Identity Products seemed to win the day – 55% to 45%
  • A lot of passionate views on both sides based on the voting and the amazing set of comments For and Against
  • Overall, whilst it was a very close vote, I think the reality is that some of the folks who voted Converge want this as an ideal end state, but clearly see there is a valid case for keeping the focus on NHI Risks Separate for now
  • The Challenges and Approach to Addressing Non-Human Identity risks vs Human Identity risks are very different (e.g. hardcoded passwords in source code and how you go about fixing them), so these clearly need more vertically focussed solutions to help address them

Poll – Do you Fully Understand How to Address NHI Risks?

The Non-Human Identity Management Group launched a Poll on LinkedIn asking if folks know how to fully address Non-Human Identity / Machine Identity / Workload Identity Risks, one of the primary attack vectors used by Cyber/Insider Threat Actors.

  • 150+ votes – vast majority (68%) either don’t know or partially know how to fully address the risks
  • 25% don’t know how to fully address the risks
  • 43% partially know how to fully address the risks
  • 32% know how to fully address the risks (some of these folks probably also don’t fully know 😉)

Clearly there is a major gap in the industry in understanding the risks around Non-Human Identities / Machine Identities / Workload Identities and how to fully address them.

Poll – Non-Human Identity or Machine Identity?

The Non-Human Identity Management Group launched a Poll on LinkedIn asking the industry how we classify Service Accounts, System Accounts, API Keys, OAuth Tokens, Certificates, Secrets etc.

  • 200+ votes – it was a very close race, with Non-Human Identity just edging ahead of Machine Identity
  • Non-Human Identity actually won by a large margin, if we look at unique votes per organisation
  • We had approx. 80 companies vote, so a very broad vote and opinions from the industry

So does it really matter what term we use?

  • The vast majority of Vendors seem to use the Non-Human Identity (NHI) term – is there a VC play here?
  • Gartner / Microsoft / CSA seem to use Machine Identity / Workload Identity Terms, but:
      • CSA have just launched a survey about Non-Human Identities
      • Gartner mentioned Non-Human Identities at the Security & Risk Summit 2023

So are we ever going to converge on a common term?

  • Very unlikely – the main thing is we focus on helping customers solve their Non-Human Identity / Machine Identity / Workload Identity risks.
  • The debate rages on!!!