Golf Balls vs Non-Human Identities

Lalit Choda, NHI Mgmt Group

Following on from the fun article I wrote on Pot Holes & Non-Human Identities, I thought I would write another fun/interesting article on NHIs, based on my 25-plus years of experience managing NHIs at an enterprise level, so folks get a sense of the challenges that can be faced.

The Famous Golf Ball Meeting - I met up with the new head of IAM at a global investment bank many years ago:

  • We discussed PAM and Identity Management. I highlighted that for some accounts, e.g. on databases, we could not tell whether they were human or non-human.

  • The head of IAM asked: "So if we have an account called 'Golf Ball', are you saying we don't know what it is, i.e. it could be either a human or a non-human account?"

  • I explained that, due to weak controls around naming standards for accounts (both human and non-human), it was the wild west: folks could call an account anything, so the name alone told you nothing about what it was.

  • I went on to explain that the non-human accounts had no clear ownership in a central inventory system, i.e. we did not know which application was responsible for each account, which is exactly what you need in order to drive accountability for control compliance, remediation and hygiene activities.

  • Developing a centralised identity/account management system to manage these accounts would be a major undertaking, both from a capability-delivery and from a claiming/ownership standpoint, as identifying owners retrospectively is very challenging: many accounts would be unknown given they were set up years ago, some would be dormant, and others would still be in use by upstream/downstream applications, so you cannot simply delete what you do not recognise.

This was a major lightbulb moment for the head of IAM, who was new to the Non-Human Identity space.

In summary, golf balls are like Non-Human Identities: you have a good handle on some of them, many are unknown/lost (hiding in the sand, grass, bushes or water), and each one is a risk that needs to be identified, claimed or removed. If the unknown/lost ones get discovered, someone else can pick them up and use them.
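To make the identify / claim / remove idea concrete, the following triage routine is an added example and is not code from this article, the white paper, or any bank's tooling. It assumes a hypothetical naming standard (human IDs such as jsmith01, service accounts prefixed svc_), a 90-day dormancy threshold, and a constructed account list and ownership inventory. It sorts every account into the buckets the meeting above describes: owned and active (keep), owned but dormant (owner confirms or retires), unowned with a recognisable type (claim), unowned and dormant (disable first, then remove), and the golf ball itself, an active account whose name says nothing about what it is (investigate). It also reports inventory entries with no live account, since a stale inventory is its own hygiene problem.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed naming standards (hypothetical; the article's point is that none were
# enforced, so anything matching neither pattern is a "golf ball" of unknown type).
HUMAN_PATTERN = re.compile(r"^[a-z]{2,8}\d{2,4}$")        # e.g. jsmith01
NHI_PATTERN = re.compile(r"^svc_[a-z0-9]+_[a-z0-9]+$")    # e.g. svc_payments_etl
DORMANT_AFTER = timedelta(days=90)                        # assumed dormancy threshold


@dataclass(frozen=True)
class Account:
    name: str
    created: date
    last_login: Optional[date]   # None: no login recorded since auditing began


@dataclass(frozen=True)
class Finding:
    name: str
    kind: str            # "human", "non-human" or "unknown" (inferred from the name)
    owner: Optional[str]
    dormant: bool
    action: str          # keep / review_with_owner / claim / investigate / disable


def classify_name(name: str) -> str:
    """Infer account type from the naming standard; 'unknown' is the golf ball case."""
    if HUMAN_PATTERN.match(name):
        return "human"
    if NHI_PATTERN.match(name):
        return "non-human"
    return "unknown"


def is_dormant(acct: Account, today: date) -> bool:
    """Never-used accounts count as dormant only once they are older than the threshold."""
    if acct.last_login is None:
        return today - acct.created > DORMANT_AFTER
    return today - acct.last_login > DORMANT_AFTER


def triage(accounts: List[Account], inventory: Dict[str, str], today: date) -> Dict[str, Finding]:
    """Bucket every account into identify / claim / remove work, keyed by account name."""
    findings: Dict[str, Finding] = {}
    for acct in accounts:
        kind = classify_name(acct.name)
        owner = inventory.get(acct.name)
        dormant = is_dormant(acct, today)
        if owner and not dormant:
            action = "keep"
        elif owner:
            action = "review_with_owner"   # owner confirms it is still needed or retires it
        elif dormant:
            action = "disable"             # disable, watch for breakage, then delete
        elif kind == "unknown":
            action = "investigate"         # active and unowned, could be human or non-human
        else:
            action = "claim"               # type is clear from the name, owner is not
        findings[acct.name] = Finding(acct.name, kind, owner, dormant, action)
    return findings


def stale_inventory(accounts: List[Account], inventory: Dict[str, str]) -> List[str]:
    """Inventory entries with no live account: the inventory itself needs hygiene too."""
    live = {a.name for a in accounts}
    return sorted(n for n in inventory if n not in live)


def summarise(findings: Dict[str, Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings.values():
        counts[f.action] = counts.get(f.action, 0) + 1
    return counts


# Constructed sample data for illustration only, not taken from any real system.
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("jsmith01", date(2023, 1, 10), date(2024, 5, 28)),
    Account("svc_payments_etl", date(2021, 4, 2), date(2024, 5, 31)),
    Account("svc_reporting_batch", date(2022, 9, 14), date(2024, 5, 15)),
    Account("svc_legacy_sync", date(2016, 2, 1), date(2019, 3, 2)),
    Account("golf_ball", date(2018, 7, 7), date(2024, 5, 20)),
    Account("backup", date(2015, 11, 30), None),
    Account("dbadmin_old", date(2017, 5, 5), date(2023, 11, 1)),
]
SAMPLE_INVENTORY = {
    "jsmith01": "HR joiner/mover/leaver feed",
    "svc_payments_etl": "Payments Platform",
    "dbadmin_old": "DBA Team",
    "svc_retired_feed": "Market Data",   # recorded owner, but no such account any more
}


def run_sample() -> Dict[str, Finding]:
    return triage(SAMPLE_ACCOUNTS, SAMPLE_INVENTORY, TODAY)


if __name__ == "__main__":
    for f in run_sample().values():
        print(f"{f.name:22} {f.kind:10} owner={f.owner or '-':30} dormant={f.dormant!s:5} -> {f.action}")
    print("stale inventory entries:", stale_inventory(SAMPLE_ACCOUNTS, SAMPLE_INVENTORY))
    print("summary:", summarise(run_sample()))
```

Note that dormant unowned accounts are disabled rather than deleted outright: the meeting above makes the point that an old account may still be wired into an upstream or downstream application, and disabling first lets that surface as a support ticket instead of an outage. In a real estate the account list would come from the database's own catalogue and the inventory from the central ownership system, and the naming patterns would be whatever standard the organisation actually enforces.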

Further details on these challenges and how to go about addressing them can be found in my white paper on managing Non-Human Identities.