NHI Workshop – What Are NHIs, Criticality, Risks and Challenges

Introduction to NHIs and Industry Terminology

The session begins with Lalit Choda ‘MrNHI’ introducing the speakers, Kirby Fitch, Sr Product Manager at Sailpoint and Shashwat Sehgal, Co-Founder and CEO at P0 Security, who are experts in identity management and security. They emphasize the importance of understanding what NHI entails, including its criticality and associated risks.

Key points include

• Terminology varies across the industry: non-human identities, machine identities, workload identities, etc.
• There is no industry-wide consensus on terminology, leading to multiple terms being used interchangeably.
• Common terms discussed include machine identities, workload identities, service accounts, system accounts, and non-human identities.

Understanding these terms is crucial for establishing a common language and effective security practices.

Definitions and Categorization of NHIs

Kirby and Shashwan outline their group’s definition of NHIs, focusing on machines, devices, and software workloads used in automation without human intervention.

Types of non-human identities include

• Service accounts (used by services to communicate with other services).
• Technical accounts and admin accounts.
• System accounts (e.g., in cloud environments like AWS, Azure, GCP).
• Device identities (e.g., IoT devices).
• Software workloads (containers, virtual machines, APIs).

These identities are critical because they facilitate automation and system interactions but pose security challenges if not managed properly.

Importance of a Holistic NHIs Program

Both speakers stress the need for comprehensive programs that secure both identities and credentials, which include:

• Identity management (who owns what)
• Credential security (tokens, API keys, certificates)
• Lifecycle management (creation, rotation, decommission)

Such programs should be capable of understanding attack paths, lateral movement risks, and providing a holistic view of NHIs security posture.

Risks and Challenges of NHIs

Shashwan shares real-world examples illustrating the challenges:

1. Cloud Migration Risks – During left-and-shift migrations, security often takes a backseat, leading to proliferation of service accounts, static keys, and credentials without governance. Post-migration, organizations realize the need for better NHIs governance.
   
2. Lateral Movement Risks – Attackers can exploit NHIS to move across systems, accessing sensitive data via compromised credentials stored in repositories like GitHub or through misconfigured service accounts.
   
3. Visibility and Ownership Issues – Organizations struggle to inventory NHIs, identify owners, and determine if accounts are still needed. Turning off accounts temporarily (brownouts) helps identify owners and reduce overprivileged access.

Kirby highlights that a common initial challenge is the lack of visibility, leading to manual, error-prone inventory processes, and excessive privileges that increase lateral movement risks.

Differences Between Managing Human and Non-Human Identities

While there is an overlap in managing human and non-human identities, key differences include:

• Volume – NHIs can number in the hundreds of thousands or millions, especially with AI and automation growth.
• Lifecycle Management – Human identities have well-established lifecycle controls like HR systems, which are often missing for NHIs.
• Form Factor and Integration – NHIS are diverse, coming from various sources like logs, standards, and environments, making management more complex.

Despite similarities in use cases (inventory, ownership, privilege management), the scale and form factor of NHIs require different tools and approaches.

Security Risks: External and Internal Threats

External threats include hackers exploiting exposed API keys or credentials. However, internal threats are often overlooked but equally dangerous:

• Employees or contractors may bypass controls using NHIs, especially if PAM (Privileged Access Management) solutions slow them down.
• Internal misuse can lead to data leakage, operational disruptions, or security breaches.
• Organizations often see increased NHIs usage internally as a workaround for security controls, which can undermine security policies.

Effective internal controls and monitoring are essential to prevent misuse of NHIs by staff or contractors.

Management and Governance Challenges

Key issues include:

• Weak controls and the tendency to treat NHIs as an afterthought.
• Fragmentation across cloud environments and exponential growth in NHIs volume.
• Lack of authoritative sources for lifecycle management and review processes.

Organizations need to develop governance frameworks similar to those for human identities, including regular reviews, ownership assignments, and lifecycle policies.

Overlap and Differences in Managing Human vs. Non-Human Identities

Similarities

• Use cases like inventory, ownership, privilege management, and lifecycle control.
• Require visibility and security controls.

Differences

• Scale – NHIs are far more numerous and diverse.
• Form factor – Different sources, standards, and integration points.
• Lifecycle management – Less mature for NHIs, often lacking authoritative sources and review processes.

Kirby emphasizes that managing NHIs volume and establishing lifecycle controls are major challenges compared to human identities.

Final Thoughts and Recommendations

Lalit called out that Internal threats from staff using NHIs to bypass controls are significant and often underappreciated. Organizations should:

• Implement strict governance and lifecycle management for NHIs.
• Monitor internal usage and privilege escalation.
• Develop holistic security programs that include automation, credential rotation, and regular reviews.

Understanding and managing NHIs is critical for organizational security, especially as environments become more complex and automated.