Top 10 Non-Human Identity Issues

Lalit Choda, NHI Mgmt Group

Here is our Top 10 Non-Human Identity (NHI) Issues:

1. Plain-Text / Unencrypted Credentials - organisations will find that many NHI credentials have been hard-coded into source-code repositories and can therefore be easily discovered by both external and internal threat actors.

2. Full Inventory of Non-Human Accounts - obtaining an inventory of all NHIs is very challenging, as there could be many platforms, end-points, directory services, cloud integrations where these NHIs exist.

3. Stale / Inactive Accounts - due to weak lifecycle processes, a lack of visibility of usage information and a lack of inventory, many NHIs end up inactive. This increases the attack surface. We have found orgs where some accounts have not been used for 20+ years and in excess of 50% of the accounts are stale / inactive.

4. Lack of Account Ownership - after addressing inventory issues, the next key thing that needs to be done is ensuring we identify an owner for each NHI, so we know who to contact to drive hygiene/remediation activities or when an NHI account gets compromised.

5. Humans Using Non-Human Accounts - humans using NHIs has always been a problem, as it has been very easy to bypass controls and use an NHI account to access assets/data. With the focus on Privileged Access Management (PAM), humans have started to lose permanent access to environments, in particular production; rather than use PAM controls, they have shifted to using NHI accounts.

6. Excessive Privileges - NHIs in general are highly privileged accounts, but we see in many cases NHIs are given excessive privileges, when much lower permissions would suffice.

7. Lack of Credential Cycling - cycling / rotating NHI credentials is very challenging for a number of reasons, e.g. lack of passwordLastChange information, unknown dependencies that could cause operational impact, changes required to application code/config, lack of vaulting of credentials, lack of end-point cycling capabilities.

8. Lack of Environment Segregation - we see many cases where the same NHI is used in both production and non-production environments, increasing the risk of lateral movement.

9. Sharing of Credentials across Apps - we see many examples where NHIs are shared across applications, which breaks principles of need-to-have and least-privilege. This also makes things like password cycling much more complex.

10. Non-Complex Passwords - NHI passwords have been found to be non-complex and therefore prone to password-guessing attacks.
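Several of these issues (3, 4, 7, 8 and 9) can be flagged mechanically once an inventory exists. The script below is an added example, not code from the NHI Mgmt Group or its white paper; it runs over a small constructed inventory and uses assumed thresholds (90 days unused = stale, 365 days = rotation overdue).

```python
from datetime import date, timedelta

# Constructed sample inventory (not real data): one record per NHI.
# Dates are ISO strings; None means the platform recorded nothing.
INVENTORY = [
    {"name": "svc-billing", "owner": "payments-team", "last_used": "2024-05-20",
     "pwd_changed": "2024-01-15", "envs": ["prod"], "apps": ["billing"]},
    {"name": "svc-legacy", "owner": None, "last_used": "2003-11-02",
     "pwd_changed": None, "envs": ["prod", "uat"], "apps": ["erp", "reporting"]},
    {"name": "svc-ci-runner", "owner": "platform", "last_used": None,
     "pwd_changed": "2022-02-01", "envs": ["dev"], "apps": ["ci"]},
]

AS_OF = date(2024, 6, 1)              # fixed "today" so results are reproducible
STALE_AFTER = timedelta(days=90)      # assumed threshold for issue 3
ROTATE_AFTER = timedelta(days=365)    # assumed threshold for issue 7
NON_PROD = {"dev", "test", "uat"}     # assumed naming of non-production environments


def _age(iso_date, today):
    """Time since an ISO date, or None when no information was recorded."""
    return None if iso_date is None else today - date.fromisoformat(iso_date)


def assess(nhi, today):
    """Return the list of Top-10 issues that apply to one inventory record."""
    findings = []
    used = _age(nhi["last_used"], today)
    if used is None or used > STALE_AFTER:
        findings.append("STALE")                # issue 3: inactive, or never seen in use
    if not nhi["owner"]:
        findings.append("NO_OWNER")             # issue 4: nobody to contact
    changed = _age(nhi["pwd_changed"], today)
    if changed is None or changed > ROTATE_AFTER:
        findings.append("ROTATION_OVERDUE")     # issue 7: unknown or old credential age
    envs = set(nhi["envs"])
    if "prod" in envs and envs & NON_PROD:
        findings.append("ENV_MIXED")            # issue 8: same NHI in prod and non-prod
    if len(nhi["apps"]) > 1:
        findings.append("SHARED_ACROSS_APPS")   # issue 9: one credential, many apps
    return findings


def report(inventory, today):
    """Map each NHI name to its findings (empty list = no issue found)."""
    return {n["name"]: assess(n, today) for n in inventory}


if __name__ == "__main__":
    for name, issues in report(INVENTORY, AS_OF).items():
        print(f"{name:14} {', '.join(issues) or 'ok'}")
```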

What's in your Top 10?

Want to know more? View our white paper on Managing Non-Human Identity Risks, which covers these risks in much more detail, or watch our Animated Video above.