Takeaways from the discussion on NHIs with Lalit Choda and Heather Flanagan on Episode 78 of Identerati Office Hours
⚡Naming is unclear: the industry likes NHI–because it conveys the gravity and everyone sort of knows what you mean; but we also say “workload”, “software”, “ai agent”, and other terms.
⚡Size of the challenge is unclear: no one has done a census of workload identities. If each app on each device is unique, the numbers start to add up quickly. Even more identities act on behalf of an enterprise versus a person.
⚡ Like for humans, non-human identity requires proofing (“has the software been changed and should I trust it to interact?”), authentication (“is this the same piece of software I proofed”), authorization (“what is the privilege level of this authenticated entity”) and governance (“why does this NHI need this level of access”). There is little enterprise IT tooling to address these NHI challenges, but a number of cybersecurity startups and encumbents are coming to the rescue!
⚡ Assuming we properly proof and authenticate an NHI, it’s a real challenge for enterprises to understand what that NHI is entited to do, and WHY. Mike worries that there is a disconnect between what the company leadership expects and assumes about its cybersecurity posture, and the reality of the challenges faced by the IT team.
⚡ Standards are just evolving to address this challenge. OpenID Connect does a great job mapping person identity. OpenID is built on OAuth. But the OAuth WG can’t address all the issues raised by software identity. So other entire workgroups are forming at the IETF to address workload identity (WIMSE), provenance (SCITT)and even how identity systems themselves should interoperate (SPICE).
⚡ Yes, AI adds a new existential dimension to NHI management. How will enteprises and people set the boundaries in which the AIs acting on their behalf may transact? This will put stress on all the joints of the NHI ecosystem–proofing, authentication, authorization and goverance.
⚡ “Attestation” is the esoteric word of the year in 2024. “Attestations” enable a workload to assert what’s true about themselves: I’m this kind of workload, running on this hardware, presenting these JWTs that represent certain authorizations and information. And the attestation may also include a public key that allows me to authenticate if I return.
⚡ What is an identity? The derivation of the word is from the late “idem” meaning “same”. So it’s interesting that in the IT space, we use identity to mean uniqueness, when the rest of the world associates it with things that we share. And having an identifier does not mean you have an identity–my house has a unique address, but it doesn’t have agency. So an identity is something that has a unique identifier, that transacts?
View the full podcast here.
