
Evan Schuman
Contributor

NHIs may be your biggest — and most neglected — security hole

Because IT has so little visibility into non-human identities, attackers are increasingly seeking them out as ultra-easy onramps to everything of value in your enterprise. The solution? Stop treating NHIs as though they are another human end-user.


Non-human identities (NHIs) have been a staple of enterprise IT for decades. Giving digital components credentials to access IT networks and devices, as IT would a human user, is key to ensuring complex IT systems can operate.

But as the number of NHIs has soared in the past few years, the threat landscape NHIs present has become orders of magnitude larger. And the biggest cybersecurity nightmare about NHIs is not just that their numbers have skyrocketed. The much larger problem is that they now exist in environments where cybersecurity teams typically have zero control and just as little visibility.

NHIs lurk deeply within all kinds of clouds, authorized, shadow, SaaS, AI, or otherwise. They proliferate across remote sites (home offices in particular), throughout IoT/IIoT networks, and via third-party partners, mobile devices, and backup/disaster recovery services, to name just a few domains where NHIs are steeply rising, in many cases where cybersecurity teams can’t fully track them.

“We have decided that humans are the weakest link, so we have begun to transfer more responsibility to the robots/NHI,” says Brian Levine, managing director at Ernst & Young for cybersecurity strategies. “As we do that, however, the bigger prize becomes compromising the robots, so the criminals shift their focus as well.”

Levine says that this “weaponization of the authenticated agent” is problematic because it “already has access to every single file on the network.” Also, the typical defense mechanisms — such as sharply shrinking session durations — are proving to be ineffective as we approach 2025.

“It doesn’t take very long for these guys — the attackers — to do what they need to do,” he says.

NHIs present escalating security issues and practical dilemmas

Dwayne McDaniel, developer advocate at GitGuardian, argues that the speed of new NHIs being deployed in enterprise environments is easily overwhelming existing defenses. He estimates that for many enterprises, NHIs outnumber human identities 45 to 1 — a ratio all but certain to become even more lopsided.

“We are not putting out new governance models nearly fast enough to manage all of these credentials. Today, the easiest way to move laterally is discovering these hardened plaintext credentials. And the problem is getting exponentially worse,” McDaniel says. “Scripts designed to find these hardcoded credentials, that is the playbook for 2024 [cyberattacks]. We are making it much easier for an attacker to literally own everything.”

Many have argued that the only clean fix for NHI is implementing true zero trust across the enterprise’s global threat landscape. Realistically, that goal is many years away, assuming it happens at all.

But any near-term fix must deal with the inherent contradiction of locking down mechanisms that need to effortlessly interact with one another. Every effort to boost NHI security, some have argued, interferes or even blocks the NHI’s ability to do its job.


“Modern applications must allow intersystem communication to function,” McDaniel says. “Addressing machine identities … can’t mean completely locking down systems and developers’ ability to allow machine-to-machine interactions. After all, the A in the CIA triad stands for availability. Disrupting build pipelines in the name of security means we are doing it wrong.”

“While Zero Trust is a great buzzword,” he adds, “we really must balance this ideal with the reality of the business: The app running in the first place overrides security — every time.”

Worse, the volume of NHIs is changing so quickly that security teams often cannot keep up. McDaniel says that when his team alerts an enterprise that an NHI has been compromised, “the reality is that 90% of them are still valid five days after we report it.”

One easy fix, McDaniel says, is for CISOs and CIOs to stop treating NHI policies the same as human policies. The nature of NHI means that far more stringent authentication can be applied compared to rules for human end-users.

“Humans hate changing passwords. Machines don’t care,” he says.

Most cybersecurity specialists were never meaningfully trained in protecting NHI or defending against NHI-fueled attacks, adds Michael Isbitski, a security consultant and former Gartner analyst.

“Security principles tend to be taught around human identities,” Isbitski says, adding that NHI attacks are generally two-phase. “There is the initial attack vector and then there is the pivot attack, often via lateral movement. They tend to rabbit hole in secrets management, certificates, API keys. It’s a tough problem.”

The credential conundrum

“Attackers know that logs contain all types of sensitive data. Regulated data exposure such as health records or financial records are certainly a treasure trove. But so too are the credentials or secrets used to authenticate users and machines, including API integrations,” Isbitski points out. “If an attacker can’t find those pieces of data, then session identifiers can be just as handy for session hijacking/replay attacks.”

Here, Isbitski says that implementing MFA is a best practice — but that it’s “incredibly difficult at scale.”

“For human identities, [MFA] creates usability challenges; for machine identities, it creates integration challenges,” he says. “What do you use for an additional challenge in machine flows and how do you automate authentication and authorization? Implementations often end up using hardcoded secrets like API keys or digital certificates that are still vulnerable to compromise.”

Cloud environments — in all their various forms — are another big part of the NHI problem, both in terms of lack of control as well as lack of visibility. And the farther removed clouds are from direct IT control, such as SaaS and third-party partners’ clouds, the worse the NHI problem gets.

The NHI problem is “more challenging in cloud environments, with third-party interactions, IoT deployments, and at remote sites,” says Michael Tsai, the head of product at SaaS management platform Zluri. “The nature of these distributed environments makes it hard to keep centralized control and visibility over NHIs. Third-party NHIs might not be under your direct control, which makes consistent access policies difficult to enforce.”

IoT devices, for example, often offer limited options for access controls, Tsai points out. Moreover, NHIs local to remote sites may be hard to monitor from a central location.

“To address these challenges, organizations can implement additional measures like centrally managing and frequently rotating NHI credentials, closely monitoring authentication attempts and access patterns to detect anomalies, segmenting networks to isolate high-risk NHIs and limit lateral movement if compromised, and extending PoLP [principle of least privilege] and auditing practices to third-party and remote NHIs as much as possible,” he says.

Doing so, however, is going to force IT to make some difficult decisions, such as giving up some of the time savings that NHIs bring to network management.

“We often put our mental focus on the wrong thing. It’s not just, ‘How do I rotate keys and API tokens?’ It’s, ‘How do I use them and keep them safe? How do I secure the keys while maintaining usability?’” says Mike Wiacek, CEO of threat detection platform Stairwell. “Maybe I should not be running this script as sysadmin? Maybe it should be running as a cloud virtual machine — and even then, only for 30 seconds at a time?”

Another problem is that an NHI is often unknown to much of the network and security staff. In other words, if an unrecognized NHI is discovered by staff, many are hesitant to do anything because they don’t know what it is supposed to be doing.

“They are scared to delete it because they have no idea what will break if they do,” says Morey Haber, chief security advisor for identity management vendor BeyondTrust.

Can third-party NHI be controlled?

Tomer Filiba, CTO at Sweet Security, says the blind spots around NHI use are the real problem.

“Consider a developer that connects some third-party SaaS integration to your organization’s GitHub repository, or a productivity tool that’s granted permission to access your Google Drive. In these cases, a new NHI in the form of an access token would have been created, which delegates access on behalf of the human user. CISOs will have no knowledge of this,” Filiba says.

“Now consider this third-party provider has a data breach and these access tokens get stolen. The threat actor may now connect to your GitHub or Google Drive, on behalf of the employee that granted the access, and leak all your code or documents,” he explains. “Sure, some access tokens are short lived — valid for several hours or days — but some are not and CISOs have no control over that. It’s up to the third-party provider and GitHub to determine how long the token is valid for.” 

As a result, getting a handle on your exposure once a third-party provider is breached is critical, Filiba says. “You can revoke access for certain users or services, to prevent threat actors from making use of their stolen credentials, but you risk breaking production systems — revoking GitHub tokens might break your CI/CD pipelines — and given the sheer number of access tokens in circulation, even the best players might miss one.”

Another popular NHI defense is network segmentation, but John Cunningham, CISO of identity protection platform Silverfort, argues that network segmentation rarely works anymore.

“Network segmentation is not enough because both human and non-human identities bridge network segments, effectively negating the intended goal of segmentation. Whitelist how and when NHI identities can access sensitive resources,” Cunningham says. “This should be based on factors such as isolating access based on source and destination IP addresses, network segments (VLANS), time, and other heuristic factors. From there, teams should actively monitor for deviations. Unlike user accounts, NHI should be highly predictable. There should be a well-known pattern of access.”
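Both Tsai’s advice to monitor authentication attempts and access patterns for anomalies and Cunningham’s point that an NHI should have a well-known pattern of access (source, destination, time) come down to the same check. The script below is an added illustration, not code from the article or from any vendor quoted in it: each NHI gets a baseline of expected source networks, destinations and an hours-of-day window, and every authentication event is tested against it. The identities, log format and policies are constructed for the example.

```python
"""Baseline-and-deviation check for non-human identity (NHI) access.

Added example (not from the article). Each NHI is given an allowlist of
expected source networks, destinations and a UTC time window; every
authentication event is checked against it and deviations are reported.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NhiPolicy:
    source_nets: tuple        # CIDRs the NHI is expected to connect from
    destinations: frozenset   # services it is allowed to reach
    hours: tuple              # (start_hour, end_hour) inclusive, UTC


# Constructed policies for two hypothetical identities.
POLICIES = {
    "svc-backup": NhiPolicy(("10.20.0.0/24",), frozenset({"db-prod"}), (1, 3)),
    "ci-deploy": NhiPolicy(("10.30.1.0/24",), frozenset({"github", "registry"}), (0, 23)),
}


def parse_event(line):
    """Parse a constructed 'timestamp identity source_ip destination' log line."""
    ts, identity, src, dst = line.split()
    return datetime.fromisoformat(ts), identity, ip_address(src), dst


def deviations(line, policies=POLICIES):
    """Return the reasons an event departs from its NHI's baseline (empty = conforms)."""
    ts, identity, src, dst = parse_event(line)
    policy = policies.get(identity)
    if policy is None:
        return ["unknown NHI"]          # nobody can say what it is supposed to do
    reasons = []
    if not any(src in ip_network(n) for n in policy.source_nets):
        reasons.append(f"source {src} outside expected networks")
    if dst not in policy.destinations:
        reasons.append(f"destination {dst} not allowlisted")
    start, end = policy.hours
    if not start <= ts.hour <= end:
        reasons.append(f"hour {ts.hour:02d} outside window {start:02d}-{end:02d}")
    return reasons


# Constructed sample log: one normal event, one that looks like a pivot, one unknown identity.
SAMPLE_LOG = [
    "2024-06-01T02:15:00 svc-backup 10.20.0.7 db-prod",
    "2024-06-01T14:02:00 svc-backup 203.0.113.9 file-share",
    "2024-06-01T09:00:00 svc-unknown 10.20.0.8 db-prod",
]


def scan(lines=SAMPLE_LOG):
    """Map each flagged log line to its deviation reasons."""
    return {line: r for line in lines if (r := deviations(line))}
```

The second sample line trips all three checks at once, which is the shape a compromised backup credential being reused from outside the network would take; the third shows why an unrecognised NHI should be flagged rather than ignored.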

Sometimes, powerful NHIs are given far fewer restrictions than their human counterparts. As observed by Anusha Iyer, CEO of API security management vendor Corsha: “We know that static passwords are insufficient proxies for identity when it comes to humans, so why do we default and accept that with NHI?”


Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek, Computerworld and eWeek and his byline has appeared in titles ranging from BusinessWeek, VentureBeat and Fortune to The New York Times, USA Today, Reuters, The Philadelphia Inquirer, The Baltimore Sun, The Detroit News and The Atlanta Journal-Constitution. Evan can be reached at eschuman@thecontentfirm.com and he can be followed at http://www.linkedin.com/in/schumanevan/. Look for his blog twice a week.

The opinions expressed in this blog are those of Evan Schuman and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
