
Why NHI lifecycle governance must start at provisioning: Secure access from day one


In this summary of a recent SC webcast, Hans Vargas-Silva, Data Protection Lead - Cybersecurity Governance at Marathon Petroleum Corporation, Shahar Zaguri, Director of Product Management at Oasis Security, and host Adrian Sanabria discuss the critical importance of automating lifecycle management for non-human identities, starting at the point of provisioning.

Understanding non-human identities

Non-human identities (NHIs) have become a critical component of organizational infrastructure. These digital identities represent software services, machines, and automated systems that operate without direct human intervention.

Vargas-Silva described NHIs as a growing phenomenon driven by automation and technological advancement. NHIs encompass a wide range of digital entities, including service accounts, API keys, bots, scripts, and agentic AI systems.

Zaguri explained that these identities are essential for authenticating and accessing resources, enabling complex technological processes.

For instance, a Google Cloud Platform service account might allow an application to read or write to a storage bucket, while a GitHub Actions workflow could use an API to deploy code to AWS.

Governance and security challenges

The proliferation of non-human identities presents significant governance and security challenges. With estimates suggesting up to 30 non-human identities for every human identity, organizations face unprecedented complexity in managing digital access and potential vulnerabilities.

From a cybersecurity perspective, these identities can be particularly problematic. Sanabria noted that from a penetration testing standpoint, non-human identities often represent potential entry points for malicious actors. The lack of direct human oversight means these accounts can become hidden pathways for unauthorized access.

Vargas-Silva emphasized the critical importance of visibility in NHI governance. Without proper monitoring and management, he said, these digital identities can create significant security risks.

The key challenges include tracking, managing, and securing these accounts throughout their lifecycle.

As organizations continue to embrace automation and cloud technologies, understanding and effectively managing non-human identities will become increasingly crucial.

This requires a comprehensive approach that combines robust security protocols, continuous monitoring, and adaptive governance strategies.

The future of digital security lies in our ability to understand, control, and protect these complex non-human identity ecosystems.

Bill Brenner

InfoSec content strategist, researcher, director, tech writer, blogger and community builder. Senior Vice President of Audience Content Strategy at CyberRisk Alliance.
