Episode 066: 11‐19‐2024 Demystifying Non‐Human Identity Management - GluuFederation/identerati-office-hours GitHub Wiki
Title: Demystifying Non-Human Identity Management
- Host: Mike Schwartz, Founder/CEO Gluu
- Guest: Ryan Bradley, Head of Product at Natoma
- Co-Host: Karl McGuiness, ex-Okta Chief Product Architect
Description
In today’s digital landscape, the rise of Cloud, SaaS, Generative AI, and data-driven automation has led to the proliferation of Non-Human Identities (NHIs) within organizations. These digital entities—such as service accounts, access keys, and API tokens—play a crucial role in driving business operations, but also introduce a growing attack vector. Mismanaged NHIs have contributed to 85% of security breaches, including ransomware attacks, where weak NHIs are exploited to access critical data. Organizations need an enterprise-wide Non-Human Identity strategy, without which they risk exposing themselves to security breaches or outages originating from inefficient administration of NHIs. Join the conversation to discuss best practices for discovering, securing, and managing the Non-Human Identities in your environment.
Homework
Two Natoma Blogs:
- Top 5 Questions About Non-Human Identities
- What are Non-Human Identities?
- Whitepaper: Machine-to-Machine Identity Maturity: A Model for Securing Non-Human Actors
Takeaways
⚡ IDM is an enterprise business process around managing access for a person (employee, contractor, etc.). But no equivalent process exists for managing access for entities that have access but are not human. And many of these "non-humans" are also "privileged". A large number of cybersecurity exploits involve a compromised non-human identity.
⚡ Natoma's maturity model does a nice job classifying where businesses are on this NHI management journey. Sharing account credentials in Skype? That's level 0. Using dynamic client registration, asymmetric authentication, and a SPIFFE ID in your mTLS certificate: level 4, be proud--your enterprise is a "Visionary".
⚡ It's important to rotate secrets--especially if you shared your NHI credentials with a third party but failed to revoke them when the relationship ended.
⚡ Identity Management includes technical details like how to identify an NHI (i.e. what identifier to use) and what kind of credentials the NHI uses to authenticate. But NHI management also includes how to govern use of the NHI and how to manage risk. Just like we need new tools to manage NHIs, we also need new rules to limit the blast radius of a potential compromise.
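The "level 4" takeaway above names a SPIFFE ID carried in an mTLS certificate as the identifier for a workload, and the last takeaway asks what identifier to use and how to limit blast radius. The following is an added example, written for this page and not code from the episode, from Gluu, or from Natoma: a stdlib-only Python validator that parses a SPIFFE ID according to the format rules of the SPIFFE-ID standard (spiffe:// scheme, lowercase trust domain, no empty, "." or ".." path segments, no trailing slash, no query or fragment) and then authorizes it against a per-trust-domain allow-list of path prefixes. The allow-list structure, the `is_authorized` helper and every sample ID are assumptions constructed for the example; in a real deployment the ID would be read from the URI SAN of the peer's verified client certificate.

```python
"""Validate and authorize SPIFFE IDs presented by non-human identities (NHIs).

Added example for this wiki page; not part of the episode, Gluu or Natoma
material. Pure standard library so it runs offline.
"""
from dataclasses import dataclass

SCHEME = "spiffe://"
MAX_LEN = 2048  # upper bound on the whole ID, per the SPIFFE-ID standard
TRUST_DOMAIN_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789._-")
PATH_SEGMENT_CHARS = TRUST_DOMAIN_CHARS | set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")


@dataclass(frozen=True)
class SpiffeId:
    trust_domain: str
    path: str  # "" for a bare trust-domain ID, otherwise begins with "/"


def parse_spiffe_id(raw: str) -> SpiffeId:
    """Parse a SPIFFE ID string strictly; raise ValueError on any deviation."""
    if len(raw) > MAX_LEN:
        raise ValueError("SPIFFE ID exceeds maximum length")
    if not raw.startswith(SCHEME):  # scheme must be exactly lowercase spiffe://
        raise ValueError("scheme must be spiffe://")
    rest = raw[len(SCHEME):]
    trust_domain, slash, tail = rest.partition("/")
    if not trust_domain or set(trust_domain) - TRUST_DOMAIN_CHARS:
        raise ValueError("invalid trust domain (lowercase a-z, 0-9, '.', '_', '-' only)")
    if not slash:
        return SpiffeId(trust_domain, "")  # a trust-domain ID with no path is valid
    for segment in tail.split("/"):
        if segment == "":
            raise ValueError("empty path segment (double or trailing slash)")
        if segment in (".", ".."):
            raise ValueError("relative path segments are not allowed")
        if set(segment) - PATH_SEGMENT_CHARS:
            # also rejects '?' and '#', so query strings and fragments never parse
            raise ValueError(f"illegal character in path segment {segment!r}")
    return SpiffeId(trust_domain, "/" + tail)


def is_valid_spiffe_id(raw: str) -> bool:
    """Boolean convenience wrapper around parse_spiffe_id."""
    try:
        parse_spiffe_id(raw)
        return True
    except ValueError:
        return False


def is_authorized(sid: SpiffeId, policy: dict[str, list[str]]) -> bool:
    """Allow an ID only if its trust domain is known and its path sits under an
    allowed prefix. Prefixes match whole segments, so "/billing" does not match
    "/billing-admin". (Policy format is an assumption made for this example.)"""
    for prefix in policy.get(sid.trust_domain, []):
        if sid.path == prefix or sid.path.startswith(prefix + "/"):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample IDs and a constructed policy for a demo run.
    policy = {"prod.example.org": ["/billing", "/inventory/sync"]}
    samples = [
        "spiffe://prod.example.org/billing/worker",   # allowed
        "spiffe://prod.example.org/billing-admin",    # valid ID, but not under /billing
        "spiffe://dev.example.org/billing/worker",    # unknown trust domain
        "spiffe://Prod.example.org/billing",          # uppercase trust domain: malformed
        "spiffe://prod.example.org/billing/../admin", # path traversal attempt: malformed
    ]
    for raw in samples:
        if not is_valid_spiffe_id(raw):
            print(f"REJECT (malformed)   {raw}")
            continue
        verdict = "ALLOW" if is_authorized(parse_spiffe_id(raw), policy) else "DENY"
        print(f"{verdict:<20} {raw}")
```

Parsing strictly before authorizing is the point: a lenient parser that tolerated "..", a trailing slash, or mixed-case trust domains would let two differently spelled IDs map to the same workload, and the allow-list would then be checked against the wrong string. Keeping the policy keyed by trust domain and path prefix is also what bounds blast radius: a compromised certificate for `/billing/worker` is not usable to reach paths outside `/billing`.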