Episode 078: 01‐14‐2025 The 2025 NHI Cybersecurity Landscape - GluuFederation/identerati-office-hours GitHub Wiki
Title: The 2025 NHI Cybersecurity Landscape
- Host: Mike Schwartz, Founder/CEO Gluu
- Guest: Lalit Choda, Founder of Non-Human Identity Mgmt Group
- Guest: Heather Flanagan
Description
Beware the threat of unmanaged Non-Human Identity! Join us for a discussion on what you need to know to survive the coming apocalyptic reckoning of unconstrained machine access!
- 🧑💻 What are Non-Human Identities
- ⏰ Why Now – Why Should You Be Concerned
- ♻️ Key Lifecycle Processes for managing NHI Risks
- ⚖️ Regulatory Perspective
- 📏 Standards, e.g. SPIFFE/SPIRE, WIMSE ...
- 📊 The NHI Market
- 🔮 2025 Outlook and Predictions
Homework
- ID-Pro article: Revisiting Non-Human Identity by Heather Flanagan
- Understanding NHIs: Key Differences Between Human and Non-Human Identities by Heather Flanagan
- The Ultimate Guide To Non-Human Identities by Lalit Choda, NHI Mgmt Group
- Podcast: Non-Human Identities - The Silent Risk in Cloud Security | Access Granted: Episode 6
Takeaways
⚡ Naming is unclear: the industry likes "NHI"--because it conveys the gravity and everyone sort of knows what you mean; but we also say "workload", "software", "AI agent", and other terms.
⚡ Size of the challenge is unclear: no one has done a census of workload identities. If each app on each device is unique, the numbers start to add up quickly. Even more identities act on behalf of an enterprise than on behalf of a person.
⚡ Like for humans, non-human identity requires proofing ("has the software been changed, and should I trust it to interact?"), authentication ("is this the same piece of software I proofed?"), authorization ("what is the privilege level of this authenticated entity?") and governance ("why does this NHI need this level of access?"). There is little enterprise IT tooling to address these NHI challenges, but a number of cybersecurity startups and incumbents are coming to the rescue!
⚡ Assuming we properly proof and authenticate an NHI, it's a real challenge for enterprises to understand what that NHI is entitled to do, and WHY. Mike worries that there is a disconnect between what the company leadership expects and assumes about its cybersecurity posture, and the reality of the challenges faced by the IT team.
⚡ Standards are just evolving to address this challenge. OpenID Connect does a great job mapping person identity. OpenID Connect is built on OAuth, but the OAuth WG can't address all the issues raised by software identity. So other entire working groups are forming at the IETF to address workload identity (WIMSE), provenance (SCITT) and even how identity systems themselves should interoperate (SPICE).
⚡ Yes, AI adds a new existential dimension to NHI management. How will enterprises and people set the boundaries within which the AIs acting on their behalf may transact? This will put stress on all the joints of the NHI ecosystem--proofing, authentication, authorization and governance.
⚡ "Attestation" is the esoteric word of the year in 2024. Attestations enable a workload to assert what's true about itself: I'm this kind of workload, running on this hardware, presenting these JWTs that represent certain authorizations and information. And the attestation may also include a public key that allows me to authenticate if I return.
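To make the attestation takeaway concrete, here is an added example (not from the episode, not SPIFFE/SPIRE or WIMSE code, and not their wire format): a constructed attestation document carrying "kind of workload", "hardware" and a bound public key, signed by a trusted attester, and a later challenge where the workload proves it holds that key when it returns. The identifier, hardware label and nonce are made-up sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Attestation is a constructed, simplified document (not the SPIFFE/SPIRE or WIMSE wire
// format): claims about the workload plus the public key it will use when it returns,
// all signed by an attester the verifier already trusts.
type Attestation struct {
	WorkloadID string `json:"workload_id"` // hypothetical SPIFFE-style identifier
	Kind       string `json:"kind"`        // "I'm this kind of workload"
	Hardware   string `json:"hardware"`    // "running on this hardware"
	PublicKey  []byte `json:"pub"`         // ed25519 key bound to these claims
}

// SignedAttestation is the serialized claims plus the attester's signature over them.
type SignedAttestation struct{ Doc, Sig []byte }
// Attest is the attester's side: serialize the claims and sign exactly those bytes.
func Attest(attester ed25519.PrivateKey, a Attestation) SignedAttestation {
	doc, _ := json.Marshal(a) // only strings and a byte slice; cannot fail
	return SignedAttestation{Doc: doc, Sig: ed25519.Sign(attester, doc)}
}

// VerifyAttestation accepts the claims only if the trusted attester's signature checks out.
func VerifyAttestation(trusted ed25519.PublicKey, s SignedAttestation) (Attestation, bool) {
	var a Attestation
	if !ed25519.Verify(trusted, s.Doc, s.Sig) || json.Unmarshal(s.Doc, &a) != nil {
		return Attestation{}, false
	}
	return a, true
}

// ProveReturn: when the workload comes back, it signs the verifier's fresh nonce with the bound key.
func ProveReturn(workload ed25519.PrivateKey, nonce []byte) []byte { return ed25519.Sign(workload, nonce) }
// VerifyReturn checks that proof against the public key carried in the verified attestation.
func VerifyReturn(a Attestation, nonce, sig []byte) bool {
	return len(a.PublicKey) == ed25519.PublicKeySize && ed25519.Verify(a.PublicKey, nonce, sig)
}

func main() {
	attPub, attPriv, _ := ed25519.GenerateKey(rand.Reader) // the attester's trust root
	wlPub, wlPriv, _ := ed25519.GenerateKey(rand.Reader)   // the workload's own key pair
	claims, ok := VerifyAttestation(attPub, Attest(attPriv, Attestation{"spiffe://example.org/payments", "container", "tpm-node-7", wlPub}))
	nonce := []byte("constructed-nonce") // in practice random per challenge
	fmt.Println(ok, claims.Kind, VerifyReturn(claims, nonce, ProveReturn(wlPriv, nonce)))
}
```

The two checks are deliberately separate: the attester's signature answers "should I trust these claims", and the nonce proof answers "is this the same workload that was attested", so a copied attestation document without the private key buys an attacker nothing on return.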
⚡ What is an identity? The word derives from the Latin "idem", meaning "same". So it's interesting that in the IT space we use identity to mean uniqueness, when the rest of the world associates it with things that we share. And having an identifier does not mean you have an identity--my house has a unique address, but it doesn't have agency. So an identity is something that has a unique identifier and that transacts?