They’re out there, everywhere. Authenticating services and resources. Carrying on silent conversations. Executing tasks and supporting workflows. Often designed to resemble or behave like us, they’re “less than human” enough to not raise alarms while lurking comfortably in the shadows.
Far from sinister, however, nonhuman identities (NHIs) have been a boon to businesses navigating a changing world. With the evolution and proliferation of operational technologies — from cloud-based platforms, AI and DevOps automation and integration to the Internet of Things (IoT) — consumer and manufacturing organizations are relying increasingly on digital “workers” to automate, streamline, deliver quickly and reliably, and drive collaboration and communication between teams, operations and consumers.
From service accounts and scripts to APIs, bots and smart devices, NHIs are increasingly functioning like digital employees. In today’s grocery and retail experiences, for example, NHIs help track real-time inventory across multiple vendors, suggest product substitutes, manage personalized shopping lists and coordinate delivery logistics. To do this well, they require broad and continuous access to sensitive systems and data — often more than a human user.
When it comes to modern business operations, NHIs are everywhere — and seemingly nowhere at the same time. But every time your website talks to a payment gateway, your mobile app connects to a product database or your AI engine runs — there’s a digital identity at work. Each has its own login, key, token or certificate validating credentials and approving access to vital information.
Often unnoticed and rarely tracked or reviewed, they can stay active for years, with more widespread and privileged access than most organizations would care to admit. When poorly secured, the thousands of NHI touchpoints create vulnerable blind spots and easier targets for threat actors to penetrate. It only takes one compromise, a single unmanaged or undetected opening — like a leaked API key, an expired certificate or an account whose password hasn’t been rotated in years — to open the floodgates of unauthorized access and initiate a data breach or system outage. That one incident can have serious and long-term effects on your reputation and your customers’ trust.
According to a recent study, NHIs outnumber human identities 50 to 1. The same study reveals that 40% of cloud NHIs don’t have an identified owner, and only 5.7% of organizations have a clear picture of all NHIs in their environment.[2] These stats make it clear that NHIs are underobserved, underprotected and overprivileged.[3]
Whether you are working with an AI stylist to find the best clothes for your shape or colouring, or allowing a behind-the-scenes bot to track your purchases, exchanges or available items with an online retailer, security against intrusion, today and into the future, will be of paramount importance.
Compromised NHIs — especially service accounts — play a crucial role in lateral movement within a network. Attackers use these accounts to gain access to multiple machines and execute ransomware payloads. For example, a ransomware gang called Hellcat exposed NHI credentials for a retail company.
Securing your NHIs has become as critical as safeguarding access by your employees.
In a recent executive survey by SailPoint, 54% of executives polled admitted that inappropriate access granted to a nonemployee or nonhuman resulted in a severe security issue, including the loss of control of the company’s resources, data loss, compromised intellectual property or a direct security breach.[4]
To protect data and operations going forward, it will be critical that NHIs be detectable, closely monitored and securely managed. If they’re not, the impacts of leaks and extortionist demands may very well start to feel apocalyptic.