CSO:
Identity and access management (IAM) is so critical to cybersecurity that it has generated such universal axioms as “identity is the new perimeter” or “hackers don’t hack in, they log in” to underscore its importance.
That’s not surprising when reputable sources such as the Verizon Data Breach Investigations Report routinely name compromised credentials as a core attack vector for incidents and data breaches. Universal concern over IAM has led to an industry-wide push towards zero trust and the dissolution of the legacy network perimeter model in cybersecurity.
The discussion around IAM commonly focuses on securing usernames and passwords and identities associated with human users. But non-human identities (NHI) — digital and machine credentials associated with apps, devices, or other automated systems — have a vastly outsized access footprint compared to that of humans.
Non-human identities outnumber humans by as much as 50 to 1
Some organizations have found that for every 1,000 human users, they typically have 10,000 non-human connections or credentials — in some cases, NHIs can outnumber human identities by as much as 50 to one. NHIs may include identity types such as service accounts, system accounts, IAM roles, and other machine-based identities used to facilitate authentication activities in an enterprise, and are oriented around API keys, tokens, certificates, and secrets.
We also know that secrets continue to be a rapidly growing challenge in the age of cloud-native environments and methodologies, with millions of secrets being detected in scans of public GitHub repositories and thousands exposed in data breaches, such as that suffered by Samsung.
This explosion in NHIs has been led by factors such as the push towards microservices, Kubernetes clusters and containers, cloud integrations and automation, and the proliferation of third-party SaaS services that organizations are consuming.
Read more:

What are non-human identities and why do they matter?
When digital systems need access and permissions, they require credentials just like human beings. These non-human identities allow many components of complex systems to work together but present significant security issues.
