How does Non-Human Identity Complement Privileged Access Management for 360-degree security?

Marta Dern

Marta Dern

Product Marketing

Published on

April 25, 2024

As we engage with customers – across the board, from IAM professionals to CISOs —, a common question we come across is: "I use my Privileged Access Management (PAM) solution to manage administrator cloud accounts; why can't I use it for service accounts, too?". The short answer is that PAM solutions weren't originally designed with this dual purpose in mind. However, that oversimplifies things. The reality is more nuanced when considering the different requirements and use cases involved. Allow me to elaborate.

The role of PAM in the IAM Stack 

Privileged Access Management (PAM) solutions, offered by vendors such as CyberArk, BeyondTrust, and Delinea, are designed to secure, control, and monitor the activities of human privileged users, such as administrators, root users, and generic accounts with broad access rights, ensuring only authorized personnel can access sensitive data and infrastructure.  

At their core, PAM systems integrate with the organization's authoritative identity sources, such as Human Resources (HR) systems and Active Directory (AD), to comprehensively understand human identities and their associated privileges. By enforcing access policies, managing credentials, and providing granular auditing capabilities, PAM solutions mitigate the risk of insider threats and unauthorized access to sensitive data and infrastructure. Ultimately, PAM systems act as the centralized control plane for governing privileged human access across the enterprise environment. 

Privileged Access Management

Why can't NHIs be managed effectively by PAMs? 

Now that we understand the core architectural principles of PAM, it will be easy to understand why they cannot effectively handle non-human identities (NHIs) like service accounts, API keys, secrets, etc. TLDR: NHIs have fundamentally different characteristics and lifecycle compared to human identities for which PAMs were designed.  

With the shift towards cloud computing, the embrace of modern architectures, and the adoption of agile methodologies, the number of non-human identities has exploded, outpacing human identities by a factor of 10-50x. This exponential growth of NHIs has redrawn the boundaries of the identity perimeter, exposing a vast and rapidly expanding attack surface. The security implications are substantial. NHIs often possess privileged access yet lack robust authentication measures like multi-factor authentication (MFA), making them prime targets for adversaries seeking initial entry points and opportunities for lateral movement.  

Unlike human users who are provisioned from an authoritative source such as HR databases or Active Directory, NHIs lack a centralized record system. They are often created in an ad-hoc, distributed manner by developers and DevOps teams directly within cloud platforms, Kubernetes clusters, CI/CD pipelines, and other modern infrastructure. This distributed provisioning process results in NHIs being spun up on demand without going through standardized IT workflows. The lack of an authoritative source of truth, combined with how and by whom (developers) NHIs are created, fundamentally breaks the data model and governance frameworks upon which traditional PAM tools were built.  

As a result, PAM solutions struggle to gain full visibility into the NHI landscape, track their lifecycle, and understand the rich context around them – such as their relationships to applications, data, and other resources they access. Without this contextual awareness, PAM tools cannot effectively manage and secure the rapidly growing number of NHIs. 

Adding to the complexity is that NHIs often have multiple consumers, unlike human identities which are typically used by a single individual. Compounding the challenge is the lack of standardization of NHI types and formats across different cloud providers and technology stacks. AWS service accounts differ from Azure service principals, which differ from GCP service accounts, for example. PAM solutions designed around traditional data center resources struggle to natively understand and control this new cloud identity landscape. Furthermore, some NHIs function more like API keys—simple authentication mechanisms that may be used across a variety of platforms—adding another layer of diversity and complexity to their management.

Moreover, the ownership and relationships between NHIs and the business applications they access are often unknown or undocumented. An NHI may be bound to provide access to one microservice but then proliferate across teams to run batch jobs, utilities, and other processes. PAM solutions lack insight into these intricate dependencies and complex web of relationships that NHIs form across cloud infrastructure.  

Ultimately, PAM platforms were built on the assumption of managing dedicated, long-lived privileged accounts mapped to individual human identities and following well-structured provisioning workflows. In contrast, most NHIs are ephemeral, infused throughout dynamic infrastructure, and born outside of legacy identity processes. Their privileged nature and lack of centralized control make them invisible to PAM solutions. 

 

Complement your PAM tool with the Oasis platform for NHI Management  

To truly secure your expanding identity perimeter, you need a new approach - one that complements existing PAM investments with a purpose-built solution for Non-Human Identity Management (NHIM) like Oasis.  

Oasis is designed for NHIs from the ground up. In Oasis, NHIs are first class citizens, which results in drastically better visibility and more efficient operations. Because of the scale and dynamic nature of NHIs, Oasis has been built with powerful analytics that can process data from a wide range of systems (clouds, Paas, Saas, Secret managers, DSPM, ASPM...) to automatically discover all NHIs in your environment along with rich contextual metadata on consumers, resources, ownership, etc. To manage NHI efficiently at scale, automation is key. To make posture management actually possible, Oasis comes with a built-in Context Correlation Engine that automatically assesses and ranks issues according to configurable policies and provides tailored remediation plans that can be executed automatically.

The out-of-the-box automation coupled with the contextual visibility, allow to address complex use cases like secret rotation, stale accounts decommissioning and employee offboarding safely at scale without disrupting production availability. 

 

NHIM platforms like Oasis are complementary to your PAM solutions. They address a new set of requirements and should become a core component of your IAM program and stack. By layering Oasis into your IAM stack alongside PAM, you achieve complete coverage across your entire identity footprint - both human and non-human.  

More like this