Adam Ochayon
Solution Architect
Published on November 15, 2024
The management and security of non-human identities (NHIs) is a growing concern for organizations as the use of cloud services, automation, and DevOps practices accelerates. In this session, Todd Thiemann, Senior Analyst at the Enterprise Strategy Group (ESG), and Adam Ochayon, Solutions Architect at Oasis, explored the challenges and best practices surrounding NHIs. The conversation highlighted findings from ESG’s research, insights from customer interactions, and actionable strategies to address this evolving issue.
Todd Thiemann:
Hello, my name's Todd Thiemann. I'm a senior analyst with the Enterprise Strategy Group covering identity and access management, or you could call it identity security. And I'm here today with Adam Ochayon. Adam, could you introduce yourself?
Adam Ochayon:
Hey, Todd. It's good to be here. I'm Adam, a Solution Architect with Oasis. I've been back and forth between software engineering and cybersecurity for the past decade or so of my life, and I'm excited for this talk.
Todd Thiemann:
Fantastic. Thanks for that. Let me set the stage for the conversation. We're going to discuss security and management of non-human identities, and that's a big topic. The Enterprise Strategy Group performed some research in the middle of 2024 that was focused on non-human identity management and security. This new research covered some super interesting insights that I'm going to be sharing with you.
Now, for those of you watching, it should be super interesting because you can see what your peers are up to. This is the result of surveying of nearly 400 practitioners in the US and Canada. You can see what they're up to, what their priorities are.
Now, we're speaking the same language. When I say non-human identities, that's an umbrella term that covers everything from service accounts to secrets management to bots to OAuth tokens. Some folks might refer to this as machine identities, others as workload identities, but I'm not going to get religious around this. I'm just going to call it non-human identities for now.
The research showed that a plurality of practitioners, a plurality of respondents, actually said, "I prefer that phrase, non-human identities, over machine identities and workload identities."
Now, Adam, you interact with a bunch of enterprises, a bunch of practitioners. Could you explain or share how they're describing the challenges they're facing?
Adam Ochayon:
Absolutely. I'd say, first of all, the naming definitely caused some lively discussion in the industry and internally as well. I personally like non-human identities because I think it creates a pretty clean bisection that talks to the sheer size of the space. Any type of identity not used by a human for human access. And this can be application workload identity. It can be your RPA or your LLM API keys. It could be a token used to authenticate into a data store. I think the interesting distinction, really, that's really, in my opinion, the core of it is that the identity describes the access itself more than a specific workload or a clear entity in the human or workload case.
But to your question, Todd, about the challenges that customers are facing, I think one of the most interesting aspects of the problem is really the variety of challenges that we hear and the amount of different teams that tend to be involved in it, from the IAM teams to cloud security or SOC. And each have their own interesting relevant challenges. Some focus on lack of visibility and context or the lack of the security tools they're used to or the controls that they're used to from a human. "You can't MFA an NHI" is something we hear a lot, which is a lovely kind of acronym after acronym, and then ownership.
Todd Thiemann:
Rolls right off the tongue.
Adam Ochayon:
Exactly. Rolls right off the tongue. And then ownership is another really tough one. As we kind of talked about, there isn't a clear ... These identities aren't mapped to a clear user or entity. They're mapped to access. When something needs to be done, who's the owner that is in charge of that? And I think if NHI is back into your business, is sometimes really difficult, especially if you lack that context, right?
Todd Thiemann:
Especially if there's a compromise, and you want to get to that owner very quickly. If you don't know who they are, that's going to cause some consternation.
Let me provide some context on the size of the issue that we're dealing with. And this is ... I'm going to be sharing with you some of the results of the survey that we did. And you can see that on your screen. We asked a number of people, what's the ratio of human to non-human identities to gauge the size of the challenge? And I'll say upfront, any number that we come back with probably underestimates the magnitude of the problem because anybody answering the question ... And you can see the question down at the bottom. Approximately how many non-human identities does your organization support relative to human identities? Anybody looking at this is only looking at one slice of a bigger pie. One piece of a far bigger puzzle. Anything that I come up with, that's probably underestimating the challenge.
I've seen numbers like 45:1, a ratio of 45:1, out there. When we did this research, we found the ratio was about 20:1. But what's more, the non-human identities were growing at 20% year-on-year. Annually growing at 20%. The majority of that growth was actually in DevOps and cloud services, which was one of the pieces of feedback we received in the survey.
Adam, is this consistent with what you're seeing?
Adam Ochayon:
I think the ratio itself definitely varies, and we've definitely seen companies with 20:1 and even closer to 50:1, as you said. There are a lot of different ratios that come across here.
We almost always see at least a 4:4 or 5:1 ratio. And as you said, there are two really important things to contextualize this information. One is it's growing over time, and it's growing faster than anything else in the identity space. And I think the second very important piece is the privilege that these identities have. They're inherently almost always more privileged than your equivalent human identity. And again, going back to what we mentioned earlier, you can't MFA an NHI. They often lack those compensating controls that we're used to.
Todd Thiemann:
Let me actually share with you some data. I think this is something that OASIS put together. Maybe you could talk to this data.
Adam Ochayon:
For sure. What we see here ... This is a result of an assessment that we recently ran with a Fortune 500 company. And again, what you can see here is the growth and just the sheer ... The number here is very large, and it's just getting worse year over year. In this case, over four years, over 100% growth. And it's not atypical to see that, right? That's something that is in line with a lot of what we see in other companies.
Todd Thiemann:
No, that absolutely makes a lot of sense. And that's good real-world data to share out there. Now, in the survey that the Enterprise Strategy Group did in that research, we probed on the greatest concerns that enterprises had around non-human identity security and non-human identity management. Now, the two of the top three responses were around visibility. Visibility is top of mind for anybody in this space.
What are you seeing in terms of those visibility dynamics?
Adam Ochayon:
That's a great point. And I'd say visibility is definitely the foundation. Understanding the scope and just discovering these accounts. When most clients start their journey, they usually don't even know how to answer the simple question of, "How many NHIs do I have?" Which, if you think about it, when you compare that to the traditional human identity space, that's usually a very easy thing to answer because there's typically one or maybe a couple sources of truth, the HR system, but the same organization will have often dozens of identity providers for NHIs, right? And so, finding a way to still be able to view all those different identities in one place is really key in order to be able to prioritize action. You can't secure what you can't see, as the mantra says.
I'd actually say, though, it's deeper than visibility because if you really want to be able to answer questions and take corrective action, visibility without context ... It's almost meaningless, I'd even say, because it's more than just seeing an identity exist. You really need to understand what privileges it has, who or what's using it. And as much as you enrich that with your other tools around not just your IDP but also maybe, again, how does this tie to the business, what do I see in my CMDB, how does this tie to specific applications or data security, the better your understanding is of what exactly this identity is doing, how it ties to the business, and how you evaluate its risk.
For example, if you see things only from the entitlements perspective, or if you only focus on exposed secrets, you're not going to be able to see the full picture. And that's why at OASIS we've really chosen an identity-centric approach, and the core unit of management through the entire different data points is the identity, and that's what we stitch everything together through.
Todd Thiemann:
That makes a lot of sense. That makes a lot of sense. And absolutely, you can't really manage what you don't have visibility to. And if you want to judge the risk, you need that context.
In the research that Enterprise Strategy Group did, one of the things we found was ... We asked the question, how many non-human identities have you had exposed? Or, how many enterprises out there, excuse me, have had exposed non-human identities? 72% said, "Yes, we've had NHIs compromised, or maybe we've had NHIs compromised." That was a widespread problem.
Adam, given your perch, your perspective, any comments on what you're seeing in terms of the magnitude of the issue in terms of compromises that originate with non-human identities?
Adam Ochayon:
It's interesting because that's honestly almost a higher number than I'd expect. And the reason is many of these compromises ... They can just fly right under your radar.
I assume, or my guess is, that that number is probably related to leaked secrets, which is something that is already very present in a lot of people's minds and has led to some very high-profile breaches. I think the Mercedes-Benz one earlier this year comes to mind.
I'd say, in general, the prevalence of breaches related to NHI in the past year or so has really shone a spotlight on the importance of not only managing secrets and scanning for leaks, but also contextualizing them, tying them back to the identity, and understanding how to respond. If a secret, for example, is exposed, you don't just want to yank it out of GitHub. You want to know how to safely rotate it. And for that, you need to tie it back to the identity. You need to have a safe rotation process that avoids breaking things.
Another breach example that comes to mind is the Collabera breach from late last year where it was really enough for four secrets out of, I think, over 5,000 that they had in their infrastructure that were forgotten and unrotated, and that was it. That's what caused the breach.
Todd Thiemann:
There's a question function on your interface for the people watching the webinar, but one of the questions that has come in, and thank you very much for asking this, is around ... The question is, should NHIs, non-human identities, be managed by security teams or identity teams? Any perspective on who owns this question? And as I asked of you, Adam, for those of you in the audience, if you could think about your questions, please plug them in, and we will answer them as promptly as we can. And if we don't get to those questions during this webinar, we'll subsequently follow up and provide answers.
But Adam, question being, should NHIs be managed by security teams or identity teams? Any thoughts on that?
Adam Ochayon:
It's really a great question, and it's one of those things that we've been seeing that is causing a lot of confusion lately because the problem is multifunctional. It's not going to be siloed in one team, and different organizations will treat it in different levels of severity or with different kind of, I'd say, root cause for them. Some organizations are going to be more maybe compliance oriented, and then it'll clearly gravitate more towards the identity team, where other organizations might be a bit more cloud heavy, farther on their cloud transformation journey, and a bit more oriented toward risk and security in the cloud, and then the cloud security team will take the lead.
But I think the important thing, when you're thinking about which team should take the lead, is ... Both teams should be involved. Even if you have one team taking the lead, the solution or the program is going to require collaboration because this is, again ... It's security, and it's compliance, and it's operational. There are a lot of problems hiding under this umbrella. No matter which team takes the lead, I'd say it's important to find a collaborative approach within your organization.
Todd Thiemann:
It's a many-faceted problem, different constituencies, different silos, if you will, and they need to all work together.
Let me go back to some of the research that ESG put together and share that with you. Give me a second as I locate that.
Is that showing on your screen? No, I don't think so, actually. Let me go back here.
Adam Ochayon:
Not yet.
Todd Thiemann:
It's coming. Give me a second. Boom.
There we are. We asked the question about what folks are planning to do in terms of budgets and spending. NHI management and security. It's a hot topic, not surprisingly. Folks are planning to spend more on NHI management and security compared to other spending priorities.
And one of the little nuances in this question is we asked, what are you planning to do relative to other security spending? And the answer was there's going to be relatively more spent here. While the overall security budget might be increasing, or maybe it's flat, the spending on NHI management and security is increasing compared to those other security line items.
When it comes to that spending, 83% of organizations expect to spend relatively more on non-human identity security, and 20% plan to spend significantly more.
Now, Adam, any comments or perspective on what you are seeing in terms of NHI management and security programs?
Adam Ochayon:
I'd say 2024 has been pretty interesting in this sense, especially because, when you think about it, most of our customers didn't necessarily even know what NHIs were a year ago or, really, the breadth of the problem. Maybe some knew system accounts or service accounts. But when you look at it holistically in your on-prem and your cloud and your SaaS, most organizations didn't have or didn't earmark a budget for NHI management.
But once we help them realize how large the problem is, and the way we typically start is by running a free assessment within their own environment ... And again, that simply reflects where they stand and the type of risks they're exposed to right now. Once we do that, many of the customers from this year manage to move around discretionary budget and apply it into NHI management.
But I think 2025, to your point ... It feels like it's a completely different market. More of our prospects have specific budget plans. They have programs kind of starting to build in their heads. And this again speaks to, A, how strongly this problem resonates but also, B, how quickly it is to move fast on it and apply solutions yesterday or today.
Todd Thiemann:
And one of the things that comes to mind is this was sort of in 2023, 2024. People were just beginning to get visibility to it, and now they realize what a significant chunk of their attack surface it represents, and the budgets are changing, and the priorities are changing to address that.
Adam Ochayon:
If you don't see it, it's easy to ignore it, but you can't unsee it once you understand the problem.
Todd Thiemann:
Ignorance is bliss. But once you see something, you got to do something about it.
Now, one question I had going into this research was how much attention the problem of non-human identity security got from management, and is it getting into the executive suite? And let me share with you one additional slide here that shows you ... I'm going to probably stir some interest out there. And the question here was ...
If there's a successful cyber attack, and the stuff hits the fan, does the issue get board-level attention?
The security team reports up to the CISO. CISO has got to inform people of material incidents. What this question indicated was, when stuff hits the fan, CISO has to report up. Does the board get informed? And the answer was emphatically yes. Nearly 60% said the board gets informed, and another 30% said maybe. Non-human identities are a newly recognized piece of that attack surface. But given the importance of digital transformation and securing that infrastructure, it is getting that board-level attention.
Adam, you've probably gone into some customers, some enterprises, where things have gone south. There's been exposures. Do you have any perspective on this data?
Adam Ochayon:
The numbers here are even a little higher than I'd expect, going back to what we talked about earlier, but I think, as you said, once it's ... It exactly ties to that. You can't unsee it. Once a massive breach happens, or once either within your own organization or in a similar organization to you, and you can really reflect yourself on it, I think it becomes harder to ignore. And to me, it feels like the tide is turning because people are waking up to these major consequences of unmanaged NHIs, where, in the past year or two, there have been more incidents than human breaches related to NHIs.
There've been obviously a couple of high-profile ones. I think I already mentioned some, but even just as recently as there was a leak for .env files in AWS public buckets in S3, and those actually created an attack path where they exposed non-human identities with their credentials, and that allowed attackers to wreak havoc in organization environments.
I think as that's happening, more and more organizations are waking up to this. And it looks like, again, in the numbers, CISOs are starting to pay attention as well. Right? I'd say another interesting.
Todd Thiemann:
Let me rewind to something you mentioned early on in terms of that seems high. In the data, the total number of respondents was just under 400, I think. These were the respondents. And you can see down at the bottom, the N for this question is 199. These are the folks that said, "I've had a compromise out there." I think when you or other folks are talking with enterprises, you're seeing one piece of the puzzle. This is a much broader set. This represents ... The data is what the data is, but it's representing a broader swath of the market. And that might explain some of the difference in terms of numbers you're seeing relative to the broader market that's out there.
Adam Ochayon:
Absolutely. Absolutely. I think there's one.
Todd Thiemann:
I got to defend my data.
Adam Ochayon:
No, for sure. For sure. And again, it's really interesting to see data that's very different. I think that's why these conversations are often very interesting to listen back to.
But one other interesting thing, one other interesting aspect, that could lead to these numbers, by the way, is something else we're seeing on the compliance and regulation side. Because while regulations and specific audit controls ... They're often a little slow moving and maybe a little slow to adapt sometimes, but I think it looks to us that they're starting to catch up to the problem NHIs pose as well. And I think the example that comes to my mind is PCI DSS 4.0, which actually is now, for the first time, specifying controls specific for ... I think they call them system and application accounts, which they're actually talking about NHIs, what we call in that umbrella term. And those controls are things like periodic attestation, periodic rotation, anomaly detection specifically for application and system accounts and not just for your usual human accounts.
Again, all in all, the trend here definitely is increase in urgency, increase in different motivations, for why this would come up at executive levels.
Todd Thiemann:
I think PCI DSS ... The operative phrase there is application and system accounts, but system accounts is sort of synonymous with service accounts. Is it not?
Adam Ochayon:
Yes, yes, yes. Exactly. Exactly.
Todd Thiemann:
Cool. Adam, given the wealth of experience you have with customers, could you explain why enterprises are going with OASIS to solve the NHI problem?
Adam Ochayon:
Of course. There are a couple of things I think make OASIS the NHI management platform of choice for many organizations. I think, first of all, it boils down to having that very strong visibility, contextual understanding, of each identity because that's necessary in order to identify and prioritize risk. We said it has to start with that because if you don't understand what you're seeing, or if you don't see it at all, you don't know where to begin. Having that system that helps you see things across your environment and prioritize is really important.
And I hinted at this earlier, but we make it our focus to operate across your entire environment. On-prem, cloud, and SaaS. We do this with taking an identity-centric approach. We tie in directly to the identity layer, wherever it is, and we're able to bring together all these different data points and create a full 360 view for each identity, which spans from usage to ownership to privilege. And that information ... It has to be the starting point because that makes triaging and investigation a more seamless process and allows you to actually take action.
But the second thing is taking action. You don't just want to see the problem. You want to be able to understand what you need to do. I think the second thing that's been resonating with our clients is our strong remediation capabilities. And we pride ourselves on not just stopping at posture, but really helping customers take that extra step, solving problems throughout the unique life cycle of non-human identities. And this creates another safety net that allows organizations to really move fast and be confident that they're not going to break things as they do that.
And I think the last thing, this really goes kind of like the one extra level, is our approach to building a program with our customers. Typically, what you'd want to do is you'd want to identify the low-hanging fruit and the highest-priority problems, fight the fires, close the critical gaps. But from there, you want to progress to proactively build controls. And so, OASIS ... We do this in a way that we plug into your existing business process, and we actually plug into your existing tools. We call this bring your own infrastructure, and we allow you as a business to define your policies in one place and, with OASIS, help inform them uniformly across your entire hybrid environment. And that drastically cuts down the manual work and operational burden required to stay both compliant and secure.
Todd Thiemann:
You're avoiding bouncing between different consoles. It's sort of a holistic solution that fits into what you might already have. Correct?
Adam Ochayon:
As much as we can. Exactly. And we really think many organizations are already using tools that sit under this umbrella. For example, secrets management. And we want to empower them to continue using those secret management tools. We don't necessarily want to replace every aspect of their process and tools. We want to help them use them more effectively and really gain the full benefit of a platform that helps you orchestrate across the whole thing.
Todd Thiemann:
Extract more value from what you got. Makes sense. As you and I have been chatting here, there have been a bunch of questions that have been queuing up. Let me go through some of those. And to the audience out there, please keep the questions going, but we're going to dig into some of those accumulated questions. And let me get Adam's comments on them because, as I'm scanning these, most of them, Adam, they want to hear from you.
The first question out there is, what are best practices in helping secure NHIs? Any comments on best practices in securing NHIs?
Adam Ochayon:
I'd say make sure you understand the context of the identity because that helps you really, on the one hand, understand where you should start. And also, on the other hand, understand how you can actually take action without breaking things or without fear of things breaking. Because when we talk to clients, usually they're in the state they are because the lack of context leads to inaction. Something we see ... This is very common. We see often 20%, 30%, or upwards of accounts are actually stale. They haven't been used for months or even years sometimes.
And so, the question is, in terms of best practices, the best practice is you want to be able to understand how the identity is used so that you understand how to map it to what action you need to take place. It's hard to do that without having context.
Starting with visibility with that context is really essential. And understanding how to classify between that ... Each identity can be in its own state, or there can be categories of different problems. Set your goals, focus on the ones that are most important, gain the visibility, and start by tackling them one by one. Show traction. Show progress.
And once you do that, once you feel confident, as I kind of said, once you feel confident that your biggest gaps are getting plugged, then start understanding one year, two year, five years forward, what are the types of policies I want to be able to enforce? How do I start setting the controls to do that?
Todd Thiemann:
And it makes sense to have that sort of approach because, as we discussed earlier, this is a cross-functional problem, and you need to get your constituents bought into this. If you have low-hanging fruit, can get some successes. You can get momentum going and go onto future successes.
Adam Ochayon:
Absolutely. Absolutely. No, and that's just as important, right? As practitioners, a lot of your job is selling the value internally. By focusing on defining that these are the things I'm set out to do, these are the most important problems I need to solve in the next couple of months, and showing progress on that, you'll be able to get buy-in in your organization and move forward.
Todd Thiemann:
Makes sense. Onto the next question, and that is, how can we measure the effectiveness of our NHI security program? That question relates to metrics and how do you measure things. Any comments on that?
Adam Ochayon:
It's another good one. I think it really ties to the last one we talked about. I'd say the space is largely still a little immature. The lack of tooling is obviously a reason. We talked already a couple of times of if you can't see it, then how are you going to measure it? How do you understand if you're effective in governing or in your program?
It, again, has to start with visibility and posture. But I think it's really the focus on ... In terms of metrics, there are a couple of areas I'd look at. One, it's not just about the identities that are currently onboarded or managed into your own platforms. You need to understand how many are unmanaged. That's the one thing that often we see. It's not just about what's in your PAM. It's about what's not in your PAM, and how risky are those identities? Understanding that is really an important way to measure your effectiveness right now.
And I think there are other things that come to mind. How many of your identities have owners assigned to them, for example, so that you know who needs to take action when something happens? Always good metrics. Things like MITRE. What's your time to remediation when a violation comes up is obviously very important to understand. Is your program built in a way that can handle these problems quickly and effectively?
There are many other metrics that really depend on the different organization goals, but I think those are a couple that are always good to start with.
Todd Thiemann:
Cool. Let me go on to the next question queued up, and that is, how can I persuade my CISO to invest in better securing NHIs? Basically, at the root of that, how do you justify the spend, the budget, the resourcing that you might want to put in to manage secure NHIs?
Adam Ochayon:
It's a good question. And again, different organizations are driven by different motivations. I'd say the first thing is it starts with introspection. Try to understand, based on your organization goals, if they're driven by compliance, or if they're driven by risk, or if they're driven by somewhere in between, a mix of those two. How confident are you, for example, that you see all the NHIs in your environment and have a good way to track anomalies? Or, how confident are you that you're actually rotating credentials on a schedule to remain compliant, maybe with PCI like we mentioned earlier?
It starts with taking a good hard look at how the organization is doing right now, and where do we feel our gaps are? And then tying that to recent events and understanding, again, how those recent events relate into your environment helps with that process. You start with just really analyzing, how do I feel I'm doing right now on this? And how do I feel my risk in this area compares to other risks? Security teams and identity teams. There are a lot on both of those plates. And so, it's all about understanding the priority of the risk. And I think, one, tying it to recent events. Two, tying it to compliance drivers. I think both of those should help you get to that answer.
And I think one other thing that's very relevant is ... We already mentioned this before. You can't unsee some of these things. Getting to a point where you can understand how those problems relate to your own environment really, really helps, from my experience, in getting that buy-in and really explaining this isn't just a problem that happened in some random breach somewhere. This is a risk that right now exists in our system. And just for that, Oasis offers a free assessment where we plug in with very, very low privilege into your environment pretty much read-only. And we can use that to create a report, based on your own data, on how you track in different metrics, such as stale accounts or rotated accounts or things like toxic combinations that we see. Identities that are over-privileged and unmanaged and unrotated. And we can also detect things like maybe credentials that leak into the dark web and are exposed. And tying that back to your own risk is very, very effective in now I see this problem in my own organization, so now I need to understand what I can do about it.
Todd Thiemann:
Cool. That sounds like a quick way to demonstrate value for any security team and not just demonstrate value. To understand what their risk is so they can take steps to remediate it.
Adam Ochayon:
Exactly. The value comes afterwards. You start with this is the risk, and then two months later you understand what you've done and how much you've mitigated, and then you can see value.
Todd Thiemann:
We are bumping up against time. To the audience, thank you so much for listening and watching. And Adam, thank you for sharing your perspective.
If you want to learn more about Oasis non-human identity management, you can visit oasis.security. That's the website.
Thanks again, and have a great day.
Adam Ochayon:
Thanks a lot, Todd. Thanks everyone for tuning in.
All right, and scene.