20% of Organizations Have Experienced a Non-Human Identity Security Incident


Today’s business environment requires teams to do more — better than before, and at a faster rate. Thanks to third-party apps, no-code platforms, GenAI, and other forms of automation and integration, enterprises are able to achieve that, but not without a deeply embedded reliance on the true building blocks of automation and integration: non-human identities (NHIs).

These NHIs (bots, API keys, service accounts, OAuth tokens and the like) are critical to innovation and efficiency, yet they remain the biggest security blind spot, which is why they figure in recent headline-grabbing attacks such as those involving AWS, Microsoft, Cloudflare, and Okta, to name a few.

The growing frequency of such attacks points to a harsh reality: 1) attackers have taken notice of this new opportunity, and 2) organizations are still ill-equipped to protect against NHI-related threats.

Knowing that the sheer volume of NHIs, which outnumber human identities by 20 to 1, already poses a significant challenge for security practitioners, we set out to explore the additional blockers and to understand where NHIs fall on the security priority list. An 800-person survey facilitated by the Cloud Security Alliance set the baseline for the current situation: 1 in 5 organizations has already experienced an NHI-related security incident.

Confidence gap in securing NHIs

Human identities are familiar territory at this point, yet only 25% of IT and security practitioners express “high confidence” in securing them, according to the report’s findings. The numbers are grimmer still for non-human identities, with only 15% expressing “high confidence.”

69% of organizations express moderate-to-high concern about NHIs as an attack vector. The risk is recognized; what organizations struggle with is addressing it head-on, for a broad range of reasons.

Service accounts, permissions, offboarding – and more

The findings made one point clear: the most challenging aspect of NHI security is managing service accounts, which 32% cited as their top challenge. Additional pain points include auditing and monitoring (25%), access and privileges (25%), discovering NHIs (24%) and policy enforcement (21%).

Lack of visibility into third-party vendors and OAuth apps is another significant concern, with 38% of organizations reporting little-to-no visibility.

The findings also show that API key management is an area where organizations struggle. Only 20% have a formal process for offboarding and revoking API keys, and only 16% have a process for rotating or rolling back them. Without such a process, keys issued to a departed employee or for a retired integration stay active and potentially exploitable.

Fragmented security approaches

NHIs present a unique challenge that calls for tools built for this specific subset of security. Today, organizations rely on a broad range of tools and solutions to secure NHIs, most often IAM (58%), PAM (54%) and API security (40%). These tools address the problem only indirectly or partially, producing a fragmented approach that leaves gaps and, in turn, more security incidents.

Future of NHI security

The report also reveals a growing recognition of the importance of investing in NHI security: 25% of organizations are already investing and a further 60% plan to within the next 12 months. By giving non-human identities the same attention we currently give human identities, we as an industry can lay the foundation for a business environment that is both protected and future-proofed.

It’s time to automate critical processes such as permission management and API key handling, and to adopt a more targeted and unified approach to protecting NHIs.
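The two API key processes most organizations lack, per the survey figures above (offboarding/revocation and rotation with roll-back), are mechanical enough to automate. The following is an added example, not code from the report or from Astrix Security, of what such automation looks like: an inventory of keys with an accountable owner, a policy that revokes keys whose owner has been offboarded or that have gone idle, and a rotation that issues a successor while the old key keeps working for a grace window so callers can migrate. The `KeyStore`, the thresholds (`MAX_KEY_AGE`, `MAX_IDLE`, `ROTATION_GRACE`) and the inventory in `demo()` are all assumptions constructed for illustration; a real deployment would back them with the provider’s key API and an HR feed of departures.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Policy thresholds: assumed values chosen for illustration, not figures from the report.
MAX_KEY_AGE = timedelta(days=90)     # keys older than this get rotated
MAX_IDLE = timedelta(days=30)        # keys unused for this long get revoked
ROTATION_GRACE = timedelta(days=7)   # a rotated key keeps working this long so callers can migrate


@dataclass
class ApiKey:
    key_id: str
    owner: str                              # accountable human or team; drives offboarding
    created_at: datetime
    last_used_at: Optional[datetime] = None
    expires_at: Optional[datetime] = None   # set by revoke() (now) or rotate() (now + grace)
    replaced_by: Optional[str] = None       # successor key id after rotation


class KeyStore:
    """Hypothetical in-memory inventory standing in for a real secrets backend."""

    def __init__(self) -> None:
        self.keys: dict[str, ApiKey] = {}

    def issue(self, owner: str, now: datetime) -> ApiKey:
        key = ApiKey(key_id="ak_" + secrets.token_hex(4), owner=owner, created_at=now)
        self.keys[key.key_id] = key
        return key

    def is_valid(self, key_id: str, now: datetime) -> bool:
        key = self.keys.get(key_id)
        return key is not None and (key.expires_at is None or now < key.expires_at)

    def revoke(self, key_id: str, now: datetime) -> None:
        self.keys[key_id].expires_at = now

    def rotate(self, key_id: str, now: datetime) -> ApiKey:
        """Issue a successor for the same owner and start the grace window on the old key."""
        old = self.keys[key_id]
        new = self.issue(old.owner, now)
        old.expires_at = now + ROTATION_GRACE
        old.replaced_by = new.key_id
        return new


def audit(store: KeyStore, offboarded_owners: set, now: datetime) -> dict:
    """Map key_id -> action for every live key that violates the lifecycle policy.

    Order matters: an offboarded owner or an idle key is revoked outright; only
    keys that are still in use are worth rotating.
    """
    actions = {}
    for key in store.keys.values():
        if not store.is_valid(key.key_id, now) or key.replaced_by:
            continue   # already revoked, or already in its rotation grace window
        last_activity = key.last_used_at or key.created_at
        if key.owner in offboarded_owners:
            actions[key.key_id] = "revoke: owner offboarded"
        elif last_activity < now - MAX_IDLE:
            actions[key.key_id] = "revoke: idle"
        elif key.created_at < now - MAX_KEY_AGE:
            actions[key.key_id] = "rotate: exceeds max age"
    return actions


def enforce(store: KeyStore, offboarded_owners: set, now: datetime) -> dict:
    """Apply the audit's decisions to the store and return them."""
    actions = audit(store, offboarded_owners, now)
    for key_id, action in actions.items():
        if action.startswith("revoke"):
            store.revoke(key_id, now)
        else:
            store.rotate(key_id, now)
    return actions


def demo() -> dict:
    """Run the policy over a constructed inventory and return the pieces a caller can inspect."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    store = KeyStore()
    stale = store.issue("alice", now - timedelta(days=200))   # old but in daily use
    stale.last_used_at = now - timedelta(days=1)
    idle = store.issue("ci-bot", now - timedelta(days=60))     # created, never used
    fresh = store.issue("bob", now - timedelta(days=10))       # healthy
    fresh.last_used_at = now
    gone = store.issue("carol", now - timedelta(days=5))       # owner has left the company
    gone.last_used_at = now
    actions = enforce(store, offboarded_owners={"carol"}, now=now)
    return {
        "store": store,
        "actions": actions,
        "now": now,
        "after_grace": now + ROTATION_GRACE + timedelta(days=1),
        "ids": {"stale": stale.key_id, "idle": idle.key_id,
                "fresh": fresh.key_id, "gone": gone.key_id},
    }


if __name__ == "__main__":
    for key_id, action in demo()["actions"].items():
        print(key_id, "->", action)
```

Two design points worth noting. Revocation is checked before rotation, so an offboarded owner’s key is killed rather than quietly replaced with a fresh one under the same name. And rotation never invalidates the old key immediately: `rotate()` records the successor and sets an expiry at `now + ROTATION_GRACE`, which is what makes a roll-back possible if the new key turns out not to have reached every consumer, while `audit()` skips keys already in that window so a second run does not rotate them again.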

About the Author

Alon Jackson is the CEO and Co-Founder of Astrix Security, a leading Non-Human Identity Security provider. Prior to founding Astrix, Jackson served in various strategic roles in the Cyber Security Division of the Israeli Military Intelligence Unit 8200, including leading the Cloud Security Division and serving as the Head of the Cyber Security R&D Department. His experience also spans the private sector, where he served as Head of the R&D Group at automotive cyber security company Argus (acquired by Continental AG). Jackson received an MSc in Computer Science with honors, specializing in cryptography. To learn more about Jackson and Astrix Security, visit https://astrix.security/.
