CISO Alert: Human Identity & NHI Must be Addressed Together


After Gartner’s 2024 IAM Summit last week, the importance of Identity Security cannot be overstated. It is also evident that while NHI is a hot topic, human identity remains unresolved, and we must address these issues together.

Gartner considers identity-centric security a top priority for 2025. The main conditions that have led to this focus include:

  • A significant increase in Identity-related breaches due to identity sprawl
  • The deterioration of traditional security boundaries from cloud and SaaS adoption
  • The exponential growth of digital entities resulting in excessive privileges from over-permissioned human & non-human (NHI) identities

Human risk and NHI remain equally unsolved

The recent hype around NHI has thrown fuel on the fire. Recent estimates suggest that each human user has between 10 and 50 NHIs. This year's major identity security incidents include the AWS ransomware incident and the Snowflake breach, just two of the many attacks this year.

The pervading notion that NHI should be the sole focus is flawed, as human risk remains an equally unresolved issue for identity security teams.

  • Excessive permissions for human identities in the cloud continue to plague organizations
  • The manual provisioning, deprovisioning, and compliance of human identities are still a significant concern

The goal: Reduce Risk

The root cause of the cloud identity security problem is the rapid pace of change and lack of visibility into permissions. In fact, 95% of cloud identities, both human and NHI, have been deemed overprivileged. 

At the end of the day, the goal is to reduce the blast radius, because a compromised identity, human or NHI, should not equal a breach.

Lifecycle Management: NHIs are tied to the lifecycle of a human identity

A human user’s risk is tied to its identity posture and permissions, as well as the posture and permissions of all NHIs they own. To reduce the blast radius of an identity compromise, you must manage the risk and lifecycle of human identity and NHI together. 

While NHIs operate autonomously, they require continuous management and must be tied to a human identity for accountability and compliance.

  • When a human user leaves the organization, you must delete, rekey, or reassign each NHI they own to a different owner.
  • NHIs can be created automatically and need to be assigned human owners, as orphaned NHIs are a target for exploitation.
  • Without a designated human owner, NHIs can accumulate excessive or outdated permissions. To achieve least privilege, permissions must be rightsized across humans and NHIs.

Human owners play a critical role in NHI management, reducing operational impacts and proving compliance. They are essential for key rotations, proper permissions, identity lifecycles, and access reviews.
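To make the ownership rule concrete, here is an added example (not code from the original post) that joins a constructed inventory of human identities and NHIs by owner and reports each NHI whose owner is unassigned, unknown, or has left, along with the lifecycle action called for. The record fields, the 90-day key age threshold, and the wildcard-permission heuristic are assumptions for this example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class Human:
    uid: str
    active: bool  # False once the person has left the organization

@dataclass
class NHI:
    name: str
    owner: Optional[str]  # uid of the accountable human, None if unassigned
    key_created: date
    permissions: list = field(default_factory=list)

KEY_MAX_AGE_DAYS = 90  # assumed rotation policy for this example
AS_OF = date(2024, 12, 16)  # review date for the constructed sample

def review_nhis(humans, nhis, today):
    """Map each NHI needing lifecycle action to its list of findings."""
    by_uid = {h.uid: h for h in humans}
    findings = {}
    for n in nhis:
        issues = []
        if n.owner is None:
            issues.append("orphaned: no owner -> assign an owner or delete")
        elif n.owner not in by_uid:
            issues.append(f"orphaned: owner {n.owner} not in directory -> reassign or delete")
        elif not by_uid[n.owner].active:
            issues.append(f"owner {n.owner} has left -> reassign, rekey, or delete")
        if (today - n.key_created).days > KEY_MAX_AGE_DAYS:
            issues.append("stale key -> rekey")
        if any(p.endswith(":*") for p in n.permissions):
            issues.append("wildcard permission -> rightsize")
        if issues:
            findings[n.name] = issues
    return findings

# Constructed sample inventory (not real identities)
HUMANS = [Human("alice", True), Human("bob", False)]
NHIS = [
    NHI("ci-deployer", "alice", date(2024, 11, 1), ["deploy:write"]),
    NHI("etl-job", "bob", date(2024, 6, 1), ["s3:*"]),
    NHI("legacy-bot", None, date(2023, 1, 1), ["admin:*"]),
    NHI("report-svc", "carol", date(2024, 10, 1), ["read:reports"]),
]

if __name__ == "__main__":
    for name, issues in review_nhis(HUMANS, NHIS, AS_OF).items():
        print(f"{name}: {'; '.join(issues)}")
```

Running this against the sample flags the three NHIs whose owner is gone, unknown, or missing, while the NHI with an active owner, fresh key, and scoped permissions produces no finding.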

Zero Trust Requires a Holistic Approach to Human Identity and NHI

Ultimately, both human identities and NHI will be compromised, and it is crucial to limit your exposure when (not if) it happens.

To reduce the complexity stemming from fragmented data and solutions, human identity and NHI must be addressed together as a core requirement on your journey to Zero Trust.
