Mitigate Identity Risks

Non-human identities (NHIs) are identities not defined by or associated with one “human.” They include cloud environments and cloud-native apps, DevOps tools, CI/CD pipelines and supply chains, automation tools and scripts, workloads, mainframe applications and more. They can be digital credentials and permissions that allow machines to communicate and interact with each other and with humans. Recent studies suggest NHIs outnumber human identities by 50 to 1, and are propagating at a far faster rate than human identities. Worse, 97% of NHIs have excessive privileges, increasing unauthorized access and stretching the attack surface.

This loosely defined term presents significant challenges to identity systems and the risks they try to corral. Digital nomads are “people who are location-independent and use technology to perform their job.” They work remotely, telecommuting rather than being physically present at a company's headquarters or office. In these remote settings they pull a host of new identities into their workflows, from local routers to 5G connections and public WiFi. Pandemics and global events exacerbate this trend: in 2023, there were 17.3 million American digital nomads, a 131% increase since 2019 

Security teams are charged with managing identities across hybrid, connected environments. They must do it not only for employees, but also for customers, partners, and every machine connected to the enterprise. They need to manage identities in on-prem systems and across multiple clouds. This creates “silos.” Silos make it very difficult to discern where identity risks may appear. For example, if a corporate user has compromised private credentials, they pose a risk to the entire enterprise if they’re reusing credentials across accounts. 

Not only are different business units creating their own versions of the same identities, but “Shadow IT” – the unsanctioned use of software, hardware, or external systems and services – is snowballing. Modern organizations feel a need to move faster than their IT processes allow, compelling a search for shortcuts. Shadow IT identities are difficult or impossible to correlate with other identities and their activities. 

Scoop research says that 57% of companies globally use MFA, including 87% of large companies, 34% of medium-sized businesses, and 27% of small businesses. But phishing-resistant MFA – authentication using strong possession factors like FIDO-based or x.509-based credentials – is still a significant minority in enterprise implementations. This is the only way to achieve phishing resistance: organizations who “check the box” on MFA, without actually assessing its strength or configuration, have no idea how much risk they’re accepting.    

A September 2024 article in Networking claimed “Identity attacks are the main threat to combat in the SaaS context.” The majority of identity vulnerabilities exist in the context of SaaS applications where security teams have less supervision and central control. And there are a ton of them: SaaS-based apps for business use are increasing, with 80 SaaS apps being used by the average company in 2020 and 130 being used in 2022(DevSquad).