My IBM Log in Subscribe

Protecting your digital assets from non-human identity attacks

Security Asset management

20 Nov 2024

4 min read

Authors

Josh Nadeau

Cybersecurity Writer

Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.

The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the only ones that NHIs have opened up.

Heavy reliance on using NHIs to support business growth agendas has led to a surge in security issues in recent years, with malicious sources targeting machine identities to carry out cyberattacks. Understanding the inherent risks of using NHIs and knowing how to better secure them is key to avoiding becoming a victim.

What is a non-human identity (NHI)?

Non-human identities (NHIs) are the credentials assigned to different digital entities in a network. They identify various applications or services, including API connections, OAuth tokens, cloud-enabled devices and third-party integrations.

When enabling certain automated elements across your infrastructure, digital entities must have certain access permissions assigned to them — no different than a human operator.

However, in most cases, an NHI will need to have higher levels of privileged access than most employees since they are often connected to databases, service accounts and other machines. Unfortunately, while this level of access is what drives the operability of NHIs, it’s also what makes them a prime target for cyber criminals.

Industry newsletter

The latest tech news, backed by expert insights

Stay up to date on the most important—and intriguing—industry trends on AI, automation, data and beyond with the Think newsletter. See the IBM Privacy Statement.

Thank you! You are subscribed.

Your subscription will be delivered in English. You will find an unsubscribe link in every newsletter. You can manage your subscriptions or unsubscribe here. Refer to our IBM Privacy Statement for more information.

Your subscription will be delivered in English. You will find an unsubscribe link in every newsletter. You can manage your subscriptions or unsubscribe here. Refer to our IBM Privacy Statement for more information.

What are some examples of how NHIs are used?

NHIs are now commonly used by businesses of all sizes and are authorized to execute a variety of tasks. Some of the most common use cases of NHIs include:

  • Automated backup services: Businesses often run automated background processes responsible for backing up critical data. NHIs will allow uninterrupted ingress and egress of information as it flows between connected networks and digital storage solutions.

  • Website plugins: Many website plugins rely on API keys to provide access to a content management system (CMS) to automatically sync information from two hosted sources. This allows the plugin to modify certain coding areas and install and download new updates on the business’s behalf.

  • Servers SSL/TLS certificates: NHIs are also used when verifying source connections to a web server. These are used to encrypt secure data between servers and browsers when sharing and accessing information on various websites.

Explore IAM solutions
Mixture of Experts | 4 April, episode 49

Decoding AI: Weekly News Roundup

Join our world-class panel of engineers, researchers, product leaders and more as they cut through the AI noise to bring you the latest in AI news and insights.
Watch the latest podcast episodes

Why are NHIs a primary target for cyber criminals?

NHIs have become increasingly targeted by cyber criminals due to both their privileged system access and businesses’ tendency to forget about the access levels granted to them. This lack of visibility and strict management and control of NHIs lead to several vulnerabilities in security.

Some of the common ways cyber criminals are using NHIs for their attacks include:

  1. Credential theft: Because of a business’s limited visibility on their NHIs as they operate, criminals can more freely attempt brute force attacks on them. And because NHI security can’t be formatted like human operators — such as multi-factor authentication (MFA) — stealing credentials is more achievable.
  2. Privilege escalation: Gaining credentials to a compromised NHI can provide access to a variety of systems. While some NHIs may not have permission levels, if those systems have outdated software or other known vulnerabilities, cyber criminals can exploit them.
  3. Lateral network movement: Identifying and compromising vulnerable NHIs is often just an initial step that attacks will take. In most cases, the interconnectivity of API tokens and database servers will open the doors to move laterally across systems or devices that belong to the same network segment. This can allow cyber criminals to install backdoors, launch harmful malware and disable security protocols.

Effective ways to mitigate NHI attack risks

It’s important to recognize the potential vulnerabilities that non-human identities can introduce, especially as businesses scale their infrastructure. Below are some of the strategies that can be put in place to help mitigate NHI attack risks:

  1. Take inventory of all established NHIs: One of the most important actions to take when minimizing NHI-oriented cyberattacks is to remove any blind spots currently happening. All NHIs established should be inventoried and made highly visible to key stakeholders.
  2. Implement the principle of least privilege: When establishing NHIs, it’s important to only afford the minimum level of access necessary to complete certain business functions. This ensures that even if an NHI becomes compromised, it will minimize the visibility and control it has over critical systems.
  3. Regularly rotate NHI credentials: NHI credentials typically only last for a certain period and will require certificate renewal or revocation. However, autorenewals can be put in place, which could potentially cause issues if there is no active monitoring in place. It’s important to regularly review and rotate NHI credentials as frequently as possible for the same security reasons for regularly changing user passwords.
  4. Monitor NHI activity for anomalies: Lack of visibility is one of the primary contributors to compromised NHIs. Having network monitoring systems in place that can monitor for suspicious anomalies in NHI access and activity can help locate and isolate potential security issues.
  5. Implement strict authorization policies: When developing new systems and migrating workloads to cloud environments, it’s important for all employees to recognize the implications that authorizing NHIs can have. It’s important to establish strict governance policies on NHIs that should be authorized, monitored and revoked as needed.

Keep your non-human identities safe

As organizations look for new ways to automate their processes and streamline operational functions, it’s important to consider the potential risks that unmonitored NHIs can present.

Paying attention to privilege assignments and maintaining ongoing visibility of all NHI authorizations is critical to reducing digital attack surfaces while building a more resilient company infrastructure.

Overview Annual report Corporate social responsibility Inclusion@IBM Financing Investor Newsroom Security, privacy & trust Senior leadership Careers with IBM Website Blog Publications Automotive Banking Consumer Good Energy Government Healthcare Insurance Life Sciences Manufacturing Retail Telecommunications Travel Our strategic partners Find a partner Become a partner - Partner Plus Partner Plus log in IBM TechXChange Community LinkedIn X Instagram YouTube Subscription Center Participate in user experience research Podcasts United States — English Contact IBM Privacy Terms of use Accessibility