Full Report
Human identities management and control is pretty well done with its set of dedicated tools, frameworks, and best practices. This is a very different world when it comes to Non-human identities also referred to as machine identities. GitGuardian’s end-to-end NHI security platform is here to close the gap. Enterprises are Losing Track of Their Machine Identities Machine identities–service
Analysis Summary
# Best Practices: Non-Human Identity (NHI) and Secrets Security
## Overview
These practices address the significant security gap created by the proliferation of Non-Human Identities (NHIs)—such as service accounts, API keys, bots, and workload identities—which often outnumber human identities and lack robust governance. The focus is on lifecycle management (discovery, provisioning, rotation, and decommissioning) to mitigate risks like orphaned credentials, over-privileged accounts, and leaked secrets.
## Key Recommendations
### Immediate Actions
1. **Establish Initial Visibility:** Immediately deploy automated discovery tools to scan all known repositories and critical cloud environments to create a baseline inventory of existing machine identities and secrets.
2. **Prioritize Secret Remediation:** Triage and remediate all high-severity secrets (e.g., those leaked publicly or found in unencrypted locations) identified during the initial discovery phase.
3. **Implement Continuous Scanning:** Ensure that secrets scanning is integrated into source code management (SCM) and CI/CD pipelines immediately to prevent new secrets from being committed.
### Short-term Improvements (1-3 months)
1. **Integrate Secrets Managers with Discovery:** Verify that existing secrets managers (e.g., Vault, AWS Secrets Manager) are included in the comprehensive discovery scope, while simultaneously implementing processes to feed newly provisioned secrets into these managers.
2. **Enforce Least Privilege During Provisioning:** Standardize NHI onboarding and provisioning workflows to enforce the principle of least privilege access from the moment the identity is created.
3. **Assign Ownership:** For every discovered secret and identity, actively identify and assign a responsible owner (DevOps/SRE team) to streamline future governance and remediation efforts.
### Long-term Strategy (3+ months)
1. **Develop Unified NHI Governance Strategy:** Fully integrate NHI management into the overarching Identity and Access Management (IAM) strategy, moving beyond siloed secrets management tools.
2. **Automate Lifecycle Management:** Implement automation for the full lifecycle, including scheduled and automated rotation for high-risk secrets and standardized decommissioning protocols for obsolete identities.
3. **Establish Contextual Policy Enforcement:** Implement systems capable of mapping secret relationships and enforcing consistent, context-aware security policies across hybrid and multi-cloud environments.
## Implementation Guidance
### For Small Organizations
- **Focus on Code and Cloud:** Prioritize automated scanning within Git repositories and the organization's primary cloud provider(s) as these are the most common sources of high-risk leaks.
- **Leverage Existing Tools:** Maximize the use of built-in features within existing secrets managers for basic rotation and access control for secrets that *are* centrally managed.
- **Manual Decommissioning:** Establish a strict, documented monthly process for manually reviewing and revoking access for any service accounts that have shown no recent activity.
### For Medium Organizations
- **Adopt Centralized IAM Focus:** Begin the transition toward a unified IAM strategy, ensuring that NHI governance is treated as a formal security domain alongside human IAM.
- **Integrate into CI/CD:** Fully integrate automated secret detection into Git pre-commit hooks and CI/CD build stages to prevent leakage before deployment.
- **Define Policy Templates:** Create standardized, least-privilege templates for common machine identities (e.g., CI/CD bots, monitoring agents) to enforce consistency during onboarding.
### For Large Enterprises
- **Full Lifecycle Automation Scaled:** Implement comprehensive, end-to-end automation for discovery, provisioning, monitoring, and decommissioning across the entire heterogeneous infrastructure footprint (on-prem, multi-cloud, SaaS integrations).
- **Zero Trust Validation:** Use contextual metadata gathered during discovery to continuously validate that all NHIs adhere to Zero Trust principles regarding access scope and network exposure.
- **Framework Mapping:** Formally map NHI controls directly against regulatory and industry standards (NIST, PCI DSS 4.0) for evidence collection and audit readiness.
## Configuration Examples
The document emphasizes the need for specialized platforms capable of comprehensive lifecycle management beyond initial storage. The goal is configuration enablement through a unified platform, not just simple storage secrets management settings.
**Goal Configuration Focus:**
* **Automated Rotation Policy:** Configure a policy within the NHI platform to automatically flag or force rotation for any API key or service account credential that has existed in code or production for longer than 90 days without owner acknowledgement.
* **Contextual Tagging:** Ensure all automatically discovered secrets or identities are tagged with metadata including source repository, environment (Prod/Dev), and identified owner for governance enforcement.
## Compliance Alignment
- **OWASP Top 10 Non-Human Identity Risks (2025):** Direct alignment; specifically addresses 'Secret Leakage' (#2).
- **PCI DSS 4.0:** Explicitly demands strong controls, including least privilege and continuous monitoring for machine identities.
- **NIST Frameworks:** Security mandates now explicitly require robust controls for machine identities, particularly around initial provisioning and monitoring.
## Common Pitfalls to Avoid
- **Relying Solely on Secrets Managers:** Do not assume that using a secrets manager (like Vault) solves the entire problem. These tools secure secrets once vaulted but fail to find or govern secrets scattered across code, pipelines, and cloud configurations.
- **Ignoring Zombie Identities:** Failing to continuously monitor and decommission unused or stale credentials, which allows "zombie" secrets to persist as easy targets.
- **Manual Discovery:** Attempting to inventory machine identities manually; the volume and speed of modern infrastructure make this approach guaranteed to fail and result in an incomplete inventory.
- **Context Blindness:** Managing secrets without context (owner, usage, permissions level) leads to difficulty in prioritization and ineffective remediation when leaks occur.
## Resources
- **OWASP Top 10 Non-Human Identity Risks (2025):** For understanding the landscape of NHI threats.
- **PCI DSS 4.0 Documentation:** For requirements related to credential management and assurance.
- **NIST Cybersecurity Framework:** For guidance on implementing robust governance structures, particularly around identity management.
- **[NHI Security Platform Demos/Documentation]:** (Referencing the concepts introduced by the vendor in the text) Solutions offering end-to-end discovery, governance, and automated remediation capabilities.