Full Report
Modern enterprise networks are highly complex environments that rely on hundreds of apps and infrastructure services. These systems need to interact securely and efficiently without constant human oversight, which is where non-human identities (NHIs) come in. NHIs — including application secrets, API keys, service accounts, and OAuth tokens — have exploded in recent years, thanks to an
Analysis Summary
# Best Practices: Securing Non-Human Identities (NHIs)
## Overview
This guide summarizes best practices for managing and securing Non-Human Identities (NHIs), which include application secrets, API keys, service accounts, and OAuth tokens. The surge in cloud adoption, AI, and automation means NHIs may now significantly outnumber human identities, and they pose substantial risk because of poor governance, lack of MFA, static credentials, and excessive permissions. Addressing NHI security is the critical next step once a human identity management program has matured.
## Key Recommendations
### Immediate Actions
1. **Initiate Comprehensive Discovery:** Immediately begin the process of finding and cataloging all existing NHIs (secrets, keys, tokens, service accounts) across the entire infrastructure, prioritizing identification of those with known broad or persistent permissions.
2. **Review High-Risk Credentials:** Identify and prioritize the rotation or remediation of any static passwords associated with service accounts that have not been changed in years.
3. **Scan for Public Leaks:** Conduct immediate, urgent scans of all public code repositories (e.g., GitHub) and internal code bases for accidentally hard-coded or pasted secrets, keys, or tokens.
### Short-term Improvements (1-3 months)
1. **Establish Centralized Visibility:** Implement tooling capable of discovering and monitoring the lifecycle and usage patterns of NHIs to gain complete visibility into the attack surface.
2. **Implement Secret Rotation Policy:** Define and begin enforcing a mandatory, frequent rotation schedule for all sensitive NHI credentials (API keys, tokens).
3. **Assess Privilege Levels:** Perform a risk-based assessment on discovered NHIs and begin the process of rightsizing their permissions to adhere strictly to the principle of least privilege.
### Long-term Strategy (3+ months)
1. **Establish Formal NHI Governance:** Define and implement a formal governance framework detailing *who* can create NHIs, *how* they are created, *what* their intended purpose is, and the required decommissioning process for retired identities.
2. **Adopt Stronger Authentication Mechanisms:** Begin phasing out static credentials in favor of modern, managed authentication methods, such as federated access, managed secrets vaults, or short-lived tokens where applicable for machine-to-machine communication.
3. **Unify Identity Management:** Strategically integrate NHI lifecycle management into the existing Identity and Access Management (IAM) program to achieve end-to-end protection for both human and non-human entities.
## Implementation Guidance
### For Small Organizations
- **Focus on Inventory:** Start by gaining control over where secrets are stored (e.g., config files, environment variables) and mandate the use of a centralized, basic secrets management tool for all new application development.
- **Manual Rotation Check:** Implement a recurring manual checklist for developers/admins to confirm the rotation status of critical secrets (e.g., cloud provider keys).
### For Medium Organizations
- **Implement Dedicated Tools:** Deploy a secrets scanning tool within CI/CD pipelines to prevent new secrets from being committed to source control.
- **Start Policy Definition:** Begin drafting formal, documented policies for NHI creation, ownership, and mandatory rotation frequency, aligned with existing human identity policies.
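The public-leak scan in Immediate Action 3 and the CI/CD secrets scanner above both come down to the same check: inspect every line a commit adds and block on anything that looks like a credential. This added example (not code from the source report or any named vendor) scans the added lines of a unified diff with a documented-format rule for AWS access key IDs and a generic assignment rule gated by Shannon entropy; the 3.5 bits/char threshold and the sample diff are constructed assumptions.

```python
"""CI / pre-commit secret scan over the added lines of a unified diff."""
import math
import re

# (rule name, pattern, group holding the candidate value, entropy-gated?). The
# generic rule is gated by Shannon entropy so placeholders do not block commits.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0, False),  # documented AWS format
    ("generic-assignment", re.compile(
        r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*[\"']?([A-Za-z0-9_\-/+=]{16,})"), 2, True),
]
ENTROPY_THRESHOLD = 3.5  # bits/char (assumed); random tokens score well above this


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of value."""
    n = len(value)
    if n == 0:
        return 0.0
    return -sum(value.count(c) / n * math.log2(value.count(c) / n) for c in set(value))


def scan_diff(diff_text: str) -> list:
    """Return (diff line number, rule, value) for each secret-looking value on an
    added line; removed/context lines are skipped so deleting a secret is never blocked."""
    findings = []
    for line_no, line in enumerate(diff_text.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for name, pattern, group, gated in RULES:
            for match in pattern.finditer(line[1:]):
                value = match.group(group)
                if gated and shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue  # low-entropy placeholder such as "example_..."
                findings.append((line_no, name, value))
    return findings


# Constructed sample diff; the AKIA value is the AWS documentation example key.
SAMPLE_DIFF = """\
--- a/settings.py
+++ b/settings.py
@@ -1,3 +1,5 @@
 DEBUG = False
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "example_example_example"
+API_TOKEN = "Qw8zL2pX9vKm4nR7sT1yU6bV3cE5dF0g"
"""
```

Running `scan_diff(SAMPLE_DIFF)` reports the AWS key on line 6 and the high-entropy token on line 8, while the low-entropy placeholder on line 7 and the removed line pass; a pipeline would fail the job on a non-empty result.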
### For Large Enterprises
- **Deploy Automated Lifecycle Management:** Fully deploy enterprise-grade secrets and machine identity management platforms to automate discovery, continuous monitoring, risk scoring, and enforcement of centralized rotation schedules.
- **Risk-Based Triage:** Categorize NHIs based on the sensitivity of the systems they access (e.g., production vs. staging environments) and prioritize remediation efforts on the highest-risk categories first.
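The risk-based triage above, together with the high-risk credential review (Immediate Action 2) and the privilege assessment (Short-term Improvement 3), can be expressed as a scoring pass over a discovered inventory. This added example (not from the source report) scores each identity on static-credential age, wildcard permissions, idle time and production reach; the 90-day thresholds, point weights and the inventory itself are constructed assumptions.

```python
"""Risk-based triage of a discovered NHI inventory."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

MAX_ROTATION_AGE_DAYS = 90  # assumed rotation policy for static credentials
MAX_IDLE_DAYS = 90          # assumed idle threshold for a decommissioning review


@dataclass
class NHI:
    name: str
    kind: str                       # "api_key", "service_account", "oauth_token", "federated"
    environment: str                # "production" or "staging"
    last_rotated: Optional[date]    # None: never rotated or unknown
    last_used: Optional[date]       # None: no usage observed
    permissions: List[str] = field(default_factory=list)


def triage(nhi: NHI, today: date) -> Tuple[int, List[str]]:
    """Score one identity (higher is riskier) and explain each point."""
    score, reasons = 0, []
    if nhi.kind != "federated":  # federated identities carry no static secret
        age = (today - nhi.last_rotated).days if nhi.last_rotated else None
        if age is None or age > MAX_ROTATION_AGE_DAYS:
            score += 3
            reasons.append(f"static credential age: {age if age is not None else 'unknown'} days")
    if any(p == "*" or p.endswith(":*") for p in nhi.permissions):
        score += 3
        reasons.append("wildcard permission violates least privilege")
    if nhi.last_used is None or (today - nhi.last_used).days > MAX_IDLE_DAYS:
        score += 2
        reasons.append("idle: decommissioning candidate")
    if nhi.environment == "production" and score:
        score += 1
        reasons.append("reaches production systems")
    return score, reasons


def prioritize(inventory: List[NHI], today: date) -> List[Tuple[str, int, List[str]]]:
    """Rank the inventory so the highest-risk identities are remediated first."""
    ranked = [(nhi.name, *triage(nhi, today)) for nhi in inventory]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


# Constructed inventory; names and dates are illustrative only.
TODAY = date(2024, 6, 1)
INVENTORY = [
    NHI("billing-svc", "service_account", "production", date(2019, 3, 1), date(2024, 5, 30), ["s3:*"]),
    NHI("ci-deployer", "api_key", "staging", date(2024, 5, 1), date(2024, 5, 31), ["deploy:write"]),
    NHI("legacy-report-bot", "oauth_token", "production", None, date(2023, 9, 1), ["reports:read"]),
    NHI("inventory-api", "federated", "production", None, date(2024, 5, 31), ["inventory:read"]),
]
```

`prioritize(INVENTORY, TODAY)` puts the five-year-old wildcard service account first and the never-rotated idle token second, while the recently rotated key and the federated identity score zero.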
## Configuration Examples
*The source text provides no concrete configuration examples; its emphasis is on moving away from static secrets.*
**Recommended Configuration Practice (Conceptual):**
Instead of storing credentials directly in code:
* **Use Managed Identities/Workload Identity Federation:** Configure applications to assume specific IAM roles using cloud-native identity federation services rather than using long-lived access keys.
* **Store Secrets in Vaults:** Ensure all API keys and tokens are retrieved at runtime from a centralized, access-controlled vault (e.g., HashiCorp Vault, Azure Key Vault) rather than environment variables or configuration files.
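Retrieving a secret at runtime only pays off if the application also honours the lease the vault attaches to it, which is what makes the short-lived tokens of the long-term strategy practical. This added example (not from the source report or any vault vendor's SDK) wraps an assumed `fetch(path) -> (value, ttl_seconds)` client so the credential is fetched on first use and silently re-fetched at an assumed 80% of its TTL; the `FakeVault` and the controllable clock are constructed stand-ins so it runs offline.

```python
"""Retrieve a leased secret from a vault at runtime and renew it before the
lease ends, instead of loading a static value from the environment at start-up."""
import time
from typing import Callable, List, Optional, Tuple

FetchFn = Callable[[str], Tuple[str, float]]  # assumed client shape: path -> (value, ttl seconds)


class LeasedSecret:
    """Caches one vault-issued secret and re-fetches it at an assumed 80% of its TTL."""
    def __init__(self, path: str, fetch: FetchFn, clock: Callable[[], float] = time.monotonic,
                 refresh_fraction: float = 0.8):
        self.path, self.fetch, self.clock = path, fetch, clock
        self.refresh_fraction = refresh_fraction
        self._value: Optional[str] = None
        self._refresh_at = 0.0

    def _load(self) -> None:
        value, ttl = self.fetch(self.path)
        self._value = value
        self._refresh_at = self.clock() + ttl * self.refresh_fraction

    def get(self) -> str:
        """Return a currently valid credential; call on every use rather than caching the result."""
        if self._value is None or self.clock() >= self._refresh_at:
            self._load()
        return self._value


class FakeVault:
    """Constructed stand-in so the example runs offline: issues a fresh
    short-lived credential on every read, like a dynamic-secrets backend."""
    def __init__(self, ttl: float):
        self.ttl, self.issued = ttl, 0

    def read(self, path: str) -> Tuple[str, float]:
        self.issued += 1
        return f"{path}-cred-{self.issued}", self.ttl


def demo() -> List[str]:
    """Drive the cache through one lease cycle; returns the values the app saw."""
    vault, clock = FakeVault(ttl=300.0), {"t": 0.0}   # controllable clock
    secret = LeasedSecret("db/creds/app", vault.read, lambda: clock["t"])
    seen = [secret.get()]                # t=0: first use fetches cred-1
    clock["t"] = 100.0
    seen.append(secret.get())            # under 240 s: cached cred-1 reused
    clock["t"] = 250.0
    seen.append(secret.get())            # past 80% of TTL: cred-2 fetched
    return seen
```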
## Compliance Alignment
- **NIST Cybersecurity Framework (CSF):** Primarily maps to the **Identify** function (Asset Management, Risk Assessment) and the **Protect** function (Identity Management and Access Control).
- **ISO/IEC 27001 (A.9 Access Control):** Focuses on ensuring access rights for automated entities are reviewed and revoked promptly.
- **CIS Controls:** Aligns strongly with Control 4 (Secure Configuration of Enterprise Assets and Software) and Control 5 (Account Management), extended to cover non-human accounts.
## Common Pitfalls to Avoid
- **Ignoring "Shadow" Secrets:** Do not rely solely on formal code repositories; secrets frequently leak through documentation, public pastes, or forgotten testing environments.
- **Treating NHIs Like Data:** Failing to recognize that every NHI configuration or credential requires the same lifecycle management rigor (creation, review, rotation, destruction) as a human privileged account.
- **Static Credentials Dependency:** Over-relying on long-lived, static API keys for critical services, which guarantees a long compromise window if leaked.
- **Lack of Decommissioning:** Creating NHIs for temporary needs and failing to track or properly sunset them, leading to accumulation of unnecessary, potentially insecure access points.
## Resources
- **Secrets Scanning Tools:** Tools specializing in scanning code and infrastructure repositories for exposed secrets; the source's mention of GitGuardian indicates the capability needed.
- **Secrets Management Platforms:** Centralized solutions for securely storing, managing, and rotating application credentials.
- **IAM Maturity Models:** Frameworks to guide organizations in maturing their overall identity and access management program, treating NHIs as the next logical progression after human identity security.