Navigating the emerging Non-Human Identity (NHI) industry to improve security

  • There’s a growing threat of cyberattacks targeting NHIs – any digital entity that represents a machine or software application
  • The NHI industry has grown rapidly in recent years, with VC investment totalling over US$800m
  • Four ways to stay ahead of emerging threats and capitalise on the opportunities presented by the NHI industry

As organisations grapple with the growing threat of cyberattacks targeting non-human identities (NHIs) – entities that represent machines (devices and workloads), organisations and other non-human constructs – understanding this rapidly evolving industry has never been more crucial.

With recent significant VC investment and the rise of innovative solutions, the NHI industry is transforming how organisations approach identity and access management (IAM). This article breaks down what NHIs are, why they’re important, and what organisations need to know to stay ahead of potential threats.

What, exactly, is a Non-Human Identity (NHI)?

Non-Human Identities (NHIs) are currently being defined in the market as any digital entity representing a machine or software workload.¹ However, as with most things in the identity industry, there is no consistent universal taxonomy (yet), with several differing representations that blur the lines between an ‘Identity’ and a ‘Credential’ (or ‘secret’), which are, in fact, well-established terms within the industry.² Recently, Gartner, Inc. published research providing a perspective on defining the taxonomy for human vs nonhuman identities, which may pave the way for industry consensus.³ Machines use either an identity or a credential to authenticate to other machines, which could be in the form of a certificate, an account object, a key, or a token.
 

The rise of the NHI industry

In recent years, several existing and emerging fields across technology have released functionality that focuses on managing certain aspects of NHIs. These offerings are often disjointed and fragmented, but there is hope on the horizon.

  • Governance & Observability: Traditionally, one of the biggest challenges facing CISOs and IAM Leaders has been the lack of centralised visibility into the scale and volume of NHIs in use across their organisation's technology estate, given the decentralised way in which different forms of NHIs are created, used, and maintained. Several vendors have emerged in the last 24 months with platforms built upon the foundation of NHI observability. These cover not only the NHI itself but also overlay rich and useful context, such as the consuming entities of the NHI, the resources accessed by the NHI, ownership of the NHI, and activity usage of the NHI, all within a single pane of glass.
  • Identity Threat Detection & Response (ITDR): ITDR solutions have rapidly grown and matured in capability recently, with the convergence of human and now non-human identity protection being a key shift in the market. Organisations can now gain risk-based insights into NHIs in use across their technology estate, in addition to investigative features for incident response. Further maturity has also been seen in preventative measures to mitigate threats against NHIs, such as condition-based access policies that allow / deny usage of an NHI based on certain criteria (e.g. source / target authentication, protocol usage etc.).
  • Workload Identity Management: Several new standards are emerging, such as the Secure Production Identity Framework for Everyone (SPIFFE), which is quickly becoming the preferred approach for service-to-service communication and authentication in predominantly cloud-native environments. Additionally, an IETF working group referred to as WIMSE (Workload Identity in Multi System Environments) has been established with the goal of developing standards to address challenges associated with implementing fine-grained, least privilege access control for workloads deployed across multiple service platforms.
  • Traditional IAM Vendors: Traditionally focused on human identity management, most vendors are now expanding their offerings to include NHIs, as seen with SailPoint’s ‘Machine Identity Security’ solution.

Why has this industry emerged, and so rapidly over the last 18 months?

Several factors have driven the rapid growth of the NHI industry over the past 18 months:

  • Threat landscape: Organisations have seen an exponential increase in the number of NHIs, with 52% of organisations expecting to see a 20% increase in NHIs in use within their environment within the next 12 months. It’s estimated that an average of 45 non-human identities exist for every 1 human identity within an organisation. Recent breaches involving compromised NHI credentials underscore the critical need for better management and security of NHIs.
  • Venture capital investment: Since 2022, the NHI market has attracted significant investment totalling US$800m. Vendors at the forefront are developing solutions to holistically manage NHIs, filling a gap in the market. The substantial funding secured by these firms underscores investor confidence in the market’s long-term prospects and potential for future development.

Opportunities for industry convergence

Managing NHIs has often been siloed within organisations: usage has grown organically across technology teams, resulting in unclear ownership across teams such as Infrastructure, Cyber and DevOps. This fragmented approach limits organisations' ability to develop a holistic strategy and invest time in understanding new innovations and standards.

As the NHI market matures, there is growing potential for convergence. This could occur through acquisitions or product developments (e.g. Silverfort's acquisition of Rezonate), enabling traditional larger vendors or emerging smaller players to provide comprehensive solutions that manage NHIs end-to-end.

Preparing for the future

To stay ahead of emerging threats and capitalise on the opportunities presented by the NHI industry, organisations should:

  1. Understand your NHI footprint: Make sure you fully comprehend your own NHI situation and its importance in relation to running your technology estate. 
  2. Understand the latest innovations: Stay informed about new technologies, standards and capabilities for managing NHIs, particularly standards such as SPIFFE and WIMSE.
  3. Evaluate vendor roadmaps: Engage with your existing vendors to understand their plans for supporting NHIs and assess whether these align with your organisation’s needs.
  4. Adopt a holistic strategy: Move away from fragmented solutions and work toward a cohesive approach for managing NHIs, ensuring clear ownership and accountability across teams.

If you would like assistance with the above, or would like to discuss anything further, contact Chris Jones.


Contact the author

Chris Jones

Director, Advisory, PwC Australia
