Survey reveals security gaps in managing non-human identities
Recent research conducted by the Cloud Security Alliance (CSA) and Astrix Security reveals a substantial disparity in the security measures for non-human identities (NHIs) compared to human identities in organisations.
The findings were presented in the State of Non-Human Identity Security Survey Report, which surveyed over 800 experts and analysed data from more than 2 million monitored NHIs across Fortune 500 companies.
The survey found that nearly one in five organisations have encountered a security incident related to NHIs and that only 15% of organisations feel confident in their ability to secure these identities. These figures highlight the growing challenge and importance of non-human identities, which include bots, API keys, service accounts, OAuth tokens, and other automated entities that drive operational efficiencies.
John Yeoh, Global Vice President of Research at CSA, emphasised the critical role of NHIs in modern organisations. "NHIs – like bots, API keys, service accounts, OAuth tokens, and secrets – are all lifelines of today's organisations, enabling automation, efficiency, and innovation," said Yeoh. He pointed out that the tools currently deployed for identity management do not adequately address the unique challenges presented by NHIs. "The mismatch is evident in recent attacks on major brands like AWS, Okta, Cloudflare, and Microsoft, where despite having security measures in place, hackers still managed to infiltrate. This joint survey only underscores this vast issue, highlighting that NHIs cannot be treated the same as human identities."
The research identified several major challenges and gaps in securing NHIs. Among the key findings, it was noted that 45% of NHI-related security incidents were caused by a lack of credential rotation, 37% by inadequate monitoring and logging, and 37% by over-privileged accounts or identities. The survey also showed a significant gap in confidence, with only 1.5 out of 10 organisations expressing high confidence in their ability to secure NHIs, compared to nearly one in four for human identities. This lack of confidence is possibly due to the overwhelming number of NHIs, which often outnumber human identities by a factor of 20 to 1.
Fragmented tooling contributes to this problem: 58% of organisations use Identity and Access Management (IAM) systems; 54% use Privileged Access Management (PAM); 40% use API security measures; 38% employ Zero Trust or least privilege strategies; and 36% use Secrets Management tools. Despite these measures, organisations still face numerous security incidents due to credential mismanagement and a lack of comprehensive monitoring.
Additionally, fundamental security practices related to NHIs are proving difficult for many organisations. Auditing and monitoring, access and privileges, discovering NHIs, and policy reinforcement were highlighted as critical challenges, with 25% of organisations struggling with auditing and monitoring, 25% with access and privileges, 24% with discovering NHIs, and 21% with policy reinforcement. Visibility into third-party vendors connected via OAuth apps is another significant concern: 38% of organisations report no or low visibility into these external connections, and a further 47% only partial visibility.
Alon Jackson, CEO and co-founder of Astrix Security, noted the importance of targeted investments in NHI security. "As organisations increasingly acknowledge the critical need for robust NHI security, the surge in investments reflects a proactive stance toward protecting our digital infrastructures," said Jackson. He further added, "The key now is ensuring these investments are channelled into the right tools, especially as vulnerabilities persist. NHIs present unique challenges distinct from human identities, making their security complex and demanding. Addressing NHI security requires ongoing refinement, adaptable strategies, and a unified effort to tackle the ever-evolving threats head-on."
The detailed insights from the State of Non-Human Identity Security Survey Report highlight the urgent need for organisations to adapt and enhance their security mechanisms to better manage the risks associated with NHIs.