Lead Image © ARMMY PICCA, 123RF.com

Identity for Machines, Workloads, and Agents

Digital Colleagues

Article from ADMIN 92/2026
Many non-human identities – workloads in the cloud, service accounts in IT systems, autonomous agents in AI applications – are poorly managed or not managed at all. We present a strategic, holistic approach to managing these identities.

Non-human identities (NHIs) are not a new phenomenon, but they are rapidly becoming more prevalent and complex. NHIs include identities for workloads, services, Internet of Things (IoT) devices, machines, and, increasingly, autonomous artificial intelligence (AI) applications. Studies and observations in corporate environments show that NHIs exceed the number of human identities many times over: Ratios of 40:1 to 80:1 have been reported. Whether or not these numbers are accurate, NHIs clearly pose an identity and access management (IAM) and cybersecurity problem of considerable magnitude, bringing a variety of security risks and prompting the need for automation.

The challenge lies not only in the sheer numbers. NHIs are often created automatically, for example, as part of continuous integration and continuous delivery (CI/CD) pipelines or through instances of Kubernetes pods. Their lifespans can range from a few seconds to several years, and their privileges range from simple read access to comprehensive administrative rights.

The majority of today's NHIs are either unknown or work with static access credentials that do not change over long periods of time. This combination of opacity and permanent authorizations creates a massive attack surface that classic IAM strategies do not address. The strategies currently in place only consider human identities and a small subset of NHIs: the technical and functional user accounts (more precisely, service and system accounts) managed by privileged access management (PAM).

Management of Non-Human Identities

Several terms are in use for the strategies, technologies, and processes involved. Some are used synonymously with the umbrella term "non-human identity management," whereas others denote specific sub-areas (Table 1).

...