Delinea | Privileged Access Management Blog

How to Manage and Protect Non-human Identities (NHIs)

Written by Tony Goulding | Jan 21, 2025 1:00:00 PM

Non-human identities are attractive targets for cyber attackers, as evidenced by recent incidents at Cloudflare (failure to rotate service account credentials after a third-party breach), Snowflake (stolen credentials linked to service accounts), Hugging Face (compromised Hugging Face tokens), and AWS-hosted applications (publicly exposed .env files that contained access keys and API credentials). Lack of NHI visibility and over-permissioning increase the attack surface and enable lateral movement once a single identity is compromised.

Industry estimates put the ratio at roughly forty-five non-human identities for every human user. While your identity security program meticulously governs employee access, these Non-Human Identities (NHIs), critical to your applications and services, often remain unmanaged, unsecured, and ripe for exploitation. Cost, compliance, and reputation risks abound.

In this blog, you'll learn how adversaries abuse NHIs and what you can do about it to protect your organization.

What are Non-Human Identities?

Human identities—such as employees, partners, and customers—are familiar territory for most organizations. To control resource access, these identities are tied to people and managed through usernames, passwords, and multi-factor authentication (MFA).

Non-Human Identities (NHIs) represent machines, applications, containers, APIs, or services that interact within digital ecosystems. Unlike human identities, NHIs aren't tied to individuals; they exist to enable machine-to-machine communication, automate processes, and authenticate workloads.

While human identities rely on predictable behaviors and access patterns, NHIs operate at high speed and scale, often with complex interdependencies that require specialized management. This distinction is critical, as traditional identity management frameworks designed for humans fall short in addressing the unique lifecycle and security needs of NHIs.

NHIs consist of a unique identifier and an associated credential. The identifier might be an application ID, container ID, or platform-provided identity, while the credential could range from static secrets, API keys, and X.509 certificates to OAuth 2.0 client credentials, SSH certificates, Kerberos tickets, or SPIFFE SVIDs (SPIFFE Verifiable Identity Documents, from the Secure Production Identity Framework for Everyone).

These identities enable machines, workloads, or services to authenticate and interact with other systems securely.

How adversaries leverage Non-Human Identities in the MITRE ATT&CK Chain

If you look at the MITRE ATT&CK framework, most tactics include techniques that apply directly to non-human identities, including reconnaissance, initial access, persistence, privilege escalation, credential access, and lateral movement.

Tactic               | Technique                                                   | Description
Reconnaissance       | Gather Victim Identity Information: Credentials (T1589.001) | Adversaries may gather credentials that can be used during targeting. These credentials may belong to non-human accounts as well as to users within the target organization.
Resource Development | Compromise Accounts (T1586)                                 | Adversaries may compromise existing accounts, including non-human identities, rather than create new accounts to support their operations.
Initial Access       | Valid Accounts (T1078)                                      | Adversaries may abuse valid credentials, including those of non-human accounts, for Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Persistence          | Valid Accounts (T1078)                                      | As with Initial Access, adversaries may use compromised credentials of non-human accounts to maintain persistence within a network.
Privilege Escalation | Valid Accounts (T1078)                                      | Adversaries may use compromised credentials of privileged non-human accounts to escalate their access rights.
Defense Evasion      | Valid Accounts (T1078)                                      | Valid credentials, including those of non-human accounts, let adversaries blend in with legitimate activity and evade detection.
Credential Access    | Brute Force (T1110)                                         | Adversaries may repeatedly try different passwords to gain access to accounts, including non-human accounts.
Lateral Movement     | Valid Accounts (T1078)                                      | Adversaries can use compromised credentials of non-human accounts to move laterally within a network and reach additional systems and resources.

NHIs are rapidly proliferating in modern IT ecosystems, driven by increased reliance on microservices, DevOps practices, cloud platforms, and artificial intelligence (AI). This expansion is complex and often unmanaged and fragmented, which impacts IT and security leaders in several ways.

Consider:

Visibility: Do you know where your NHIs live? Many NHIs lack clear ownership, are inconsistently documented, and are left unmonitored. For instance, service accounts are frequently shared across multiple workloads to reduce administrative overhead.

Lifecycle governance: NHIs aren't typically governed by traditional IAM or Identity Governance and Administration (IGA) solutions. They lack standard processes such as joiner/mover/leaver lifecycle events and proper management of permissions. Adding an NHI to an admin group such as Domain Admins is often done for convenience but unnecessarily broadens its permissions. Different silos of NHIs usually require custom governance treatment.

Credential storage: Storing credentials safely relies on encryption or file system access controls, and with encryption, key management becomes critical. Are your DevOps teams storing secrets in plaintext in code and configuration files? And while humans use MFA to mitigate the risk of static credentials, a second factor for a machine is just another secret that has to be stored and protected.

Credential management: Static secrets dominate NHI authentication but are seldom rotated or managed at scale, leaving them vulnerable to compromise.

Identity risk posture: Can you tell your NHI risk posture at a glance? Can you identify misconfigurations that require proactive mitigation, such as stale/unused and overprivileged NHIs? Can you prioritize remediation to tackle the riskiest concerns first? If not, you may be miscalculating your risk exposure and/or spending time on issues that don't materially impact your risk.

Monitoring: NHIs live in many places. Can you continually monitor their use, detect anomalous behavior, and alert or, ideally, automatically remediate them?
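The posture and monitoring questions above (visibility, stale and over-privileged identities, anomalous use, prioritization) can be answered mechanically once you have an inventory and an authentication log. The following is an added example, not Delinea code: the inventory schema, the log format, the thresholds and the risk weights are all assumptions chosen for the demonstration, and the inventory and log lines are constructed.

```python
"""NHI posture and usage checks over a constructed inventory and authentication log.

Added example, not Delinea code. The inventory and log formats are assumptions chosen
for the demo (replace them with your own exports). It flags stale, unowned,
over-privileged and unrotated identities from the inventory, then anomalous use from
the log (unexpected source address, bursts of failures, identities that authenticate
but are missing from the inventory), and ranks everything for remediation.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 1, 21, tzinfo=timezone.utc)  # fixed clock so results are reproducible
STALE_AFTER = timedelta(days=90)      # not used for this long: candidate for removal
ROTATE_AFTER = timedelta(days=180)    # static secret older than this: rotate it
BROAD_PERMISSIONS = {"*", "iam:*", "Domain Admins"}
WEIGHTS = {"over-privileged": 5, "unexpected-source": 4, "not-in-inventory": 4,
           "brute-force-suspected": 3, "static-credential-unrotated": 2,
           "stale": 2, "unowned": 1}

# Constructed inventory (assumed schema). Dates are YYYY-MM-DD.
INVENTORY = [
    {"id": "svc-backup", "owner": "storage-team", "credential": "password",
     "last_rotated": "2023-02-01", "last_used": "2025-01-20",
     "permissions": {"s3:GetObject", "s3:PutObject"}, "expected_sources": {"10.0.1.5"}},
    {"id": "svc-ci-deploy", "owner": None, "credential": "api_key",
     "last_rotated": "2024-11-01", "last_used": "2025-01-19",
     "permissions": {"*"}, "expected_sources": {"10.0.2.10", "10.0.2.11"}},
    {"id": "svc-legacy-etl", "owner": "data-team", "credential": "password",
     "last_rotated": "2022-06-15", "last_used": "2024-07-01",
     "permissions": {"db:read"}, "expected_sources": {"10.0.3.7"}},
    {"id": "spiffe://corp/ns/payments/sa/api", "owner": "payments-team", "credential": "svid",
     "last_rotated": "2025-01-21", "last_used": "2025-01-21",
     "permissions": {"payments:charge"}, "expected_sources": set()},  # attested, no IP allowlist
]

# Constructed authentication log: "<timestamp> <identity> <source-ip> <outcome>".
AUTH_LOG = """\
2025-01-21T02:14:07Z svc-backup 10.0.1.5 success
2025-01-21T02:15:11Z svc-ci-deploy 10.0.2.10 success
2025-01-21T03:02:44Z svc-ci-deploy 203.0.113.9 success
2025-01-21T03:02:45Z svc-ci-deploy 203.0.113.9 success
2025-01-21T04:10:00Z svc-legacy-etl 10.0.3.7 failure
2025-01-21T04:10:01Z svc-legacy-etl 10.0.3.7 failure
2025-01-21T04:10:02Z svc-legacy-etl 10.0.3.7 failure
2025-01-21T04:10:03Z svc-legacy-etl 10.0.3.7 failure
2025-01-21T04:10:04Z svc-legacy-etl 10.0.3.7 failure
2025-01-21T05:00:00Z svc-unknown-tmp 10.0.9.9 success
"""


def _date(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def posture_findings(inventory, now=NOW) -> dict:
    """Static misconfigurations: fixable without looking at any traffic."""
    findings = {}
    for nhi in inventory:
        tags = []
        if nhi["owner"] is None:
            tags.append("unowned")
        if nhi["permissions"] & BROAD_PERMISSIONS:
            tags.append("over-privileged")
        if now - _date(nhi["last_used"]) > STALE_AFTER:
            tags.append("stale")
        # Only static secrets age; an SVID or similar short-lived credential rotates itself.
        if nhi["credential"] in ("password", "api_key") and now - _date(nhi["last_rotated"]) > ROTATE_AFTER:
            tags.append("static-credential-unrotated")
        findings[nhi["id"]] = tags
    return findings


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        stamp, ident, src, outcome = line.split()
        events.append((datetime.fromisoformat(stamp.replace("Z", "+00:00")), ident, src, outcome))
    return events


def usage_findings(inventory, events, failures=5, window=timedelta(seconds=60)) -> dict:
    """Behavioural signals from the log; the baseline of expected sources comes from the inventory."""
    by_id = {nhi["id"]: nhi for nhi in inventory}
    findings = {nhi["id"]: [] for nhi in inventory}
    fail_times = {}
    for stamp, ident, src, outcome in events:
        nhi = by_id.get(ident)
        if nhi is None:  # something authenticates that nobody inventoried: a visibility gap
            findings.setdefault(ident, [])
            if "not-in-inventory" not in findings[ident]:
                findings[ident].append("not-in-inventory")
            continue
        expected = nhi["expected_sources"]
        if expected and src not in expected and f"unexpected-source:{src}" not in findings[ident]:
            findings[ident].append(f"unexpected-source:{src}")
        if outcome == "failure":
            fail_times.setdefault(ident, []).append(stamp)
    for ident, stamps in fail_times.items():  # N failures inside the window looks like password guessing
        stamps.sort()
        if any(stamps[i + failures - 1] - stamps[i] <= window for i in range(len(stamps) - failures + 1)):
            findings[ident].append("brute-force-suspected")
    return findings


def rank(inventory, events, now=NOW) -> list:
    """[(id, score, tags)] highest risk first, so the riskiest NHI gets fixed first."""
    merged = posture_findings(inventory, now)
    for ident, tags in usage_findings(inventory, events).items():
        merged.setdefault(ident, []).extend(tags)
    scored = [(ident, sum(WEIGHTS[t.split(":")[0]] for t in tags), tags) for ident, tags in merged.items()]
    return sorted(scored, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    for ident, score, tags in rank(INVENTORY, parse_log(AUTH_LOG)):
        print(f"{score:3}  {ident:40}  {', '.join(tags) or 'ok'}")
```

On the constructed data the unowned, wildcard-permissioned CI identity that also authenticated from an unexpected address ranks first, the stale and unrotated ETL account with a burst of failures second, and the identity that appears in the log but not in the inventory third; the attested SPIFFE identity produces no findings. The weights are deliberately simple; the point is that prioritization is a function of posture and behaviour together, not of either alone.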

Business impacts of poor NHI management

The lack of effective management for NHIs poses significant challenges across key business operations areas, including cost, compliance, security, and productivity. Inefficiencies in managing the vast inventory of NHIs lead to resource wastage as IT teams spend excessive time on manual oversight and reactive troubleshooting. These costs are exacerbated when unmonitored NHIs contribute to security breaches, requiring expensive remediation efforts.

Compliance risks arise as standards, regulations, and guidance such as PCI DSS, NIST CSF, the CIS Controls, DORA, and OWASP increasingly call for robust machine identity management. Organizations failing to meet these requirements expose themselves to penalties and reputational harm.

Regarding productivity, the absence of structured NHI management processes forces you to discover and manage NHIs manually. Developers and IT teams often devise workarounds to enable machine-to-machine authentication. These challenges collectively hinder business agility, innovation, and operational efficiency, making effective NHI management an urgent priority.

Addressing NHI risks: a practical and strategic approach

Addressing the risks associated with NHIs requires immediate action and a long-term strategy.

Focus initially on prevention so credentials aren't exposed. The more barriers you can place in front of NHIs, the better.

You can begin by operationalizing your existing capabilities in tools that manage human user identities, such as IAM and PAM solutions. Such tools should be capable of handling basic NHI-related use cases like discovery, vaulting, and monitoring to address immediate gaps in discovery, governance, and security.

Look to answer questions that focus on posture management, such as:

  • Where are NHIs stored?
  • How are they being used?
  • How easy is it for attackers to compromise them?
  • What risk do they represent?
  • What should we prioritize first and why?

To help you get started reducing NHI risk right away:

Delinea Secret Server discovers and vaults static credentials such as API keys and service account passwords; automated credential rotation, MFA, and just-in-time (JIT) access workflows then reduce the likelihood of credential exposure.

Delinea Identity Threat Protection and Privilege Control for Cloud Entitlements support identity posture management functions. They detect misconfigurations, such as stale keys or over-permissioned identities, and enable remediation to minimize vulnerabilities. They also extend discovery to cloud identities, including CSP vaults, secrets, and workloads.

Delinea Privilege Control for Servers ensures that NHIs operate with only the permissions necessary for their tasks. Analytics and machine learning also play their part in continuous monitoring, detecting anomalous behavior, and identifying risky access and permission pathways across your identity fabric.

Delinea Account Lifecycle Manager streamlines privileged account creation, management, and deprovisioning. It ensures secure, policy-driven automation for account onboarding, access governance, and offboarding, reducing risks associated with orphaned accounts and manual processes.

In the long term, transition from static credentials to ephemeral, short-lived credentials such as OAuth 2.0 access tokens, Kerberos tickets, SSH certificates, or SPIFFE SVIDs. Short-lived credentials are inherently safer than static ones for NHIs because they shrink the window in which a discovered credential is usable.

Static credentials, such as passwords or API keys, often persist for extended periods and are susceptible to exposure through misconfigurations, code repositories, or inadvertent sharing. Attackers leveraging automated tools can quickly discover these exposed secrets on public-facing services like GitHub, as evidenced by the millions of secrets leaked annually.
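The same automated discovery attackers run against public repositories works just as well as a pre-commit or CI gate on your own side, and it also answers the earlier question of whether teams are storing secrets in plaintext in code and configuration files. The following scanner is an added example, not Delinea code: the sample .env content is constructed (the AWS pair is Amazon's documented example key, the other tokens are fabricated), the key-name heuristics and entropy threshold are assumptions, and the Hugging Face rule matches on prefix only.

```python
"""Scan .env / config text for plaintext secrets before they are committed.

Added example, not Delinea code. Format-specific rules fire first; a generic rule
then catches sensitive-looking assignments and rates the value by Shannon entropy.
Findings carry a redacted preview, never the full value.
"""
import math
import re
from collections import Counter

# Format-specific detectors. Shapes are public; the Hugging Face rule is prefix-based (assumption).
SPECIFIC_RULES = [
    ("aws-access-key-id", re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")),
    ("github-token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("huggingface-token", re.compile(r"\bhf_[A-Za-z0-9]{30,}\b")),
    ("private-key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
]
ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_.-]*)\s*[=:]\s*(.+?)\s*$")
SENSITIVE_KEY = re.compile(r"(?i)(secret|passw(or)?d|pwd|token|api[_-]?key|private[_-]?key|credential)")
PLACEHOLDER_PREFIXES = ("${", "<", "vault:", "op://", "arn:")  # references to a secret, not the secret
ENTROPY_THRESHOLD = 3.5   # bits per character; random base64/hex material usually clears this
MIN_SECRET_LEN = 16

# Constructed sample; none of these values are live credentials.
SAMPLE_ENV = """\
# constructed sample .env for the scanner demo
DB_HOST=db.internal
DB_PASSWORD=hunter2
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
GITHUB_TOKEN="ghp_0123456789abcdefghijklmnopqrstuvwxyz"
HF_TOKEN=hf_abcdefghijklmnopqrstuvwxyz01234567
SESSION_SECRET=${SESSION_SECRET}
API_URL=https://api.example.com
-----BEGIN PRIVATE KEY-----
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def _preview(value: str) -> str:
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(text: str) -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = ASSIGNMENT.match(line)
        key, value = (m.group(1), m.group(2).strip("'\"")) if m else (None, line.strip())
        hit = False
        for rule, pattern in SPECIFIC_RULES:  # exact formats first, anywhere on the line
            match = pattern.search(line)
            if match:
                findings.append({"line": lineno, "rule": rule, "key": key, "preview": _preview(match.group(0))})
                hit = True
        if hit or key is None or not SENSITIVE_KEY.search(key):
            continue
        if not value or value.startswith(PLACEHOLDER_PREFIXES):
            continue  # an indirection to a vault or environment variable is what we want to see
        ent = shannon_entropy(value)
        rule = "high-entropy-secret" if ent >= ENTROPY_THRESHOLD and len(value) >= MIN_SECRET_LEN else "sensitive-assignment"
        findings.append({"line": lineno, "rule": rule, "key": key, "preview": _preview(value), "entropy": round(ent, 2)})
    return findings


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_ENV):
        print(finding)
```

Run against the sample it reports the AWS key ID, the GitHub and Hugging Face tokens and the private-key header by format, the AWS secret key by entropy, and the short database password as a sensitive assignment, while the `${SESSION_SECRET}` reference and the plain URL pass. The entropy rule is the one that needs tuning in practice: lower the threshold and you drown in UUIDs and hashes, raise it and you miss human-chosen passwords, which is why the key-name check runs alongside it.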

Once compromised, static credentials give attackers the account's full access until they are manually rotated or revoked, a process that is often too slow to prevent damage. Any static credential you cannot yet eliminate must be vaulted and encrypted at rest.

In contrast, short-lived tokens can expire within minutes or even seconds, so an intercepted token is useful to an attacker only until it expires, and a copy exfiltrated later is worthless. This ephemeral nature dramatically shrinks the exposure window and aligns with modern security practice: access credentials are dynamic, tightly controlled, and far less prone to long-term abuse. Pay special attention to the NHI creation process and how ephemeral credentials are requested.

For example, how does a new NHI authenticate itself to the credential provider to request its first ephemeral credential? This is the "Secret Zero" challenge. Avoid solving it by provisioning yet another static access key, which merely moves the problem. Frameworks like SPIFFE can provide federated and attested identities, ensuring stronger assurance levels and seamless integration with modern DevOps workflows. Alternatively, use the cloud provider's machine IAM services (instance or workload identity) to validate or attest the NHI's identity before granting a temporary credential.
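The Secret Zero pattern described above, as an added example that is not Delinea, SPIFFE or cloud-provider code: the platform that launched the workload attests what is running, a credential broker exchanges that attestation for a short-lived, audience-bound token under policy, and the resource server checks signature, audience and expiry. The workload itself is never given a secret to store. HMAC-SHA256 with simulated keys stands in for the asymmetric signatures a real platform and broker would use, the SPIFFE-style identifier and policy are assumptions, and the clock is passed in explicitly so the expiry and replay cases run deterministically.

```python
"""Secret Zero: bootstrap a workload from an attested identity, not a stored secret.

Added example. Three parties run in-process: the platform (stand-in for a node agent
or cloud instance identity service) attests what is running; a credential broker
exchanges that attestation for a short-lived, audience-bound token; a resource server
verifies the token. HMAC-SHA256 with simulated keys stands in for real signatures.
"""
import base64
import hashlib
import hmac
import json


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims: dict, key: bytes) -> str:
    """Compact '<payload>.<mac>' token over canonical JSON."""
    body = _b64u(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    mac = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64u(mac)}"


def verify(token: str, key: bytes, now: float) -> dict:
    """Check the MAC before trusting any claim, then enforce expiry. Raises ValueError."""
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed")
    body, mac = parts
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64u_decode(mac)):
        raise ValueError("bad signature")
    claims = json.loads(_b64u_decode(body))
    if now >= claims["exp"]:
        raise ValueError("expired")
    return claims


# Platform: vouches for the workload it launched. The workload holds no secret of its own.
PLATFORM_KEY = b"simulated-platform-attestation-key"
ATTESTATION_TTL = 30


def platform_attest(workload_id: str, node: str, now: float) -> str:
    return sign({"workload": workload_id, "node": node, "iat": now, "exp": now + ATTESTATION_TTL}, PLATFORM_KEY)


# Broker: policy decides which attested workload receives which scope for which audience.
BROKER_KEY = b"simulated-broker-token-signing-key"
TOKEN_TTL = 60
POLICY = {"spiffe://corp/ns/payments/sa/api": {"aud": "payments-db", "scope": "payments:charge"}}


def broker_issue(attestation: str, now: float) -> str:
    claims = verify(attestation, PLATFORM_KEY, now)
    grant = POLICY.get(claims["workload"])
    if grant is None:
        raise PermissionError(f"no policy for {claims['workload']}")
    return sign({"sub": claims["workload"], "aud": grant["aud"], "scope": grant["scope"],
                 "iat": now, "exp": now + TOKEN_TTL}, BROKER_KEY)


# Resource server: accepts only tokens minted for it, within their lifetime.
def resource_authorize(token: str, audience: str, now: float) -> str:
    claims = verify(token, BROKER_KEY, now)
    if claims["aud"] != audience:
        raise ValueError("wrong audience")
    return claims["scope"]


def _attempt(fn, *args):
    try:
        return fn(*args)
    except (ValueError, PermissionError) as err:
        return str(err)


def demo() -> dict:
    """Happy path plus the failure modes an attacker holding a copied token runs into."""
    t0 = 1737464400.0  # 2025-01-21T13:00:00Z, fixed so the run is reproducible
    workload = "spiffe://corp/ns/payments/sa/api"
    attestation = platform_attest(workload, "node-7", t0)
    token = broker_issue(attestation, t0)
    body, mac = token.split(".")  # forge: widen the scope but keep the original MAC
    forged_claims = json.loads(_b64u_decode(body))
    forged_claims["scope"] = "*"
    forged = _b64u(json.dumps(forged_claims, sort_keys=True, separators=(",", ":")).encode()) + "." + mac
    return {
        "fresh": _attempt(resource_authorize, token, "payments-db", t0 + 30),
        "stolen-after-expiry": _attempt(resource_authorize, token, "payments-db", t0 + TOKEN_TTL + 1),
        "replayed-to-other-service": _attempt(resource_authorize, token, "billing-api", t0 + 30),
        "tampered-scope": _attempt(resource_authorize, forged, "payments-db", t0 + 30),
        "stale-attestation": _attempt(broker_issue, attestation, t0 + ATTESTATION_TTL + 5),
        "unknown-workload": _attempt(broker_issue, platform_attest("spiffe://corp/ns/dev/sa/scratch", "node-7", t0), t0),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:28} -> {outcome}")
```

Two design points carry over to real deployments. The attestation is itself short-lived, so a captured attestation cannot be redeemed later for a fresh token; and the broker, not the workload, decides scope and audience from policy, so a compromised workload cannot ask for more than it was provisioned. Replace the HMAC keys with the platform's signing key and the broker's published verification key (a JWKS endpoint or SPIFFE bundle) and the shape of the exchange is unchanged.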

It is also essential to implement a comprehensive NHI lifecycle management strategy encompassing automated onboarding, decommissioning, and governance tailored to the unique needs of machine identities.

Align with Gartner's recommendations for protecting NHI

Delinea's current identity security capabilities, our ongoing roadmap for NHI management, and Gartner's recommendations for protecting NHI are closely aligned.

By following this advice and embracing Delinea identity security solutions, you can ensure your NHI strategy supports both current needs and future growth. This dual approach mitigates risks today and establishes a foundation for more secure and efficient operations in a machine-driven world.

Managing Non-Human Identities is foundational to securing modern IT environments. By addressing immediate risks and planning for a future based on ephemeral credentials and robust lifecycle management, you can mitigate threats, ensure compliance, and streamline your IT operations. The time to act is now.