I had the pleasure of speaking at the first NHI Conference in NYC last week, hosted by Astrix Security and Cloud Security Alliance. I want to share key takeaways from CISOs and security leaders about the current state of NHI.
First, for context for my non-identity readers: NHIs (non-human identities) are identities tied to applications and services. They include bots, API keys, service accounts, and OAuth tokens, all of which are credentials that allow machines to access resources and communicate with each other.
As a market researcher, I have seen NHIs become the hottest topic in my coverage (with CISOs and investors alike) behind AI security this year, so here are four things I heard:
1) Historically, the focus on identity has primarily been on managing human access and governance (IGA) and privileged accounts (PAM). The problem of NHIs resonates with every security leader, especially those with SaaS / cloud architectures. While NHIs are nothing new, there have been recent attacks exploiting NHIs (roughly one every month over the past 13), namely the Cloudflare, Snowflake, HuggingFace and AWS attacks, which have put a spotlight on an area that deserves attention.
2) The #1 issue every leader wants to solve is visibility: discovery and inventory of all NHIs in their environments (across cloud, SaaS and on-prem). "Inventory" was the most-used word, showing that many organizations lack proper visibility and a good inventory of all their NHIs.
3) No existing solution truly solves this problem. Existing IAM, PAM, API security or ITDR products only have a siloed view of different types of NHIs. This matters because most organizations have a fragmented stack: some have service accounts in on-prem Active Directory, others store secrets in vaults such as HashiCorp or CyberArk/Delinea. There is an opportunity for one vendor to provide a centralized view of NHIs and handle the lifecycle of NHIs.
4) Some CISOs have already implemented NHI management, while others see it as a 2025 budget line item. Some organizations have built scripts to deal with NHIs, but overwhelmingly, most agree this is a buy-rather-than-build category, given proper staffing. Although it is too early to call, I heard some CISOs say the future identity stack looks like AM, IGA + NHI, with some PAM, ITDR and CIEM depending on architecture.
I'll share more in my upcoming report on Thursday, which delves into the state of NHIs: key vendors, the market, and how CISOs and organizations are solving this problem. In the meantime, I recommend checking out the CSA's report, based on 800+ security leaders, on the state of NHIs (link in comments).
MASSIVE thank you to the team at Astrix Security for their leadership in moving this industry forward with this great conference. Congrats to Alon Jackson, Idan Gour, Dana Natan Katz, Ryan Rockenbaugh and everyone for a well-organized and well-attended conference. It was great to share the stage with Michael Silva. Thanks again for having me, and I expect this topic to become even bigger in 2025.