How Non-Human Identities Differ from Human Identities

This article is available in audio format, click play above to listen to the article. 

Managing and securing digital identities within organizations has become a significant concern for the technology industry. This article explores how Non-Human Identity Management (NHIM) seeks to address the complexity of managing identities in organizations not tied to humans and is an extract from 'The Essential Guide to Non-Human Identity Management' which is available to download. NHIM involves the management and protection of identities associated with systems, applications, services, machines, Application Programming Interfaces (API’s), Artificial Intelligence (AI) entities and any other automated systems or entities not associated with a human user.

Paul Carpenito, Head of Information Security at Loews Corporation, states while human identities are often characterized by a specific interaction and an expected or a reasonably defined behavior of a human, non-human identities operate autonomously and often lack ownership, clear visibility and typically, exist in the preverbally “set-it and forget-it” state, that cyber professionals are all too familiar with.

Examples of Non-human Identities 

Non-human identities or machine identities, in the context of identity and access management, often take the form of:

• Service accounts: These are special types of accounts used by applications or services to interact with each other or with databases. They are not tied to a specific user but are used to run processes, tasks, or jobs.
• API keys: These are unique identifiers used to authenticate a user, developer, or calling program to an API. They are used to track and control how the API is being used.
• Certificates: These are used to secure the communication between different services. They authenticate the service's identity and encrypt the data being exchanged.
• Tokens: In the context of OAuth, tokens are used to grant applications limited access to user accounts on an HTTP service.
• Bots: In platforms like Slack or Teams, bots have their own identities and are used to automate tasks or responses. Often include integration with sophisticated Artificial Intelligence (AI) algorithms.

How Non-Human Identities differ from Human Identities

Machines far outnumber humans today. But far from any sci-fi notions of a dystopian robot-ruled future, machines help free us, from dangerous, time-consuming, or repetitive tasks.

Just like humans, each machine needs one or more unique identity to authenticate and securely communicate with one another or a system. Unlike their human counterparts, machine identities receive far less attention.

Human identities, in the scope of identity and access management, refer to t unique identifiers, such as usernames, or credentials that are assigned to individuals to access and use resources within a system. These identities allow for the tracking of user activities, setting permissions and ensuring accountability.

Non-human identities, often referred to as service accounts, system identities, or machine identities, are used by applications or services to interact with each other. These identities also require management to ensure secure communication between different services, prevent unauthorized access, and facilitate accountability.

The key difference between human and non-human identities is that human identities are tied to individual users with personal characteristics, while non-human identities are used by systems or applications for interaction, not tied to personal characteristics or individual user behavior.

Carpenito adds unlike with human identities, the creation and control of non-human identities aren’t centralized to IT or an identity team. In many cases, non-human identities are directly created by developers or even citizen developers in no-code, low-code who may not be aware of their usage, as they represent the only means for the code they need to interact with systems.

Securing non-human identities carries inherent operational risks. In the absence of a comprehensive understanding of all consumers, there is a potential for disrupting production systems. For example, efforts to rotate secrets may unintentionally disrupt established and vital business workflows.

Adding to the challenge is the lack of standardization of non-human identity types and formats across different cloud providers and technology stacks. For example, AWS service accounts differ from Azure service principals, which differ from GCP service accounts.