Understanding the Non-Human Identity Problem

2 min read
(February 27, 2024)

Recently, there has been a growing buzz surrounding the concept of non-human identity – a domain that demands attention and understanding from security professionals worldwide. To shed light on this intriguing topic, Cyber Security Tribe co-founder Dorene Rettas sat down with Andrew Wilder, a seasoned cybersecurity expert with over two decades of experience spanning various industries. 

Wilder's journey in cybersecurity began over 20 years ago, starting in consulting and later serving in prominent roles at renowned companies such as Nestle and Hillenbrand. Currently, as the Retained Chief Security Officer at Community Veterinary Partners, Wilder brings a wealth of strategic acumen in risk management, audit, and organizational design to the table. 

The Challenges of Non-Human Identity 

In the conversation, the pair delved into the intricacies of non-human identity and the challenges it presents in modern cybersecurity frameworks. A focus was the evolution from traditional identity and access management (IAM) practices to the emerging focus on non-human identities and the significance of addressing the proliferation of non-human accounts, driven by the shift towards cloud-based solutions and automation. 

One of the key insights Wilder shared was the heightened risk posed by compromised non-human accounts. Unlike human accounts, which are more likely to trigger alerts when compromised, non-human accounts can often go undetected for extended periods, providing malicious actors with prolonged access to critical systems and data. 

Drawing from real-world examples such as the Uber and Okta breaches, the conversation underscored the importance of recognizing non-human identities as a vital link in the cybersecurity threat chain. Wilder emphasized that while breaches may initially target human accounts, adversaries frequently pivot to exploiting non-human accounts to maintain persistence within compromised networks. 

A significant challenge highlighted is the current gap in solutions tailored specifically for non-human identity management. While traditional IAM solutions focus primarily on human identities, the evolving threat landscape necessitates a shift towards comprehensive solutions that encompass both human and non-human identities. 

The Evolving Understanding of the Non-Human Identity Problem 

Wilder outlined a five-stage awareness model, ranging from unawareness to product awareness, to illustrate the evolving understanding of the non-human identity problem within the cybersecurity community. He emphasized the need for organizations to proactively address this issue and stay ahead of emerging threats. 

Additionally, valuable insights were provided for cybersecurity professionals navigating the vendor landscape in search of solutions for non-human identity management. Wilder stressed the importance of evaluating solutions that offer platform-agnostic coverage and seamless integration with existing cybersecurity infrastructure. 

As organizations embark on their journey to enhance non-human identity management, there is a great importance for proactive engagement and collaboration with vendors. Wilder encourages cybersecurity leaders to ask probing questions, ensuring that chosen solutions align with their unique operational requirements and provide comprehensive coverage across diverse environments. 

In conclusion, Andrew Wilder's insights underscore the critical importance of addressing non-human identity management in today's cybersecurity landscape. As organizations strive to safeguard their digital assets and infrastructure, understanding and mitigating the risks associated with non-human identities emerge as imperative priorities. 

For those eager to delve deeper into the realm of non-human identity management, Wilder's forthcoming contributions to our upcoming report in March promise further insights and actionable strategies.