Hello. Welcome to today's webinar, Beyond Humans — Securing the Digital Frontier with Non-Human Identity Management. My name is Alejandro Leal. I'm a Senior Analyst at KuppingerCole. And this is one of the webinars to prepare the Road to EIC, where we will be having more conversations around this topic in May.
Today, I have a great lineup joining me. I'm going to let them introduce themselves.
So, first, we can start with Selen. How are you, Selen?
Thank you, Alejandro. I'm very fine. It's great to be here. Thank you for inviting me to this insightful and hard topic. I can introduce myself. My name is Selen Yılmaz. I'm the Head of the Identity and Access Management Team at GarantiBBVA. GarantiBBVA is a private bank in Turkey, and it has 15 million customers and over 23,000 employees.
And also, GarantiBBVA is a part of BBVA Global. You know, maybe it's a global bank. And I hope we'll have fun with this topic. Thank you.
I hope so, too. Thank you, Selen. Happy to have you here with us.
Maybe, Lalit, you can tell us a little bit about yourself.

Hi, everyone. I'm Lalit Chodha. I'm the founder of the Non-Human Identity Management Group. 30-plus years in the industry, mainly in investment banking, working on large global IAM, PAM, and NHI programs. Recently finished a huge program at a huge bank, looking at NHIs, hundreds of thousands of them.
Last year, I formed the Non-Human Identity Management Group, initially on LinkedIn, nearly 2,000 active members, and created probably the biggest knowledge center around NHIs in the industry, now known by the name Mr. NHI.

Awesome. Thank you so much. Dr. Heiko?

Yeah.
So, hi, everyone. I'm Heiko. I'm the CEO of Nexus, a leading software vendor for enterprise authorization governance. More than 20 years in the identity and access management space, most of the time not on the software vendor side but on the consultancy and professional services side in various roles. And I did a lot of research and focused on non-human identities, NHI, during the last couple of months, or the whole last year.

Thank you. And last but not least, Matthias?

Yes. And as an analyst and advisor, NHI, of course, is a topic that we as KuppingerCole have to have an eye on.
And that's maybe the reason why I'm here. So, it's really something that is gaining traction. And as you said, Alejandro, we will have a track on this at EIC in Berlin in May. And I hope we have a great discussion with Mr. NHI and all the other experts here around. Awesome.
Well, thank you so much, everyone. Now to set the stage, maybe we can start with you, Matthias. First question, in your opinion, what has driven the rise of non-human identities and why is their management now a critical priority in identity and access management?
Okay, maybe a starting point. I know there are lots of these arguments to say, okay, cloud and cloud native and all this orchestration part is the most important part. But I think the point where I want to start with is most or many of those are not yet new and we just did not take proper care of those identities.
So, what we now think of non-human identities, I think they are around for quite a while. We put them into PAM and we put them into IGA and abusing, misusing IGA for that.
Finally, we understand that they are important and need to be taken care of. And that could be technical accounts and communication between two autonomous systems. But of course, the overall movement is towards more of those, and much more of those through orchestration. But I think it's an issue that we just happily ignored for quite a while. But now it's really coming back to us, and it's coming massive. And there are lots of other good reasons for that.

Absolutely. And as I was talking to you guys earlier, I'm currently doing some research on access management.
And I did a report on that topic two years ago. And one of the trends that I see is that lots of vendors are talking about it now. It seems like it's a hot topic. They're trying to address it. But I'd like to know more about your thoughts on this Lalit. Maybe you can tell us your opinion.
Yeah, look, I think, as Matthias said, this problem has been there ever since I started my career. My first dealings with NHIs were actually 25 years ago, right, when meeting SOX regulations around cycling passwords. And we struggled to do that in those days. We didn't have vault solutions and had big issues.
Look, I think definitely in the last five to 10 years, with kind of cloud, SaaS, I don't know, obviously all the on-prem legacy estate, containerization, microservices, and obviously API-based kind of interfaces. And obviously now with Gen AI that's coming, it is going to kind of take the NHI landscape to a much, much more concerning level. We quote regularly, NHIs outnumber humans 25 to 50x.
And look, we're now seeing lots of breaches. We reported 40 breaches late last year around NHIs over the last couple of years. And even yesterday, there was a publication around nearly 24 million secrets found in public GitHub repos. So these NHIs now are easy to discover. It used to be more of an internal issue. It's now more of an external issue as well. Hackers are discovering them, and it's compromising not only clients, but their third-party supply chain vendors as well.
So look, that's, I think, to the question of why this has risen and why now it's a challenge that we need to tackle.

What's your take on that, Selen?

But when we come to this point, the systems have changed. We have lots of different systems: mainframe, distributed systems, cloud systems like on-premise cloud, public cloud, and the application architecture has changed a lot.
And also, we have different kinds of devices in our environment. Eventually, we have to connect these devices, applications, and like automated secrets, robot users, and the ecosystem, I think, has expanded a lot.
So today, that's why we are dealing with non-human identities. Back then, it was like the users. Only there were users.
But today, there are lots of systems that have to connect to each other and talk to each other. And eventually, they have to authenticate to communicate with each other.
So today, we have lots of non-human identities in our environment. And I think, like we have in our finance, in our company, in finance systems, we always focused on the human identity, human users.
But today, we are finally aware that the non-human identity is more crucial than user identities. We have to govern them and make processes to govern the lifecycle of them.
Because, like Lalit said, the numbers are huge, and we don't treat them like normal users. We first create the user, the non-human user, and we don't think about it after the creation. They stay there. The secrets are everywhere: in files, in databases, anywhere. So the risk is huge, and the attack surface is very expanded. So it is critical to govern the lifecycle of non-human identities like the human identities, at least like human identities. And I think the onboarding and offboarding processes are crucial. And another thing is the credential and secret management of non-human identities.
That's another critical point to manage. Like I said, the secrets and credentials are everywhere. So we have to manage them. We have to keep track of them and change them and put the necessary policies and processes in place to govern them.

Yes. What do you think, Heiko? Do you see some of the things that were already mentioned in the work that you do at Nexus?

Yeah. So basically, that was a great summary from the colleagues, addressing different aspects. And basically, I think the kind of development in IT and architecture across the last 10 or 15 years changed tremendously.
So we had, what Matthias said, systems in the past, kind of abusing, using an IGA for non-human identities or managing secrets in a PAM installation. We had a tremendous shift in how we do software applications or how we build software architectures. We went away from monolith architectures. We have service-oriented architecture. We have so many services interacting together. We have the cloud ecosystem, and it's not just about shifting from an on-prem data center into the cloud. It's also the design principle, how we build an architecture.
The architecture of applications has changed tremendously. We have completely new possibilities. And with those new possibilities, so many things have outnumbered, when we have system-to-system interaction.
And now, when we think about the trend in Gen AI, another layer is coming on top. What has not been mentioned yet is the thing from compliance and regulatory requirements that you have now in parts liability at the top management level, if you have not taken care about securing your IT environments. We have a change in the geopolitical landscape. Cyber attacks have been rising. And so many different factors have influenced the need for addressing this very important topic that has been solved somehow.
Probably okay-ish, working 10 to 15 years ago, but now, with the modern ecosystem, it's basically not manageable with the tools from yesterday.

Thank you for that. I think all of you provided great input, but maybe we can get a little bit more specific, and perhaps we can start with you, Heiko. What would you say are the biggest security risks associated with non-human identities? And where do you think organizations struggle the most?

That's a good question.
So, first of all, it's probably discovery. So, figuring out, Lalit mentioned the GitHub scan, that 24 million, I think, tokens have been found.
So, basically, most organizations, frankly speaking, don't have a clue on where they really use non-human identities or whether they have secrets, certificates stored, built in code, probably provided to public code repositories as well. After you have discovered, I think then you have to do the work, kind of ensuring vaulting, rotation, kind of that stuff.
So, ensuring proper management with tools that are already there or on the market. But then the next step comes when we think about that non-human identities have outnumbered the human identities. And when you have a classical identity and access management background and you still have customers having challenges with managing human identities, so employees, partners, or customers, and there are different numbers out in the market, outnumbering by a factor of 20 to 40 or even more.
So, that's a tremendous amount. So, basically, you have to think about processes in place on how you ensure a proper assignment of ownership, on how to ensure a proper delegation from the human's authorization to delegate some rights and, for example, AWS VPC to a machine or human identity to make a deployment in a broader environment.
So, there are so many aspects to think of. And I think that's probably the most and the long lasting challenge to really change the processes on how things have been done into a more managed phase or managed approach for non-human identities in the future.
Maybe, Lalit, you can tell us about an example or a real use case that you encountered with an organization that surprised you when it comes to maybe misconceptions or people not understanding the security risks of non-human identities.

Sure. And I think there's a question on this as well around understanding this a bit better.
Look, I would echo everything Heiko said. You know, look, in a nutshell, though, NHIs typically are unmanaged, right, and have very weak controls. They have high privileges.
You know, humans use them today. You know, we have lots of hard-coded passwords.
You know, we have lots of stale accounts that are out there that increase the surface area of risk. You know, excessive privileges, lack of cycling.
You know, we even see sharing of credentials. So, look, I'll give you a great example that occurred a number of years ago. I won't divulge where it was, but I get called by my CISO to say, look, we've got a major issue where there was a production incident that caused huge business impact. And we believe it's as a result of an NHI.
So, as me and some of our team investigated the issue, it turned out there was a human that knew the password for a non-human identity, like a technical account on a database. And they were trying to bypass kind of human PAM controls to use this account to do some activities. They were trying to do the work in UAT, but accidentally connected to production.
So, the first two issues were: one, humans using non-human identities, which is against policies; two, the same identity logically was in production and non-production with the same password. All right. Our CIO says, I want this password cycled immediately, within the next 24 hours. It took us three weeks to cycle one password in production. Why? As we started speaking to the application team, they said, well, look, to cycle the password, we need to find out where we are using this password. We've probably got many scripts, right?
And we don't even know all the places where we've referenced this password. If we cycle the password, some of our scripts might fail to operate. And we believe, by the way, a few years ago, we shared the password with other business applications.
So, even if we fix all of our hard-coded passwords and we cycle, we think other major business applications will also be impacted and break once the password cycled. So, we then had to put in monitoring controls on databases, look at who was logging in, from which IP addresses, which hosts. And we found potentially like around eight to 10 other applications that were all sharing the same NHI credentials. They all had to then move to their own unique credentials, fix all their code. And all this took three weeks just to cycle one password.
So, if you multiply that by the tens of thousands of passwords that are out there, hard-coded, this is a massive, massive problem for the industry and for any organization to solve. I hope that was a great example.

It was. It was. Thank you. I'm aware that the audience is already asking some questions.
So, we're going to save those for perhaps the last 20 minutes, because I have one more question for you guys. But before that, I'd like to ask Matthias or Selen if you would like to add anything to what already has been said.
Actually, all the scenarios Lalit talked about and explained to us, we go through them. We live them. And it was like I was living the situations when he was talking about them. I want to add one more thing to this. There's also a compliance issue with these, for the regulations, with our local banking regulations. It is strictly forbidden that any non-human identity exists without an accountable.
So, it is very important for us to build an accountable ecosystem and to govern this accountable ecosystem. And it has to be always available.

What do you mean with available?

You have to manage the lifecycle of the accountable as well, like the identities. It's another part for us with the regulations. I can add this scenario for this topic.

Maybe if I can add to that as well.
So, we are using the term NHI, and this is just an umbrella term. There are lots of different types of non-human identities actually hiding under that umbrella. And I think if we look at some of those, from IoT devices to OT devices, we've talked a lot about technical accounts with these hard-coded credentials somewhere in config files or in the code. They have different attack vectors that need to be taken care of: containers, cloud instances.
And with this move that we have in all of this that I just mentioned, more or less comes to machine-to-machine communication or system-to-system communication. That's API communication. We are looking at REST. We are looking at API keys. And all of these different types of identities that are hiding under this NHI umbrella have their specific attack vectors and their security posture. And we need to make sure that we understand them individually as good as we think we should manage also the human identity.
And I really, as an IAM, IGA guy, I really want to make sure that I reiterate what Selen just said. So, ownership, proper lifecycle management for people, having a successor in a role, making sure that there's not an abandoned NHI, whatever it may be. That is of utmost importance, to make sure that there is a consecutive flow of responsible people for individual NHIs or for clusters of NHIs when we talk about orchestration and huge numbers of NHIs.
Thank you, Matthias. Before we jump into the questions from the audience, I have one more question for you guys.
So far, we already introduced the concept of non-human identities. We briefly talked a little bit about the security risks.
So now, are there any solutions? What are the, let's say, how should organizations rethink traditional IAM approaches to govern and secure these identities? What would be the number one advice you would give to organizations? Maybe we can start with Lalit first.
Yeah, look, I think a lot's been mentioned about lifecycle processes. Look, I would say this is probably going to be the hardest challenge you're going to face in your IT career to solve. It's much more complex than dealing with human identity management. And because there are so many weak controls and lack of processes around how you provision, decommission, how you discover inventory, how you classify the ownership, the permissions, you're going to have a lot of hygiene issues with inactive accounts and shared accounts.
And then you've got to go on to securing, protecting the credentials, the hard-coded passwords, rotation. You need monitoring controls to understand is anyone inappropriately using your accounts, whether it's an external threat actor or someone internally, right? And then you've got to think longer term about prevent controls. How do you stop people checking in hard-coded secrets? How do you move to sort of just-in-time dynamic secrets and real-time threat protection? A lot of the issues we have today are because we have lots of static secrets, right?
So longer term, moving to more of a zero-trust footing and ephemeral secrets is where we need to get to. But in terms of to your question around tooling, look, I've had experience at some major banks where we were able to use some existing tool sets and then supplement them with scanning tools and vaulting solutions to sort of in our own in-house inventory solutions, cycling solutions, monitoring solutions. But this is a really, really heavy uplift to try and do it yourself, build these solutions yourself.
Look, there has been tooling that's kind of come through from a lot of vendors in the last 18 to 24 months that are providing pure NHI solutions. There are some vendors that are now providing human and non-human solutions, and some PAM providers that are now pushing kind of NHIs as another angle to their offering. I would say some of the existing PAM and IGA tool sets are not really designed, right, to meet all the lifecycle requirements of NHIs. And that's why a number of products have emerged over the last few years.
But we're going to see a lot of interesting kind of maturity in this space as all the existing vendors and new vendors all come together, converge. So my number one advice would be is first, look at this as your overall strategy, your risk-based approach, focus on policies, governance. Don't think about a solution. That should be the last thing you do. You first need to think about how you're going to tackle this elephant in the room, taking a risk-based approach. So come up with a structured strategy, understand your current maturity, and then think about how you start tackling this.
You know, you can't do this in a year. It's a multi-year journey. So you need to plan for it properly.

Understood. What do you think, Selen? Anything that you would like to tell an organization that has all these questions?

I think the approach must be in a more holistic way. The processes, the policies, the procedures we put in place for human identities should be in place, at least these processes should be in place, for non-human identities. Like the least privilege controls or the zero trust approach and the whole lifecycle management and secret management.
For the legacy approach, we only thought about the human users, but we have to change our point of view, and we have to include non-human identities as well in the whole process. I can give an example. We have lots of regulations, you know, and PCI DSS is one of the regulations for card management. With PCI DSS version 4, a new regulation has come, and it says that we have to do access reviews also for non-human identities. It's a new thing for us as a financial organization.
We do access reviews for all users, but we didn't do access reviews for non-human identities before today. So we have to make the approach in a holistic way. What we have in place, the policies, the procedures we put, should be put in place also for non-human identities.

What do you think, Heiko? Anything to add?
Yeah, so basically let me just pick up a couple of things Lalit said. So with my consulting background, clear advice, start with the strategy first. And as the topic is so large, you have to drive somehow a risk-based approach. You can't say I buy now a tool and everything is solved. That would be wishful thinking and it would be great. But it won't solve your challenge immediately. So basically you start with a risk-based approach and identifying the highest risk areas for your business or for your IT. And try to work on that and get rid of the risks on the one hand.
And on the other side, probably as a parallel stream, one is cleaning up the past. And this takes time, like cleaning up a dirty kitchen. The other thing is being or doing the right things in the future. And this thing should be driven in parallel. So you can work on cleaning up and de-risking your existing infrastructure, your existing IT architecture, your existing non-human identities. But at the same time, you can, in an HR way, step by step, decrease the security posture of everything that you build new. And you build a massive stack every year new in your IT organization.
In the sense of thinking about how to manage secrets in the right way, how to define ownership, how to define probably lightweight IAM, IGA and authorization processes on NHIs. And then you can mature step by step. But I think that's probably the most important approach an organization can drive in the future.
Matthias, any last thoughts before we jump into the audience questions?

Yeah, right. I think everything that was said is perfectly right. And I think what I want to add is actually the aspect of perception within an organization: that organizations actually get the message, that they understand that there is this risk out there. And I hope that this webinar and the EIC and everybody else and Mr. NHI, who was talking about it, really raise attention, to make sure that these non-human identities are understood as high risk assets, and they need to be treated properly. And that is something where we really need to make sure that this is properly done. And then we come to automated lifecycle management for all these individual types of NHIs that I mentioned earlier, and there are so many more, and everything that you just mentioned. But first of all, if we currently talk to organizations and ask them how many of you are already executing a program,
an effort to secure your non-human identities, I think the results will be far too low. And I think perception of this risk is maybe one of the most important pieces of advice that I can give, to make sure that it's really taken care of. Because there are more. We are taking care of human identities. We do phishing simulations. We train people. We have least privilege in our identity and access management, in the IGA. We do recertification. Why don't we do it for our non-human identities? And I think that is the advice I would like to give.
Treat non-human identities at least as well as you do it for human identities.

One thing I'd like to add that people should walk away with, I did allude to it in the example I gave: a lot of people think of the NHI problem as an external threat issue, and there have also been lots of big breaches. But what I would say is the use of NHIs by your staff is happening right under your noses, for BAU activities. And as we went on a big program to turn on PAM controls for our human users in production, we thought the job was done. We got our PAM controls; no one can get into production without a ticket.
What did we see as we turned on monitoring controls of NHIs? We saw a huge spike in people using NHIs. They knew the passwords. They didn't like to use PAM controls, so they started to use NHIs more and more. So if you think you have solved the human problem, you have actually created a bigger NHI problem. And actually a lot of the issues, the reasons why programs kick off in a number of organizations, is due to the internal issues of humans using NHIs, and all the implications: lack of repudiation, impacting books and records.
People should remember this is a problem happening at the moment internally with your staff as well.

Thank you, Lalit. We have a lot of questions from the audience, and some of those questions have been voted two or three times, so I'm going to start with those. I'm going to ask a question, and you can raise your hand if you would like to answer it. If no one does, then I will just choose somebody. The first question is: how do you see regulations like the EU's NIS2 and DORA shaping the future of non-human identity management? You both can take it. Maybe you can go first.
I think Lalit was first. Lalit, go first.

So Selen mentioned PCI DSS, which is now very real, and I mentioned SOX 25 years ago. Both of us being in the financial industry, we have had to deal with regulators: the Fed, CBEST, the UK regulators, the MAS, Singapore Authority, and many other regulators. And I can tell you very clearly, having run a huge regulatory program for over three and a half years, the regulators came in and they were asking very loaded questions. Do you have hard-coded passwords in your source code repos? Do you cycle your non-human identities? Do you have monitoring controls?
And many of these regulators, they perform testing, red team testing. And the first thing they find, it's so easy, is hard-coded passwords in source code. Forget the public repos. There's actually eight times more chance of finding secrets in your internal private repos. So look, as regulation comes, and auditors and regulators, you're going to realize you've got a massive problem in front of you. And our advice would be: get in front of it before the regulators and auditors hit you. Because when they do, you'll end up having to stop all your activities just to focus on this one problem.
So that would be just some of my initial opening thoughts on regulatory implications. I encourage you. Thank you.

Adding on what Lalit has said: so often, IT folks see regulatory requirements or standards as a kind of burden. Or, we have to implement this, this is yet another requirement on my bucket list, I have to fulfill it, my release. You can see it from a different point of view as well, or frame it for yourself. From my point of view, it's not a burden, but it helps you as an organization to clean up the room, to do the right things. So that maturity of the contents of a regulation is really helpful for you as an organization to get things sorted, to follow state-of-the-art requirements or state-of-the-art approaches, implementation procedures, and so on. So this can be really helpful, to follow the standards. And when you are working in an IT department or a business department, the good thing is: when you have been probably an evangelist or an advocate for doing things right in the past, you probably never had the support to get your things prioritized. So there are always timing constraints, budget constraints, constraints of the delivery team.
Some organizations tend to go features first: features for the customers, features for my product, features for my processes. And the rest, like security, can probably wait a little bit until there is time. But there won't be, never, time for implementing it. But when you have now the support from an official side, outside the company, from a law, from a regulatory requirement, you can involve your whole management chain, your CFO, to de-risk the company. In the sense of, okay, when we are compliant to the standard, we reduce our risk for the enterprise. And the risk can be numbered in financial figures. We de-risk our risk exposure by a couple of million euros a year. And then you have a good argument in the sense of supporting your initiatives. And I think that might be very helpful for so many in operational roles, to use this play and see regulatory requirements as friends and as a support for getting the right things implemented in your IT organization.

Thank you for answering that question. We have another question that received three votes: what would be the authentication mechanism for non-humans in the future? Okay.
I'm going to choose Matthias.

Yeah, I was just raising my hand, so all good. I think we need to understand again which types of identities there are. If we are looking, for example, at machine-to-machine communication, then we need to make sure that we secure the bearer tokens that we are looking at. So these are API keys. So I think API keys won't go away. The question is, where do we store them? Maybe their secrets management is the right place to use that. And we need to have proper protection of the communication channel. So that would be one example of securing authentication,
and parts of authorization as well, properly, for one type of NHI. And I think others might be much more difficult, but this would be one example. So really having proper secrets management for API keys and securing communication in transit, that would be a good starting point.

Thank you, Matthias. The next question says: what is your stance on "we just block interactive logins for our technical accounts and be done with it", especially as we see API keys and tokens being leaked on a large scale almost weekly? Lalit.

Yeah, look, I've got a lot of experience dealing with this term,
interactive login. I guess folks that are maybe used to the Unix, Linux environments and some of the technical accounts there, you know, you have the ability to have interactive login, right? And this is part of, like, a sudo to a technical account, and impersonate. The same can be done for Windows admin accounts. And this is the standard mechanism historically on some of our legacy on-prem environments, right, where you would pretend you're going to do support: there's an issue with your application, it's running out of memory, right? So you would sudo to that technical account
using interactive login. So definitely one of the best principles, guidelines you have is to turn off interactive login for your service accounts, for your technical accounts, right? Generally that shouldn't be required. And, you know, we did that in one of our previous organizations. But that's just the tip of the iceberg, because you've got databases, right, that have local accounts, right, that you can't turn off. There's no concept of enabling or disabling interactive. You know, all the API keys and tokens, they're just strings, right? You don't need... they don't really have concepts
of interactive login. You just know it's like a password, right? If you know the API key, you can interact with an API or a service, right? So interactive logins on their own, it's just one small part of the problem. It's not going to fix this issue. And usually PAM controls, the ones that handle the broader scope of NHIs, Matthias mentioned earlier.

Thank you. The next question, I believe we talked about a use case earlier, but this user is asking: as I am new to the topic, and to better understand the peculiarities of the problem, is it possible to give an example of a user scenario,
How was it handled before. And what would be the path forward. To avoid the problem. I think we did cover. In that example before. But look I think the biggest issue. Today is with the static secrets. Right they're hard coded. There's no ownership. They're not cycled. They're shared. The same. Credential is used in production. Right. They have excessive privileges. Right. So these are all the fundamental issues. Around NHIS. So the biggest problems we have. The fact these are static. And then we have to do a lot of work. To fix those issues. Put the credentials. The secrets into a secret vault.
Cycling. Where you break something. Unless you know all the dependencies. So really that's kind of the old way. And as some folks have touched on. What you need to move to. Is a zero trust model. Using dynamic secrets. Just in time. Secrets in that way. You know if someone has your key. You know it's out of date. Immediately right. Because you're dynamically creating. And authenticating and authorizing. You know service to service. Interaction. And that's the way we need to go. And I think especially. With AI. Identic AI. To Aiko's point. Whilst fixing all the static credentials.
Is going to be a problem. That you need to get. And manage in a risk based approach. At least for your new stuff. The shiny new AI stuff. You should be using the best of breed. In terms of zero trust models. So at least. You know the AI. Solutions that even have more. Privileges. Better protected. And we've already seen a group reported. Three major breaches. Right on AI LLM agents where people. Use the AI API keys. That they discovered. Took over and made the AI. LLM models do things like dark role playing right. So definitely for AI. NHI controls needs to be. Using zero trust. Techniques.
But yes. And maybe to add to that, Lalit mentioned that already: there are lots of these hard-coded secrets around. And the question was, what would be the path forward to avoid the problem? First of all, we don't... avoiding would be making things better, or having better practices, better processes around. But Heiko mentioned cleaning up the kitchen, or, I think of, yeah, cleaning up the basement, because everything is hidden down there. And we need first of all to find these issues that are around and that pose these threats. And, just, you can only manage what you understand. This is a truism, I know that. But first of all you have to find these dangers that are already around. And there are tools for that. There are discovery tools. They're not perfect, but they can support you. And you can apply this risk-based approach that Heiko mentioned. First of all you need to have some kind of inventory of what to clean up and where, and what the risk level is. And then you can continue from there. And of course you need to have better processes for new NHIs. And that is obviously clear: with proper lifecycle management, with clear joiners and leavers for each individual type of NHI. But cleaning up, doing the homework first, and this is boring and tedious work, I get that, that would be a starting point. Because having old threats lying around in the basement doesn't help; it's a problem when you are still getting better in the new processes. So cleaning up, I think, is important. And the older an organization is, the bigger the development team is, the bigger the basement is.

And just to quickly add on that: we had hundreds of thousands of NHIs at a previous financial organization. Just to tackle the ownership problem that was mentioned earlier took us three years. There were like thousands of thousands of NHIs. No one knew who created them, are they still in use. So, back to the housekeeping, the hygiene: very important. Inventory. De-risk as much as you can before you start remediating.

Adding on that: when you just think about the complexity of assigning ownership, which is a complexity on its own, if you just go one step further and think about assigning authorization, so what is the NHI really allowed to do, then the complexity increases, or basically explodes. When you think, or in the audience, that there are area managers for the team members, what are they allowed to do in certain IT systems, and then we are talking about 30, 50, probably 100 people, and colleagues, human beings, they work day by day together, basically where you expect, oh, the manager knows what his team should be doing, and it's a very complex and complicated task. If you transform this into an NHI world, where you have a token which is allowed to, in a cloud environment, where you basically have no clue that this action even exists, then the problem gets so many facets that are really hard to manage.

Hey, you mentioned a good thing, because we are currently dealing with this. We are trying to make access certifications for service users that are used in PCI DSS regulated platforms. And no one wants to decide whether the privilege is okay or not. We are dealing with all the service users one by one and trying to understand what the users are for, and are the privileges enough, or are the users overprivileged for these tasks. The accountables also have the tendency to say, okay, this is the needed privilege, don't touch them. If you touch them, the systems will fail. We don't want to be accountable for this. And it's a huge work, and it's very hard.

Just to add quickly on that: 20 years ago, meeting SOX requirements around password cycling, we were failing as an organization to do it. No one wanted to cycle; things would break, or the hard-coded passwords, we didn't have vaults. Nearly 90% of our SOX accounts... SOX cares about writes, updating data, books and records. And we found 90% of the NHIs that had write privileges were only doing reads. So we reclassified those accounts from write to read, and we reduced our surface area risk by 90%, reduced our cycling requirements by 90%. So overprivileging, making things from write to read, it affects massively in your organization. So these are the techniques you should focus on to take that risk-based approach.

Yes. And for the lifecycle management and the privilege part, we have to make automated processes and auto discoveries, like you mentioned. If you don't do these automated or discovery processes, we cannot go through with the accountables or system owners.

Thank you, everyone, for all this information. There was a question on discovery, actually. So maybe, Selen, if you have something to add. The question is: are there specific tools or methodologies for the discovery part?

I can say we are using the CyberArk DNA tool for discovery, to discover the accounts that are used in operating systems, and if they have the privilege, or the proper privileges, and if they are open to some attacks, or pass-the-hash attacks. I have experience in that. But maybe there are further discovery tools my colleagues can add.

Yeah, look, I wrote a huge white paper on this topic, including discovery. There is kind of discovery of the NHIs themselves, which can be very challenging. I guess in cloud environments it is much easier to discover things. But in the legacy on-prem environments, you need to have endpoint connectivity. You may have local accounts on servers, databases. So the discovery challenge is really difficult there. I think the other discovery side is, how do you find out about the hard-coded passwords that are scattered all over your repos and your Confluence and your Slack channels? And for that there are tools, for example, that are dedicated scanning tools. You have Gitleaks, that you get out of the box. But there are other vendors that do quite good scanning. But you do end up having a lot of false positives as well. And some of the new kind of NHI vendors try and make discovery easy, at least for the environments that are easy to connect to and discover from. But anyone that's got lots of large legacy on-prem kind of estates, local accounts, lots of directory services, identity providers: discovery is a non-trivial exercise. In one of our orgs we spent many years building connectors to get full visibility. And even once you get the visibility, the next step is, what's the privilege, as Heiko said; when was the account last used; is it stale; does it have write permissions, read permissions. So discovery, and the privileges that those accounts have, is a massive, massive problem. And as Matthias said, it's probably one of the biggest things. You should focus on discovery, and then understand the size of the problem.

Thank you. Since we're running out of time, we have eight minutes left, so maybe just one more question, and I will let each of you answer it. This question got four votes, so I believe it's relevant for many people in the audience. For organizations just beginning to address non-human identity security, what are the first three actions they should take?

I think the first action is to know and discover what you have in place. Like Matthias said, if you have legacy systems in place and you are running the systems for a long time, the basement is full. And first you have to see what you have. You have to discover and learn if they are still used, orphaned or stale accounts. First, know your system. And then the second thing to make is: manage the secrets. I think: first discover, and learn whether it is used in the system, or orphaned or stale; and then manage the secrets with a tool, and make sure that the secrets are not in files or in code, in some places that people can see and use. And I think the last part, the third part, is to make well-defined and governed processes to make the newly coming non-human identities be well governed and well processed.
Thank you, Selen. Heiko, any takes on that?

Yeah. So, a bit overlapping with what Selen has said. So start with a strategy. Make a clear plan towards the future. That's number one. Then, when you look to the past, try to de-risk as much as possible. Identify quick wins. Identify things you can easily achieve, or probably balance it out between time and effort and the business value reached, so that you get the most out of it in cleaning up the foundation, or cleaning up the kitchen. And for the future, do the right things, and start as of tomorrow. So don't try to do what enterprise organizations often try to do: they're starting a project and producing paperwork for too long. But you can decide, okay, from tomorrow on we stop doing this, and from tomorrow on we start doing this. Probably build a flagship team within the organization. And the earlier you start, the better it is. And then you can kind of inherit this new behavior, these new procedures, when they have proven themselves, step by step, to other teams, so that you avoid building up that kind of ballast still in the future. Then it's just about cleaning the past and doing the right things in the future.

Thank you. Before I give the floor to Matthias and Lalit to conclude the webinar, I would like to remind everyone of our EIC conference taking place in May, where we will have the topic of non-human identity as well as way, way more topics. So make sure to check our website for more information on that. And Matthias, what do you think about this last question?

Yeah. I won't come up with three items, because those that have been mentioned are really great already. I want to just add one thing, and that has been mentioned also before. These NHIs, they don't just pop up, they don't just show up, and nobody is responsible for that. The exact opposite is the case. Ownership, responsibility, liability, and proper lifecycle management for those who have to own these NHIs is key. And doing this wrong might lead to two years of paperwork and trying to identify ownership concepts. That is not the way to move forward. But really to understand that people who are responsible for NHIs, who own API keys, who own systems, who own development processes, CI/CD chains, they need to understand that they are also responsible for the associated NHIs. And this ownership needs to be established, understood, and really put in place, and really put into practice, and lived every day. And that needs to also be applied very soon, because you will need these owners for cleaning up as well. Lalit?
Yeah, look, I'm following on from what Matthias said, kind of. It's all about... the first thing I would say to organizations, in addition to what Heiko said, that we discussed earlier on: the strategy, the risk-based approach. Focus on policies, standards, and controls. This is super important. And education of your staff around the risks and what is acceptable. Checking in hard-coded credentials: not acceptable, whether you have tooling in place to prevent that or not. At a previous organization, we made it very clear to all staff members that if you are found checking in new credentials, hard-coded credentials, that could be a disciplinary offense and could lead to termination. You have to set the bar top-down for management, and have senior management totally bought into this, around what is acceptable. And then you can start putting in place some of the controls. It's all about people, process, technology. Define the policies, the standards, and live and breathe that, as Matthias said. And start seeing what you can do. You can start putting in preventive controls. There are solutions that can stop you checking in credentials. So you need to make some big infrastructure decisions on how you are going to tackle this monster elephant-in-the-room problem. So, involving strategy and architecture organizations in this, your CI/CD organizations, and making sure you move to a shift-left DevSecOps strategy. But it's critical. It's a huge problem that touches all of our lifecycle processes and IT teams. So you all need to come together as an organization and work out the overarching strategy and architecture. That will be my closing thoughts.

Thank you so much. We have one more minute. So maybe just very, very briefly, any final thoughts?
Maybe we can start with Heiko.

Oh, in just a couple of seconds: start with a strategy, as I said before, and start acting on solving your NHI problem. And start acting today.

Matthias?

Yeah, yes. If you feel that this webinar rang a bell for you, yeah, do it. Just what Heiko said. So if you came across, in the back of your mind, yeah, I could clean this up: do it.

Selen?

I think that it's a hard topic, non-human identities, to manage non-human identities. So start from today, I can say that.

Lalit?

Look, finally, this might be a cheeky plug, but I would say go to nhimg.org. I've got the best independent knowledge repository on NHIs, and you can learn everything about what we discussed. But the first step is: educate your management, get their buy-in, and then work from there.

All right. On that positive note, we'll conclude the webinar. Thank you very much to all of you for attending, for the questions. And if you have any further questions, they'll be happy to help you. Once again, thank you very much, and have a nice day. Thank you. See you at EIC. Thank you.