Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. So we're back. It's 2025. As promised, we had a short break, but now we are back starting with March in 2025. And for this, my guest today is Martin Kuppinger. He's one of the founders of KuppingerCole and the principal analyst. Hi, Martin.
Hi Matthias. Great to be back here.
Great to have you back. And we are starting with a topic where both of the aspects that we're looking at today we have covered in earlier episodes. We want to talk about NHI and ITDR, so two acronyms. And for those who are really looking into securing their non-human identities, we will cover the intersection of ITDR and NHI. So that will be a quick ride, but a strong ride through this topic. But when we start with that, maybe Martin, a short look at what NHI and ITDR mean. Three- and four-letter acronyms, starting with NHI. How would you define NHI?
Yeah, NHI stands for non-human identity, which also means there's non-human identity management, probably. This is what a couple of solutions do. The question is, is it the right term? So we have this term of non-human identity, we have the term of machine identity, we have the term of workload identity. I personally favor the workload identity term because machine for me resembles too much technical, mechanical things, moving parts, noise, steam and so on.
Robots can be more than just the workload identity. So non-human would be everything from a traditional service account that is not mapped to an individual user, or other technical accounts that are not mapped to an individual user, down to the identity of whatever, an IoT component, an industrial IoT component, et cetera. And I think that the main focus is really on the workload side, on accounts used by applications to fulfill their job, which has become a bit more complex in the past years because we have the cloud, we have infrastructure as a service, we have platform as a service. And so we have a ton of, at the end, service accounts accessing resources and other things in a highly volatile environment. And this is where I would say workload fits best out of these different terms.
If we look at these non-human identities, workload identities, all these non-carbon based life forms that we have to deal with, where are the security challenges? Why are we talking about that? Why are NHI a topic right now? What is the threat hiding behind them?
Yeah, the point is that, as I've pointed out, some of these service accounts used by applications are pretty powerful because there might be a bit of a tendency amongst developers to say, come on, let's use that service account for accessing this database service, this AI service, et cetera, et cetera. And then you have extremely powerful accounts running in the context of very different users. And some of them probably are way worse than a typical domain admin account in Active Directory and for Windows Server even. So there's a tendency of accumulation, but that's only one of the things. I think the challenge to start with, it's a split responsibility. So we have developers, we have security. It's volatility. We're talking about DevOps, we're talking about agile software development. So these things develop fast. It's about a huge number. So there are different statistics and surveys, but basically they're saying we have maybe 40 to 60 or even 80 times the number of workload identities compared to human identities. So it's a problem at scale. It's a problem that is around volatility. It's not very well managed yet. So we have also a bit of sprawl. So we have seen this emergence of secrets vaults, where the secrets for such workload identities are held. And they can be very granular because at the end of the day, an API has an identity, there's an API token, things like that. And that means that you end up with a very huge number that is a bit of a vault sprawl, if there's a vault at all. You have probably more insecure practices like people putting an API token or other things into a Slack channel and also hard-coded secrets and other things. And so this sums up to a, I would say, a very dynamic environment with a very significant security risk. And this makes it, I would say, interesting to solve, but clearly also more complex. And, you know, also the different types of secrets, for instance.
And then I think still the very rudimentary understanding of secrets versus identities, with a significant overlap for some of these, all these things together form an environment where we have a relatively high complexity in security, a high need for automation. We usually don't have these established processes we've built in traditional human identity management over decades. So this is a bit of a challenge.
And I think also there's the saying you can only secure what you know and what you know of. I think the visibility of all the accounts that are actually around, really just getting the insight, might already be a problem. And you've mentioned automation. Automation done right is pretty good. Automation done wrong gives you security problems at scale. So that might be also part of the equation. So NHI comes with some challenges.
Yeah, we see that more vendors really are moving to, or starting even with, discovery. So discovery is a very typical capability of solutions because at the end of the day, you need to get these things under control. And I think managing ownership is one of the capabilities we see a lot in these tools. So trying to understand which human at the end of the day is the owner of these accounts. All these things are needed then to get a grip on it. Then we at least potentially have a well-managed identity, there's a well-managed secret, and we have some governance at that level, which is by the way only, so to speak, identity governance. And then we have, which would be a third topic we could integrate in our today's talk, a while ago we had the emergence of CIEM. So C-I-E-M, Cloud Infrastructure Entitlement Management, which in that sense is a bit, they focused on understanding which service accounts have which entitlements to which resources, which is a bit the access management. Together, these form an identity and access management for workload identities when you bring these together. This is still something which is on the road and which also includes a lot of very specific problems like how to securely store secrets. So there are vendors out there that use a split storage of sensitive information, all that stuff. A lot of evolution, many, many startups, which also shows, I think, when you have a lot of startups that are well funded, it signals a super important market, but also a very huge problem.
Exactly. As you've mentioned, on the one hand, there's this identity and access management part. So the traditional way of how we think of things, although they are different: these are different life cycles. These are different entities. They have different types of access. You've mentioned often highly privileged. So we want to talk about the intersection of ITDR and NHI. We know now what NHI are. We know why they pose a threat. Now enter the stage: identity threat detection and response. How does that come into play from your perspective?
Yeah, so ITDR, Identity Threat Detection and Response, basically is a relatively sort of heterogeneous field of solutions that promise to identify anomalies in the use of identities and the assigned entitlements. So to detect the threats and to respond to the threats by proper actions, which could be everything from alarming to quarantine to whatever else. So this is basically the high-level promise. You could argue that ITDR is not so fundamentally new. When we go back, we had UBA, User Behavior Analytics, or UEBA, User and Entity Behavior Analytics, which basically also focused already on detecting anomalies. And this is clearly part of the evolution. So we see a lot of startups, we also see vendors that come more from a general security analytics, from a general detection and response side. So the XDR vendors, et cetera, looking also at ITDR. But in a sense, this behavioral analytics is clearly an element. Just that if you tell someone from a German workers' council that you do user behavior analytics, this will sort of raise a red flag. While when you tell someone that you are doing identity threat detection and response, it sounds much better. And yes, there's evolution in technology. There are things that are better. Now the interesting point is ITDR for workload identities. And I think this is where I would see an extremely compelling intersection. So ITDR traditionally mostly looks at the humans and the way they use their access, which is important because it's an extension to what we do traditionally in IGA. IGA looks at what could Matthias do? Which entitlements does Matthias have with which access? But what Matthias does with the access is a different thing. And that could be, he never uses certain entitlements. Why should he have them? It could be that there are strange combinations of the use of entitlements, creating something and then doing things with an account that have never been done before. Things like that might all be allowed, but look sort of different from the normal behavior.
It could also be, Matthias might be allowed to do backups. So if Matthias does one backup, not typically, we have hopefully automated it, but Matthias would do, or Matthias is allowed to download data, a better example. So if Matthias downloads the data in a certain interval, in a certain amount, it might be regular. If he starts doing this more frequently, obviously, or with way bigger amounts of data. Or if Matthias is allowed to access records of customers, and usually, whatever, accesses 10, 20, 30 records a day, and then one day he starts accessing thousands, and there's maybe some copy action around it, then we have an anomaly in the behavior. And this is very important for humans, it adds to IGA. In this vision, you understand that the accounts start to do things that are unusual for these applications. Yes, we need to be very careful. That could be just a new feature. But it also could be that some of the accesses is just critical, something went wrong. Someone is using a back door into the application, whatever else. I think adding this, usually AI-backed, capability to the very volatile field we look at from a workload identity or non-human identity perspective will help us getting a better grip on what is going on there.
Right, you described this real-time monitoring, behavioral analytics, identifying the normal and understanding what is not expected behavior. I think that is a very important part. And we've talked about a problem of scalability. And you've mentioned it, AI, machine learning, being part of the weaponry that you have to fight these threats. So this is really something where ITDR can show its strengths because it can apply anomaly detection, also at scale, for a large number of machine identities. So real-time monitoring, analysis. But I think ITDR also tries to, or comes with the promise of, doing more. So it's threat intelligence, so gathering information from external sources, and automated response. Really not only understanding, ooh, there's something going wrong, but I can fix it.
Yeah, hopefully you can fix it. And yes, bringing in other perspectives. And I think, you know, when you look at software and potential vulnerabilities, then there's a lot which can come in from threat intelligence, also looking at what are new types of exploits that are in the software. Clearly that then goes also into the next area like vulnerability management. But yes, I think there's a value and I think we need to bring together such worlds, which is, I think, also totally normal. It's an emerging field. So we started looking at workload identities, their access, and what can go wrong. And then different types of solutions, different new market segments emerged. And there's some likelihood of some convergence of technologies in the probably near future.
And you've mentioned that it can happen that even keys that are manually managed end up somewhere, but this can also happen for NHI identities of any kind that are in a backup, and that backup leaks. Then, in the end, you end up with these credentials being out in the wild. And this is exactly where also anomaly detection can really help. If a connection originates not from your expected network segments, but from somewhere else, because somebody has grabbed this API key that actually is sensitive and uses it for their own purposes, for intrusion, for lateral movement, then I think ITDR can really, also at scale, identify these issues.
Yeah, exactly. And I think we need such technologies that are built for dealing with dynamic, with volatile, with high-scale environments.
And when you mention high-scale, maybe a final thought would be that you are not working, or an organization is not working, on their own. They are interacting with partners, with the supply chain. I think ITDR and the management of NHI will also have a great impact on how we do supply chain risk management, supply chain security, because the infrastructure and the ecosystem is just getting much bigger. So all of this will be covered at EIC in Berlin in May. This is our first teaser. And again, it's great to be back again. And it's great to look forward to EIC. So I think NHI will be an important topic because this is really gaining traction. ITDR has been around for a year now, but it's getting more and more important and it's evolving. If you as the audience are interested in learning more about this intersection of NHI and ITDR, come to EIC, visit us, talk to us, talk to experienced users of these technologies, to vendors, to experts, to analysts, to advisors, and really try to get a grip on these new technologies. And NHI and ITDR is one example. We will follow up on this in upcoming episodes. We will be back in a weekly schedule, and there will be more around EIC and more interesting IAM topics. For the time being, Martin, thank you very much for being my guest today. Great to open the new season with you and looking forward also to seeing you in Berlin. Thank you.
Thank you. Yeah, looking forward as well. Thank you, bye.
Bye bye.