How To Secure Non-Human Identities With Modern IAM

Forbes, 01-04-2025
Rajat Bhargava is an entrepreneur, investor, author and currently CEO and cofounder of JumpCloud.
Every second, hundreds of automated processes and service accounts access sensitive data without human oversight. These non-human identities (NHIs)—spanning API keys, secrets, tokens and service accounts—operate behind the scenes to power cloud applications, automation and microservices.
NHIs authenticate automated processes to one another and to third-party integrations; they let applications, virtual machines and scripts reach resources under an identity of their own; and they carry the cryptographic credentials (keys, certificates, signed tokens) that protect and verify communication between those processes, to name just a few of their uses.
The number of NHIs is growing as organizations race to innovate—or just keep pace with digital transformation. NHIs now often outnumber human users, creating a sprawling network of identities that require immediate attention.
Modern architectures, from DevOps pipelines to serverless computing, rely heavily on NHIs. Each one carries permissions, and an attacker who compromises one identity can chain its permissions with those of others it can reach, so a single exposed credential can turn into a catastrophic breach. Left unsecured, NHIs become prime targets for cyberattacks.
OWASP released its 2025 top 10 risks associated with NHIs, highlighting that a lack of monitoring, excessive permissions and credential mismanagement are just a few of the key issues that can lead to unauthorized access, attacks on infrastructure and data breaches. Unauthorized or poorly managed NHIs can inadvertently grant attackers lateral movement across systems. Such shadow access invites attackers to exploit systems, exposing sensitive data and resources without anyone even knowing.
Security teams often struggle to track these interactions due to the complexity of managing NHIs across cloud and on-premises resources.
Legacy identity and access management (IAM) systems are typically ill-equipped to handle the nuances of NHIs. Designed primarily for human users, these systems have two key weaknesses in relation to NHIs.
• Lack Of Visibility: Legacy IAM systems fail to provide insight into how NHIs interact with resources, leaving organizations with significant blind spots.
• Focus On A Reactive Approach (Versus Proactive): Vulnerabilities are detected only after exploitation, limiting the ability to proactively secure systems.
Modern IAM must evolve to secure NHIs by leveraging automated detection, risk prioritization and real-time analytics to mitigate risks before they escalate.
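What automated detection with risk prioritization over an NHI inventory can look like in practice, as an added example that is not code from the article or from JumpCloud: each identity is scored against the conditions the OWASP list singles out (stale keys, idle or never-used credentials, wildcard grants, permission combinations that enable chained access, and missing ownership) and the results are sorted so the riskiest surface first. The inventory format, the permission names, the "toxic" combinations and the sample records are constructed assumptions.

```python
"""Risk-scoring pass over a non-human-identity (NHI) inventory.

Added example, not code from the article or from JumpCloud. The inventory
records are a constructed assumption: dicts of the kind a script might build
from a cloud credential report plus a policy dump. Permission names and the
'toxic' combinations below are illustrative and should be tailored to the
platform in use.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 4, 1, tzinfo=timezone.utc)  # fixed clock so runs are reproducible
MAX_KEY_AGE = timedelta(days=90)                   # governance: rotate long-lived keys
MAX_IDLE = timedelta(days=30)                      # unused credentials are pure liability

# Permission sets that, held together, let one identity escalate or move
# laterally even though each permission looks harmless on its own (assumed examples).
TOXIC_COMBINATIONS = [
    ({"iam:PassRole", "lambda:CreateFunction"}, "run code under a role it does not hold"),
    ({"iam:CreatePolicyVersion"}, "rewrite the policy that constrains it"),
    ({"sts:AssumeRole", "iam:UpdateAssumeRolePolicy"}, "widen a trust policy, then assume the role"),
]
SEVERITY = {"wildcard": 5, "toxic_combo": 5, "stale_key": 3,
            "never_used": 3, "idle": 2, "no_owner": 2}

SAMPLE_INVENTORY = [  # constructed sample records, not real accounts
    {"name": "ci-deployer", "kind": "access_key", "owner": "platform-team",
     "created": "2024-10-01T00:00:00Z", "last_used": "2025-03-31T12:00:00Z",
     "permissions": ["iam:PassRole", "lambda:CreateFunction", "s3:PutObject"]},
    {"name": "etl-service", "kind": "service_account", "owner": "data-team",
     "created": "2025-02-01T00:00:00Z", "last_used": "2025-02-10T00:00:00Z",
     "permissions": ["s3:GetObject"]},
    {"name": "legacy-bot", "kind": "access_key", "owner": None,
     "created": "2024-01-15T00:00:00Z", "last_used": None,
     "permissions": ["*"]},
    {"name": "metrics-agent", "kind": "service_account", "owner": "sre",
     "created": "2025-03-20T00:00:00Z", "last_used": "2025-04-01T00:00:00Z",
     "permissions": ["cloudwatch:PutMetricData"]},
]


def _ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z'; None stays None."""
    return None if value is None else datetime.fromisoformat(value.replace("Z", "+00:00"))


def assess(record, now=NOW):
    """Return a list of (finding_code, detail) for one identity."""
    findings = []
    perms = set(record.get("permissions", []))
    created, last_used = _ts(record.get("created")), _ts(record.get("last_used"))

    if record.get("kind") == "access_key" and created and now - created > MAX_KEY_AGE:
        findings.append(("stale_key", f"key is {(now - created).days} days old"))
    if last_used is None:
        findings.append(("never_used", "credential has never authenticated"))
    elif now - last_used > MAX_IDLE:
        findings.append(("idle", f"unused for {(now - last_used).days} days"))
    if any(p == "*" or p.endswith(":*") for p in perms):
        findings.append(("wildcard", "holds a wildcard grant"))
    for combo, effect in TOXIC_COMBINATIONS:
        if combo <= perms:  # every permission of the combination is present
            findings.append(("toxic_combo", f"{sorted(combo)} together: {effect}"))
    if not record.get("owner"):
        findings.append(("no_owner", "no accountable owner recorded"))
    return findings


def risk_score(findings):
    """Additive score; chained-access and wildcard findings dominate."""
    return sum(SEVERITY[code] for code, _ in findings)


def audit(inventory, now=NOW):
    """Score every identity and return them riskiest first."""
    rows = [{"name": r["name"], "findings": assess(r, now)} for r in inventory]
    for row in rows:
        row["score"] = risk_score(row["findings"])
    return sorted(rows, key=lambda r: (-r["score"], r["name"]))


if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print(f"{row['score']:>3}  {row['name']}")
        for code, detail in row["findings"]:
            print(f"       - {code}: {detail}")
```

Run as a script it prints the ranked list. The point of the ordering is the one the article makes about prioritization: a never-used, ownerless key with a wildcard grant outranks a busy deployment key, but the deployment key still surfaces because its individually reasonable permissions combine into a privilege-escalation path that a per-permission review would miss.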
To address the growing risks associated with NHIs, here are six best practices that move an organization from a reactive to a proactive posture:
1. Establish full visibility. Inventory every NHI and map what each one can reach, using tools such as risk engines and query analytics to surface cloud data exposure, excessive privileges, overlapping permissions and the paths by which a compromised identity could be exploited. SaaS management capabilities can then help reveal which findings carry the greatest potential impact.
2. Automate risk detection and remediation. Deploy automated detection mechanisms to identify and address lateral movement, chained access and other high-risk scenarios. Ensure continuous monitoring and timely alerts to reduce reaction times and strengthen overall security posture.
3. Establish governance for NHIs. Implement strict policies to govern NHIs, such as enforcing expiration dates for access keys, recording an accountable owner for each identity and conducting regular audits of service accounts. Secure service principals and tokens by aligning with established frameworks that include governance recommendations.
4. Integrate proactive security measures. Adopt a risk-driven IAM strategy that prioritizes areas with the highest exposure and exploitability. Implement a system for monitoring SaaS usage and leverage operational data to predict vulnerabilities and prevent breaches before they occur.
5. Educate and empower security teams. As with all areas of cybersecurity, employees can be a robust bulwark or an extraordinary vulnerability. Regularly provide specialized training on the risks posed by NHIs and equip teams with tools that focus on high-priority threats to minimize alert fatigue.
6. Move to more modern security postures for NHIs. API keys are useful and easy, but they are static: anyone who obtains one can use it until it is rotated. Prefer short-lived, signed JSON Web Tokens (JWTs) that carry an expiry and an audience, so that a stolen token works only briefly and only against the service it was issued for. Wherever the platform supports it, assign roles or workload identities instead of static credentials, so there is no long-lived secret to steal.
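The token pattern from practice 6, as an added example that is not code from the article or from JumpCloud: an issuer mints a short-lived HS256 JWT, and the resource service pins the algorithm, checks the signature, audience and expiry, and records each token's `jti` so a second presentation is refused. The demo exercises the failure modes a practitioner cares about: replay, expiry, wrong audience, a tampered payload and a token from another key. The issuer name, service names, secret and fixed clock are constructed assumptions; it uses only the standard library so it runs offline.

```python
"""Short-lived, audience-bound, single-use signed tokens for a service caller.

Added example, not code from the article or from JumpCloud. HS256 JWTs are
built with the standard library (hmac, hashlib, json, base64) to show which
checks stop a stolen token from being reused: the signature alone does not;
a short 'exp', a pinned 'aud' and a one-time 'jti' do. Names, secret and
clock are constructed. In production use a maintained JWT library, asymmetric
keys or a cloud workload identity, and a shared cache for seen token IDs.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj):
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def mint(secret, subject, audience, ttl_s=300, now=None):
    """Issuer side: sign {iss, sub, aud, iat, exp, jti} with HS256."""
    now = int(time.time()) if now is None else now
    claims = {"iss": "token-service", "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl_s, "jti": secrets.token_hex(16)}
    signing_input = f"{_encode_json({'alg': 'HS256', 'typ': 'JWT'})}.{_encode_json(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


class Verifier:
    """Resource side: pin the algorithm, then check signature, audience, expiry, replay."""

    def __init__(self, secret, audience, leeway_s=30):
        self.secret, self.audience, self.leeway = secret, audience, leeway_s
        self.seen = {}  # jti -> exp; bounded by _evict

    def verify(self, token, now=None):
        """Return (claims, 'ok') or (None, reason)."""
        now = int(time.time()) if now is None else now
        parts = token.split(".")
        if len(parts) != 3:
            return None, "malformed"
        head, body, sig = parts
        try:
            header = json.loads(_unb64url(head))
            presented = _unb64url(sig)
        except ValueError:
            return None, "malformed"
        if header.get("alg") != "HS256":  # never let the token choose the algorithm
            return None, "unexpected alg"
        expected = hmac.new(self.secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, presented):
            return None, "bad signature"
        claims = json.loads(_unb64url(body))
        if claims.get("aud") != self.audience:  # issued for another service
            return None, "wrong audience"
        if now > int(claims.get("exp", 0)) + self.leeway:
            return None, "expired"
        jti = claims.get("jti")
        self._evict(now)
        if not jti or jti in self.seen:  # second presentation of the same token
            return None, "replayed"
        self.seen[jti] = int(claims["exp"])
        return claims, "ok"

    def _evict(self, now):
        self.seen = {j: e for j, e in self.seen.items() if e + self.leeway >= now}


def demo():
    """Exercise the failure modes with a fixed clock; returns {case: reason}."""
    secret = secrets.token_bytes(32)  # constructed; would come from a secrets manager
    t0 = 1_700_000_000
    token = mint(secret, "svc:etl", "billing-api", ttl_s=300, now=t0)
    head, body, sig = token.split(".")
    forged = json.loads(_unb64url(body))
    forged["sub"] = "svc:attacker"
    tampered = f"{head}.{_encode_json(forged)}.{sig}"  # payload changed, old signature kept
    billing = Verifier(secret, "billing-api")
    return {
        "first_use": billing.verify(token, now=t0 + 10)[1],
        "replay": billing.verify(token, now=t0 + 20)[1],
        "expired": Verifier(secret, "billing-api").verify(token, now=t0 + 400)[1],
        "wrong_aud": Verifier(secret, "other-api").verify(token, now=t0 + 10)[1],
        "tampered": Verifier(secret, "billing-api").verify(tampered, now=t0 + 10)[1],
        "wrong_key": Verifier(secrets.token_bytes(32), "billing-api").verify(token, now=t0 + 10)[1],
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:<10} -> {outcome}")
```

The design choice worth noting is the order of the checks: the algorithm is pinned before the signature is computed so the token cannot select a weaker scheme, and the replay check comes last so that only fully validated tokens consume an entry in the seen-ID cache. A shared secret is used here only to keep the example self-contained; a deployment should prefer an asymmetric key or a cloud-issued workload identity so the verifying service never holds a credential that can mint tokens.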
The rapid adoption of cloud technologies and automation has made securing NHIs a top priority. It has also made clear that traditional IAM approaches fail to meet the challenges they introduce. Organizations must evolve their strategies to gain visibility, automate remediation and establish robust governance frameworks.
Securing NHIs isn't just about reducing risk; it's about future-proofing your organization in an increasingly automated world. Given the acceleration of automation and cloud adoption, adopting an IAM strategy that addresses NHI vulnerabilities isn't just a priority—it's mission critical.
The question isn't whether your existing IAM approach is up to the task, but how quickly your organization can rise to the challenge.