The State of NHI Security: Data-Driven Insights

At The 1st NHI Security Conference, John Yeo, VP of Security Research at CSA, shared findings from a comprehensive study involving over 800 organizations. The research aimed to capture the unique challenges of securing non-human identities (NHIs) across various sectors. Here’s a breakdown of the key insights and trends shaping the future of NHI security.

The growing complexity of NHI environments

The rapid proliferation of NHIs, including API keys, service accounts, and credentials, was a focal point. Yeo emphasized that as organizations incorporate more NHIs, they face increasingly intricate webs of communication between devices, cloud services, and applications. Unlike human identities, NHIs interact autonomously and frequently with other systems, creating new security dynamics.

Key findings: challenges and blind spots

  1. Visibility and inventory: Most organizations struggle with basic NHI security measures, beginning with identifying existing NHIs. Without accurate visibility, it’s nearly impossible to assess access or manage risk.
  2. Permission management: Organizations found permission management especially challenging. Legacy systems often lack fine-grained access controls for NHIs, and retroactively applying restrictions is complex.
  3. Manual processes and automation: Approximately 80% of organizations lack automated NHI management processes, relying on manual efforts that are time-intensive and prone to oversight.

Unique characteristics of NHI security

Yeo pointed out that NHIs differ from human identities in their predictability. NHIs follow specific patterns, making unusual activities more detectable. However, without automated monitoring and strict provisioning, organizations risk overlooking potential vulnerabilities that can develop from even minor misconfigurations.

Future investments and the path forward

According to CSA’s survey, 25% of respondents are currently investing in NHI security solutions, with 60% planning further investment within the next year. As part of their strategies, organizations are beginning to incorporate frameworks like zero trust to provide structured, consistent oversight across NHIs. Yeo highlighted that confidence in managing NHIs remains low, with only a few respondents feeling fully equipped to handle NHI security.
