Case Study (Part 1): How We Implemented NHI Security in Our Enterprise

At The 1st NHI Security Conference, CISOs Gary Owen (iCapital) and Carl Siva (Boomi) discussed their unique approaches to building a non-human identity security program within their organizations. Here’s an overview of their insights on establishing visibility, prioritizing inventory, and managing risks in the growing NHI landscape.

Why prioritize NHI security?

Gary and Carl opened by outlining why NHI security has become a top priority. As traditional security controls, such as phishing protection and human vulnerability management, have improved, attackers are increasingly targeting NHIs to circumvent defenses. With modern SaaS and cloud environments, NHI security becomes even more crucial. In fully cloud-based infrastructures, tracking and securing NHIs, such as API tokens and service accounts, can be challenging without the physical visibility once available in on-premises systems.

Initial steps: building an NHI inventory

  1. Inventory as the foundation: Gary highlighted that establishing a comprehensive inventory of NHIs was the first priority. With thousands of NHIs scattered across applications, understanding where they are and what they can access is critical for effective security.
  2. Focused approach: Carl recommended beginning with the most critical systems, such as those supporting core business processes, and gradually expanding from there. By tackling NHIs associated with high-value applications, they built a strong foundation for their NHI security program without overwhelming resources.

Risk management and automation

Carl emphasized the importance of automation in sustaining NHI security. Boomi’s automation approach focuses on “active security,” where automated tools proactively handle repetitive tasks and reduce potential exposure. As Carl explained, this allows security teams to focus on high-priority issues rather than manual oversight of each system.

Gary pointed out the need for consistent evaluation, sharing his experience of using tools to monitor unexpected behaviors or connections that could signal potential threats. Both CISOs agreed that automation helps offset the challenge of limited personnel, enabling scalable protection for complex environments.
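The two practices described above (an inventory ranked by what each identity can reach, and monitoring for connections outside an identity's normal pattern) can be sketched in code. The following is an added example written for this write-up; it is not tooling from the session, iCapital or Boomi. The application criticality tiers, the identity records and the log lines are all constructed, and the log format (`nhi=... src=... dst=...`) is an assumption chosen for the example.

```python
"""Added example, not part of the original session or either company's tooling.

Builds a small non-human identity (NHI) inventory from constructed records,
ranks each identity by the most critical application it can reach, and flags
connections that fall outside the identity's observed baseline.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed: business criticality per application (higher = more critical).
APP_CRITICALITY = {"payments-api": 3, "crm": 2, "wiki": 1}

# Constructed inventory source records (service accounts and API tokens).
RECORDS = [
    {"name": "svc-billing", "kind": "service_account",
     "grants": ["payments-api", "crm"], "owner": "finance-eng"},
    {"name": "tok-ci-deploy", "kind": "api_token",
     "grants": ["payments-api"], "owner": None},
    {"name": "svc-docs-bot", "kind": "service_account",
     "grants": ["wiki"], "owner": "it"},
]

# Constructed log lines in an assumed "key=value" format.
BASELINE_LOGS = [
    "2024-05-01T10:00:00Z nhi=svc-billing src=10.0.1.5 dst=payments-api",
    "2024-05-01T10:05:00Z nhi=svc-billing src=10.0.1.5 dst=crm",
    "2024-05-01T11:00:00Z nhi=tok-ci-deploy src=10.0.9.2 dst=payments-api",
]
NEW_LOGS = [
    "2024-05-02T09:00:00Z nhi=svc-billing src=10.0.1.5 dst=payments-api",
    "2024-05-02T09:01:00Z nhi=svc-billing src=203.0.113.7 dst=payments-api",
    "2024-05-02T09:02:00Z nhi=tok-ci-deploy src=10.0.9.2 dst=crm",
]


@dataclass
class NonHumanIdentity:
    name: str
    kind: str                 # "service_account" or "api_token"
    grants: list              # applications this identity can access
    owner: Optional[str]      # None means nobody has claimed responsibility


def build_inventory(records):
    """Turn raw records into an inventory keyed by identity name."""
    return {
        r["name"]: NonHumanIdentity(r["name"], r["kind"], list(r["grants"]), r.get("owner"))
        for r in records
    }


def prioritize(inventory):
    """Rank identities: highest-criticality reachable app first, then breadth of
    access, and among otherwise equal identities the unowned ones first."""
    def score(nhi):
        top = max((APP_CRITICALITY.get(a, 0) for a in nhi.grants), default=0)
        return (top, len(nhi.grants), nhi.owner is None)
    return sorted(inventory.values(), key=score, reverse=True)


def parse_log(line):
    """Parse one 'key=value' log line (assumed format) into a dict; the leading
    timestamp is kept under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def baseline_connections(lines):
    """Learn which (src, dst) pairs each identity used during the baseline window."""
    seen = defaultdict(set)
    for e in map(parse_log, lines):
        seen[e["nhi"]].add((e["src"], e["dst"]))
    return seen


def find_unexpected(baseline, inventory, lines):
    """Return events whose (src, dst) pair was never seen for that identity, or
    whose destination is outside the identity's recorded grants."""
    flagged = []
    for e in map(parse_log, lines):
        known_pair = (e["src"], e["dst"]) in baseline.get(e["nhi"], set())
        granted = e["dst"] in inventory[e["nhi"]].grants if e["nhi"] in inventory else False
        if not known_pair or not granted:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    inv = build_inventory(RECORDS)
    for nhi in prioritize(inv):
        print(f"{nhi.name:15} kind={nhi.kind:16} owner={nhi.owner} grants={nhi.grants}")
    base = baseline_connections(BASELINE_LOGS)
    for e in find_unexpected(base, inv, NEW_LOGS):
        print("UNEXPECTED:", e["ts"], e["nhi"], e["src"], "->", e["dst"])
```

Ranking by the most critical reachable application mirrors the "start with the systems that matter most" approach: the two identities that can reach `payments-api` surface before the documentation bot, and an unowned token is listed ahead of an owned one when everything else is equal. The baseline check is deliberately simple; in practice the baseline window and the set of fields compared (source, destination, time of day, volume) would be tuned per environment.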

Evolving challenges and regulatory pressure

As they outlined their future plans, Gary mentioned that large financial institutions are increasingly asking about NHI security in their due diligence questionnaires. This shift reflects growing regulatory interest in how enterprises manage NHIs, signaling that organizations should anticipate further scrutiny.

Watch the session to get the full insights.