Case Study (Part 2): How We Implemented NHI Security in Our Enterprise

In this session at The 1st NHI Security Conference, Albert Atias (Senior Director at Workday) and Vinay Patel (CISO at Zendesk) offered their insights on implementing a successful non-human identity security program. They explored key strategies such as establishing policies, enhancing visibility, and aligning stakeholders to manage NHIs effectively.

Establishing why NHIs need attention

Albert and Vinay began by explaining why NHIs demand security attention today. As technology evolves, NHIs have multiplied beyond traditional system accounts to include API keys, tokens, and automated processes critical to enterprise systems. This growth has increased the risk of unmanaged or orphaned identities, prompting organizations to adopt NHI-specific security strategies to maintain control and visibility.

Building a foundation with inventory and policies

  1. Inventory as a first step: Vinay emphasized that identifying and cataloging all NHIs is essential for robust security. At Zendesk, initial efforts focused on cataloging NHIs, starting with critical systems, and defining a policy framework to guide secure NHI practices.
  2. Applying lifecycle management: Albert discussed Workday’s identity framework, highlighting how aligning NHI governance with existing human identity management principles, such as lifecycle management and least privilege, has helped improve oversight. Automating access reviews and provisioning helps manage NHIs with minimal manual intervention.

Leveraging tools for real-time visibility

To secure their NHIs effectively, both Albert and Vinay underscored the importance of using dedicated NHI tools like Astrix for real-time visibility and access monitoring. Albert shared that Astrix’s integration allowed Workday to manage API tokens in CI/CD pipelines and mitigate excess access risks. By understanding each identity’s activity, Workday can proactively minimize potential exposures.

Reducing friction with automation

Both speakers highlighted how automation simplifies NHI management and minimizes the risk of misconfigurations. Automating key security tasks, such as offboarding orphaned identities or revoking unnecessary permissions, not only decreases risk but also frees up valuable time for security teams.
