NIST Highlights NHI Governance: What You Need To Know

Rotem Matok February 18, 2025

NIST Special Publication 800-207, Zero Trust Architecture, acknowledges an open issue regarding Non-Person Entities (NPEs), also known as machine or non-human identities (NHIs), when implementing a Zero Trust Architecture (ZTA). In this quick article, we give an overview of the NHI angle in NIST's special publication and of how Astrix helps customers address this gap and apply zero-trust principles to non-human identities.

Zero Trust in a nutshell

Zero Trust is a security framework that operates on the principle of “never trust, always verify.” This model assumes that no user, device, or network should be trusted by default, even if they are within the organization’s network perimeter. Key aspects of Zero Trust include:

  1. Continuous authentication and authorization
  2. Least privilege access
  3. Micro-segmentation
  4. Continuous monitoring and validation

NIST SP 800-207 highlights NHI risks

The National Institute of Standards and Technology (NIST) Special Publication 800-207 provides comprehensive guidance on Zero Trust Architecture. The document has become a de facto reference for both government agencies and private enterprises implementing ZTA, and it includes a short subsection on non-human identities, which it refers to as Non-Person Entities (NPEs).
From NIST SP 800-207:

5.7 Use of Non-person Entities (NPE) in ZTA Administration

Artificial intelligence and other software-based agents are being deployed to manage security issues on enterprise networks. These components need to interact with the management components of ZTA (e.g., policy engine, policy administrator), sometimes in lieu of a human administrator.
How these components authenticate themselves in an enterprise implementing a ZTA is an open issue.

Non-Human Identities are an open issue in ZTA administration

While NIST SP 800-207 offers extensive guidance on ZTA implementation, it acknowledges an open issue regarding the use of NPEs in ZTA administration. This presents several challenges:

  1. Authentication complexity: NPEs cannot use interactive methods designed for human users, such as passwords with MFA; they typically authenticate with secrets, certificates, or tokens that must themselves be issued, rotated, and revoked.
  2. Access control: Determining appropriate access levels for NPEs can be challenging, as their roles may be more fluid or complex than those of human administrators, and over-provisioned permissions tend to persist unnoticed.
  3. Audit trails: Maintaining clear audit trails for actions performed by NPEs is crucial, but it is more complicated than tracking human activity, especially when several workloads share one service account and actions cannot be attributed to a single identity.
  4. Security risks: A compromised NPE, for example a leaked API key or OAuth token, gives an attacker the same access the NPE has, usually without the MFA or session limits that constrain a human account, so additional security measures are needed.
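To make the three NPE challenges concrete, here is a small Python illustration added to this article; it is not taken from NIST SP 800-207 or from Astrix's product. An issuer mints a short-lived, signed assertion for a software agent, and a policy check re-verifies that assertion on every request, enforces a per-identity least-privilege allow-list, and emits a structured audit record that names the NPE rather than a shared account. The SPIFFE-style identifiers, the issuer and audience strings, the allow-list, and the HMAC key are all constructed for the example; a real deployment would verify the issuer's public-key signature instead of sharing an HMAC key.

```python
"""Illustrative Zero Trust policy check for a non-person entity (NPE).

Added example, not from NIST SP 800-207 or Astrix. It shows how an NPE can
authenticate (a short-lived, signed assertion instead of a static API key),
how its access is scoped (an explicit allow-list per identity), and how
each decision is recorded (an audit record naming the NPE).
"""
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Constructed shared key for the demo. In practice the policy engine would
# verify a signature with the issuer's public key, not a shared secret.
ISSUER_KEY = b"demo-issuer-key-not-for-production"
ISSUER = "https://idp.example.internal"          # assumed issuer name
AUDIENCE = "zta-policy-administrator"            # assumed relying party

# Least-privilege allow-list (constructed): (action, resource pattern) per NPE.
POLICY = {
    "spiffe://example.internal/agent/patch-bot": {
        ("read", "policy/*"), ("update", "policy/patch-window")},
    "spiffe://example.internal/agent/log-shipper": {("read", "logs/*")},
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_assertion(subject: str, scopes: List[str], ttl_s: int = 300, now=None) -> str:
    """Mint a short-lived assertion for an NPE (the issuer's side)."""
    now = int(time.time()) if now is None else now
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject,
              "iat": now, "exp": now + ttl_s, "scp": scopes}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    tag = _b64(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def verify_assertion(token: str, now=None) -> Optional[dict]:
    """Authenticate the NPE: check signature, issuer, audience and expiry."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(_unb64(body))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if now >= claims.get("exp", 0):
        return None  # expired: the agent must re-authenticate
    return claims


def _matches(pattern: str, resource: str) -> bool:
    return resource == pattern or (pattern.endswith("/*") and resource.startswith(pattern[:-1]))


def _audit(subject, action, resource, allowed, reason, now) -> dict:
    record = {"ts": now, "npe": subject, "action": action, "resource": resource,
              "allowed": allowed, "reason": reason}
    print(json.dumps(record))  # in practice, ship to the SIEM
    return record


def authorize(token: str, action: str, resource: str, now=None) -> dict:
    """Evaluate one NPE request; return the decision and its audit record.

    Every call re-verifies the assertion (no long-lived session), so an
    expired or tampered identity loses access on its very next request.
    """
    now = int(time.time()) if now is None else now
    claims = verify_assertion(token, now)
    if claims is None:
        return _audit(None, action, resource, False, "authentication_failed", now)
    sub = claims["sub"]
    if action not in claims.get("scp", []):
        return _audit(sub, action, resource, False, "scope_missing", now)
    allowed = any(a == action and _matches(p, resource) for a, p in POLICY.get(sub, set()))
    if not allowed:
        return _audit(sub, action, resource, False, "policy_denied", now)
    return _audit(sub, action, resource, True, "allowed", now)


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_assertion("spiffe://example.internal/agent/patch-bot", ["read", "update"], now=t0)
    authorize(tok, "update", "policy/patch-window", now=t0 + 60)  # allowed
    authorize(tok, "delete", "policy/patch-window", now=t0 + 60)  # scope_missing
    authorize(tok, "read", "logs/auth", now=t0 + 60)              # policy_denied
    authorize(tok, "read", "policy/patch-window", now=t0 + 600)   # authentication_failed (expired)
```

The four calls at the bottom walk through the decision paths: a scoped, in-policy request is allowed; an action outside the assertion's scopes is refused before policy is consulted; an in-scope action on a resource the identity is not allow-listed for is denied; and a request after the five-minute lifetime fails authentication, which is the "continuous verification" property that a static API key never gives you.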

Zero Trust for NHIs with Astrix

Astrix provides a continuous inventory of NHIs across IaaS, SaaS, PaaS, and on-premises environments, helping organizations maintain visibility over NHIs such as service accounts, OAuth tokens, IAM roles, and API keys.

  1. Identity governance – Astrix provides continuous inventory and real-time discovery of non-human identities across various environments.
  2. Granular access controls – The platform offers posture management capabilities, allowing organizations to prioritize remediation efforts based on rich context about services and resources an NHI can access, its permissions, and usage patterns. This aligns with the need for fine-grained access controls and just-in-time access provisioning for NPEs.
  3. Continuous monitoring – Astrix employs advanced threat detection engines to expose anomalous behavior, policy deviations, and supply chain compromises, directly addressing the need for continuous monitoring and behavioral analytics to detect anomalies in NPE actions.
  4. Secure API integration – Astrix secures API keys, secrets, OAuth tokens, and other forms of app-to-app connectivity, so that the APIs used by NPEs are properly protected and monitored.
  5. Regular audits – Astrix enables policy-based attestation, alerts, and offboarding of NHIs throughout their entire lifecycle. This comprehensive management approach facilitates regular audits of NPE permissions and activities, maintaining alignment with Zero Trust principles.

Learn more

The Hidden Risk in Financial Services: Securing Your Non-Human Identities

PCI DSS 4.0.1: Compliance for Non-Human Identities

How Mature is Your NHI Security Program?