The Cloud Security Alliance (CSA) and Astrix Security today announced new research that sheds light on the current state of non-human identity (NHI) security.
The findings of the State of Non-Human Identity Security Survey, a survey of more than 800 experts paired with data from more than 2 million monitored NHIs at Fortune 500 organizations, reveal a major security disparity: organizations are far less equipped to secure non-human identities than their human counterparts. The most common challenges include service account management and NHI discovery, though the survey also revealed a growing recognition of the importance of investing in NHI security, with 1 in 4 organizations already investing in these capabilities and an additional 60% planning to do so in the next 12 months.
“NHIs—such as bots, API keys, service accounts, OAuth tokens, and secrets—are the lifeblood of today’s organizations, enabling automation, efficiency, and innovation,” said John Yeoh, global vice president of research at CSA. “While organizations understand the importance of securing NHIs and often deploy a mix of tools such as identity access management systems, these tools are not specifically designed for the unique challenges posed by NHIs. This mismatch is evident in recent attacks on major brands like AWS, Okta, Cloudflare, and Microsoft, where hackers were able to infiltrate despite security measures in place. This joint survey underscores this massive problem, and highlights that NHIs cannot be treated the same way as human identities.”
CSA and Astrix set out to dig deeper into how organizations perceive and address NHI security, with the goal of uncovering specific gaps and weaknesses in securing API keys, OAuth tokens, and more. The report reveals key findings:
NHI attacks are on the rise, defenses are lagging: Nearly 1 in 5 organizations have experienced a security incident related to NHIs. The most common causes of NHI-related attacks were insufficient credential rotation (45%), insufficient monitoring and logging (37%), and overly privileged accounts/identities (37%).
Low confidence in securing NHIs versus human identities: There is a significant gap in organizations’ security approaches, with only 1.5 in 10 organizations having high confidence in their ability to secure NHIs, compared to about 1 in 4 for securing human identities. This lack of confidence could be due to the sheer volume of NHIs in their environments, which often outnumber human identities by a factor of 20 to 1.
Fragmented approaches lead to security incidents: The tools organizations rely on are not specifically designed to address NHI security challenges: 58% use identity and access management (IAM) systems; 54% use privileged access management (PAM); 40% use API security measures; 38% use zero trust/least privilege strategies; and 36% use secrets management tools. As a result, the top three causes of NHI security incidents are lack of credential rotation (45%), inadequate monitoring and logging (37%), and overly privileged accounts or identities (37%).
Struggles with basic security practices related to NHIs: Key challenges organizations face include auditing and monitoring (25%); access and privileges (25%); NHI discovery (24%); and policy enforcement (21%). Another significant concern is limited visibility into third-party vendors connecting through OAuth applications, with 38% of organizations reporting no or low visibility into third-party vendors and another 47% having only partial visibility.
“As organizations increasingly recognize the urgent need for robust NHI security, the increase in investment reflects a proactive approach to protecting our digital infrastructure,” said Alon Jarcovsky, CEO and co-founder of Astrix Security. “The key now is to ensure that these investments are directed to the right tools, especially as security vulnerabilities continue to emerge. NHIs present unique challenges that differ from human identities, making their security complex and demanding. Addressing NHI security requires continuous improvement, adaptable strategies, and a unified effort to address ever-evolving threats head-on.”
You can read the full report here.
Yu will present an in-depth analysis of the survey results at the first-ever Non-Human Identity Security Conference on September 18 at the World Trade Center in New York. To register for this dynamic half-day conference focusing on evolving trends and tactics in non-human identity security, visit https://www.nhi-security.com/.