OWASP’s Non-Human Identity (NHI) Top 10 outlines the most pressing security risks NHIs pose to organisations, ranked by exploitability, prevalence, detectability, and impact.

Aaron Finnis, our Chief Strategy Officer, breaks down the biggest challenges and how to secure your non-human attack surface.

Aaron says, “Non-human or machine identities present significant risk. These are typically accounts that have too much privilege, end up stale following the decommissioning of legacy systems, and use poor quality passwords that are embedded in existing processes.

I’ve seen machine identities that are nearly 20 years old, and have been used in organisations almost since the deployment of modern systems.

In most instances these identities are simply Active Directory accounts, but they now exist in a hybrid world and were created at a time when cyber risk wasn’t fully appreciated.

The OWASP Top 10 for Non-Human Identities is a solid place to start as they address the core risks and challenges with managing these identities.”

Stay ahead of the threats—learn how to protect and manage NHIs effectively.

  1. Improper Offboarding:
    Knowing which of your NHIs are actually in use is a great start. Removing stale accounts reduces both attack surface and management overhead. Just as important is being able to detect when the system or process that owned an NHI has been decommissioned, and to action the offboarding of that identity at the same time rather than leaving it behind.
  2. Secret Leakage:
    Secrets are everywhere, from API keys to tokens to encryption keys. These artefacts end up stored insecurely, emailed to third parties and ultimately compromised. A tightly controlled, central location for secrets is critical to addressing the immediate challenge, and it also enables secure sharing with third parties where that is genuinely required.
  3. Vulnerable Third-Party NHI:
    DevOps and increased cloud adoption mean we now store and share NHIs and their credentials with third parties. Lowering this risk requires a means to detect misuse and compromise of those credentials, and assurance that the third parties themselves handle and store the credentials securely.
  4. Insecure Authentication:
    Legacy authentication protocols continue to add risk and the potential for compromise. It is still common to see legacy protocols such as NTLMv1 in use. Ensuring these protocols are blocked and accounts are moved to secure alternatives is critical. Audit before you block: on Windows, the 'Package Name (NTLM only)' field of Security event 4624 records whether a logon used NTLM V1 or NTLM V2, which lets you identify the dependent accounts and hosts before raising the LAN Manager authentication level to refuse NTLMv1.
  5. Overprivileged NHI:
    Understanding the exact permissions each identity requires is also critical. Establishing accounts this way takes diligence and patience, but it pays off. We have seen 'Domain Admin' or similar granted as the default level of access for NHIs when the task needed only a small fraction of those rights.
  6. Insecure Cloud Deployment Configurations:
    Storing secrets and credentials in scripts, code repositories and logs exposes them to theft. Centralising credential and secrets management remains the best way to reduce this exposure, and it is what makes automated credential rotation possible.
  7. Long-Lived Secrets:
    Credential rotation for NHIs is a must. Centralising credential storage creates the opportunity to change passwords and keys regularly, and the process can be wholly automated so that a stolen credential expires before an attacker has had much opportunity to use it. The shorter the rotation interval, the smaller that window.
  8. Environment Isolation:
    Having separate NHIs for production and non-production is paramount. Non-production environments tend to be protected less rigorously than production, so if an attacker compromises credentials in non-production and the same NHI is also valid in production, that is a direct route for lateral movement.
  9. NHI Reuse:
    It is common for a single identity to serve multiple purposes. This is frequent with legacy applications and services, as it is typically easier to create one identity to perform several tasks. The downside is that it becomes difficult to determine what 'normal' behaviour is for that account, and therefore to spot what is not legitimate. Separating NHIs so that each account performs a single task or process is the best way to reduce this risk.
  10. Human Use of NHI:
    We have seen time and time again administrators and users utilising NHIs to make changes or to go around existing privileged access controls. Strong policies and awareness are needed, along with a means to detect and block unusual activity, for example an interactive or RDP logon by an account that should only ever log on as a service.
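Items 1, 5 and 7 above all come down to reading a few attributes off each directory account. The following is an added example, not code from the original post or from OWASP: it audits a constructed export of Active Directory service accounts for staleness (lastLogonTimestamp), long-lived passwords (pwdLastSet) and membership of Domain Admin-level groups. The thresholds, the group names and the sample accounts are assumptions chosen for illustration; the FILETIME encoding and the 14-day replication slack on lastLogonTimestamp are how AD actually stores and updates those attributes.

```python
"""Audit exported Active Directory service-account attributes for three of the
NHI risks above: stale accounts (NHI1), Domain Admin-level privilege (NHI5) and
passwords that have never been rotated (NHI7).

Added example, not code from the original post or from OWASP. It assumes the
accounts have already been exported (for instance with Get-ADUser -Properties
lastLogonTimestamp,pwdLastSet,memberOf) into plain dicts holding the raw LDAP
attribute values; the sample records at the bottom are constructed.
"""
from datetime import datetime, timedelta, timezone

# AD stores lastLogonTimestamp and pwdLastSet as Windows FILETIME values:
# 100-nanosecond intervals since 1601-01-01 UTC. A value of 0 means "never".
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# lastLogonTimestamp is only written back to the directory when the stored
# value is older than msDS-LogonTimeSyncInterval (default 14 days), so the
# real last logon can be up to 14 days more recent than the attribute says.
LOGON_SYNC_SLACK = timedelta(days=14)

STALE_AFTER = timedelta(days=90)     # assumed policy: no logon in 90 days -> offboard candidate
ROTATE_AFTER = timedelta(days=365)   # assumed policy: password older than a year -> long-lived secret
PRIVILEGED_GROUPS = {                # assumed domain; membership here is "Domain Admin or similar"
    "CN=Domain Admins,CN=Users,DC=corp,DC=example",
    "CN=Enterprise Admins,CN=Users,DC=corp,DC=example",
    "CN=Administrators,CN=Builtin,DC=corp,DC=example",
}


def filetime_to_datetime(filetime: int):
    """Convert a FILETIME integer to an aware UTC datetime; 0 -> None."""
    if filetime == 0:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def audit_account(account: dict, now: datetime) -> list:
    """Return the list of NHI findings for one exported account record."""
    findings = []
    last_logon = filetime_to_datetime(account["lastLogonTimestamp"])
    pwd_last_set = filetime_to_datetime(account["pwdLastSet"])

    # NHI1: stale. Allow the full replication slack before calling it stale so
    # an account that authenticated last week is not offboarded by mistake.
    if last_logon is None:
        findings.append("stale: never logged on")
    elif now - last_logon > STALE_AFTER + LOGON_SYNC_SLACK:
        findings.append(f"stale: last logon {(now - last_logon).days} days ago")

    # NHI7: long-lived secret. pwdLastSet of 0 means "must change at next logon",
    # which a service account never does, so the password is effectively permanent.
    if pwd_last_set is None:
        findings.append("long-lived secret: password age unknown")
    elif now - pwd_last_set > ROTATE_AFTER:
        findings.append(f"long-lived secret: password {(now - pwd_last_set).days} days old")

    # NHI5: overprivileged. Report each privileged group by its CN.
    privileged = PRIVILEGED_GROUPS.intersection(account.get("memberOf", []))
    for group in sorted(privileged):
        findings.append(f"overprivileged: member of {group.split(',')[0][3:]}")
    return findings


def audit(accounts: list, now: datetime) -> dict:
    """Map sAMAccountName -> findings, omitting accounts with nothing to report."""
    result = {}
    for account in accounts:
        findings = audit_account(account, now)
        if findings:
            result[account["sAMAccountName"]] = findings
    return result


def _filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used only to build the sample data."""
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

# Constructed sample export: three service accounts with different histories.
SAMPLE_ACCOUNTS = [
    {   # backup job that stopped running two years ago, still Domain Admin
        "sAMAccountName": "svc_backup",
        "lastLogonTimestamp": _filetime(NOW - timedelta(days=730)),
        "pwdLastSet": _filetime(NOW - timedelta(days=2500)),
        "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=example"],
    },
    {   # healthy: in use, recently rotated, low privilege
        "sAMAccountName": "svc_web",
        "lastLogonTimestamp": _filetime(NOW - timedelta(days=3)),
        "pwdLastSet": _filetime(NOW - timedelta(days=20)),
        "memberOf": ["CN=WebApp Readers,OU=Groups,DC=corp,DC=example"],
    },
    {   # created but never used; password never set
        "sAMAccountName": "svc_legacy_etl",
        "lastLogonTimestamp": 0,
        "pwdLastSet": 0,
        "memberOf": [],
    },
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACCOUNTS, NOW).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run against a real export, the output is the offboarding, rotation and privilege-reduction worklist for items 1, 5 and 7; svc_web produces no findings and is omitted, which is the behaviour you want when the list is fed to a ticketing system.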
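Items 4, 9 and 10 are detection problems, and on the Windows side the evidence is in Security event 4624. The following is an added example, not code from the original post or from OWASP: it parses constructed 4624 events in the standard Windows event XML schema and flags logons that still use NTLM V1, human-style (interactive, RDP or cached) logons by accounts from an NHI inventory, and NHI use from a host the inventory does not expect. The inventory, the host names and the sample events are assumptions; the XML layout, the LmPackageName values and the logon type numbers are those Windows actually emits.

```python
"""Scan exported Windows Security events for NHI signals from the list above:
logons that still use NTLMv1 (NHI4), a person using a service account
interactively (NHI10), and an NHI appearing on a host it has no business on,
which needs the one-account-per-task baseline from NHI9.

Added example, not code from the original post. It assumes the events were
exported as XML (what Get-WinEvent | ForEach-Object { $_.ToXml() } or
wevtutil qe Security /f:xml produce); the events below are constructed.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# 4624 logon types that imply a person at a console or in an RDP session.
HUMAN_LOGON_TYPES = {"2": "Interactive", "10": "RemoteInteractive", "11": "CachedInteractive"}

# Assumed NHI inventory: in practice exported from your IAM tool or CMDB.
# Each entry lists the hosts on which that NHI is expected to be used.
NHI_INVENTORY = {
    "svc_backup": {"BACKUP01"},
    "svc_web": {"WEB01", "WEB02"},
}


def parse_event(xml_text: str) -> dict:
    """Flatten one Security event into {"EventID": ..., <Data Name>: value, ...}."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS)}
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name")] = data.text or ""
    return fields


def analyse_event(event: dict) -> list:
    """Return NHI findings for one parsed event (empty list if clean or not 4624)."""
    if event.get("EventID") != "4624":
        return []
    findings = []
    user = event.get("TargetUserName", "")
    logon_type = event.get("LogonType", "")
    source = event.get("WorkstationName", "") or event.get("IpAddress", "")

    # NHI4: LmPackageName records the NTLM flavour actually negotiated.
    # Kerberos logons carry "-" here, so they never match.
    if event.get("LmPackageName") == "NTLM V1":
        findings.append(f"NTLMv1 logon by {user} from {source}")

    if user in NHI_INVENTORY:
        # NHI10: a service account should never start a console or RDP session.
        if logon_type in HUMAN_LOGON_TYPES:
            findings.append(f"human-style {HUMAN_LOGON_TYPES[logon_type]} logon by NHI {user} from {source}")
        # NHI9: with one account per task, the expected hosts are a usable baseline.
        if source and source.upper() not in NHI_INVENTORY[user]:
            findings.append(f"NHI {user} used from unexpected host {source}")
    return findings


def scan(xml_events: list) -> list:
    """Parse and analyse a list of XML event strings, returning all findings in order."""
    findings = []
    for xml_text in xml_events:
        findings.extend(analyse_event(parse_event(xml_text)))
    return findings


def _event(event_id: int, **data) -> str:
    """Build a minimal constructed event in the Windows event XML schema (sample data only)."""
    rows = "".join(f'<Data Name="{name}">{value}</Data>' for name, value in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{rows}</EventData></Event>")


# Constructed samples: a clean Kerberos service logon, an NTLMv1 network logon by
# a legacy backup account, an RDP session started with that same account from an
# admin's laptop, and a logoff event that the scanner must ignore.
SAMPLE_EVENTS = [
    _event(4624, TargetUserName="svc_web", LogonType="5", AuthenticationPackageName="Kerberos",
           LmPackageName="-", WorkstationName="WEB01", IpAddress="-"),
    _event(4624, TargetUserName="svc_backup", LogonType="3", AuthenticationPackageName="NTLM",
           LmPackageName="NTLM V1", WorkstationName="BACKUP01", IpAddress="10.0.0.5"),
    _event(4624, TargetUserName="svc_backup", LogonType="10", AuthenticationPackageName="NTLM",
           LmPackageName="NTLM V2", WorkstationName="ADMIN-LAPTOP", IpAddress="10.0.9.23"),
    _event(4634, TargetUserName="svc_backup", LogonType="10"),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

The third sample event is the item 10 case in miniature: the logon is NTLMv2, so an NTLMv1-only rule misses it entirely, and it is only the combination of a known NHI, a RemoteInteractive logon type and an unexpected source host that makes it stand out.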


Ready to strengthen your security strategy?

Get in touch with us to learn how to secure your non-human attack surface.
