The first steps to tackling the NHI security challenge

Non-human identities present an attack surface so large that even the most experienced security professionals struggle to figure out where to start when it comes to securing them.

The question is: what’s the first step you should take? This webinar covers the practical first moves security teams can make.

  • Why NHI security is a top priority today, backed by data
  • What the first step is to securing NHIs before deciding on a solution
  • How NHI management can improve business processes and incident response plans
  • How to regain control of non-human identities without interfering with your company’s developers
  • And more

Transcription

00:00:03
Hi there, welcome to today's webinar brought to you by The Cyber Hut and Entro Security. We'll get started momentarily; we'll just let people get joined. Hi there everybody, welcome to today's webinar brought to you by The Cyber Hut and Entro Security. Fabulous topic: NHIs, non-human identities, and how to take the first step in understanding and tackling this security challenge. Before we get started into today's content, a little bit of housekeeping. Obviously we are on Zoom today,

00:01:32
so everybody is centrally muted, but we do have the chat and Q&A functionality available to us, so please put your comments and questions in there as we go and I will try to interweave some of those questions into our discussions as we go along. We'll also leave probably five or ten minutes at the end as well to wrap up any questions that you may have. Today's content is obviously being recorded as well, so you can view this on demand or again afterwards at your leisure, and of

00:02:08
course you'll be sent a link to that afterwards. What a fabulous topic. Non-human identity has been one of our biggest inquiry topics over the past 12 to 18 months; absolutely privileged to be here discussing this today. But I guess maybe quickly start off with some introductions. My name is Simon Moffatt, I'm founder at The Cyber Hut, which is a globally renowned research agency looking at all of the exciting identity security topics facing us, including obviously non-human identities as well.

00:02:42
I've been fortunate to have been in this space for a couple of decades, I guess, and there hasn't been anything, I don't think, as exciting as non-human identity has been over the past probably 24 months. It's been a real inquiry and research topic for ourselves, and one which many organizations, large, small, enterprise organizations, are desperate to understand: how to get started, what are the capabilities, why is this becoming a major problem now. Absolutely thrilled to be here chatting about it

00:03:16
with Itzik from Entro Security. Welcome, how are you doing? I'm good, I'm good Simon, thanks for having me. Not at all, not at all, looking forward to our conversation. I guess maybe just start off with your sort of background and history and how you got to building up Entro Security. Yeah, for sure. So I'm Itzik Alvas, the co-founder and CEO of Entro Security. Entro is a non-human identity lifecycle management and secrets security company; we pioneered that vertical. So a bit about myself: I started almost 20

00:03:54
years ago back at the Israeli Defense Force. I was in one of the intelligence units over there, I was doing offensive cyber back then, but then moved to the industry, to the public market, and switched to defensive cyber security. So prior to Entro I was responsible for the internal security of one of Microsoft's clouds; before that I was a CISO of the largest healthcare services organization in Europe, where I was breached by non-human identity. So like a couple of weeks after migrating to the cloud over there

00:04:32
we were breached by non-human identities, and then at Microsoft we were breached twice by non-human identities. So after the third time that I was breached by non-human identities I basically started to think about the problem, and yeah, went and joined forces with a friend of mine back from the Army, Adam Cheriki, who is the CTO, and we started Entro, that basically created that market and vertical. I love that. I love the fact that you just drop in there the fact that, first of all, you were on

00:05:05
the offensive side, which is pretty cool I think in itself, but equally now doing the defensive work. I think that having the ability to look at both camps is really, really interesting and really powerful, but also just that practitioner experience as well: you've been there, you felt the pain of some of these things, you felt the real impact ultimately of breaches related to NHI, the cost of management, the difficulty of management. I think that's quite

00:05:36
unique actually, it's quite a powerful thing, isn't it, to have been burned, if you like, by some of these problems and then obviously now building out solutions. So looking forward to this conversation. Today's agenda, obviously we keep things loose on the industry webinars: ultimately, you know, really understand why has NHI stuff become a priority today. And as I said earlier, this has been a top inquiry topic for The Cyber Hut over the past 12 to 18 months, you know, organizations

00:06:04
coming to us just wanting to understand, you know, what is this space, how does it work, how can we integrate this technology, how can we get improved visibility, how can we improve remediation, and so on. So we're going to launch with that and then basically get into what does a good solution look like in this space, talk about lifecycles. Of people, I think we're quite well versed in managing lifecycles of people; taking some of those concepts into the NHI space is vitally important. And obviously how can

00:06:34
we get started, you know, what are those first steps and some of the first immediate things organizations can do. So I guess let's build this sort of problem statement. Ultimately, why is NHI suddenly becoming a top priority? And it is difficult because, you know, we speak with C-level identity leaders, business leaders, digital leaders as well. They all have priorities, they all have finite resources, they don't have enough cash, they don't have enough people, they have alert fatigue, they have

00:07:08
more apps they need to migrate or develop, they have to do things faster than ever before. But there's one which is becoming consistent, and it is this NHI aspect. And a couple of things I want to sort of pull out here. One is, I guess, a bit of the definitions, really; terminology and semantics ultimately around NHI and secrets, which is something we have to engage a little bit around, educating the market around what some of these topics mean. And machine identity sort of pops in there as well, and I'd love to get your sort of

00:07:40
view here on this definition. I think, you know, we're quite good, if you like, about human identity definitions of employees and customers, and then a few years ago we had the secrets management problem, if you like, around vaulting of things and having to manage cryptographic secrets, and that migration from HSMs to be cloud key management systems. So that terminology is a little bit understood, but how does the NHI fit in here? I've got my own opinions but I'd love to bring you in here straight away,

00:08:12
and what's your immediate view of this? Yeah, no, I think you are right. We should probably start with a bit of a definition just to frame everything for everyone, to level it up. So non-human identities and secrets: sometimes, you know, people are treating them as the same, which is kind of true, but not really. Non-human identities are actually the entities, the programmatic entities, that enable identity or some sort of an authentication for applications when

00:08:52
those applications are trying to communicate with other applications, or maybe resources they need, like a database and so forth. So if the application needs to authenticate against the database and connect to the database, they're using non-human identities in order to facilitate that authentication and connectivity. So that's the entities, and you're attaching permissions to it, so you can give the non-human identity admin permission over your MongoDB or RDS database and so forth. The activities are

00:09:22
over there, some attributes are over there. Secrets are actually the credentials of that non-human identity. Okay, so you're creating a non-human identity, you're giving it permissions and other attributes, but the credentials of that non-human identity are actually what the application is using to authenticate against the resource, MongoDB in our scenario. So again, those are the actual credentials of that non-human identity. So that's secrets, that's non-human identities, just to

00:09:56
level up the field over here. So yeah, go ahead. No, that's great, that's great, and it's so simple when you describe it in those terms. And again, if you take it back to the sort of human world, if you like, we have an identity, an identity profile, which may be created, it's verified, it's onboarded, maybe stored in the directory, whatever. And then there's a credential aspect: it could be a biometric, it could be a password, hopefully not passwords, but you know, there's a credential lifecycle in

00:10:27
there, an MFA aspect, and then we talk about authorization, session management, enforcement points, etc. So it's exactly the same thing, and as soon as you start to apply those basic building blocks to the NHI world, you're then thinking, oh wow, actually we need a lifecycle of capabilities. We need more than just, as you said, a cryptographic key, maybe a certificate or whatever. Yeah, that's part of it, but there's a much broader thing. And I think as soon as you describe it in such simple terms, you

00:10:59
then go, ah yeah, absolutely, we need to have identity management, we need to have the entity, then the credential, then the right-sizing. And it's just a bigger thing, isn't it? Right, you can't really do one without the other. So there are some companies out there that are doing non-human identities but don't do secrets, which, I don't understand that. And then there are other companies, like secret scanners and so forth; they are searching for those credentials of the non-human identities, those secrets,

00:11:25
but they are not really attaching it or protecting the non-human identity. You really need to do both in order to, yeah, secure your non-human identities. Yeah, for sure, it's got to be end to end, hasn't it? I think the next thing for me is they're everywhere. And this, you know, as soon as you start to uncover and work on those definitions and say, look, well, if you are talking about an interaction between APIs, between workloads, between anything, maybe to infrastructure, to do with AI, because AI is everywhere,

00:11:59
once you have those interactions, those access paths, without a human involved, that just proliferates. And I love, there's another number here, which is always good: a 92 to 1 ratio between humans and non-humans, and that comes from your research report, which I think there's a link going to be sent around afterwards. So that's your sort of State of NHI report for 2025. So 92 times the relationship there between people, huge. And obviously we've been going through this microservices

00:12:32
migration for probably a decade or more, you know, moving to agile, moving to a faster way of delivering integration. We have cloud service provider adoption, the big three there, you know, Google, Amazon, Microsoft, but a whole host of other SaaS providers really, which are going to be integrating API first ultimately. We have all the automation pipelines, and obviously the last probably 18 months, I guess, the sort of ChatGPT aspect and the conversational AI, agentic AI is everywhere, and that of course is a brand

00:13:06
new beast around how you manage both the data access, the data, and all of the connectivity there. So is 92 to 1, is that now a conservative estimate, do you think? Is it going to be higher next year, do you think? I'm sure. So that's, by the way, it's an insane number, right? For every human employee you have within the organization you will have on average 92 non-human identities, which is insane. And yes, I think it will only grow, like I know it will only grow. The last metric we had was by Gartner

00:13:39
back in 2021; they saw an average of 1 to 45, so for every human employee you will have 45 non-human identities. And then we took our customer base, so we have the biggest customer base in the industry, and we ran some metrics over it, anonymized, but great metrics. One of them is this one, like 1 to 92. So basically over doubling the number of non-human identities within less than four years. So yes, it will only increase. And when you think about it again, like non-human identities,

00:14:14
applications are using them in order to access and authenticate resources they need, right, like databases, accounts. And you wrote over here microservices: so we used to have a monolith, now we're breaking that monolith into microservices, so instead of one set of keys, one set of non-human identity credentials per monolith, now we have a set of credentials, a set of secrets for each microservice. The more cloud services we use, the more non-human identities to authenticate against them, right? For every new offering we're

00:14:48
using in the cloud or on-prem we will need some, or the application will need some, way to authenticate against it, and that's a new secret, a new non-human identity. So yeah, I think it will increase. I think for all the things you said there, and as well I think organizations are just becoming more aware of the problem, so they are looking and understanding, ah okay, what about APIs, what about third parties, supply chains, etc. And I think as identity is sort of moving from being an operations aspect to really being a

00:15:22
pillar of cyber, data security, endpoint security, business productivity and others, you suddenly see, as you describe, all of those tentacles just becoming more proliferated throughout migration, digital delivery, B2C ecosystems, so delivery of consumer-facing apps, privacy preservation. All of those systems and services will be needing an NHI backbone, which I think isn't going to get smaller; I think that is for sure. And the other thing which I think has fascinated us at The Cyber Hut is, you know,

00:15:56
when you start asking and talking and researching what this is all about, it isn't just one type. I think, you know, the human space has had a bit of a proliferation in the types of identity available. You know, 15 years ago it was staff, you know, in the LDAP sort of Novell or AD, Active Directory, and then that extended a little bit maybe to federated partners, and then you have a B2C thing going on with customers and citizens and stuff. But they're quite big chunks; you can sort of bucket these into quite easy

00:16:27
chunks and so on. But as soon as you look at this space, it's basically saying, wow, that could be a service account, the old-fashioned service account thing; it could be right the way through to some sort of agentic AI credential linking up multiple different backend repositories. You've got API keys, you've got all of that stuff around OAuth 2 clients, which can be hugely misused. OAuth 2 is absolutely superb, very broad, often very complex to implement; there's a whole OAuth 2 landscape in there. Is there anything missing? This

00:16:59
one, it seems to be another sort of type every week. So yes, like, at Entro we're supporting over 1,200 types of non-human identities. Yeah, so again, like, there are a lot. So 1,200 types, and over that, that's what we support in and around non-human identity types, and there are more. So while you have over here the most common ones, if you will, there are a lot of different types of non-human identities and secrets. So yeah, for sure. What are some of the most sort of obscure

00:17:37
edge ones that you've discovered and found? Yeah, there's a lot. Like any and every SaaS offering out there, or again any offering out there, can create their own key. Okay, they create some sort of an algorithm, maybe we'll call it like "Simon" with a "one two three" at the end; that's a token, and the application will accept it and let you authenticate with it, and so forth. So there are a lot of types out there, and in order to find all of them, to keep

00:18:10
them secure, like that's a huge, huge, huge challenge. But I agree, like service accounts, API keys; I don't see connection strings over here, which are widely used for database access and so forth. But I agree, most of the most common non-human identities are over here on that slide, which make up usually about 60% of an average organization's landscape. The other 40% are the less common ones. And I imagine as well, because this landscape is changing, you need to have a

00:18:50
platform which can adapt to this stuff. Ultimately, you know, just having an OAuth 2 client sort of management system is great, but I imagine you need to be very flexible in being able to discover, identify, classify. I guess that's a big part of the platform. Yeah, correct. And by the way, like OAuth tokens are usually the most safe ones, if you will; it's not easy to abuse them, it's not easy to use them as an attacker, and so forth. Usually OAuth tokens are to connect

00:19:25
between two SaaS vendors, like the default integration between two SaaS. So if you're using, I don't know, Calendly to connect to your calendar, it will be facilitating that using an OAuth token, which is pretty much safe; you can auto-rotate them and so forth. So that's not the problematic one, like that's the safest one. But definitely API keys, connection strings, service accounts, those are being neglected. So yeah, you know, but again, you need to guard every single one of them. I think that's

00:19:58
it, you're only as strong as your weakest link, so you need to have that broad coverage, of course. And we'll do a quick question that's just popped in; we'll try and keep on top of these as they go. A question asking about the market and stuff, but then more importantly, you know, it seems to be the perception of the business that NHI is just a problem of the sort of IT teams and how they should take care of it. Any arguments there? Is it just an IT operations thing, or is it more

00:20:24
security and compliance? What's your sort of view there? I think it's a cross-department problem. I think, like, I understand why we're asking about IT over here. IT, or IAM teams sometimes, but IT are the ones who are creating human identities for an organization, which, you know, it's been around for a long time, we have our processes, it's pretty straightforward now to understand how to create them. You know, you have a new employee, you're creating his human identity at your Active Directory, Okta,

00:20:59
whatever you guys are using, and then you're adding him to some security groups which give him permissions, and you're able to manage his lifecycle. But I think, you know, the caveat over here is that you know everything about your employee: you know his SSN, you know where he lives, you know his name, you know everything about him. The problem with, usually the problem with non-human identities is they are being created, permissioned, used by development teams, by developers, DevOps, SREs and

00:21:31
so forth, because developers need them in order to enable their application to connect to the resources the application needs, right? And usually those non-human identities are long randomized strings, and that means that once they are created it's so easy to lose track of them. You can use them with one application and then with another application, and like you don't really know anything about them, you don't have context; again, long randomized strings. And it's not easy to understand when they should be

00:21:58
offboarded, when they should be rotated or reset, and so forth. So I think that's the main difference: it's easy for IT teams to create those human identities and manage them; it's not as easy for them to do it for the non-human identity side, because it's really like a development process. Yeah, yeah, I think you're right. You know, in the human space you sort of know the problem statement, if you like; you understand how many employees will join, how many will leave. Even in

00:22:30
the sort of B2C world you sort of know what an identity profile will look like, you'll know what credentials they will use, and you sort of know their behaviors to an extent, so it's a slightly more controlled ecosystem. But I think in the NHI thing, not only do you have a broader variety, but as you say they could be getting created from different areas, there's no single... They are created from different areas: if you need to authenticate against, again, MongoDB, you are creating the non-human identity at

00:22:57
the MongoDB level; if you need to connect to Azure, you're creating the non-human identity at Azure, at Microsoft Azure. So there's like no one place to control them all, like we have with Active Directory or Okta. And again, you need to understand how they are being used. It's super easy to understand how a human will use his human identity: send emails or connect into shared locations, storage locations. It's not easy to understand how the application will use it. If it's

00:23:26
a script it's different, if it's a UI it's different, and so it's not easy for IT teams to actually go ahead and manage them. No, and I think you're right, the behaviors are different out there as well. As you said, the DB thing versus an OAuth client versus something, they're going to behave differently, they're going to have different starting points, ending points, usage. And I think that sort of segues nicely into, you know, back to why is this a priority, and it's causing a load of

00:23:51
complications. And, you know, we have things you mentioned there about centralized visibility, or lack of, because everything is getting created everywhere; there's no single source of truth, so there isn't one person or one team creating stuff, it's distributed creation. Correct. Lack of monitoring. The credential aspect is entirely fragmented as well, so you have different credential providers perhaps, different ways, not being stored effectively, things often static as well. So, you know, somebody creates a coding

00:24:24
pipeline, doesn't necessarily have that as part of a routine of rotation in there as well. So there's a lot of problems, and the implications of that are, frankly, because it impacts lots of different parts of the business, not just the SecOps or security or identity. Ultimately it could have a huge impact on data breach, data exfiltration, lateral movement. The attack surface is increasing, because you've already said there's 92 to 1 and growing, so this perimeter problem is getting bigger.

00:24:56
So there's a lot of people involved, a lot of different stakeholders I think can benefit from improving NHI, I think. Yeah, no, correct. And we have no magic solutions over there like we have for human identities, like MFA can be one of them. You're unable to use MFA with non-human identities, unfortunately, right? So if you have a human identity and every time that he needs to authenticate against something he's getting, you know, an SMS with a one-time password, that's pretty

00:25:29
safe, that's pretty safe to do. You're unable to do it, like an application can't do that, unfortunately, and there are so many other controls in place for human identities that unfortunately are not available, and I don't think will be available, for non-human identities. No, that's absolutely fair. It does remind me a little bit of the sort of B2C thing which emerged sort of 10, 15 years ago, when you said, okay, we'll just take those existing B2E components and just repurpose them

00:26:00
for external identity, which never worked, of course; there was a new industry. And it's exactly the same, and I think absolutely there are definitely some principles we can talk about and say, look, okay, how can we do strong authentication for NHI, how can we do rotation, how can we improve this sort of source of truth problem. So we have experiences in the human world, but the tooling, frameworks, the stakeholders, they just seem very different to me. They seem like it's a different audience, different

00:26:30
technologies needed; it just seems like a brand new thing to me. All righty, what does that thing look like, what does that solution area look like? Which is, I think, the big thing for me. I think we're going to touch on this a little bit later as well: we need to think broad, don't we? We need to think end to end of these NHIs, you know, where are they being created, what are they being used for, what does the risk look like. With this, absolutely there's a credentialing aspect here, but

00:27:03
it just looks like there's a broad set of capabilities. Is that fair? Are we looking at a platform play? I think, yeah, it's fair. Like, so the main problem that we're seeing in the industry is, because those developers or technical teams are the ones who are creating them, permissioning them, using them, a lot of the time they are scattering them around. So they can store them within vaults, which are a secured storage location, but that's what it is, it's a storage location and that's it,

00:27:36
but they can store them within vaults. We're seeing that for every organization there's an average of five different, completely different vault offerings. So if you're using Kubernetes you will store some of your secrets at your Kubernetes Secrets; if you're using AWS you will store some of them at AWS Secrets Manager; GitHub, GitHub Actions secrets, and so forth. So you will have those secrets and non-human identities scattered between different vaults, but then they are also being, you

00:28:05
know, committed into code, sent over Slack or Teams, within Confluence manuals and so forth. And the main problem that we're seeing is that security teams, or the organization, don't really know how many non-human identities they have and where they are. And again, also those are long randomized strings, and that means that even if, you know, a professional will find one, then what? Like, which application is using it, is it even enabled or already expired, like what do I know about it?

00:28:36
Usually nothing. And when we combine that, that we don't know how many we have, where they are and how they're being utilized, that's why organizations are really struggling to protect them. You know, according to the latest report by IBM, Cost of a Data Breach, Verizon reports, Gartner, which are, you know, leading the industry, it's the second most frequent attack vector nowadays and the number one most costly or devastating attack to an organization. So yes, you know, we need to implement what we're seeing over here

00:29:07
and probably more in order to actually tackle that problem and be in front of it. No, that's interesting, that's an interesting segue to a couple of questions; keep them coming, there are two more come in here. So there's a question about, we've been talking about rotation. It's funny, we talk about that just like a thing, rotation of credentials, as if it's like this easy thing to achieve, which I think it isn't, first of all. But the question is more about the other end of the spectrum, which is looking at

00:29:34
ephemeral identities, so identities that appear and disappear, specifically talking about things like tracking, auditing, scaling of that stuff. What's your sort of view on the identity side? Yeah, I think that's some of the problems with ephemeral. I don't think it's mature enough currently. So okay, first of all, the support: like ephemeral credentials, ephemeral secrets and identity support, it's not really being supported with everything that we're using, it's very limited. Usually the

00:30:07
resources your application will need won't support it. But even if they do, and I tried to implement that myself at one of my organizations, even if they do support it, I think those are great comments, like what about scalability of them? I'll give you an example. So basically the flow is: once the application is using the non-human identity, it's gone; that's the ephemeral part of it, okay? And then when the application needs to use it again, there's a process which is going to create

00:30:40
a new one, and again once it's being used it's gone. So that's the process. So now what happens if an application is using, or a workload, like you have two containers or two workloads from the same application that are using the same token, which is perfectly fine. So now the first workload is using the token, connects to the database, and then the second workload, the second maybe container, wants to use the same one. Now it's being created, there's another one that is being created, then the new

00:31:11
workload will use that, but the first one will be deleted; that's the ephemeral part of it, and now your first workload is unable to connect to the database. So what are you doing? So you're creating some scripts around it and so forth and trying to tie stuff together. It's not, unfortunately it's not mature enough, it's not a good solution; there's a lot of stuff that you need to do at a practical level. Like it's great as a concept, and hopefully in the future it will mature,

00:31:40
but currently it's not something that you're actually able to use unless you have a very specific architecture that is based around it. So definitely for your already, you know, developed applications, that's something you are unable to use, and probably for future ones, unless you really, you know, stitch it together, it's not going to be easy. And of course monitoring and so forth, it's a problem. Yeah, yeah, great answer. Yeah, it's a complicated thing, isn't it? I think that's the main

00:32:09
takeaway there. All right, so in sort of the first half hour we built up this picture: it's a big priority, there's a lot going on, it's a broad ecosystem of sort of types, but equally you need a broad set of capabilities. And I want to talk a little bit around how can people start on this journey. I think people realize, look, we need to do something here; we have some sort of semblance of, maybe there's a homegrown solution, maybe there's not, but they need

00:32:37
to start. And I quite like this; we internally at The Cyber Hut do some workshop stuff, and it's really basic in this sense: you need to know where you're heading to, your target profile; you need to understand your current profile, your current ecosystem, and it could be people-based, non-human-based, whatever, internal, external. We need to understand where you are, and I think that's a really, it's an often overlooked bit, isn't it, of NHI, because people want to be into the solution straight away: we need to buy, I

00:33:07
know, secrets vaulting, rotation thing, we need to buy some software. But to me it's, let's understand the problem space first. And I think there's some interesting things for me around, you know, include more stakeholders; this isn't just one team or one area that's impacted, it's going to be multiple areas, whether it's engineering, security, DevOps, you know, others in here. Understand what's there, you know, tooling, the response mechanisms and so on. And I think it is trying to engage and show

00:33:38
the outcomes. I think something I want to pick up with you guys is around, you know, you have this assessment model; it’s essentially going in and taking a look at an organization’s ecosystem, so how does that work, how does that process start off? Yeah, I think you are correct, that’s with any problem: before you jump to a solution let’s understand what our problem is, and, you know, I understood it too late after my thought breach, and then that was the time when I tried to use ephemeral non-

00:34:12
human identities and completely failed because it’s not meeting reality, and I had the same problem that I described earlier: I wanted to at least get an inventory in place, at least understand how many non-human identities I have and where they are, at least that, because they are being created from many different resources. There’s no one source of truth; I needed that, I needed one source of truth, and then you can build on top of it, right, and then you can try to

00:34:43
maybe classify each one of them and enrich and protect, but you need at least an inventory. That was my problem; maybe for others they have an Excel spreadsheet or another thing and they have the inventory and maybe they have a different problem, but I agree with you, you need to assess the problem and then choose the best solution for you. And yeah, that’s something that’s out of the report that we’re providing, so we have an assessment, a free

00:35:13
assessment within our portal. You can ask for it over there, just log in to entro.security and start it over there, and that’s one piece of it where we’re giving some of that in, so if you have something you can at least compare. But yeah, that was my biggest problem, and I see that that’s what you are showing over there. I think it’s just interesting, being able to shine that light into an organization and say, look, this

00:35:47
this is what you have, which is fine. I think that itself is quite a difficult step for many people, understanding what we have and how big the problem is, but then helping them, I guess, internally to build the business case or build this security argument to say, look, we have got more identities than we thought, a broader spectrum, we need to classify them and understand from a risk perspective and then do something about that, you know, build a business case internally to redesign process, expand the coverage,

00:36:21
obviously ultimately buy some software, I suppose, but it’s just trying to, you know, what are you going to explore? In this case it was unique secrets, locations, where they are, what they’re doing, the impact, blast radius. I think that’s the stuff which helps organizations to really say, look, we’re not in control of this problem, this is the breadth and depth of the problem and this is the impact. I think those are really important things which many

00:36:50
organizations are wanting to get started with, aren’t they, helping internally build the case to say, look, this is a much bigger problem than just one or two clients, for example. Right, that’s a great example over here: the main problem or the main breach point for organizations is exposure of those tokens, and that’s what we’re seeing, that’s again out of the assessment, so from that assessment you will be able to

00:37:19
see how many non-human identities were created in the different creation locations, that’s the earlier slide we just had, and then how many of them are vaulted within a secure storage location, and then how many of them are exposed outside of where they should be. Over here I see environment variables of an Azure function, committed into code, sent over Teams and within SharePoint. So yes, that’s a great report and a wonderful way to observe the problem and to understand,

00:37:54
you know, where is my organization in the maturity level of actually keeping them protected. Yeah, that’s absolutely great. I think it’s practical, it’s pragmatic; for me, I like practical stuff. And a second question I was going to ask you, which has actually popped up in here, was more about whether this capability, as in NHI management, would sit within an IAM sort of team, I think is the question, or who do you see as the main sort of stakeholders or people that, for example,

00:38:23
this assessment report would be used by? Right, I think there are two main teams, and usually they are working together, but it differs on the organization which one will be the owner of a system like a non-human identity lifecycle management or secret security platform. It can either be application security, because applications are the ones who are using those entities and basically application security knows how the development process and the different applications work and how

00:39:01
those non-human identities should be used. So that’s one piece, application security teams, we are seeing them as users, and yes, we’re seeing IAM teams as users. Again, it depends on the different organization and what they decide, but it’s definitely those two, IAM teams and application security teams, it’s really between those two. Yeah, that’s what we’ve seen as well, those two. The identity guys clearly have the experience, if you like, around the

00:39:33
terms, you know, authZ, conditional access, strong authentication enforcement, but then equally it is the app guys, if you like, or maybe even engineering and dev as well, who are saying, look, this is on our heads, we have a huge incentive to try and get this fixed because it impacts security, it impacts productivity as well. Engineering effort isn’t really going to make any cash by building their own workload management system; they are paid and incentivized to build applications and deliver business and customer

00:40:06
functionality, so there’s a productivity thing there and there’s a security and risk thing, you know, hugely as well. That’s a great point, by the way: you don’t really want to interfere with the developers, you want something out of band that can find all of them, monitor them, protect them and so forth. Yeah, it has to be easy, you know, simplify that adoption so as to get out of the way of people who are doing stuff. And there’s a couple of questions that have popped in again here from the same

00:40:32
person, and I want to shoehorn those into the next 15 to 20 minutes around amplifying this lifecycle sort of conversation and the benefits of handling this stuff. And absolutely, you know, if we sort of zoom out for a little bit and say, look, we’re going to deliver an NHI platform, it’s going to get consumed by the identity guys, the app security team as well, compliance, audit; the benefits of that are huge, and I think you can instantly say, well, you’re going to have

00:41:03
automation there, which removes human effort, it removes errors, you have consistent policy, eliminate misconfiguration. We’ve already said you could be talking about MongoDB one minute, Azure the next, Amazon the next; you need to have standard, clear ways of configuring those systems, external leakage detection and issues, so there are huge benefits here. But the big thing for me: we have to think in lifecycles, don’t we? I think before we launch into this there are a couple of questions

00:41:35
I want to shoehorn in, and this was asked a little bit earlier there by the anonymous attendee, and it was basically asking about a taxonomy of identities, which we sort of covered a little bit earlier, but really that mapping into NIST, so the NIST Cybersecurity Framework, which I’m sure most people are familiar with these days: you talk about identify, protect, detect, respond and recover. Instantly again you’re into a lifecycle, aren’t you, you’re instantly into an end-to-end view. I’m just

00:42:07
sort of wondering how your lifecycle here is maybe NIST-aligned, or is it NIST-inspired, what’s your take on that? Yeah, no, it’s definitely aligned, and I think you jumped over one slide, like I saw for a brief moment, which is exactly that, maybe one before that or two before that. Yeah, okay, exactly that: you need to identify, so that’s the inventory and the classification, which go together, because again you need to classify them, because those are again

00:42:40
long randomized strings, and then in order to actually protect them. So at least in terms of the different terms that are being used within the industry, non-human identity detection and response, NHIDR, it’s like ITDR but for non-human identities, so that’s a great way to understand how those non-human identities are actually being used and if there’s any abuse around them and so forth. And we spoke about different teams and stakeholders, so that’s a

00:43:14
lot of the time going to the SOC team, because it’s abnormal behaviors around them, so you will see the SOC with, you know, their SIEMs and so on and so forth using the NHIDR capabilities, and yes, of course, automated remediation at scale. We talked about 92 to 1; that’s an average organization, by the way, so if you have a lot of developers you will probably have a higher ratio, so you need to have some sort of an automated way in order to remediate all of the risks.

00:43:47
Usually when we’re entering an environment it’s like a Christmas tree that lights up, so you will need some sort of automation. So that’s like a very high-level NIST, and of course the lifecycle that we saw earlier in a bit more detail, with the different pillars, is aligned to that as well, for sure. And I guess, you know, you’re going through this, I suppose, sequentially; you know, you can’t protect what you can’t see, ultimately, so I presume you’re doing that discovery

00:44:15
thing first and early to inventory, but again it does seem like it is a nonlinear process; by that I mean you’re constantly discovering, essentially, so maybe you pick one area and you’re having to go back and reiterate those initial inventory aspects. But the classification is a good one; one thing we get asked a lot is how do you link to people? I mean, is that important? You have to be able to understand; you mentioned owners there,

00:44:45
you know, how is that? It’s quite difficult, but we are doing that with great precision. But yeah, that’s basically the different pillars that make up the Entro security platform. So again, discovery: you want to make sure that you’re finding them at their creation location, a storage location, which are usually vaults, and exposure locations; if you’re missing one of them you don’t have a comprehensive inventory, you don’t really know how many non-human identities and

00:45:16
secrets you have, so that’s one huge part of it. Find them at their creation location; even if someone created a non-human identity but hasn’t done anything with it, you would like it to be listed as part of your inventory. Again, same with the vaults, if someone stored a new secret over there, and exposure locations, huge, that’s the most important part; this is how they are getting in. Classification, yes: ownership assignment, understanding the permissions of them, activities, pretty much

00:45:46
everything you need to know in order to understand the blast radius of those non-human identities, so we’re creating like a lineage map of which applications, which workloads are using the non-human identity to access what resources, and other vital data around them. It’s like placing an AirTag on your non-human identities, if you will, and then that’s enabling us to do posture management, right: misconfiguration, static risk analysis. We can take that inventory and the classification and understand

00:46:14
the different misconfigurations and risks around them. Non-human identity detection and response: again, we’re taking the activities of each non-human identity, creating an activity baseline, and any deviation from that activity can be considered a potential breach, and we will run our non-human identity detection and response rules against them. I’ll give you an example: let’s say that someone from, I don’t know, China is using our token, but we’re not doing business with China; that’s an abnormal

00:46:46
behavior, right. If someone is mass downloading secrets from our vault, that’s another abnormal behavior, another thing we should probably prevent. Five and six, those are remediation pillars, so yes, streamline the rotation, be able to do that, and you can only do that if you have the lineage map, if you understand how those are being used, and move all of the exposed tokens, which is again a huge problem, into a secure location, vaults, and decommissioning, that’s basically

00:47:15
removal of any idle, stale, not-in-use non-human identities. When we’re entering an environment we usually see that about 40% of all non-human identities are not in use anymore; they are active, someone can use them, but no one is, and that means that you can probably reduce your attack surface by 40% like that. So yeah, a question I’ve seen emerge a little bit is the rotation thing, and I want to backtrack a little bit on this. If we go back maybe 10 or 15 years it was passwords for people, and

00:47:50
there were often the NIST guidelines, and NIST are excellent guidelines, I’m not criticizing them at all, but obviously 15 years ago you would have the NIST password stuff around password complexity: change your password every 28 days regardless, just constantly keep changing it. And obviously now we have password managers that can do that stuff for us, so many websites just say, look, your password’s expired, rotate it regardless of a breach. Now I’m wondering what your view is here on

00:48:18
sort of, I guess, step five, and it sort of ties in with step four, I suppose: do you just say, look, rotate everything continually, whether it’s every few minutes, hours, whatever, or do you say, look, we’re only going to rotate it as and when we see something suspicious in our stage four there, in our NHIDR? So I just wonder what your anecdotal view would be there. Yeah, so, you know, we have a lot of regulation and compliance that requires 90 days key rotation, so in order to be compliant in some cases it’s

00:48:52
mandatory, like it’s not my opinion or not. But if you’re taking my opinion, I think the most important piece out of it is the NHIDR capability and the posture management capability: if you can detect when those non-human identities are being misused and someone is using them to do lateral movement or any kind of breach, you’re pretty much protected, right. You can’t really cover everything, you can’t do everything, and if you need to prioritize I would probably

00:49:24
prioritize the misconfigurations, like let’s stop them from actually being vulnerable, and then let’s remove any exposures that we have and so forth, and then let’s monitor them, because if someone is trying to use them in order to breach my environment let’s stop him before he succeeds. But yes, I would definitely recommend doing rotation. Most of those non-human identities, again, over 1,200 types of them, most of them are static and they can live with, we

00:49:58
saw, I think that was the oldest one we found, but it was over 25 years. If you have a credential that is over 25 years, awesome, like, you know, assume it’s leaked; it’s leaked, I’m sure it’s leaked somewhere to somebody. So yeah, rotate them if you can and if you have the context and if you understand how to do it safely without interfering with the application; yes, you should do it. Yeah, 25 years, that’s got to be an edge case, I’m hoping, I’m hoping that

00:50:28
seems extreme. Wow, that’s a good one. So, wrapping up here, this has been absolutely fabulous. I’ll see if any further questions come through, but I guess a question just while we’re waiting for any final comments is what does the rest of the next 12 months look like, both I guess for Entro but just in industry in general? It seems that this is such an important and vital capability which organizations should have. I just wonder what you guys are planning this year or next, or what’s

00:50:58
coming up on your agenda. Yeah, no, we have a lot of new capabilities that are soon to be released, and hopefully if you’re going to follow our LinkedIn page or go to our website and sign up for the newsletter and so forth, we’re going to announce them pretty soon. There’s a bunch of capabilities, of new support, that is coming up. I really do think that, again, if we’re taking the IBM report and the Verizon report and

00:51:28
Gartner, you can see the increase of attacks around non-human identities; they were fourth and now they are the second most frequent one in terms of two years, and I really do think that people and organizations should, like, we invest so much in human identities, and usually non-human identities have more permissions, higher permissions than the nonhuman identities; usually they have admin permissions and write capabilities on databases and stuff, like permissions that human

00:52:01
identities don’t really have, and we’re investing so much in protecting the human identity part, and I do think that organizations should take a closer look at non-human identities and start to allocate some resources to protect those as well, because it’s definitely a higher risk. Yeah, I agree, I agree. It’s definitely, you know, as I say, you can’t protect what you don’t know. I think understand where you are today, you know, the landscape, the breadth and depth of the potential for NHI,

00:52:32
who’s going to own it, impacted stakeholders, and then obviously you can start to make informed decisions, obviously about software but about that response process, about how to baseline, stakeholders involved, how to measure success and other things. This has been absolutely fascinating. Clearly we’ll send some links afterwards, but obviously, I guess, calls to action: you know, really worth having a read of that State of NHI Identities and Secrets report that kind of released some frightening statistics in there, not

00:53:07
just the scale and breadth of the problem, obviously some of the impacts in there as well if you get this stuff wrong. And I think unfortunately at the minute it is an adversarial attack vector, isn’t it; it’s a really big identity entry point for the bad guys. The identity attack surface is there; it’s not necessarily being rotated, managed, monitored, so it is really a big entry point. I think as well, you know, we talked about that sort of assessment thing, but really just getting started,

00:53:37
understanding where you are, understanding your current landscape, the impacts and such there, which I think is vitally important. But any sort of last-minute takeaways for the audience there before we close up? No, I hope it was beneficial for you guys, and feel free to even contact me directly using LinkedIn. I love this vertical, we pioneered it, I’m doing it from the moment I’m getting up in the morning, so yeah, feel free to reach me even

00:54:15
directly over LinkedIn. I’ll send an email and I’ll be happy to. Don’t put your mobile number out there, that’ll be getting spammed with WhatsApp, but yeah, absolutely reach out. You know, you guys are experts in the field, and I think things like the assessment are a good pragmatic way to at least start that journey, which I think is vitally important. I think, you know, we’ve gone past this sort of immediate enablement thing, isn’t

00:54:40
it, really; now it’s action, isn’t it, making a start, finding the right sort of entry points and building capabilities, building business cases to do so. It’s a fabulous conversation; this is really an area which has absolutely exploded in the last two years. I certainly amplify the fact that whether it’s 92 to one, maybe it’s 192 this time next year, we shall see, but clearly this is not a problem which is disappearing; it’s a problem which is getting bigger, and I think it does have

00:55:13
fundamental impacts on security, productivity within engineering, compliance, audit, application delivery time and so on, so it’s definitely a really fabulous area to be involved in, and I think you guys are doing some fabulous stuff there. So thank you for taking some time out, thank you to our, not at all, not at all, it has been wonderful to be educated on this stuff; it’s great stuff. So thank you for the conversation, thank you everyone for watching, and we will see you next

00:55:42
time. Thank you, yeah, thank you, bye-bye.
