For years, securing a company’s systems meant safeguarding the “perimeter,” dividing the safe internal environment from the risky external world. Strong firewalls and advanced detection systems gave the confidence that keeping threats outside the borders protected data and systems.
However, the modern reality has shifted as businesses no longer operate within strictly physical, on-premises setups. Data and applications now exist in distributed cloud environments and data centers, accessible from anywhere in the world via various devices. This shift has dissolved the traditional perimeter, leading to a new focal point in cybersecurity: identity.
Identity now lies at the heart of what is considered the gold standard in enterprise security—”zero trust.” Under this model, no inherent trust exists; every access request must be authenticated, authorized, and continuously validated, no matter where it originates.
The Dual Nature of Identity# Identity covers two different realities. On the one hand, human identities require access to resources like email, calendars, or servers, particularly for tasks such as software development. Managing these identities has been refined over two decades, allowing employees to gain the necessary access and lose it once they leave the company.
On the other hand, we have non-human identities (NHIs), or machine identities, which represent the majority of identities in most systems, outnumbering human identities by at least 45 to 1. These identities, tied to things like servers, apps, or processes, present distinct challenges:
- They cannot be secured with typical human security measures like multi-factor authentication (MFA).
- They can be created at any time within an organization, often with little oversight, making them hard to manage across various systems.
- They are frequently over-privileged and “stale,” meaning many remain active long after their intended use, creating significant security risks.
This combination makes NHIs a major concern for organizations managing sprawling cloud environments and intricate software supply chains. It is no surprise that mismanaged identities are a leading cause of security breaches worldwide, often signaled by “secrets sprawl.”
The High Cost of Ignoring NHI Security: Real-World Incidents# Failing to secure non-human identities has real consequences, with multiple high-profile breaches showing the severe impact. In 2024 alone, companies like Dropbox, Microsoft, Sisense, and The New York Times reported incidents where compromised NHIs played a pivotal role in attacks, resulting in financial losses and reputational damage.
An example from early 2024 involved Cloudflare’s internal Atlassian systems, which were breached because of tokens and service accounts compromised at Okta, a major identity platform. Despite Cloudflare’s quick detection and response, including rotating credentials, some tokens weren’t fully rotated, allowing attackers further access.
This isn’t an isolated case—80% of organizations have experienced identity-related breaches. In 2024, the DBIR ranked “Identity or Credential Compromise” as the top attack vector. The fallout from incidents like Cloudflare’s underscores the costly, time-consuming nature of recovering from such breaches, a burden no organization wants to bear.
Fixing mismanaged identities requires both addressing current risks and preparing for future ones. While no solution is instantaneous, organizations can effectively reduce their exposure to non-human identity risks with a combination of immediate steps and longer-term strategies.
How to Manage NHIs: Starting with Secrets Security# To protect non-human identities, companies must take a proactive, comprehensive approach, beginning with secrets security. Securing NHIs starts with implementing effective secrets management strategies:
- Achieve Full, Continuous Visibility You cannot protect what you cannot see. Secrets security requires monitoring a wide range of assets, including source code repositories, cloud storage, and even external sources like GitHub. By expanding visibility, organizations can assess the scope of exposure and address vulnerabilities.
- Prioritize Remediation Secrets security is an ongoing process, not a one-time fix. Integrating secrets security into software development and operational workflows allows for timely identification and revocation of compromised secrets. This reduces the risk of exploitation before attackers act.
- Integrate with Identity and Secrets Management Systems To fully assess the risks of leaked secrets, integration with identity and privileged access management systems is key. This allows organizations to contextualize leaks and understand their potential impact on non-human identities.
Shifting the Security Focus: From Perimeter to Secrets Security# The rise of non-human identities has introduced new security challenges that traditional perimeter-based strategies can no longer address. As the recent wave of breaches highlights, mismanaging NHIs can lead to significant consequences. However, by focusing on secrets security through detection, remediation, and integration with identity systems, organizations can reduce risks and strengthen their overall security posture.
Although the task may seem daunting, the shift toward secrets security is a crucial evolution in cybersecurity. The time to act is now—are you ready to take control of your secrets security? Start today with GitGuardian.
