Security Experts:

Connect with us

Hi, what are you looking for?


Identity & Access

Non-Human Identities: The New Blindspot in Cybersecurity

Since the introduction of computers, usernames and passwords have been the primary method used for access control and authentication. However, as post-mortem analysis of most data breaches reveals, compromised credentials have become the primary point of attack for today’s cyber adversaries.

Since the introduction of computers, usernames and passwords have been the primary method used for access control and authentication. However, as post-mortem analysis of most data breaches reveals, compromised credentials have become the primary point of attack for today’s cyber adversaries. In fact, a recent study by the Identity Defined Security Alliance (IDSA) reveals that credential-based data breaches are both ubiquitous (94% of survey respondents experienced an identity-related attack) and highly preventable (99%). 

Nonetheless, many organizations are still lacking key identity-related security controls and the few forward-thinking companies that have started applying proper access controls are typically focusing on human users. This flies in the face of reality. With digital transformation initiatives that span DevOps, cloud transformation, Internet of Things (IoT), etc., the sheer number of non-human identities far outweighs human users. So, what does this mean for the future of passwords and how organizations approach controlling access to their sensitive resources?

For decades, users have been using static passwords to log in to various accounts and services. Unless mandated by policy, personal preferences, or in response to a data breach, the average password remains unchanged from the moment it is created. This makes it highly susceptible to threat actors, since a static password provides a low probability for verifying the authenticity of a user and can just as easily be a compromised credential purchased on the Dark Net. 

Once in the hands of a cyber-attacker, a stolen password can provide unrestricted access to the compromised account, the ability to move laterally within the network and disrupt business processes or exfiltrate sensitive information. The impact is even more significant if the account belongs to a privileged user, who holds the “keys to the kingdom”. Even when an organization has hardened its security posture by implementing multi-factor authentication (MFA), this added layer of protection does not address threats associated with non-human identities.

Go Beyond Static Passwords

Today, identities include not just people but workloads, services, and machines. In fact, non-human identities represent the majority of “users” in many organizations. Machine identities are often associated with privileged accounts, and typically have a much larger footprint than traditional human privileged accounts within modern IT infrastructures. This is especially true in DevOps and cloud environments, where task automation plays a dominant role. 

These often pose a blind spot, since machine, IoT, service account, and application identities are not always considered when establishing security controls. Besides underestimating the relevance of non-human identities in the context of a data breach, many organizations are quickly realizing that the traditional static password concept that often requires manual and time-consuming configurations is not suitable in fast-moving multi-cloud and hybrid environments, where access needs are often temporary, and changes are constant.

The Future of Authentication: Ephemeral Tokens

Instead of continuing to rely on a static password model, organizations should move to a dynamic password approach. These ephemeral, certificate-based access credentials address the major security issues that plague static passwords without impacting usability and agility in highly digitalized IT environments. 

When implementing ephemeral certificate-based authorization, the target systems are accessed without the need for permanent access credentials, establishing a “zero standing privilege” stance that ensures all access to services must be authenticated, authorized, and encrypted. For each session (be it for a human or machine), the ephemeral certificate is issued from the Certificate Authority (CA), which serves as the trusted third-party and is based on industry-standards such as the temporary X.509 certificate. It encodes the user identity for security purposes and has a short lifetime, avoiding the risk of man-in-the-middle attacks. 

Ultimately, the CA controls access to the target system based on user roles (including roles assigned to workloads, services, and machines), which are created based on rules. The rules for particular roles are generated according to security policies and access requirements. The CA then obtains the rules for each role from the traditional enterprise directory (e.g., Microsoft Active Directory) and uses them to determine proper authentication. This approach alleviates setting up access for each individual user and enables streamlined updates to groups of users.


The integration of identity with security is still work in progress, with less than half of businesses having fully implemented key identity-related access controls according to the IDSA research study. To make things worse, we simply can’t trust static passwords anymore. Furthermore, they’re not suitable for today’s machine identity dominated IT environments that are built for agility and fast-paced change. A better approach is to implement a dynamic password model that when combined with a least privilege approach minimizes the risk of identity-related breaches.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Identity & Access

Strata Identity has raised $26 million in a Series B funding round led by Telstra Ventures, with additional investment from Forgepoint Capital, Innovating Capital,...