Full Report
When we talk about identity in cybersecurity, most people think of usernames, passwords, and the occasional MFA prompt. But beneath the surface lies a growing threat that does not involve human credentials at all: the exponential growth of Non-Human Identities (NHIs). When NHIs come up, most security teams immediately think of Service Accounts.
Analysis Summary
# Best Practices: Non-Human Identity (NHI) and Secrets Management
## Overview
These practices address the growing cybersecurity risk posed by Non-Human Identities (NHIs)—such as Service Accounts, Service Principals, and IAM Roles—and the associated "secrets" (API keys, tokens, certificates) they use for authentication. NHIs are numerous, often lack traditional human-centric governance (like MFA), are prone to sprawling across infrastructure, and represent a significant, often hidden, attack surface.
## Key Recommendations
### Immediate Actions
1. **Establish Initial Secret Inventory Scope:** Begin mapping all known locations where secrets reside, focusing initially on application configuration files, source code repositories (especially public mentions), and cloud provider secrets managers (AWS, Azure, GCP).
2. **Audit High-Privilege Secrets:** Immediately identify and review any secrets, particularly API keys and tokens, that possess broad or administrative access rights, as these represent the largest immediate blast radius if leaked.
3. **Block Public Exposure:** Implement immediate repository scanning or enforcement tools to prevent new secrets from being committed to public platforms like GitHub.
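The three immediate actions above come down to one detection problem: finding secret-shaped strings in files before (or after) they reach a repository. The following is an added example, not code from the report, of the kind of scanner a pre-commit or pre-receive hook would run. The file contents, the GitHub token and the rule names are constructed for the demo (the AWS key is Amazon's documented placeholder key); provider-specific prefixes are checked first, and a generic "secret-looking assignment" rule with a Shannon-entropy threshold catches the rest.

```python
import math
import re
from typing import Dict, List

# Constructed sample repository contents (fake credentials for the demo; the
# AWS key is Amazon's documented "EXAMPLE" key, the GitHub token is made up).
SAMPLE_FILES: Dict[str, str] = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "scripts/deploy.sh": (
        "#!/bin/sh\n"
        "export GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz\n"
        'curl -H "Authorization: Bearer ${GITHUB_TOKEN}" https://api.example.invalid/deploy\n'
    ),
    "README.md": "Run `make test` before pushing.\n",
}

# Provider-specific formats: fixed prefix plus fixed length, very low false-positive rate.
SPECIFIC_PATTERNS = [
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
]

# Fallback: a secret-looking variable name assigned a long opaque value.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(secret|password|passwd|token|api[_-]?key)[A-Za-z0-9_]*"
    r"\s*[=:]\s*['\"]?([A-Za-z0-9/+_\-]{20,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; English prose rarely exceeds ~3.0


def shannon_entropy(value: str) -> float:
    """Bits per character of the string; random key material scores high."""
    if not value:
        return 0.0
    n = len(value)
    counts = {ch: value.count(ch) for ch in set(value)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> List[dict]:
    """Return one finding per line; the secret value itself is never recorded."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        rule = None
        for name, pattern in SPECIFIC_PATTERNS:
            if pattern.search(line):
                rule = name
                break
        if rule is None:  # only fall back to the generic rule if nothing specific hit
            m = GENERIC_ASSIGNMENT.search(line)
            if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
                rule = "generic-high-entropy"
        if rule:
            findings.append({"path": path, "line": lineno, "rule": rule})
    return findings


def scan_files(files: Dict[str, str]) -> List[dict]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


def commit_allowed(files: Dict[str, str]) -> bool:
    """Pre-commit / pre-receive gate: block the push when anything is found."""
    return not scan_files(files)


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}: {f['rule']}")
    print("commit allowed:", commit_allowed(SAMPLE_FILES))
```

Findings report the path, line and rule only: a scanner that echoes the matched value into CI logs or a ticket simply creates a second leak. In a real hook the same `scan_text` would be fed the staged diff rather than whole files, and every hit should be treated as a revocation event, since a secret that reached a commit must be assumed exposed even if the push was rejected.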
### Short-term Improvements (1-3 months)
1. **Enforce Secret Expiration Defaults:** Configure mandatory, short-term expiration policies (e.g., 90 days absolute maximum) for newly generated API keys and tokens across all platforms where possible.
2. **Implement Centralized Secrets Management Adoption:** Begin migrating secrets out of hardcoded locations (codebases, configuration files, developer laptops) into centralized, audited secrets managers.
3. **Audit CI/CD Pipeline Secrets Usage:** Conduct a detailed review of secrets utilized within Continuous Integration/Continuous Delivery (CI/CD) pipelines to ensure they are only injected at runtime and removed immediately after use.
### Long-term Strategy (3+ months)
1. **Develop Formal NHI Governance Framework:** Design and implement a comprehensive governance model for the entire lifecycle (creation, usage, rotation, destruction) of all NHIs, independent of human identity lifecycle management.
2. **Integrate Automated Secret Detection Across All Sources:** Deploy tooling capable of scanning legacy systems, collaboration platforms (Jira, Slack, Notion), and documentation tools to detect and remediate existing secret sprawl.
3. **Enforce Least Privilege for NHIs:** Systematically review and reduce the permissions assigned to all service accounts and roles, ensuring each credential only has the minimum access necessary to perform its intended function (Zero Trust for Machines).
4. **Establish Secret Auditability and Ownership:** Mandate clear ownership for every secret and establish mechanisms to audit access and usage patterns, compensating for the lack of MFA with stringent logging and anomaly detection.
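Point 3 (least privilege for NHIs) is the one that can be checked mechanically: a policy attached to a service account either contains wildcard grants or it does not. As an added example, not from the report, the analyzer below reads an AWS-style IAM policy document and reports the grants a least-privilege review would push back on (`Action: "*"`, `NotAction`, service-wide `service:*` actions, `Resource: "*"`). The policy document, statement IDs and severity scale are constructed for the example.

```python
import json
from typing import List

# Constructed IAM-style policy for a hypothetical reporting service account.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadAssets", "Effect": "Allow",
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-assets-example/*"},
        {"Sid": "JustInCase", "Effect": "Allow",       # the "never expires, broad access" anti-pattern
         "Action": "*", "Resource": "*"},
        {"Sid": "Dynamo", "Effect": "Allow",
         "Action": ["dynamodb:*"], "Resource": "*"},
        {"Sid": "NoBucketDelete", "Effect": "Deny",    # Deny only narrows access; not flagged
         "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
})

SEVERITY_ORDER = ["MEDIUM", "HIGH", "CRITICAL"]


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def analyze_policy(policy_json: str) -> List[dict]:
    """Return least-privilege findings for every Allow statement in the policy."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid") or f"statement-{idx}"
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wildcard_action = False

        if "NotAction" in stmt:  # grants everything except the listed actions
            wildcard_action = True
            findings.append({"sid": sid, "severity": "CRITICAL",
                             "issue": "NotAction allows every action not explicitly listed"})
        if "*" in actions:
            wildcard_action = True
            findings.append({"sid": sid, "severity": "CRITICAL",
                             "issue": "Action '*' allows every API call"})
        for action in actions:
            if action != "*" and action.endswith(":*"):
                wildcard_action = True
                findings.append({"sid": sid, "severity": "HIGH",
                                 "issue": f"service-wide wildcard action {action}"})
        if "*" in resources:
            # A wildcard resource is bad on its own, much worse next to a wildcard action.
            findings.append({"sid": sid, "severity": "HIGH" if wildcard_action else "MEDIUM",
                             "issue": "Resource '*' applies the grant to every resource"})
    return findings


def worst_severity(findings: List[dict]):
    """Highest severity present, or None for a clean policy."""
    if not findings:
        return None
    return max((f["severity"] for f in findings), key=SEVERITY_ORDER.index)


def flagged_statements(findings: List[dict]) -> set:
    return {f["sid"] for f in findings}


if __name__ == "__main__":
    results = analyze_policy(SAMPLE_POLICY)
    for f in results:
        print(f"[{f['severity']}] {f['sid']}: {f['issue']}")
    print("worst:", worst_severity(results))
```

Run across every policy attached to service accounts and roles, the output is the work queue for point 3: `CRITICAL` statements are the "just in case" credentials the pitfalls section warns about, and the clean `ReadAssets` statement is what a scoped grant looks like. The same scan applied to Azure role assignments or GCP bindings needs only a different parser; the rule set is the same.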
## Implementation Guidance
### For Small Organizations
- **Prioritize Repository Scanning:** Focus resources on implementing basic DAST/SAST tools that scan source code pushed to version control, as this is the most common leakage vector.
- **Leverage Native Cloud Secrets Managers:** Utilize built-in solutions (e.g., AWS Secrets Manager, Azure Key Vault) for initial centralization, as they integrate natively with existing cloud infrastructure.
### For Medium Organizations
- **Inventory Across Platforms:** Expand inventory beyond source control to include cloud environments (AWS IAM, Azure AD Service Principals) and initial application configuration stores.
- **Introduce Rotation Automation:** Automate the rotation process for frequently used secrets managed in vaulting solutions to reduce the window of exposure for static credentials.
### For Large Enterprises
- **Unified NHI Governance Platform:** Deploy a dedicated NHI Governance or comprehensive Secrets Management solution capable of scanning across code, cloud infrastructure, and collaborative tools/AI pathways for centralized enforcement.
- **Integrate with SIEM/Monitoring:** Ensure all secret access and rotation events from centralized vaults are fed into the Security Information and Event Management (SIEM) system to detect anomalous machine activity that mimics human threat indicators.
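Both the "audit access and usage patterns" strategy item under Long-term Strategy and the SIEM point above rely on the same idea: because a machine never answers an MFA prompt, the vault audit trail is the compensating control, and anomalies in it are the signal. The following added example (not the report's or any vault product's code) builds a per-principal baseline from a learning window of vault audit events and then flags later events that break it: a new source IP, a secret the principal has never read before, an hour it has never been active at, an unknown principal, or a denied request. The JSON-lines format and field names are constructed for the demo; a real vault's audit log would need a small field mapping.

```python
import json
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed vault audit events (JSON lines). The first block is the
# learning window; the second is the stream to evaluate.
BASELINE_LOG = """
{"ts":"2024-05-01T02:00:11Z","principal":"svc-billing","action":"read","secret":"prod/db/billing","source_ip":"10.20.1.15","result":"success"}
{"ts":"2024-05-02T02:00:08Z","principal":"svc-billing","action":"read","secret":"prod/db/billing","source_ip":"10.20.1.15","result":"success"}
{"ts":"2024-05-03T02:00:14Z","principal":"svc-billing","action":"read","secret":"prod/db/billing","source_ip":"10.20.1.15","result":"success"}
{"ts":"2024-05-01T13:04:02Z","principal":"svc-ci","action":"read","secret":"prod/deploy/token","source_ip":"10.30.0.7","result":"success"}
{"ts":"2024-05-02T13:07:45Z","principal":"svc-ci","action":"read","secret":"prod/deploy/token","source_ip":"10.30.0.7","result":"success"}
"""

NEW_LOG = """
{"ts":"2024-05-08T02:00:09Z","principal":"svc-billing","action":"read","secret":"prod/db/billing","source_ip":"10.20.1.15","result":"success"}
{"ts":"2024-05-08T14:05:41Z","principal":"svc-billing","action":"read","secret":"prod/db/hr","source_ip":"203.0.113.9","result":"success"}
{"ts":"2024-05-08T13:12:03Z","principal":"svc-ci","action":"read","secret":"prod/deploy/token","source_ip":"10.30.0.7","result":"success"}
{"ts":"2024-05-08T13:15:00Z","principal":"svc-reporting","action":"read","secret":"prod/db/billing","source_ip":"10.30.0.7","result":"denied"}
"""


def parse_events(text: str) -> List[dict]:
    """Parse JSON lines; timestamps become timezone-aware datetimes."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def build_baseline(events: List[dict]) -> Dict[str, dict]:
    """Per principal: the source IPs, secrets and UTC hours seen in the learning window."""
    baseline = defaultdict(lambda: {"ips": set(), "secrets": set(), "hours": set()})
    for ev in events:
        b = baseline[ev["principal"]]
        b["ips"].add(ev["source_ip"])
        b["secrets"].add(ev["secret"])
        b["hours"].add(ev["ts"].hour)
    return dict(baseline)


def detect_anomalies(baseline: Dict[str, dict], events: List[dict]) -> List[dict]:
    """One alert per event that deviates from the principal's baseline."""
    alerts = []
    for ev in events:
        reasons = []
        b = baseline.get(ev["principal"])
        if b is None:
            reasons.append("unknown_principal")
        else:
            if ev["source_ip"] not in b["ips"]:
                reasons.append("new_source_ip")
            if ev["secret"] not in b["secrets"]:
                reasons.append("new_secret")
            if ev["ts"].hour not in b["hours"]:
                reasons.append("off_hours")
        if ev.get("result") != "success":
            reasons.append("access_denied")
        if reasons:
            alerts.append({"ts": ev["ts"].isoformat(), "principal": ev["principal"],
                           "secret": ev["secret"], "reasons": reasons})
    return alerts


def run_detection() -> List[dict]:
    baseline = build_baseline(parse_events(BASELINE_LOG))
    return detect_anomalies(baseline, parse_events(NEW_LOG))


if __name__ == "__main__":
    for a in run_detection():
        print(a["ts"], a["principal"], a["secret"], ",".join(a["reasons"]))
```

The billing account's nightly read passes silently; the same account reaching an HR secret from an external address in the afternoon stacks three reasons, which is exactly the kind of event a SIEM rule should score higher than any single deviation. A principal with no baseline at all is worth an alert on its own, since it means a credential exists that the inventory in the Immediate Actions never captured.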
## Configuration Examples
*Note: Specific configuration commands depend heavily on the chosen native cloud or third-party tooling. The principal configuration goal should be:*
**Secret Lifespan Policy Example Target:**
Configure all newly created service authentication mechanisms (e.g., IAM Keys, OAuth Tokens) with a default expiration time **not exceeding 90 days**. Exceptions must require explicit security review and documented business justification.
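The 90-day target above, together with the Short-term item "Enforce Secret Expiration Defaults", is a policy that can be evaluated against a credential inventory on a schedule rather than at creation time only. As an added example, not the report's code, the audit below takes a constructed inventory of NHI credentials (name, type, creation and expiry dates, owner) and reports each one that has no expiry, a lifetime over the policy maximum, no assigned owner, or has already expired but is still present. The inventory entries and the evaluation date are made up for the example so the result is deterministic.

```python
from datetime import date
from typing import Dict, List, Optional

MAX_LIFETIME_DAYS = 90           # the policy target from the report
AS_OF = date(2024, 6, 1)         # fixed evaluation date for the demo

# Constructed NHI credential inventory (hypothetical names; None = never expires).
INVENTORY: List[dict] = [
    {"name": "billing-api-key", "type": "api_key", "created": "2024-05-10",
     "expires": "2024-08-08", "owner": "payments-team"},          # exactly 90 days: compliant
    {"name": "legacy-etl-key", "type": "iam_access_key", "created": "2022-01-15",
     "expires": None, "owner": None},                             # no expiry, no owner, ancient
    {"name": "ci-deploy-token", "type": "oauth_token", "created": "2024-04-01",
     "expires": "2024-10-01", "owner": "platform-team"},          # 183-day lifetime
    {"name": "old-reporting-key", "type": "api_key", "created": "2024-01-05",
     "expires": "2024-04-04", "owner": "data-team"},              # expired, never cleaned up
]


def evaluate_credential(cred: dict, as_of: date = AS_OF,
                        max_days: int = MAX_LIFETIME_DAYS) -> List[str]:
    """Return the policy violations for one credential (empty list = compliant)."""
    issues = []
    created = date.fromisoformat(cred["created"])
    if not cred.get("owner"):
        issues.append("no_owner")
    expires: Optional[str] = cred.get("expires")
    if expires is None:
        issues.append("no_expiration")
        # With no expiry the only lifetime we can measure is the age so far.
        if (as_of - created).days > max_days:
            issues.append("age_exceeds_policy")
    else:
        expiry = date.fromisoformat(expires)
        if (expiry - created).days > max_days:
            issues.append("lifetime_exceeds_policy")
        if expiry < as_of:
            issues.append("expired_not_removed")
    return issues


def audit_inventory(inventory: List[dict], as_of: date = AS_OF,
                    max_days: int = MAX_LIFETIME_DAYS) -> Dict[str, List[str]]:
    """Map credential name -> violations, omitting compliant credentials."""
    report = {}
    for cred in inventory:
        issues = evaluate_credential(cred, as_of, max_days)
        if issues:
            report[cred["name"]] = issues
    return report


if __name__ == "__main__":
    for name, issues in audit_inventory(INVENTORY).items():
        print(f"{name}: {', '.join(issues)}")
```

Each violation maps to a concrete action: `no_expiration` and `lifetime_exceeds_policy` mean re-issue with a compliant expiry (or file the documented exception the policy requires), `no_owner` blocks the rotation from even being scheduled, and `expired_not_removed` is a cleanup item, since a dead key left in an inventory is still a key someone may quietly re-enable.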
## Compliance Alignment
- **NIST SP 800-53 (AC & SC Controls):** Addresses requirements for system and communication protection, specifically around credential management and configuration baseline enforcement.
- **ISO/IEC 27002 (A.8 & A.12):** Aligns with asset management (identifying all NHI assets) and operational security (protection of system files).
- **CIS Benchmarks (Cloud specific):** Applying least privilege principles and secure credential storage configurations mandated by respective cloud provider CIS Benchmarks (AWS, Azure, GCP).
## Common Pitfalls to Avoid
- **Assuming Legacy PAM Tools are Sufficient:** Do not rely on traditional Privileged Access Management (PAM) tools designed for humans to adequately govern decentralized, API-driven NHIs.
- **Focusing Only on Code:** Forgetting that secrets are frequently leaked through documentation, chat logs (Slack, Teams), ticketing systems (Jira), and AI agent inputs/outputs.
- **Granting Static, Over-Permissive Access:** Creating "just in case" credentials with broad access that never expire to avoid development downtime.
- **Ignoring the Lack of MFA for Machines:** Failing to recognize that machine authentication bypasses typical MFA controls, necessitating compensating controls like strict network segmentation and time-bound tokens.
## Resources
- **Secrets Management Solutions:** Tools focusing on secrets vaulting, detection, and governance.
- **Secure Coding Standards Documentation:** Internal or industry standards detailing how environment variables and secrets should be handled during application development.
- **Cloud Identity Documentation:** Official documentation for AWS IAM, Azure AD, and GCP IAM regarding Service Account and Principal creation best practices.