Transcript
things SailPoint products and solutions. I'm your host, Alex Niemann. And today with me, I have Mr. Lalit Choda, also known as Mr. NHI. How are you? I'm very well, thanks. Lalit is the CEO and founder of the Non-Human Identity Management Group. We are so excited to have you here today. And I have a number of questions. NHIs, or non-human identities, is a really hot topic today. So we are excited to have you here. Welcome to Navigate, by the way. And we're going to dive right in, if you don't mind. So would you mind painting a picture for our audience, right? When we talk about non-human identities or machines or whatnot, right? What type are we really talking about? Are we talking about service accounts, bots, all of the above? But most importantly, how did we get here? What makes them so tricky? Yeah. So, look, non-human identities, also referred to as machine identities, are the accounts, the identities that are used to operate all of your IT infrastructure. So literally everything that runs around the world sort of automatically relies on a non-human identity to operate, authenticate, and interact with other services. So you've got machines, devices, OT equipment. And then you have your software workloads, CI/CD pipelines, bots, and now AI agents. But in terms of NHIs, there's sort of two main buckets, where it's kind of like what people would call maybe the legacy static credentials, and they would be things like passwords, API keys, tokens, service accounts. And then more modern IAM, you've got then sort of things like OAuth2, OIDC, SVIDs, IAM roles. So these are the identities that are used to operate all of our infrastructure in an automated way without any human intervention. Great. Well, it sounds like it's a varied group of things, right? There's secrets, there's identities, accounts, all sorts of things. Now let's talk numbers for a second, because we hear many different figures, right?
But we just heard something recently, 50 million leaked API keys and service accounts or tokens on the dark web. We know for a fact that there are more non-human identities than human ones, and, you know, anywhere from five times to 25 and 50 times the number of human identities. I guess most importantly, what failed? How did we get here? Because we know that they are, you know, tricky to secure. And algorithms are trying to find them all. So talk to us a little bit about these numbers. Sure. Yeah, look, most people will quote 25x to 50x in terms of humans to non-humans. And then with now agentic AI, that's going to just increase dramatically. What's failed? I'm not sure anything's failed, but I think what's happened is in the industry over the last 15, 20 years, you know, we've seen huge hyper-fragmentation in the environment. Right. You know, before it was about protecting, you know, your internal on-prem systems. And now that things have gone highly distributed, we've got multi-cloud, we've got SaaS, API-based services, and then also with microservices and containerization, that's caused a huge proliferation in the need to have NHIs. Sure. And then we talk about something called secret sprawl. So now before, you know, the secrets, the credentials were just in-house within your organization, but now with that highly distributed environment, cloud, SaaS, a lot of these credentials are sort of out in the wild. So one of the stats, 23.7 million secrets were found in public GitHub repos. So that's really the challenge: kind of people have needed to use and grow their NHIs, but they haven't thought about a security-first approach, because really managing and securing NHIs is very, very difficult. Right. Indeed. So, thank you for that. I know you're a practitioner, right, and you've been in this space for quite a bit of time.
So let's talk a little bit more in practice, right, advice for practitioners watching this and saying, okay, how do I go about systematically finding all of my accounts and all of my identities? So do you have a roadmap that you would recommend for our audience? Sure. Look, I think the challenge with dealing with NHIs is so big for an organization. I would say it's probably going to be the hardest challenge you're going to have to deal with. And now with agentic AI coming there, you have to really look at this kind of holistically and come up with a strategy of how you're going to tackle this huge elephant in the room. Sure. For most organizations, this is going to be a multi-year program, two, three, four years. The last program I ran at a big financial institution, we're into year five of that program because we were dealing with hundreds of thousands of NHIs. So look, when you go about tackling and establishing an NHI program, yes, the number one focus is first understanding your inventory, discovering all your NHIs to understand the size of the problem. Have you got 10,000? Have you got a million? And most organizations, when they start that discovery exercise, will discover much, much more is out there than they expected. But even discovery and inventory is challenging because you've got that hyper-fragmented environment. You need to go to all the endpoints, local accounts, databases, or your on-prem. Cloud's a lot easier. And some of the SaaS API keys, again, there's no real inventory. So there's no common source for how you manage NHIs. It's very distributed. It spans across IAM, DevSecOps, cyber groups. So start with inventory. The next thing is to classify, understand sort of the risk levels and the breadth of access. NHIs are typically highly privileged, but you need to understand what access they have, what systems they have access to, are they admin accounts or are they read accounts? So you can start to take a risk-based approach.
The next step in the process would be to look at posture management or hygiene. Because again, because there's very weak controls typically around managing NHIs, you're going to see, for example, many stale accounts that get created and get forgotten about because there's no inventory. No expiration dates. No ownership. I've been in organizations where we've actually had to, we've discovered 50, 60% of the accounts stale and inactive. So cleaning those up, reducing permissions from write to read. So there's many techniques you can do to reduce the risk. Then it comes to securing the credentials. You're going to find hard-coded credentials in source code and other places. So a big effort will be required in vaulting, scanning solutions, and then also password rotation or credential rotation. You then need to move on to monitoring controls to understand who's using the NHIs. And surprisingly, humans within your organization use them all the time. So it's very important to stand up a monitoring control. Then finally, you need to look at more modern techniques around sort of dynamic ephemeral credentials, stop people checking in code at runtime. So then it's moving from that detective to preventative kind of model. So that's kind of the typical life cycle we recommend for organizations. No, that makes sense. And I think my biggest takeaway from what you just said is you have to look at this as a program. You said the word program, not a project, because I think that's a lot of the expectation from organizations, that this will be a project. Not necessarily a one and done, but it will never be that. I think it has to be a continuous program for sure. Now, if we think about AI agents, right, it's a new identity. It's a new thing. We're still trying to figure out, okay, what are going to be the implications? Does anything change from a tooling perspective? Like, what should organizations be looking into today?
Are there new, obviously new threats, but maybe talk a little bit about what we might expect from the threat perspective. Does that require a new tool or a new investment? What should they be looking at? Yeah, that's quite a lot to cover there in terms of the question. I think from a threat standpoint, we're already seeing the use of AI, LLM technologies to mount attacks on organizations. So clearly the threat actors, the hackers, are definitely leveraging AI to sort of now move much, much faster in discovering and compromising credentials. So clearly from a threat landscape, you know, I guess there's going to be an evolution in tooling that can deal with sort of monitoring controls, detecting, but I think really we need to move more towards a real-time threat protection model, not just detect, because by the time you detect, it's too late. You need to stop these things in their tracks. Now clearly with the way AI agents can be very adaptive, how can you, they're not very deterministic, you know, so looking at common patterns, you know, isn't really going to work for the agentic AI world. Look, in terms of sort of technologies, tooling, I guess the biggest breakthrough in helping standardize the development of AI agents is MCP, Model Context Protocol, that provides a standard way for AI agents to kind of communicate, interact with other services and data sources. So look, standards are evolving, you know, but it's such a fast-moving environment. You know, I think my main guidance would be take it slow, don't rush with the development of agentic AI, and have appropriate controls and guardrails around it and keep the scope, the privileges, you know, as minimal as possible to begin with, but, you know, this discussion in a year's time will be very different. Yes, I think we can talk about that for a long time.
We can be here for a long time, but you did say something that we've actually been thinking through and talking to our customers about, which is moving from detection to more real-time. So just moving from that reactionary to just being a lot more proactive, and I think it overall helps our customers just reduce their attack surface because they're reducing risk. So thank you for that, Lalit. I know there was a lot to unpack there. One more question. Let's talk about attackers for a second, because we know that they are leveraging non-human identities a lot more for the same reasons that you just mentioned, right? They are not necessarily, they have weaker controls, they're not necessarily monitored all the time. Is there any recent incident or breach, without naming names, that you can perhaps, you know, review, go over with us, where our customers can just learn something from that? Sure. I mean, look, our group published a big report a few months ago, 52 NHI breaches, just showing how prevalent NHI-based attacks are. I guess one in December involved actually the US Treasury getting breached. You know, there was a particular PAM solution that was being used by the Treasury, and there was an exposed API key that the threat actors, you know, were able to take advantage of to get into the remote support SaaS solution. And once in, they were able to change the local account passwords and then do the typical things of exfiltration. So that was a huge, huge compromise, you know, that woke up the industry. What are some of the lessons learned? Clearly, you know, API keys are probably one of the most compromised types of credentials. In essence, they're just a password. So being able to discover them, you know, based on what we talked about earlier, becomes very easy for the hackers. You know, best practices around regularly rotating these keys are really important.
It's important to make sure that they're secure, not hardcoded in public repos, you know, in vaults and other solutions, and make sure there's proper segregation, that you don't use the same key for all of your deployments with all of your customers. But look, really, you need to move away from static credentials to just-in-time, zero standing privileges. That's really going to be the only way you're going to be able to address these problems. Lalit, that is a really good point. And in a way, my key takeaway here is twofold, right? One is, all of the things you just mentioned are really foundational, right? Vaulting, segmentation. All of those things are things that we have been hearing for a while. So somehow we have to help organizations continue to go back to hygiene and work on the foundational things. The basics. Exactly, the basics. But also, moving into more dynamic, just-in-time, to be able to keep up with the new threats that are coming. So great points. Thank you so much for being here today and giving us a little bit of your wisdom on non-human identities. It's always a pleasure. It's a pleasure. Thank you. Thank you. Thank you so much, everybody, for watching, for tuning in. And if you are interested in watching more episodes, please visit sailpoint.com. Thank you.