Leveraging Credentials As Unique Identifiers: A Pragmatic Approach To NHI Inventories
Briefly

Identity-based attacks are proliferating, particularly those involving non-human identities (NHIs), which attackers use to access resources and sensitive data. Recent data shows that 83% of attacks involve compromised secrets, with attackers favoring stolen credentials over exploiting system vulnerabilities. NHIs significantly outnumber human identities and lack effective multi-factor authentication. Traditional identity management relies on human traits, but securing machine identities requires focusing on access keys. A clear definition of NHIs remains elusive, complicating management efforts.
According to reports such as the Verizon DBIR, attackers are more commonly using stolen credentials to gain their initial foothold, rather than exploiting a vulnerability or misconfiguration.
Securing machine identities means getting a handle on the unique trait that bad actors actually care about, namely, their access keys.
Unlike humans, machines have no good way to achieve multi-factor authentication, and we, for the most part, have been relying on credentials alone.
Most teams struggle with defining NHIs. The canonical definition is simply 'anything that is not a human,' which complicates identity management.
Read at The Hacker News