The Importance of Securing Non-Human Identities in a University Environment

Non-human identities (NHIs) refer to the digital identities that enable authentication and access between machines, applications, and automated processes without human involvement. 

Examples of NHIs include service accounts, shared secrets, cloud tokens, and API keys—all essential components of modern cloud-based environments. 

Given the pace of technological advancements, particularly in artificial intelligence (AI), NHIs are becoming more integral to our daily operations. However, they are often poorly monitored compared to human identities. When unmanaged, NHIs can be discoverable by malicious actors. 

The growing security risk of NHIs in our environment 

As our reliance on cloud services and third-party integrations grows to support research, administration, and student services, we face new challenges. Each integration introduces multiple new potential attack vectors, significantly expanding our attack surface. 

AI systems require access to critical resources such as email, databases, and internal networks to function effectively. Over time, their reach and integration will only expand, making security even more complex. 

Our mission at the university is to support research, foster innovation, and facilitate seamless collaboration across institutions. We operate in an increasingly interconnected environment where limiting access could stifle progress. With this in mind, the Information Security Office (ISO) is developing strategies to better manage NHIs, ensuring they are secure, properly monitored, and integrated into our broader cybersecurity framework. 

Some key security risks include: 

• Expanded attack surface: NHIs provide access to highly sensitive resources and data, making them attractive targets for attackers.
• Lack of lifecycle management: Unlike human identities, NHIs do not undergo onboarding or offboarding processes, leading to outdated or orphaned credentials.
• Visibility challenges: Lack of full visibility into how many NHIs exist, their purpose, and whether they are still in use. 

Best practices for securing NHIs 

For those in our community who manage NHIs, ISO recommends mitigating risk with a structured approach to NHI security, including: 

1. Strengthening API key security
   • Enforce strict access permissions for API keys.
   • Automatically rotate security keys at regular intervals.
   • Invalidate old or unused API keys to prevent unauthorized access.
2. Managing service accounts
   • Conduct periodic reviews of service account permissions to ensure adherence to the principle of least privilege.
   • Implement automated credential lifecycle management to facilitate the creation, rotation, and removal of service account credentials.
3. Enhancing attack surface management
   • Monitor NHIs to determine which are active, inactive, or overly privileged.
   • Protect against supply chain attacks by ensuring third-party integrations adhere to security best practices.
4. Improving visibility and governance
   • Identify the number and types of NHIs in our environment.
   • Assess whether NHIs are actively used or have been abandoned.
   • Implement controls to prevent unauthorized discovery and misuse of NHIs. 

As we continue our digital transformation, securing NHIs must be a priority. By enforcing strict access controls, automating credential management, and maintaining visibility into NHIs, we can reduce our attack surface and safeguard critical data.