Identity & Access Management

NHI Security, Part 1: Non-Human versus Human Identity

Darren Highfill
May 7, 2025

The concept of “Non-Human Identity” (NHI) is fairly straightforward: identity for everything capable of taking action that isn’t human. As a pure definition, however, this casts the net a bit wide. Taken literally, NHI covers not only robots and software agents but everything from legal entities to pets carrying an identification microchip so they can be returned to their owners. In this series, we focus on cybersecurity in the modern business context, along with the implications for managing the technologies under our influence and control.

Machine Identity is a similar concept to NHI. We have had processes and solutions built around managing Machine IDs for many years now. But policies around Machine IDs have been somewhat narrow, treating the entities largely as inanimate objects tracked in inventory. The few times our policies accounted for machines taking action, we treated them as puppets with an assumption we could easily trace the machine’s action to a person pushing a button.

The agents and empowered automata of today’s NHI demand we develop a more mature view of how they operate on our behalf. It’s not just physical machines or their components anymore. It’s programs, processes, and an array of other things that live in memory and may not have a permanent address. Further, these things muddy the picture of responsibility that enables us to figure out who pushed what button. We used to think about a computer only taking action when its human bashed away at a keyboard. NHI means the model has gotten more complicated.

So, NHI includes Machine Identity, but also includes things like service accounts, workloads, AI bots, or any other entity that takes action within the modern digital environment. We have programmed these entities to take action when triggered by a set of conditions or in response to a prompt. It’s time we built our frameworks and policies to reflect this notion.

Existing Identity and Access Management (IAM) policies are built around the human experience. Here, we are talking about non-human things that can also take action. Some IAM concepts can be adapted to NHI; however, critical differences between human and non-human behavior (how each of us acts) point to the need for parallel but separate policies.

Notably, humans and NHI operate at different speeds, exhibit different lifespans, and respond to unknowns in different ways. Humans engage with technology interactively, taking time to absorb and process input before determining a response. NHI are pre-programmed with decision trees that fire almost instantly when prompted. While you might be able to slow a computer down to mimic human interaction speeds, there is no way to speed up a human to rival a computer’s rate of response.

NHI also tend to have much shorter lifespans than the identities we create to represent humans. Workloads might be spun up, down, and up again multiple times a minute. But even if a person is hired and fired in the same day, the corresponding human identity is likely to last months by the time you account for the hiring process, termination, and data retention.

The most profound difference between NHI and human identity, however, is that non-human technologies do not handle unknowns as well as humans. An NHI’s existence is defined by a small set of assumed relationships, with hard boundaries and constraints on how it operates. Input that blurs those lines is either ignored or produces unexpected, and usually undesired, results.

In contrast, humans are exceptionally adaptable, spending our entire lives dealing with in-betweener situations and not knowing if what comes next will even fit our model. When presented with a new kind of relationship or a boundary or constraint between us and a goal, we get creative, we do research, we question our assumptions - all while feeding new information back into a re-definition of the problem space.

We would do well to frame our policies for NHI in these terms, placing humans as the slower, longer-lived, error-catching backstop for when things go wrong. Each NHI should be connected to multiple humans so when we have questions, we can pause and reach out. This pause enables us to understand context, design intent, and deployment sensitivities so we can figure out how to get the outcome we need.

We need to supplement our identity management frameworks with processes to support the greater volume, higher turnover, and faster speed of NHI. And we should take advantage of NHI strengths, insisting each instance use its comparatively perfect memory to retain evidence of actions taken and help us understand all the ways it is linked to our ever-growing list of business processes.
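The two preceding paragraphs describe what a parallel NHI policy would require: every NHI tied to more than one human, credentials that reflect the short lifespan of the entity, and an evidence trail for each action together with links to the business processes the entity serves. The following is an added example, not code from the original post, that turns those requirements into a checker run over a constructed inventory. The record layout, the field names, the thresholds (two human owners, a one-day credential age, a thirty-day staleness window) and the sample records are all assumptions made for illustration.

```python
"""Policy checks for a non-human identity (NHI) inventory.

Added illustration, not from the original post. Record layout and
thresholds are assumed; adjust them to the environment being governed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class NHIRecord:
    name: str
    kind: str                          # e.g. "service_account", "workload", "ai_agent"
    human_owners: List[str]            # humans to pause and reach out to
    credential_issued_at: datetime     # when the current credential was minted
    last_action_at: Optional[datetime] # most recent action taken by this identity
    last_action_evidence: Optional[str]  # assumed: audit stream / trace id for that action
    linked_processes: List[str]        # business processes this identity participates in


# Assumed policy thresholds for illustration.
MIN_HUMAN_OWNERS = 2                    # more than one person to ask when questions arise
MAX_CREDENTIAL_AGE = timedelta(days=1)  # NHI credentials should turn over quickly
STALE_AFTER = timedelta(days=30)        # an NHI that never acts is an orphaned grant


def check_record(rec: NHIRecord, now: datetime) -> List[str]:
    """Return the list of policy findings for one NHI record (empty if compliant)."""
    findings: List[str] = []

    # Multiple distinct humans must stand behind each NHI.
    if len(set(rec.human_owners)) < MIN_HUMAN_OWNERS:
        findings.append("insufficient_human_owners")

    # Short lifespan: a credential older than the policy window has outlived its purpose.
    if now - rec.credential_issued_at > MAX_CREDENTIAL_AGE:
        findings.append("credential_exceeds_max_age")

    # Perfect memory: an action with no retained evidence breaks the trail of responsibility.
    if rec.last_action_at is not None and not rec.last_action_evidence:
        findings.append("action_without_evidence")

    # An NHI that has not acted recently (or ever) is standing privilege nobody is using.
    if rec.last_action_at is None or now - rec.last_action_at > STALE_AFTER:
        findings.append("stale_or_never_used")

    # Every NHI should map to at least one business process it serves.
    if not rec.linked_processes:
        findings.append("no_business_process_link")

    return findings


def check_inventory(records: List[NHIRecord], now: datetime) -> Dict[str, List[str]]:
    """Run check_record over an inventory, keyed by NHI name."""
    return {rec.name: check_record(rec, now) for rec in records}


# Constructed sample data (not real identities).
SAMPLE_NOW = datetime(2025, 5, 7, 12, 0, tzinfo=timezone.utc)

SAMPLE_INVENTORY = [
    NHIRecord(
        name="billing-worker",
        kind="workload",
        human_owners=["alice", "bob"],
        credential_issued_at=SAMPLE_NOW - timedelta(hours=2),
        last_action_at=SAMPLE_NOW - timedelta(minutes=5),
        last_action_evidence="audit/billing-worker/2025-05-07T11:55Z",
        linked_processes=["invoicing"],
    ),
    NHIRecord(
        name="legacy-backup-svc",
        kind="service_account",
        human_owners=["carol"],
        credential_issued_at=SAMPLE_NOW - timedelta(days=400),
        last_action_at=SAMPLE_NOW - timedelta(days=200),
        last_action_evidence=None,
        linked_processes=[],
    ),
    NHIRecord(
        name="support-chat-agent",
        kind="ai_agent",
        human_owners=["dave", "erin"],
        credential_issued_at=SAMPLE_NOW - timedelta(hours=12),
        last_action_at=SAMPLE_NOW - timedelta(hours=1),
        last_action_evidence=None,
        linked_processes=["customer-support"],
    ),
]


if __name__ == "__main__":
    for name, findings in check_inventory(SAMPLE_INVENTORY, SAMPLE_NOW).items():
        print(f"{name}: {', '.join(findings) if findings else 'compliant'}")
```

The point of running this as a separate pass, rather than bolting it onto a human-oriented joiner/mover/leaver review, is that the thresholds are different in kind: a one-day credential age or a thirty-day inactivity window would be absurd for a person but is the natural scale for a workload that is recreated many times an hour.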

Part 2: Identity and Secrets
