Summary
This white paper discusses non-human identities (NHIs) within the context of software as a service (SaaS) and the associated risks they pose to data and operations. It begins by defining NHIs and contrasting them with human identities, highlighting their lack of standard security checks such as multi-factor authentication (MFA). The document outlines various forms of NHIs, including shadow applications and their integration into authorized applications, which complicates security governance. It details the methods of granting access to NHIs, such as API keys and OAuth authentication, and provides examples of typical NHI activities. The paper also identifies five reasons why non-human accounts may be less secure than human accounts, emphasizing the need for visibility, effective permission management, and robust threat detection to mitigate risks. Furthermore, it discusses SaaS security posture management (SSPM) and identity threat detection and response (ITDR) as frameworks for monitoring and protecting against threats posed by NHIs.
