
Non-Human Identity Security Best Practices

A consolidated set of NHI security best practices covering discovery, ownership, authentication, scoping, lifecycle, monitoring, and incident response.

A consolidated set of NHI security best practices, drawn from emerging standards (NIST CSF 2.0, PCI-DSS 4.0, ISO 27001), platform guidance (AWS, GCP, Azure, Workspace, M365, Salesforce), and real incident response experience.


1. Discovery and Inventory

  • Continuous discovery across cloud, SaaS, AD, K8s, code, secrets vaults.
  • Single inventory as source of truth.
  • Metadata recorded for each NHI: type, purpose, owner, scope, status, last-used, risk score.
  • Auto-tagging at creation (env, BU, app, owner).
  • Regular reconciliation with platform sources.

2. Ownership

  • Named human owner per NHI (not team).
  • Backup owner assigned.
  • Auto-detection from creator / first-grant / tags / IaC.
  • Tag enforcement at creation.
  • No-owner SLA with escalation.
  • Owner training on responsibilities.

3. Risk Classification

  • Tier per NHI by sensitivity / blast radius (Tier 0–4).
  • Tier drives controls intensity.
  • Document criteria.
  • Re-tier on significant change.

4. Authentication

  • Preference order: federation > managed identity > short-lived OAuth > long-lived OAuth > API key.
  • No hardcoded secrets; secret manager + rotation.
  • Workload Identity Federation for cloud.
  • Managed Identity (Azure) / IRSA (AWS) / GKE Workload Identity / AKS Workload Identity.
  • gMSA / dMSA in AD.
  • Short-lived tokens (≤ 1 hour where possible).
  • Audience binding.
  • mTLS for service-to-service where appropriate.
  • SPIFFE for service mesh.
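As an added example (not code from this page or from Forestall), a stdlib-only Python check that enforces the audience-binding and one-hour-lifetime rules above on an HS256 workload token. The minting helper, the shared key and the claim values are constructed for the demo; platform-issued tokens would be verified against the issuer's published keys instead of a shared secret.

```python
import base64
import hashlib
import hmac
import json

MAX_LIFETIME_S = 3600  # short-lived tokens: <= 1 hour where possible


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, key: bytes) -> str:
    """Constructed demo issuer: signs the claims with a shared HMAC key."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def check_workload_token(token: str, key: bytes, expected_aud: str, now: int) -> list:
    """Return the policy violations found; an empty list means the token is acceptable."""
    try:
        header, body, sig = token.split(".")
        alg = json.loads(_b64url_decode(header)).get("alg")
    except ValueError:
        return ["malformed token"]
    if alg != "HS256":  # pin the algorithm; the token never chooses how it is verified
        return ["unexpected alg"]
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return ["bad signature"]  # claims are untrusted until the signature holds
    claims = json.loads(_b64url_decode(body))
    problems = []
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        problems.append("audience mismatch")  # audience binding: token minted for someone else
    exp, iat = claims.get("exp"), claims.get("iat")
    if exp is None or iat is None:
        problems.append("missing exp/iat")
    else:
        if exp <= now:
            problems.append("expired")
        if exp - iat > MAX_LIFETIME_S:
            problems.append("lifetime exceeds 1h")
    return problems
```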

5. Authorization (Least Privilege)

Cloud

  • Predefined / scoped roles over basic Editor / Owner.
  • Custom roles for unique needs.
  • Conditional grants (resource scope, attribute conditions).
  • Quarterly recertification.

Cross-Cloud / SaaS

  • Narrow integration scopes.
  • Per-tenant / per-resource when possible.
  • Tier model (Tier 0/1/2).
  • gMSA / dMSA for service accounts.
  • No SPNs on user accounts.

Kubernetes

  • Namespaced RBAC.
  • No cluster-admin to apps.
  • Federated to cloud IAM via IRSA / WI.

Tools and APIs

  • Allow-list per NHI.
  • Tool composition risk analysis.

6. Lifecycle

  • Provisioning workflow (risk + approval).
  • Owner assignment at creation.
  • HR integration — leaver triggers transfer / decommissioning.
  • Workload integration — workload deletion → NHI cleanup.
  • Recertification cadence (risk-tiered).
  • Suspend-then-delete for safe decommissioning.
  • Audit every lifecycle event.

7. Secret Management

  • Centralized vault (Vault, KMS-backed services).
  • No hardcoded secrets; secret scanning + push protection.
  • HSM for highest-value (signing, root CA).
  • Per-secret ACL.
  • Automated rotation.
  • Cert lifecycle automation (ACME, cert-manager).
  • SSH cert authority.
  • Krbtgt rotation twice yearly (AD).

8. Monitoring

  • Comprehensive audit for every NHI action.
  • Centralized SIEM.
  • Long retention (≥ 1 year, more for sensitive).
  • Immutable storage.
  • Anomaly detection per NHI type (volume, geo, time, scope, cost).
  • Cost monitoring per NHI.
  • Posture tooling (Forestall) for continuous risk ranking.
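A compact form of the per-NHI anomaly detection listed above (volume, geo, time and scope), written as an added example rather than code from this page or from Forestall: it builds a per-identity baseline from constructed audit events and flags deviations in a newer batch. The event field names (nhi, geo, scope) and the spike factor are assumptions.

```python
import json
from collections import Counter, defaultdict

# Constructed audit events, one JSON object per line (not real log data).
HISTORY = """
{"ts":"2024-05-01T09:10:00Z","nhi":"svc-billing","geo":"eu-west","scope":"invoices.read"}
{"ts":"2024-05-01T09:20:00Z","nhi":"svc-billing","geo":"eu-west","scope":"invoices.read"}
{"ts":"2024-05-01T10:05:00Z","nhi":"svc-billing","geo":"eu-west","scope":"invoices.read"}
{"ts":"2024-05-02T09:30:00Z","nhi":"svc-billing","geo":"eu-west","scope":"invoices.read"}
{"ts":"2024-05-01T02:00:00Z","nhi":"ci-deployer","geo":"us-east","scope":"deploy.write"}
{"ts":"2024-05-02T02:00:00Z","nhi":"ci-deployer","geo":"us-east","scope":"deploy.write"}
"""


def parse(lines: str) -> list:
    return [json.loads(line) for line in lines.strip().splitlines()]


def build_baseline(events: list) -> dict:
    """Per NHI: geos, scopes and UTC hours seen, plus the peak event count in any one hour."""
    base = defaultdict(lambda: {"geos": set(), "scopes": set(), "hours": set(), "peak": 0})
    per_hour = Counter()
    for e in events:
        b = base[e["nhi"]]
        b["geos"].add(e["geo"])
        b["scopes"].add(e["scope"])
        b["hours"].add(int(e["ts"][11:13]))
        per_hour[(e["nhi"], e["ts"][:13])] += 1
    for (nhi, _), n in per_hour.items():
        base[nhi]["peak"] = max(base[nhi]["peak"], n)
    return dict(base)


def detect(events: list, base: dict, spike_factor: int = 3) -> list:
    """Return sorted (nhi, reason) findings for events judged against the baseline."""
    findings = set()
    for e in events:
        b = base.get(e["nhi"])
        if b is None:  # no baseline at all: an identity the inventory does not know
            findings.add((e["nhi"], "unknown NHI"))
            continue
        if e["geo"] not in b["geos"]:
            findings.add((e["nhi"], "new geo " + e["geo"]))
        if e["scope"] not in b["scopes"]:
            findings.add((e["nhi"], "new scope " + e["scope"]))
        if int(e["ts"][11:13]) not in b["hours"]:
            findings.add((e["nhi"], "activity outside usual hours"))
    per_hour = Counter((e["nhi"], e["ts"][:13]) for e in events)
    for (nhi, hour), n in per_hour.items():
        if nhi in base and n > spike_factor * base[nhi]["peak"]:
            findings.add((nhi, f"volume spike: {n} events in hour {hour}"))
    return sorted(findings)
```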

9. Compliance

Frameworks

  • NIST CSF 2.0 (PR.AA-05 specifically calls out NHIs).
  • PCI-DSS 4.0 (8.6 service account requirements).
  • ISO 27001 A.5.16 (identity management).
  • SOC 2 (CC6 logical access).
  • Sector regs (HIPAA, GLBA, etc.).

Mapping

  • Risk classification → control intensity.
  • Evidence collection automated.
  • Audit-ready.

10. Governance

  • Formal, socialized AI / NHI policy.
  • Approval workflow for new high-risk NHIs.
  • Re-review on significant change.
  • Quarterly review on Tier 1+ NHIs.
  • Decommissioning playbook.
  • Cross-functional governance body (Security + IAM + DevOps + IT + AI).
  • Reporting to leadership quarterly.

11. Vendor / Supply-Chain

  • Vendor risk assessments for SaaS-to-SaaS integrations.
  • Contractual data scoping.
  • Periodic re-review.
  • OAuth grant audit quarterly.
  • Vendor incident notification monitored.

12. Incident Response

Playbooks per NHI Type

  • Compromised SA.
  • Leaked secret.
  • OAuth grant abuse.
  • Federation misuse.
  • RPA bot compromise.
  • AI agent compromise.

Containment

  • Quick rotation / revocation.
  • Identity disable.
  • Token revocation.
  • Audit trail preservation.

Tabletop Exercises

  • Annually, cross-functional.

Post-Incident

  • Root cause + systemic improvements.

13. Continuous Improvement

KPIs

  • Inventory coverage %.
  • Ownership coverage %.
  • Federation adoption %.
  • Hardcoded secret count.
  • Stale NHI count.
  • Over-permissioned NHI count.
  • MTTD for NHI anomalies.
  • MTTR for NHI findings.
  • Compliance evidence completeness.
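The lifecycle rules of section 6 (risk-tiered recertification, stale-then-suspend, suspend-then-delete, no-owner escalation) and several of the KPIs above, computed over a constructed inventory. This is an added example, not this page's or Forestall's code; the per-tier cadences, the 90-day stale threshold and the 30-day suspension grace period are assumed values, since the page fixes only the quarterly review for Tier 1+.

```python
from datetime import date

# Assumed policy numbers: the page says the cadence is risk-tiered and that Tier 1+
# gets quarterly review, but fixes no other figures.
RECERT_DAYS = {0: 30, 1: 90, 2: 90, 3: 180, 4: 365}  # days between recertifications
STALE_DAYS = 90       # unused this long -> suspend (feeds the stale NHI KPI)
SUSPEND_GRACE = 30    # suspended this long without complaint -> delete

# Constructed inventory records (not real data).
INVENTORY = [
    {"id": "sa-payments", "tier": 0, "owner": "alice", "status": "active",
     "last_used": "2024-05-20", "last_certified": "2024-03-01"},
    {"id": "sa-legacy-etl", "tier": 2, "owner": None, "status": "active",
     "last_used": "2024-01-10", "last_certified": "2024-05-01"},
    {"id": "sa-old-report", "tier": 3, "owner": "bob", "status": "suspended",
     "last_used": "2023-12-01", "last_certified": "2024-05-01", "suspended_on": "2024-04-01"},
    {"id": "sa-k8s-ingress", "tier": 1, "owner": "carol", "status": "active",
     "last_used": "2024-05-31", "last_certified": "2024-05-15"},
]


def _days_since(iso_day: str, today: date) -> int:
    return (today - date.fromisoformat(iso_day)).days


def lifecycle_actions(inventory: list, today_iso: str) -> dict:
    """Map each NHI id to the actions its owner (or the escalation queue) must take."""
    today = date.fromisoformat(today_iso)
    actions = {}
    for nhi in inventory:
        todo = []
        if not nhi.get("owner"):
            todo.append("assign-owner")  # no-owner SLA with escalation
        if nhi["status"] == "suspended":
            # suspend-then-delete: delete only after the grace period passed quietly
            if _days_since(nhi["suspended_on"], today) >= SUSPEND_GRACE:
                todo.append("delete")
        else:
            if _days_since(nhi["last_certified"], today) > RECERT_DAYS[nhi["tier"]]:
                todo.append("recertify")
            if _days_since(nhi["last_used"], today) > STALE_DAYS:
                todo.append("suspend")
        actions[nhi["id"]] = todo
    return actions


def kpis(inventory: list, actions: dict) -> dict:
    """Ownership coverage, stale count and recertification backlog from the action plan."""
    owned = sum(1 for nhi in inventory if nhi.get("owner"))
    return {
        "ownership_coverage_pct": round(100 * owned / len(inventory), 1),
        "stale_nhi_count": sum("suspend" in t for t in actions.values()),
        "recert_overdue_count": sum("recertify" in t for t in actions.values()),
        "pending_deletion_count": sum("delete" in t for t in actions.values()),
    }
```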

Reporting

  • Quarterly to leadership.
  • Trend over time.

Quick Best-Practice Summary

  • Continuous discovery.
  • Single inventory + ownership.
  • Risk classification.
  • Federation / managed identity default.
  • Least privilege; quarterly review.
  • Lifecycle (HR + workload integration).
  • Secret manager + rotation; no hardcoding.
  • Comprehensive audit + anomaly detection.
  • Compliance mapped + evidence automated.
  • Governance + policy.
  • Vendor risk.
  • IR playbooks + tabletops.
  • KPIs + reporting.

How Forestall Helps

Forestall translates these best practices into continuous, prioritized work:

  • Posture scoring per NHI.
  • Risk-rank findings.
  • Compliance evidence.
  • Trend tracking.
  • Workflow integration with HR + DevOps.

Conclusion

NHI security best practices span discovery, ownership, authentication, authorization, lifecycle, secret management, monitoring, compliance, governance, vendor risk, IR, and continuous improvement. Implement in tiers — start with discovery + ownership + federation + least privilege + audit — and expand outward. Measure quarterly. With these in place, the largest identity surface in your environment becomes a managed, low-risk, audit-ready foundation for cloud, SaaS, AI, and beyond.
