Evan Gilman, Pieter Kasselman, and Marcel Levy
January 16, 2025
The Open Worldwide Application Security Project (OWASP) is a great resource for understanding computer security risks and best practices. They recently published a "Non-Human Identities Top 10" list of risks. It's best seen as a picture of where the industry has been, rather than where it's going, and it blurs the line between secrets and identities.
To understand non-human identities (NHIs), we need to clear up some confusion. Secrets are not identities. As Eli Nestorov points out, identities are built on standards. In these standards, identities have credentials, and their lifetimes are enforced.
Take SPIFFE for example, where credentials are short-lived, automatically managed and disposable. These credentials are provisioned onto workloads and hosts for as long as they need it – and no longer. With an NHI identity provider based on open standards, we see that most of the risks mentioned in the OWASP list don't apply, because they are inherent to shared secrets and not identity credentials. For example:
In fact, a whopping 80% of Top 10 OWASP NHI threats are either mitigated or completely eliminated by leveraging true identity-centric NHI technologies. Notice the abundance of conversation about long-lived secrets, API keys, service accounts and improper storage. None of these exist in environments that have deployed an NHI identity provider like SPIRL. This mess has been created by the improper use of legacy, human-centric authentication technologies in the non-human domain. But that's where we've been as an industry in the past, and not where we are – or where we’re going… Remember - secrets are not identities, and identities are not secrets.
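The point above, that an identity credential carries an enforced lifetime and a bound audience while a shared secret carries neither, is easiest to see in the verifier. The following is an added, self-contained illustration and not SPIRL's or the SPIFFE project's code: a toy JWT-style token signed with HMAC-SHA256 stands in for a JWT-SVID (real JWT-SVIDs are signed with keys published in a trust-domain bundle, not a shared HMAC key), the trust domain `example.org` and the SPIFFE IDs are constructed, and the checks the verifier performs (signature, `exp`, `aud`, and a SPIFFE ID subject in the expected trust domain) are the ones a SPIFFE-style verifier is required to make. A token with no `exp` claim is rejected outright, which is exactly the property a static API key cannot offer.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed trust domain for this illustration (assumption, not from the page).
TRUST_DOMAIN = "example.org"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWTs use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_svid(key: bytes, spiffe_id: str, audience: str, ttl_seconds: int, now=None) -> str:
    """Issue a short-lived, audience-bound token. HMAC is a stand-in for the
    asymmetric signature a real JWT-SVID issuer would produce."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": spiffe_id, "aud": [audience], "iat": now, "exp": now + ttl_seconds}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_svid(key: bytes, token: str, expected_audience: str, now=None) -> dict:
    """Accept the token only if signature, lifetime, audience and subject all check out."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    # Pin the algorithm before trusting anything else in the header.
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    # Lifetime is mandatory: a credential without exp is a secret, not an identity.
    if "exp" not in claims:
        raise ValueError("missing exp")
    if now >= claims["exp"]:
        raise ValueError("expired")
    # Audience binding stops a token minted for one service being replayed at another.
    if expected_audience not in claims.get("aud", []):
        raise ValueError("audience mismatch")
    # The subject must be a SPIFFE ID inside our trust domain, with a non-empty path.
    prefix = f"spiffe://{TRUST_DOMAIN}/"
    sub = claims.get("sub", "")
    if not sub.startswith(prefix) or len(sub) == len(prefix):
        raise ValueError("subject is not a SPIFFE ID in our trust domain")
    return claims


def check_svid(key: bytes, token: str, expected_audience: str, now=None) -> tuple:
    """Convenience wrapper returning (accepted, reason) instead of raising."""
    try:
        claims = verify_svid(key, token, expected_audience, now=now)
        return True, claims["sub"]
    except ValueError as e:
        return False, str(e)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; never a real signing key
    t0 = 1_700_000_000
    caller = "spiffe://example.org/ns/prod/sa/payments"
    callee = "spiffe://example.org/ns/prod/sa/ledger"
    tok = mint_svid(key, caller, callee, ttl_seconds=300, now=t0)
    print(check_svid(key, tok, callee, now=t0 + 60))   # accepted inside its lifetime
    print(check_svid(key, tok, callee, now=t0 + 300))  # rejected once expired
    print(check_svid(key, tok, "spiffe://example.org/ns/prod/sa/other", now=t0 + 60))
```

The token is valid for five minutes and only at the service it was minted for; once it has expired there is nothing to rotate or revoke, because the verifier already refuses it. Compare that with a static API key, where the verifier has no `exp` to enforce and a leaked value remains usable until someone notices.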
SPIRL uses open standards to unify fragmented workload identities across all your environments. Learn more.