This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now your hosts, Jim McDonald and Jeff Steadman. Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad yourself. Doing great.
I feel like we're living in this weird time warp kind of thing. We're recording before Identiverse. It's going to be dropped after Identiverse, but I want to talk about Identiverse. I mean, we're going to be doing the Identity Squabble game while we're there. I guess technically it's in the past, but hopefully we'll be able to drop it as an episode. It's going to happen in the NHI Pavilion at the Expo Hall. Really excited about what we're doing at Identiverse. Yeah, it's a very cool thing.
I'll be honest, I'm a little bit nervous on how this will come off. Identity Squabble, as we're kind of calling it, is an extension of the FIDO Feud that we did at the Authenticate conference last year. But we are doing it all on our own basically, right? No help. We don't have like an AV team. It's going to be me setting up a bunch of cameras and me figuring out how to try to mic it up.
So, you know, we are a couple days away from that and hopefully by the time people hear this, it turned out well. I hope people, you know, are entertained. You may not learn anything, but I hope they're entertained as we go through that. So, yeah, I'm going to give my thank you in advance to the CRA for, I mean, look, we're doing so much
there. You and I are each hosting a panel and we're going to be recording a bunch of podcasts and have an opportunity in the actual hall to meet people, give out stickers. I'm excited for the whole thing. Yeah, it's definitely been a great experience. Shout out to Shirley for helping us out with this. So if you see Shirley from CRA roaming the halls, give her an Identity at the Center fist bump of gratitude. How about that? And just a fist bump.
Don't do anything else. Yeah, no, just a fist bump, not a fist to any other part of poor Shirley. I think the other thing that would be great is, like, if people got to meet us, people got to, and are listening to the show, go out, give us a review on whatever podcast platform you listen on, or give us a thumbs up and subscribe on YouTube. It definitely helps get the word out, because, I mean, the podcast has grown significantly over the last six years and it's grown organically, right?
We don't run any ads. It's people telling people about the podcast, people liking the podcast or giving us five-star reviews and kind of like working it up in terms of the algorithm, yeah. No advertising. The only advertising is what I see behind you, all the different plaques that you've taken from, you know, the different cons we've been at. But definitely very cool. And we are going to hit a couple of milestones this year.
We're going to be celebrating six years, I think pretty close by the time this one comes out. And, you know, I'm going to preview: we're probably going to hit 1,000,000 downloads sometime later this year. So pretty crazy. Yeah, those are big numbers. They keep coming. They keep coming quicker than I expected them to come. So, but that's not a credit to me and you, Jeff. That's credit to all the people
who listen. And I think the practitioners out there who, you know, let us know all the time, you know, how they feel about the content, 99% positive. That's a shout out and a credit to them. Yeah, we like doing it and we like the conversations we're able to
have. And, you know, that's what leads us to the conversation we're having today, you know, especially around, you know, NHI, which is, you know, so hot right now, if I want to steal something from Zoolander. But why don't we pivot into our conversation here with Mr. NHI himself, Lalit Choudhary. He's the founder and CEO of the Non-Human Identity Management Group. Welcome, Lalit. Thanks Jeff and Jim for inviting me to your Identity at the
Center podcast. Real pleasure to be here and talk all about NHIs, non-human identities, or some will say machine or workload identities, whichever camp you're in. Yeah, we're going to get totally into that. I want to start, though, with your background, because this is tradition around here: the identity origin stories for the people in the space. So tell us a little bit about your identity background. How did you get into this? Is it something that you chose or did identity choose you?
It's probably the latter. So I started my career 30 years ago in investment banking, came out of university straight into Morgan Stanley, was there for 18 years. I moved into sort of the equities division running order
management systems. And I guess that was my first exposure to sort of regulatory audit and sort of identity, when the infamous Sarbanes-Oxley SOX Act came and we had to make sure our systems were SOX compliant. I was the only one in my equities division that really took the SOX controls seriously.
And ever since then, I was tagged in those days with a different nickname, Mr. SOX. And ever since then, sort of for the last 25 years, anything that was regulatory, audit, you know, compliance, operational risk, you know, I was involved in. So I've run a number of large Fed and other large regulatory programmes for various investment banks, and then slowly went more and more into the identity space doing human regulatory programmes, PAM, and
I've done a number of NHI programmes along the way as well. And when I did SOX 25 years ago, that was actually the first time I actually had to deal with NHIs, or in those days we would call them technical accounts or service accounts. So that's a little bit of my background in terms of my identity journey, until I became, I guess, Mr. NHI. So how were you awarded that title of Mr. NHI? Is this, you know, something
that somebody gave you? You know, is it something that you've kind of adopted as a moniker? Tell me about that. Yeah. So about just a year and a half ago I decided one weekend to write a white paper on how to manage non-human identity risks. I was just running in the middle of a very large regulatory program at a large investment bank fixing the NHI issues. And I thought, look, it might be worth writing some insights on
what we did, the challenges. And I posted it on LinkedIn. I wasn't really a big LinkedIn follower or contributor. And what surprised me was within a few weeks, you know, I was getting pings from some pretty big industry heavyweights. I'll drop a name, for example, you know, head COVID said Silverthorpe pinged and said, love your white paper, let's chat. And after writing that white paper, kind of a lot of doors started to open.
I started to talk to a lot of folks in the industry and I realized what was going on. There'd been a huge growth in startups and a lot of discussion around the non-human identity problem. And I then started to realise, well, look, if you're a customer and you want to learn about the problem, where do you go to understand the risks, the challenges? Where do you get guidance and advice? And really there was nothing in the industry about just over a
year ago. And again, just one weekend I thought, look, why don't I start and create like an NHI community? So I created the Non-Human Identity Management Group on LinkedIn back in May last year. And I've been very surprised that we're now close to 2000 members. A lot of people in the industry, consultants, a lot of practitioners, pretty much the who's who is now in that group. And we started to post a lot of content there. But then I realized that's not
really going to work. Whilst you'll be able to disseminate kind of news, what's going on in the industry, if someone wants to learn, they're not going to go through a feed of hundreds of NHI posts from me and others in the industry. And then I thought, look, let's create a portal. And that's where NHIMG.org was formed. And my mission was purely, at the time, all about education, evangelizing. I was in a job and this was kind of a side hobby, a bit like what you guys do at IDAC.
And it just sort of flourished from there. I wrote more white papers, more content, and there was a lot of good, you know, feedback. I started talking to sort of folks in the market to say, would you like to kind of share content as well? And then that's really what I've been doing for the last 12 months, and since January I decided to go into this venture full time, and the mission hasn't changed. It's to educate, evangelize. It's to kind of help the industry come together.
And I guess along the way, someone at one of the vendors, kind of just in maybe a LinkedIn post, said to me, kind of verbally, Mr. NHI, and I started using the name and it's now stuck with me, unfortunately. But maybe it's a bit better than Mr. SOX. Yeah, Mr. SOX kind of sounds like a Quentin Tarantino character, like Reservoir Dogs or something like that. Or a cat name.
Yeah, that's true, spoiler, right? If you're watching the video, I've got a couple of DJ cats in Amsterdam behind me. So if you're not watching the video, you're missing out on that glorious scene. But let me talk a little bit here with you about NHI, which is why we're here. I know we want to get probably a definition from you of what is
NHI. But before I get to that, it seems like NHI is kind of having a moment right now, kind of like identity at large is having a moment, as, like, hey, there's a spotlight on identity and people are trying to take notice of it even though we've been here for years. And I would argue the same thing for NHI. But why do you think NHI is such a big deal right now? Because it seems like every conference that we've gone to over the last six to 12 months has really started to put
more focus on NHI. And I'm curious, you know, if you see the same thing and, if so, why do you think that is? Well, there's only one answer. It's because of me and our group and all the noise. No, that's not true. Look, I think, you know, I do get asked this question a lot about why now. When you talked about Identiverse earlier, our group is actually going to be hosting a big NHI workshop next Tuesday, and the pavilion you referred to, we're hosting.
So it's going to be great to have you there. Look, I think what's changed is the last four or five years, where, you know, this was always a problem, right? As I said, I was dealing with this 25 years ago as part of SOX controls to cycle NHI passwords, and in those days, before, it was all about an internal issue, right?
But with kind of the hyper-fragmentation that we've now got in the environment, with, you know, the multi-cloud kind of environment, SaaS integrations, containerization, microservices, you know, API-based interfaces. And I guess now, you know, more growth we're going to see with GenAI. I guess all these kind of non-human identities, they're much more easy to compromise and
discover. There's a great stat by a company that produced a report in '24 saying that there were 24,000,000 secrets found in public GitHub repos. So look, people have not implemented good controls around managing NHIs or secrets. They're all over the place. You know, we've got generally very weak controls around managing the NHIs. So we're seeing, you know, a lot of issues, breaches that are occurring.
Our group recently published a 52 breach report to celebrate our 52 weeks since we were formed. And we're seeing breaches now occurring on a weekly basis where threat actors are discovering these credentials in repos, API keys, tokens. And it's an easy way to get in, right? They no longer need to, you know, kind of compromise a human's credentials. They can just get access to these NHI identities.
And you're in, right? And given, you know, environments are so distributed with cloud and SaaS, we're much more significantly exposed than we were, you know, many years ago. So I think just the explosion, and, you know, the micro-fragmentation that we've had in the environment, has just now caused this huge problem.
Lalit, it feels like you come to this from the practitioner perspective, and that's a big reason why Jeff and I wanted to have you on this podcast, because we've got a lot of folks who come on with kind of the vendor perspective. And, you know, this is in no way to disparage what they do. They're out there building solutions, right?
But overall we're hoping to get out of this conversation kind of a framework for the practitioner to wrap their brain around this NHI problem and how they can solve it, right? Where do they use their existing tool sets like IGA, privileged access management, single sign-on? Where do they need new tooling or new approaches? And I'm going to start you with a really simple question, because I kind of feel like we need to define NHI, and you made a statement earlier.
Some people might call it machine identities. Is that what it is? Is NHI equal to machine identity? Yeah, look, there is still a lot of debate in the industry around what's the official term for this topic we're covering. Obviously you know which camp I'm in, which is the non-human identity camp. You know, I guess our friends are gonna, you know, talk about machine identity as kind of the
center of the universe, and then under there they talk about, you know, workloads and devices, whereas we start at non-human and then talk about workloads and devices under that. Look, I think it's going to take a while for things to settle on what, you know, will be the common term. I think hopefully what may happen is that these become interchangeable terms. To me, non-human, machine, workload, it's all really the same thing. And I think they can in some respects be used somewhat
interchangeably. But I guess to your question, Jim, you know, what is a non-human identity? Look, it's a digital identity or a credential that represents, you know, a machine, an application, some automated process or a service that's used within your IT infrastructure
stack. And these non-human identities allow those machines and software workloads to securely authenticate, you know, operate and perform tasks automatically, including kind of, you know, authenticating to other machines, processes and services without any kind of human interaction. So these are the identities, the accounts, they use to run all software, you know, all around the world, you know, including IoT devices and other devices, you know, in an automated way, right?
So it's what runs everything we do. So they are pretty important from an identity standpoint. So if you were back at Morgan Stanley, or your advice for a practitioner out there, right, they get stuck in a long elevator ride with the CIO and he happened to hear about these non-human identities and, like, hey, I'm in the elevator with the identity guru. I'm going to ask Lalit, what are we doing about non-human identities? What's the right answer if you're a practitioner?
Like, how do you even think about that question? Look, we could talk for hours on this. Doing an elevator pitch on NHIs, it's quite challenging. You know, when we started an NHI program at a more recent investment bank, my CISO said to me, why can't we fix this in a year? And we then had an incident that occurred a little bit later, which I can talk about if we've
got time. But look, the real fundamental issue at the moment with NHIs is there's so many of them out there, right? The stats that people will quote: NHIs outnumber human identities 25 to 50X. Some will even quote 100X, and these numbers will go up, you know, significantly more as we've got agentic AI coming in. But generally non-human identities are unmanaged, right? They have very weak controls. They're kind of the forgotten problem child.
You know, everyone focused on human controls and PAM and protecting your barriers, but managing non-human identities and the secrets that are associated with them was typically, you know, always an afterthought. You know, focus was on just delivering software as quickly as you can, and security was an afterthought. So you have a lot of issues, right? With secret sprawl, you have a lot of weak controls. So look, some of the issues you're going to get with NHIs:
they're easy to discover. You'll find them hard-coded in source code repositories, Confluence, SharePoint, Slack channels. You know, understanding how many you have, right? There have never really been any ways to kind of fully manage and inventory, you know, NHIs. That's very hard to do. You know, a lot of these accounts are static in nature, and that's kind of the core
issue with kind of NHIs. Whilst we can talk about what we can do more strategically and zero trust maybe later in the discussion, the vast majority of NHIs stay static, right? So they've been created, they have in most cases no ownership. They may have been created 10, 20, 30 years ago. People don't know what they are. Are they still used? We've worked with organizations where 50-60% of the accounts that we've uncovered have not been used.
And clearly that increases the surface area of risk. You know, you have humans that are using these accounts and bypassing controls. We saw that when we turned on PAM controls at a bank; they said, look, we don't like the PAM controls. So they started using NHIs as a way to bypass, you know, entry to production. You know, NHIs typically, right, because they're running your crown jewel apps, they're going to have high privileges.
So again, these are targets for both internal and external threat actors. And there's many other issues that you have, you know, with NHI. So unfortunately, you know, they've always had these issues. And now with all the hyper-fragmentation that we've talked about, the problems have just kind of exploded exponentially. So look, it's a huge elephant in the room.
I would say it's probably one of the toughest challenges you'll face in your career in terms of solving, much, much more complex than solving kind of the human identity problem, which is much more mature. And a lot of the tool sets, to a point you made earlier, just aren't fit for purpose, or at least the traditional tool sets. And we can talk about that if we want to dig deeper, to meet the requirements around sort of NHI life cycle processes. OK. I think we're on the first floor now.
We've come all the way down on that elevator ride. I kind of feel like the original NHIs, at least that I dealt with, were service accounts, right? So you had these service accounts and I kind of feel like the life cycle is probably not managed all that well in a lot of organizations. But, you know, privileged access management can do a good job of discovering and rotating passwords. It still doesn't have MFA, but, you know, privileged access management probably knocks out
some. We could probably use the governance processes in IGA to a certain extent. I know there are some tools out there, but service accounts isn't the whole ball game, right? And what you pointed out with, like, GitHub repos, you could probably scan them and find these things, like you could put controls around them with existing tools or maybe adding
to your portfolio some. But I kind of feel like we're entering, or we've entered, this era now where there's this new crop of non-human identities, whether they are device-specific or they are more or less like these ephemeral identities that get created with, like, an infrastructure as a service type platform, where it's not going to create the identities to roll out the cloud infrastructure that it needs and then potentially deactivate those identities.
But you have to have your arms around it to some extent, right? And maybe it's not just those things. I mean, you just take the whole cloud into scope and, man, there's just tons of identities there. And I wouldn't think that the traditional privileged access management tooling is going to do a good job at that. So OK, so that's one thing, which is that I think there's all these new types of identities.
The other thing is, and this is what I've always kind of said, wouldn't it be nice if we managed non-human identities the same way we manage humans, which is we have some source of record like an HR system or something. That's where you start, by creating the identity there, and then it gets provisioned, you know, through automation, ideally to the point where you wanted it. It can be checked on, the password could be rotated. You no longer need it?
You're the source of record. Shut it off and it shuts it off anywhere that it's being used. But it's not really like that,
right? I mean, people spin up a server, they either manually or by automation create accounts to go and do those things, server or database or whatever they're spinning up. So the approach to managing these non-human identities is not, like, linear, where you start the process here at point A and then the end of life is point Z. It's, you're finding these things and then you have to wrap them up in layers of security management so that they are more secure.
And I don't think it goes from, like, not secure at all to 100% secure. But to me, that's the big thing, is that, hey, there's these new identities and they are not easily managed and the tools you have today don't do a good job of managing them. And to me, that's, like, why it's hot. It's like all of a sudden we're inundated with all these places that are now creating identities, and none of the tools that we have traditionally do a great job at managing them. Did I get that right?
Yeah. Look, I think you've summarized that very, very well. Look, even if you look at the human space, where you've got all the cloud tools that are out there, right, that have come along to sort of, you know, move beyond sort of the traditional IGA and PAM, even for just kind of the human use case. But with kind of non-human identities, you know, there isn't a single source of truth like you might have with human identities.
You know, there's going to be many places where they get provisioned, you know, in the cloud, on your, you know, on-prem environment. You can have a lot of local accounts, maybe on legacy databases, Active Directory, you're going to have many, you know, IdPs, right? So there's going to be, like, you know, tens of places where a typical organization is going to have these NHIs kind of provisioned. But generally they get provisioned.
You know, they typically come, if they're static, with some keys and passwords. They get shared around, you know, maybe in an e-mail or in some other communication channel, in a ticket to the requester. So there you go. You know, problem one already, right? The credentials are known by humans. And then they'll, you know, they'll take the easy route. They'll just put them into source code, hard-code the credentials. So you've got all the challenges around, you know, vaulting,
removing hard-coded credentials. Look, so yes, a PAM solution can help with some of that, but a PAM solution isn't really going to solve your whole inventory problem and discovering all these identities that are out there. You know, once you've discovered them, you need to understand who's the owner, what's the level of permissions, how broad
is the access, right? And classify them, you know, and then you can start doing things like posture management, you know, have they got excessive permissions, misconfigurations, what's inactive, you know, what's shared. And clearly, you know, with, you know, the growth in cloud, the number of privileges that you can get in the cloud is just kind of crazy, rather tens of thousands of different
combinations. So people take the easy path out and say, look, rather than following least privilege principles, let's just go with, you know, an uber kind of privilege. So you see a lot of, I think the cloud's kind of encouraged kind of more excessive privileges to these identities. So you've got, you know, them all out there. And you talked about
scanning. You know, that's another area that traditional tools would not have done, right, is to scan and look for these credentials in source code, in repos and other places. And then, you know, the big task is once you've found all the things, yes, you can do some hygiene, some clean up, but you're then going to secure the secrets if they're hard-coded. You know, at a previous org that I wrapped up last year, you know, we had to secure over 100,000 NHIs that we
uncovered in source code. And our initial scan that we did found over a million potential hard-coded secrets, passwords. So you can see the size of the problem, and then to make those changes, move those credentials into a vault, you know, the amount of changes you need to make to your code to remove those credentials, the operational risk. And then you talk about cycling, right, and rotating these
credentials. One is securing them. But the reality is people still know the passwords, the secrets. And as people leave, you know, and then with cloud API keys, you know, you can take that information with you, right, to another organization, or compromise those accounts, you know, even if you've left an organization. So rotation becomes something that you need to do. And whenever there's a breach, right, the first thing is rotate
your keys. But again, you know, how are those credentials used in many places in your code? How do you know when you rotate, you know, that all the code, you know, is using the same, you know, vault solution to source their password? If you miss one of those dependencies out, you could end up causing operational impact. And we've seen that so much in many orgs, where you didn't realize a credential was, you know, used.
You missed a piece of code, or you found, oh, some other app you've given the credential to, you know, like to another team that needed to connect to your database. You give them the password and they're using it as well. So there's a lot of legacy that's been created, and that's why a traditional IGA or a PAM tool is not going to solve these problems. That's why you've got a new crop of pure NHI products that have come into the market.
And then also now we're seeing a lot of movement with the traditional IGA and PAM players that are now investing significant sums to build, you know, NHI capabilities. So it's definitely the existing tool sets just could not support
these use cases. It's much, much more complex than what we talk about for humans, you know, and then you've got to think about monitoring, you know, if someone's inappropriately using your NHIs, coming from some unknown IP addresses, if there's a human using them, and then they are already being compromised. And then you get into the, you know, what's the target state, right, which is kind of ephemeral, just-in-time, zero
trust. You know, at our previous org, we also implemented preventive controls. When you check in your code, we're actually looking at runtime to see, have you checked in an API key or a password to an NHI credential? And we actually block the check-in. So if you look at the overall life cycle, we've published one of these on our portal. It's a huge, huge problem to solve if you want to try and tackle the whole thing holistically from a life cycle
standpoint. So from an organizational standpoint, I think you're going to take a balance, which is try and do some things more strategically. You know, do kind of dynamic ephemeral secrets with your workloads, you know, more of a zero trust model, maybe with your agentic stuff or your crown jewels as you re-engineer. But you've also got to deal with your existing kind of state that's out there, which is static in nature, and you've got to get that under control.
So you're going to have to always think of a hybrid approach to dealing with the NHI problem, you know, a lot of legacy, and figure out how you kind of strategically kind of stop the bleeding, you know, over time as well. So, that touched on a couple of points. It certainly did, but it opens up some questions for me, because I'm listening to the two of you talk here and now I'm wondering, you know, whose fault is this? Where does the blame lie?
Because I feel like this is where privileged access management was supposed to have been the solution for this. We've been sold this bill of goods by Pam vendors for decades that hey, this is where you go to manage your non human identities. We didn't call it that. We called IT service accounts. We called it keys, right, All that kind of stuff. But listening to the two of you makes me feel like, OK, well, OK, what do you mean? I thought Pam was supposed to do that and it's not doing it.
And that has opened up the door for these new vendors to come in and specialize in this version of Pam 2 point O or three-point O or whatever you want to call it. But I almost have a feeling of a little bit of remorse here. It's like, all right, well, Pam was supposed to do this. Why isn't it doing it? And I don't know if that's a fair assessment based on the conversation so far or just kind of my my experience with Pam solutions, but I'm curious.
I'd like to see. Look, I think it's different. Sorry to interrupt. No, please go ahead. Look, I think, well, if you asked me, was PAM designed to
solve NHI, I would say partly. Like my background in dealing with PAM was really driven from kind of a human standpoint where you had like core admin accounts, root accounts, service accounts, right, that I needed to operate, you know, your infrastructure, your software, you know, so the definition we gave on NHIs, but usually the PAM element there was around humans and controlling people that needed to elevate their privileges, right, to impersonate, sudo, become that account, you
know, to maybe deploy the software or maybe when there's a support issue, go in and, you know, become that account so they could then deal with support issues. So yes, it was there to protect kind of your keys to your kingdom, like your most privileged accounts. But I think non human identities are much, much broader than just
PAM, right. I think you know, like, you know, if an application's got an account that it uses to connect to a database, is that a privileged account? That's really just an account that that process needs to operate and communicate with other services. Yes, it has privileges, but is it a privileged account like in the traditional PAM sense? I'm not sure it is. But yes, the idea of what PAM tools did, you could argue, could cater for some of the life cycle processes for an NHI.
But you know, again, like take a vault like Hashi, all they do is capture the secrets, right? They don't deal with the life cycle processes. They don't natively deal with cycling or scanning or inventory or ownership. So many of these existing tool sets only deal with a really small part of the overall life cycle of NHIs. Yeah. And I think that's go ahead, Jeff. I say. So I think the important distinction here then is the first word of PAM: privileged. Does privileged connotate non
human identity? And then does non human identity equate to privileged? Right. I think that's kind of what I got from your answer was not every, not everything is equal. You can have a non privileged non human identity. I'm kind of thinking about what maybe you can give me an example of what that might look like. Because if I think of non human identity, I'm thinking of something that's sitting behind the scenes. It's a service account, it's a script, it's an API.
It's, you know, some sort of thing that is accessing data or a resource. And you know, I guess maybe it's like what the cafeteria menu or something like that. I don't know what would be an example of a non human identity that is not privileged. Well, I think every non human identity will have privileges, you know, permissions, you know, to whatever identity it needs to operate.
But I guess the privilege when I think of the PAM, it's really, you know, where you're trying to elevate and, you know, get sort of higher privileges than what you had today as a human, right, to perform some elevated role from your basic credentials as, you know, a human identity.
So my view of PAM was always around how you elevated, you know, the human use case to get access to those non human identities versus PAM being the thing that managed everything, every NHI that's out there. I'm not sure I've quite answered your question.
Well, I like how this conversation is going, because I think we, as least-privilege people, as identity people, lifers, if you will, we want everything to be done great. But we know that the reality is that we have to take some kind of a risk based approach. And so it's all about setting priorities. I was going to ask the question more, you know, from the
beginning, like a huge elephant. I mean, when you talk about non human identities and you talk about the pure scale, even in like a small to mid sized organization, we talk about a large enterprise. You could be talking about literally millions of identities. How do you wrap your arms around that? Where do you start? And I think it's got to be based
on risk you got to look for. And so when we talk about privilege, I mean, of course, like every account has some privileges, but we've got to go for those ones where it's like, oh, that's. That's one or maybe it's the type of an account where like, hey, if these got compromised in
our Active Directory, what? And like, I'm sure there's some people out there scoffing at the Active Directory, but normally when companies get completely ransomware and completely shut down, it's because the hackers got the Active Directory. They have control of the Active Directory and they can basically turn off your business and make it so you, you know, your e-mail doesn't work, People can't log into their laptops, can't get to their files. I'm sorry, that's lights out.
And so whether or not you like Active Directory, hear me out. Those kind of accounts have got to be like at the top of your pecking order. And then I think it would be applications that are, you know, the core of your business. So do you agree that like that's how you go about prioritizing? And I assume, whether you agree or disagree, how do you then choose your technology stack to solve that?
Because to your point earlier about Hashi, great, great vault technology and maybe that, you know, you say I'm going to take on risk #1 and that's what I need. But then you can't be doing that evaluation each time you go. Like what is your technology approach to make sure that you have the right number and the right strategic alignment of technologies in your portfolio so that you can manage your NHI problem? Hey, look, it's a great
question. I get asked this a lot and I recently talked about this at EIC and next week I'll be doing a seminar talk at Identiverse, A Practitioner's Guide to NHIs. So look, when I ran my last NHI programme at a large investment bank, you know, we took a step back first and took a holistic approach and clearly our mantra was you're going to take your risk based approach. You can't tackle the elephant in
the room. So some of the things Jim you've talked about you have to look at where are your clearly your highest risks. So you have to go after your most privileged, you know, accounts like your admin accounts, your domain controllers, you know, etcetera, your root accounts on servers, databases. And you know, the other thing you're going to need to do is look at what controls you have around those accounts per
platform. Now, you may have interactive logins enabled on your Windows service accounts, which we all know is really, really bad, right? So you can then interactively get in and start to become that account, sort of. There's lots. You do first need to understand what your control maturity looks like. You know, where do you have strong controls or processes? And maybe you know, your Linux state might be very well secure because you don't have
interactive logins. No one knows the password for any of the accounts, but your Windows AD, right, where everybody knows the passwords and they're never cycled and they're interactive, right? So you know, you need to understand kind of your control levels across your tech stack. You clearly need to go for your highest risk accounts, right? You need to look at things like lateral movement, right? Because typically folks will first find some non prod environment and then laterally move.
You know, we see a lot of service accounts that don't have environment segregation and that applies to any NHIs where the same account has access to prod and non prod. So once you're in, you can laterally move. So you really need to understand all your controls and then come up with more of a holistic approach of how you're going to, you know, go for, you know, the areas that have got the biggest
risk exposures. Like at a previous org, we felt the database estate was our biggest risk, right? Because you can't turn off interactive logins there. As long as you know the credential, the password, you can log in and, you know, you can do anything once you're in. And then there's a lack of monitoring of what you're doing. The other thing I think is really important that people forget is you've got to really look at this top down from a management standpoint.
Look at kind of your policies, your standards, your controls, and make sure you educate folks. And look, you may not have all the best tech stack out there. You may not even have a vault, you may not have scanning in place, but you need to let people know. Look, security first development is the way to go, right? They have SecOps.
And while some of the automation through your CI/CD pipelines and integration to your vaults and other controls may come over time, they need to know that this stuff is unacceptable, right? So we're checking in hard coded credentials into source code. And you know, they need to realise that at our previous org, you know, we basically said to folks, if you continue to repeat the mistakes of the past, you know, you will be disciplined and even, you know, lose your
job. So we had those things top down. Education, training is really, really important. And then it's about defining controls. Like what is the bar that people need to adhere to? You know, it was shocking. At a previous org, there was no requirement to cycle passwords for NHIs. As long as the password was 15 characters in length and complex, that was it. No requirement to cycle. And a regulator comes in and says, do you cycle passwords?
No. Bang, huge regulatory point. So you have to start with the basics and to a point, Jim, you made earlier, a lot of the controls are very similar from a human standpoint as well around, you know, the life cycle processes, what is the way you provision? How do you deal with the deprovisioning? So always focus on the basics. Make sure you've got the basic control processes in place and
then people, process, technology. Continue to mature out your processes and then continue to mature out your tech stack. And it may mean then you buy a solution and it may mean you supplement your existing IGA products and PAM products or do something in the middle, right? It really depends where you are in your organization and the complexity of your environment. So, you know, I think with anything, it's just start with the basics first, right? The fundamentals.
I love the idea of the basics because it gets overlooked so often. And it's, you know, the fundamentals need to be there. You want to build on a solid foundation. And if you skip that step, you're probably going to have a bad time down the road. And you can't just buy a product and say, well, this is going to solve my problems. You know, there's a lot of, you know, governance and the people in the process that go along with that to actually address the issue.
I mean, I'll give you a great example. Hashi, right? We used it at a previous organization. Yes, you can put passwords into a vault for service accounts and any other kind of NHIs, right? But if you don't think about when you onboard that to the vault, if you don't set up the right metadata, what is the account name? Where is it used? What database or server is it used on?
If you don't provide that metadata, I mean just chuck in the password and give it a tag like password 1, password 2, then when you need to move on to cycling. Oh, I've got something in a vault, you know, I know the password, but I've got no idea what it is, that it's actually a database account on server XYZ, right? So again, you've really got to plan this stuff end to end. And maybe some of this stuff is basic.
You think you would do that, but you won't believe the number of groups that have just chucked stuff into a vault without having proper metadata when it's really burnt them, you know, later on. So you really need to think about this from a strategy and architecture standpoint and design your whole solution around NHIs end to end is
what we would recommend. So why don't I ask you a little bit of a deep question and then we'll end on a lighter note to kind of get us out of the deep water. And here's my deep question. Is there anything that scares you about NHI? Look, everything, excuse me, about NHI. That's why anything that doesn't I'm. Doing.
How about that? Maybe that's a better way to do it. Look, but the problem that scares me is, you know, the fact that this problem has been there for 25, 30 years, ever since computers existed. And we haven't really moved the needle that much, right? And it's only really been in the last few years where some of the vendors and the focus from everyone has been in the space. And yes, there's vendors that deal with governance and posture management. How do we deal with kind of zero
trust based architectures? You know, there's a lot of good standards, SPIFFE, SPIRE, WIMSE, that are coming, right, that are helping define how you can build kind of scalable workload dynamic based kind of architectures for managing your workloads and follow zero trust principles. But all that stuff is still not baked.
But I think the one thing that's really scary, right, is kind of obviously you're probably going to guess what I'm going to say, like agentic AI and the ramifications for NHIs, given that they're so weakly managed already, right? So if you continue to use the same processes for your agentic AI, they're probably going to be even more privileged, right,
than regular NHIs that are used. And as they become interconnected and can elevate their privileges dynamically, if you don't apply, you know, sort of strong zero trust privileges around that, it's scary what could happen, right, with people compromising AI agents, which obviously under the covers are using NHIs. So I think we've got a long way to go and the agentic AI stuff is just moving so fast.
But I just don't think at the moment we've got the right controls and solutions to solve NHIs fundamentally anywhere at the moment, let alone, you know, the fast moving pace of agentic AI. So that's probably the thing that worries me the most and probably is the most hotly discussed topic at the moment in the kind of agentic AI and NHI space. I mean, I can see a, you know, a scenario, say, well, we just built an agentic AI product to solve our agentic AI product.
OK, so you know, we're in this, you know, dog chasing its tail type of scenario. I don't know. All right, let's shift to a little bit lighter note because I know that's, for people who aren't watching this on YouTube, you have a very impressive vinyl collection behind you of I don't know how many thousands of records you might have. First of all, let's talk there. How many, how much do you have behind you? Let's start there.
I guess I've been collecting vinyl since I was a student at university, so that's over 30 years. So you can probably guess my age now. But yeah, I've probably got somewhere in the region of about 2000 kind of LPs, 12 inch records. So it's been a lifelong ambition to grow my collection. It's all soul, swing, sort of hip hop, R&B. The genres mainly in the sort of 70s, eighties, 90s kind of is where most of my collection comes from.
I feel like vinyl's having a little bit of a resurgence here the last, you know, few years, but it seems like it kind of went away when CDs and, you know, the laser discs I think were part of that as well. But was there a lull in that collection where it's like, man, it's just getting harder to find, you know, modern artists putting out their content on that format of vinyl? Yeah, good question. I've not really been buying a lot of newer stuff.
It's mainly in that sort of 70s to 90s kind of era. I did probably stop buying stuff for quite a few years as I was working in investment banking. But then as kind of the last few years, I started to grow my collection again and bought a lot from, you know, the collectors on eBay. And there's a great story where I ordered a batch of albums from someone that I got to know very well.
And I was just going through them cleaning some of the records, record cleaner, and out popped about £150 in very, very old British notes. So I went and told the guy that I purchased them from that I found this money in one of his record sleeves. I went to the bank, got the money converted because it was not legal tender anymore and
sent the money back to him. So maybe that tells you a little bit about me, what I'm like if I'm in that kind of dilemma, that I would definitely give the money back to the rightful owner. But that was a big shock to find money. And apparently he does quite a lot, hides money in his. He has a 10,000 plus record collection. So you might start buying more albums from him and then any more money in all the secret
stashes. Now, yeah, I guess I probably need to go through my 2000 now and see if there's any more I can find in there. You never know, there might be a few more looking out there. So of that 2000, I'm going to ask you to pick your first, what's the one that you remember first getting? What's your best album or record or vinyl, I guess? And then what's your favorite
one out of that set? Yeah, I'm not sure I can remember my first one, but it would probably be something like Luther Vandross, Freddie Jackson, Marvin Gaye, probably something in that kind of sort of era. I think in terms of like kind of my most cherished kind of favorite album or 12 inch is probably from a British band called Loose Ends. They have a lot of great records out there. And I had the fortune to sort of see them play in a bar a couple of years ago and I'm a big fanatic
of their music. I took all my kind of albums, LPs with me and I was waving them around on the dance floor. And then at the end of the night the band said look, come and join us. And then they signed all my albums, both on the outside and the inside. So that was a real special moment for me. So what was the other question you asked? Is there a best one? And I guess maybe best is not the
same as favorite, right? Do you have something that's like, oh this is a real find in the space of vinyl? I don't know if it's something rare maybe or something that has a lot of value other than sentimental. There was one tune by a singer called Tammy Payne, and she sings a song called Free that probably very few people have heard, but it's just one of those classic sort of soul songs. That first time I heard it, I just felt I've got to have this and it's always been in my top
five. And it took me a year to sort of source this when I was at university and as a kind of poor student, I think I paid about 30, 40 pounds for it, which was a lot of money in those days for just one record, but it was from a specialist kind of reseller. And then a few weeks later, I'm rummaging through a sort of a record shop and I found another copy of this same thing that I paid 30, 40 pounds for. And it was on for like 50p or a pound.
So I was gutted that, you know, just in a week I paid over the odds. But you know, that's the one I probably cherish the most because it was the one I wanted to get for a very, very long time. And it took me ages to find. But then I found two in quick succession. So you have one for playing and then one for like display or, you know, keeping, right? Jim, I want to pass it over to you. What is your first, best and favorite album?
I guess I'm not sure I know. I'm pretty sure you don't collect vinyl, but give me a first, best and favorite. So I'm going to mention three and interestingly none of them were vinyl. So the first one was 8-tracks.
And so get this, I don't know if you remember, but in the 80s, early 80s, to put in magazines, Columbia Records would put these inserts where you can tape a penny to. It was like a postcard and mark off a bunch of albums that you wanted and you get them in 8-track format or vinyl format. So I ordered like, I forget it. I think it was like 6 for a penny. I thought, look, this is the best bargain ever. I was like 6 years old and I got Devo. You remember that song Whip It?
I got Michael Jackson, Thriller, and I got Led Zeppelin IV, Stairway to Heaven and I loved it. My mom was not happy because then she had to buy like 5 more albums at full price, which I think was like $30 an album. So anyway, yeah that was a funny story. So that's first. I think best I'm going to say. So I had, you know, I was into hip hop music before they even called it hip hop music. It was Beastie Boys Licensed to
Ill on cassette. I played that thing and flipped it over in my tape deck so many times that all of the ink on it was worn off. So I mean, I must have played that so many times. I think eventually the cassette player ate the tape. Remember, that used to happen, like, get garbled up. And then as far as favorite, I think I'm going to go to my college days on CD. I'm going to pick Pearl Jam Ten because I must have played that a million times. And that was such like an anthem
of that grunge era. And I've loved music ever since. And I've had other things. But those three events stick out in my mind as first, best, favorite. Jeff, your turn. Well, those are good ones and I got into music probably much later than both of you. I don't think I got my first album until I was probably either senior in high school or just out of high school. I just, it wasn't a thing that I did, but I very remember, very much remember getting CDs. That's how I started.
I mean, I had cassettes and stuff like that, but it was all just like, you know, you'd tape it off the radio, you know, that kind of thing. But the first CDs I bought were two. It was Offspring, the Smash album, and Green Day's Dookie album. Those are the first two things that I ever bought. So that's the first. Let's see. The best is probably a box set from Metallica called Live Blank Binge and Purge. And they had a double CD
of a live show that they did. I think it was in Mexico. It had a video performance. Yeah. Just a great, just a great thing. But it was like a full box set and it had like a, you know, chest or whatever. And I don't know if I necessarily have a favorite album. I feel like there's so many good ones out there. And my listening patterns have changed into more of a hunt and peck. You know, pick one song from this artist and then go to this other song from another artist.
There's a lot of really good albums. But you know, maybe it's actually, you know, maybe I'm going to go with Korn. I love the Untouchables album. I think it's fantastic. So I'm going to go with that as my final answer. Jim, Korn. You are a hard rocker, man. I got to give you that. Give that to your three choices. We're all basically heavy metal. It was a choice between, you know, rock. There's some electronic albums I like too.
But yeah, I just remember playing the Untouchables album over and over and over and over again in the car. And, you know, that was on my, I think at the time I had like one of those CD Discman things, right, that you'd have in your car and use the cassette tape adapter to get it into your stereo and, you know, all that good stuff. But I don't know allow it does does any of the stuff.
Just a final joke. Yeah, Yeah, I was just about to say those are a set of non human identities that I don't recognize and have not discovered. You could argue, you could argue that all those things, vinyl, CD are all potentially non human identities as well. Identity, right? They won't have a code. So. We got to hit stop and record a new one where we argue about that for the next half hour. But we want to establish provenance, right? It's like also the same thing too.
It's like, what is the the provenance of this album? Is it legit? Is it, I mean, at some point it's going to be is this AI or is this X band right doing the real thing? So that'll be interesting when we start talking about non human identities for non human identities. All right, this has been in just a fascinating conversation. All that. I'm glad you were able to get you onto the show. I feel like kind of finally this happened. So that's great. I'm looking forward to seeing
you at Identiverse next week. And for the time, people of times listen this, you know, your workshop will have been done at that point. So I would encourage people to go check out Identiverse. I think things are going to be recorded. I'm not sure if your workshop is going to be, well, Lalit, do you know if that's the case? Yeah, the workshop will be recorded, but the pavilion sessions won't.
But yeah, I'm looking forward to seeing you both there with some crazy things that you're going to do at the Pavilion and looking forward to spending some time with you next week. Yeah, that's going to be a lot of fun. So we'll go ahead and wrap it up for this week. I'll have links in our show notes to Lalit's LinkedIn page, as well as the Non Human Identity Management Group and nhimg.org. You go check out there for more information, which has a lot of good content.
So, you know, hats off to you, Lalit, for really kind of spearheading this and taking the mantle of Mr. NHI. So I'm not sure what the next step is past Mr. Would it be? Do we just go to different languages like Señor NHI? Do we go to like professor or doctor like have you? Do you have a graduation strategy for Mr. NHI? Someone's already started to call me the father of NHI and then the Godfather of NHI, so maybe that's the natural evolution. Godfather sounds nice.
I meant to ask, when you were in Germany, were you Herr NHI? No, that didn't come up, thankfully. All right, next time. Well, thank you so much for being with us here and, yeah, spending your time and helping us understand the space a little bit more. We'll go ahead and wrap for this week. You can find us on the web, idacpodcast.com.
Do all the things that Jim asked you to do earlier in the episode, like subscribe, share with your friends, share with your enemies, share with your agentic AI, I don't care. As long as people listen, that's all that matters. So with that, thanks for watching and or listening and we'll talk with you all in the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and
review, and we'll be back soon. But in the meantime, hit the website at identityatthecenter.com. See you next time on Identity at the Center.
