Frequently Asked Questions

Product Features & Capabilities

What are non-human identities (NHIs) and why are they important in cybersecurity?

Non-human identities (NHIs) are digital identities used by servers, APIs, and third-party integrations to provide programmatic access to data and services. They use protocols such as OAuth, REST, and SSH, and are critical in cloud and SaaS environments. NHIs are easily overlooked, leading to shadow identities that perform sensitive actions and access customer data without proper oversight. Attackers can compromise these identities through phishing, misconfigured resources, exploited vulnerabilities, and exposed secrets, making them a significant risk factor in modern cybersecurity.

How do attackers exploit non-human identity vulnerabilities?

Attackers exploit NHIs by gaining initial access through stolen credentials, cookies, or phishing attacks to obtain permission grants. They may also find exposed secrets, such as API keys, on platforms like GitHub. Once compromised, attackers use APIs (e.g., Microsoft GraphQL, AWS IAM) to explore accessible resources, escalate privileges, and move laterally within the network. Their objectives often include data exfiltration, encryption, manipulation, or maintaining long-term persistence by creating or modifying additional NHIs.

What is Continuous Threat Exposure Monitoring (CTEM) and how does it help manage NHI risks?

Continuous Threat Exposure Monitoring (CTEM) is a Gartner-introduced framework for proactively safeguarding an organization's attack surface. CTEM uses a lifecycle-based approach to continuously diagnose and remediate risks. It consists of five phases: Program Scoping, Attack Surface Discovery, Risk Prioritization, Exposure Validation, and Mobilization & Remediation. For organizations with many NHIs, CTEM, especially when implemented with tools like IONIX, can effectively find, validate, and remediate NHI-based misconfigurations and threats.

What is External Attack Surface Management (EASM) and how does it relate to NHIs?

External Attack Surface Management (EASM) is the continuous discovery, monitoring, evaluation, prioritization, and remediation of an organization's internet-facing assets, including domain names, SSL certificates, email servers, cloud infrastructure, and IoT devices. EASM covers both first-party and third-party assets connected via the digital supply chain. It is essentially an implementation of CTEM that helps organizations proactively reduce their attack surface and quickly detect vulnerabilities, including those related to NHIs.

How does IONIX help organizations manage non-human identity risks?

IONIX provides continuous, comprehensive discovery, assessment, and exposure validation across diverse IT environments, including cloud-based, vendor systems, and digital supply chains. The platform prioritizes risks based on business context, exploitability, and threat intelligence data. IONIX integrates seamlessly with existing security operations systems, streamlining workflows and enhancing cybersecurity resilience. To see how IONIX CTEM can address your NHI risks, request a scan.

What are some real-world examples of digital supply chain attacks involving NHIs?

Two notable examples include:
1. Microsoft Midnight Blizzard Attack: Attackers gained access to a test email server via password spraying, abused OAuth permissions attached to an old application, and pivoted to the corporate Microsoft network. This allowed access to high-privilege accounts and sensitive data.
2. Cloudflare Breach via Okta Compromise: Attackers compromised a third-party support desk employee’s credentials, accessed customer session cookies, and used API keys that had been missed during rotation to access internal documentation and source code.
Both incidents demonstrate how compromised NHIs can lead to significant breaches, even in organizations with robust security budgets.

How does risk prioritization help organizations manage NHI risks?

Risk prioritization enables organizations to focus on the threats most likely to be exploited and with the greatest business impact. Good EASM tools, like IONIX, help by identifying critical assets ("crown jewels"), validating exploitability, and reducing alert fatigue. Effective prioritization streamlines remediation efforts and helps secure leadership buy-in by addressing major business risks first.

Security, Compliance & Integrations

What security and compliance certifications does IONIX have?

IONIX is SOC2 compliant and supports companies with their NIS-2 and DORA compliance, ensuring robust security measures and regulatory alignment.

What integrations does IONIX support?

IONIX integrates with tools such as Jira, ServiceNow, Slack, Splunk, Microsoft Sentinel, Palo Alto Cortex/Demisto, and AWS services including AWS Control Tower, AWS PrivateLink, and pre-trained Amazon SageMaker Models. For more details, visit IONIX Integrations.

Does IONIX offer an API for integrations?

Yes, IONIX provides an API that supports integrations with major platforms like Jira, ServiceNow, Splunk, Cortex XSOAR, and more. For more details, visit IONIX Integrations.

Implementation, Support & Ease of Use

How long does it take to implement IONIX and how easy is it to get started?

Getting started with IONIX is simple and efficient. Initial deployment typically takes about a week and requires only one person to implement and scan the entire network. Customers have access to onboarding resources such as guides, tutorials, webinars, and a dedicated Technical Support Team.

What kind of support and training does IONIX provide?

IONIX offers technical support and maintenance services during the subscription term, including troubleshooting, upgrades, and maintenance. Customers are assigned a dedicated account manager and benefit from regular review meetings. Onboarding resources include guides, tutorials, webinars, and access to a Technical Support Team.

How do customers rate the ease of use of IONIX?

Customers have rated IONIX as generally user-friendly and appreciate having a dedicated account manager for smooth communication and support.

Use Cases, Pain Points & Customer Success

What core problems does IONIX solve for organizations?

IONIX addresses several key pain points:

Who can benefit from using IONIX?

IONIX is designed for Information Security and Cybersecurity VPs, C-level executives, IT managers, and security managers across industries, including Fortune 500 companies. Industries represented in case studies include insurance and financial services, energy, critical infrastructure, IT and technology, and healthcare.

Can you share specific case studies or customer success stories?

Yes, IONIX highlights several customer success stories:

What business impact can customers expect from using IONIX?

Customers can expect:


Blog, Resources & Documentation

Where can I find IONIX's blog and what topics does it cover?

IONIX's blog offers articles and updates on cybersecurity, risk management, exposure management, and industry trends. Key authors include Amit Sheps and Fara Hain.

Where can I access technical documentation and resources for IONIX?

Technical documentation, guides, datasheets, and case studies are available on the IONIX resources page.

Company Recognition & Differentiation

What industry recognition has IONIX received?

IONIX earned top ratings for product innovation, security, functionality, and usability. It was named a leader in the Innovation and Product categories of the ASM Leadership Compass for completeness of product vision and a customer-oriented, cutting-edge approach to ASM. IONIX also won the Winter 2023 Digital Innovator Award from Intellyx and secured Series A funding to expand its platform.

How does IONIX differentiate itself from competitors?

IONIX stands out for its ML-based 'Connective Intelligence' that discovers more assets with fewer false positives, Threat Exposure Radar for prioritizing critical issues, and comprehensive digital supply chain coverage. Unlike alternatives, IONIX reduces noise, validates risks, and provides actionable insights for maximum risk reduction and operational efficiency.


Non human Identities – Permissions, Third Party Vulnerabilities and Risk

Amit Sheps, Director of Product Marketing
August 8, 2024

What are non-human identities?

Non-human identities (NHIs) dominate the era of cloud services and SaaS applications. They are the identities that authenticate between different servers, APIs and third-party integrations to provide programmatic access to data and services.

Non-human identities use different protocols, such as OAuth, REST and SSH. The complex nature of these integrations and permissions is part of the shadow IT problem: organizations easily lose track of them and end up with shadow identities performing sensitive actions and accessing customer data without their knowledge. These identities can be compromised and abused by attackers through phishing, misconfigured cloud resources, exploited vulnerabilities and exposed secrets.

What are digital supply chain attacks, and how do they happen?

A digital supply chain attack is an attack on one or more dependencies in an organization’s digital supply chain. The digital supply chain usually consists of a complex web of third-party software and services, each with access to different parts of the organization’s data and infrastructure. If any part of the digital supply chain is compromised, the effect flows on to the organization, causing business disruption and potential data breaches.

Example 1: Microsoft hacked by Midnight Blizzard

Figure (source: Wiz): Diagram of the “Midnight Blizzard Exchange Online Exfiltration Campaign,” showing a compromised account with a guessable password, creation of OAuth apps in a test environment, and escalation via a service principal in the corporate environment to exfiltrate mailboxes.

One example of a major digital supply chain attack is the attack on Microsoft by Midnight Blizzard, a Russian state hacking group. The attackers first gained access to a test email server via password spraying. By abusing the OAuth permissions attached to an old application on the mail server, they pivoted to the corporate Microsoft network. Through these non-human identities, the attackers obtained one of the highest privilege levels in Microsoft Entra and used it to access the email inboxes of Microsoft’s top leadership and security employees.

Example 2: Cloudflare breached via Okta compromise

Figure (source: Astrix): Diagram of a “Cloudflare breach flow” showing how a compromised Okta account led to leaked Cloudflare secrets, missed key rotations, and an Atlassian breach.

A different digital supply chain attack affected Okta and its customers in 2023: a third-party support desk employee’s credentials were compromised and abused to access multiple customer session cookies. With those cookies (which often belonged to IT or security admins of the customer’s organization), the attackers pivoted downstream into the customers’ Okta tenants.

This affected major Okta customers such as Cloudflare, whose services were estimated to be used by more than 7 million websites. During incident response, Cloudflare rotated more than 5,000 API keys but missed a few; the attackers used those keys to access internal Cloudflare documentation and source code, which they could analyze for vulnerabilities to mount further supply chain attacks.

Both of these examples show that compromises of first-party and third-party services, and the subsequent access to NHIs, allowed attackers to pivot to sensitive customer data, even in large organizations with huge security budgets.

Exploiting non-human identity vulnerabilities

So how do attackers exploit NHIs to breach organizations? First, they gain initial access to NHIs by abusing stolen credentials or cookies, exploiting vulnerable services, or using phishing to obtain permission grants. Attackers also find exposed secrets on platforms such as GitHub, which are often API keys attached to NHIs.

Then they explore the resources the compromised identity can reach, using the respective APIs such as Microsoft GraphQL or AWS IAM. Attackers also attempt privilege escalation and lateral movement to widen the resources they can access: assuming additional roles, abusing existing privileges, or even pivoting from cloud to on-premises infrastructure (“death from above”).

The general rule of thumb is that attackers go where your data is and carry out their objectives, be it exfiltration, encryption, manipulation or all of the above. For nation-state-sponsored APT (Advanced Persistent Threat) groups, long-term persistence is often a key goal, and they frequently create or modify additional NHIs to stay in your network undetected.
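The exposed-secrets path above (API keys attached to NHIs leaking into repositories) is the one defenders can check for mechanically. The following is an added example, not IONIX's code or any tool named in the post: a small scanner of the kind run in a pre-commit hook or CI job. It flags credential formats whose shape is publicly documented (AWS access key IDs, which start with `AKIA`, and GitHub personal access tokens, which start with `ghp_`) and falls back to a Shannon-entropy test for anything assigned to a secret-looking variable name, so a dictionary passphrase is not reported while a random token is. The sample text it scans is constructed and contains no real credentials; the `AKIAIOSFODNN7EXAMPLE` value is the placeholder AWS uses in its own documentation.

```python
"""Added example: detect NHI credentials exposed in text (commits, configs).

Not IONIX's code. Two strategies: known key formats by prefix and shape, and
high-entropy values assigned to secret-looking names. Sample input is constructed.
"""
import math
import re
from dataclasses import dataclass
from typing import List

# Formats whose shape is publicly documented: AWS access key IDs are "AKIA"
# plus 16 upper-case alphanumerics; GitHub PATs are "ghp_" plus 36 characters.
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Generic assignment such as  api_key = "..."  or  DB_PASSWORD: '...'
ASSIGNMENT = re.compile(
    r"(?i)(api[_-]?key|secret|token|password|passwd)\s*[:=]\s*['\"]?([A-Za-z0-9+/_=-]{16,})"
)


@dataclass
class Finding:
    line_no: int
    kind: str
    masked: str   # never log the full secret


def shannon_entropy(s: str) -> float:
    """Bits per character: random keys score ~4.5+, English words ~3."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(secret: str) -> str:
    return secret[:4] + "..." + secret[-2:] if len(secret) > 8 else "***"


def scan_text(text: str, entropy_threshold: float = 3.5) -> List[Finding]:
    """Return findings for every line that looks like it carries a credential."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in KNOWN_FORMATS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(line_no, kind, mask(m.group(0))))
        m = ASSIGNMENT.search(line)
        if m:
            value = m.group(2)
            already_known = any(p.search(value) for p in KNOWN_FORMATS.values())
            if not already_known and shannon_entropy(value) >= entropy_threshold:
                findings.append(Finding(line_no, "high_entropy_" + m.group(1).lower(), mask(value)))
    return findings


# Constructed sample; none of these are live credentials.
SAMPLE = """\
# constructed sample config, not real credentials
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = "correcthorsebatterystaple"
github_token: ghp_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
api_key = "q8Zx2LpW7vR3tYkN4sHd9JfBcV6mGeUa"
app_name = "billing-service"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.kind} ({f.masked})")
```

The passphrase on line 3 is below the entropy threshold and is not reported, which is the usual trade-off of entropy-based detection: it misses low-entropy secrets, so known formats are matched by shape first. A real deployment would run this over `git diff --cached` output and fail the commit on any finding.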

Solutions to address non-human identity risks

CTEM – Continuous Threat Exposure Monitoring

Continuous Threat Exposure Monitoring (CTEM), a Gartner-introduced framework, is a continuous and dynamic strategy for safeguarding an organization’s attack surface. It uses a proactive, lifecycle-based approach to continuously diagnose risks and act on remediating them.

CTEM consists of five key phases:

  1. Program Scoping – identify an initial scope that can deliver value based on the biggest risks to the business, and expand it as the program progresses.
  2. Attack Surface Discovery – discover the attack surface assets within the scope and assess their risk profiles, including vulnerabilities, misconfigurations, and security issues.
  3. Risk Prioritization – identify and address the threats most likely to be exploited against the organization and with the biggest business impact.
  4. Exposure Validation – conduct active exploitability testing to validate how potential attackers could actually exploit an identified exposure.
  5. Mobilization and Remediation – operationalize risk reduction and act on critical findings by reducing friction, aligning stakeholders, and streamlining remediation processes.

Figure: A circular CTEM diagram with five steps (Scoping, Discovery, Prioritization, Validation, and Mobilization) grouped under two phases: Diagnose and Action.

For organizations with a large number of NHIs, an implementation of CTEM with tools that integrate with all of your cloud resources, SaaS applications and authentication protocols can effectively find, validate and remediate NHI-based misconfigurations and threats.
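What "find and validate NHI-based misconfigurations" looks like in practice is an inventory audit. The following is an added example, not IONIX's code or the output of any product described here; the record layout, field names and the inventory itself are constructed. It runs three checks, each mirroring a failure mode from the incidents above: credentials that existed during an incident and were never rotated after the remediation cut-off (the handful of keys missed in the Cloudflare response), identities unused for months (shadow identities nobody owns), and highly privileged applications living in a test environment (the old OAuth application abused by Midnight Blizzard). The Microsoft Graph and AWS IAM scope names are real; the list of which ones count as high-privilege is an assumption.

```python
"""Added example: audit an NHI inventory for the failure modes in the post.

Not IONIX's code. Record layout, field names and data are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class NHI:
    name: str
    kind: str                      # "api_key", "oauth_app" or "service_principal"
    environment: str               # "prod" or "test"
    created: date
    last_used: Optional[date]      # None if never used
    last_rotated: Optional[date]   # None if never rotated
    scopes: List[str] = field(default_factory=list)


# Scopes granting tenant- or account-wide write access (assumed list; the
# Microsoft Graph and AWS IAM names themselves are real).
HIGH_PRIVILEGE_SCOPES = {"Directory.ReadWrite.All", "Mail.ReadWrite", "iam:*"}


def audit(inventory: List[NHI], rotation_cutoff: date, today: date,
          dormant_days: int = 90) -> Dict[str, List[str]]:
    """Return the names of NHIs failing each check, keyed by check name.

    rotation_cutoff: date by which every credential that existed during the
    incident was supposed to have been rotated.
    """
    issues: Dict[str, List[str]] = {
        "unrotated_since_cutoff": [],
        "dormant": [],
        "privileged_in_test": [],
    }
    for nhi in inventory:
        # 1. Existed before the cut-off and not rotated on or after it:
        #    an attacker who copied it during the incident can still use it.
        existed_before = nhi.created < rotation_cutoff
        rotated_after = nhi.last_rotated is not None and nhi.last_rotated >= rotation_cutoff
        if existed_before and not rotated_after:
            issues["unrotated_since_cutoff"].append(nhi.name)

        # 2. No activity for a long time: a shadow identity nobody is
        #    watching but that still holds its permissions.
        last_activity = nhi.last_used or nhi.created
        if today - last_activity > timedelta(days=dormant_days):
            issues["dormant"].append(nhi.name)

        # 3. Tenant-wide write scopes granted to an app in a test environment.
        if nhi.environment == "test" and HIGH_PRIVILEGE_SCOPES & set(nhi.scopes):
            issues["privileged_in_test"].append(nhi.name)
    return issues


# Constructed inventory (not real identities). TODAY is the post's date;
# ROTATION_CUTOFF is a made-up incident remediation date.
TODAY = date(2024, 8, 8)
ROTATION_CUTOFF = date(2024, 6, 1)
INVENTORY = [
    NHI("ci-deploy-key", "api_key", "prod", date(2023, 2, 1),
        last_used=date(2024, 8, 7), last_rotated=date(2024, 6, 3), scopes=["s3:PutObject"]),
    NHI("legacy-report-key", "api_key", "prod", date(2022, 5, 9),
        last_used=date(2024, 7, 20), last_rotated=None, scopes=["s3:GetObject"]),
    NHI("qa-mail-app", "oauth_app", "test", date(2021, 11, 20),
        last_used=date(2022, 1, 15), last_rotated=date(2021, 11, 20),
        scopes=["Mail.ReadWrite", "Directory.ReadWrite.All"]),
    NHI("old-monitoring-token", "api_key", "prod", date(2024, 4, 15),
        last_used=date(2024, 4, 20), last_rotated=date(2024, 6, 2),
        scopes=["cloudwatch:GetMetricData"]),
    NHI("new-vendor-sp", "service_principal", "prod", date(2024, 7, 1),
        last_used=date(2024, 8, 1), last_rotated=date(2024, 7, 1), scopes=["User.Read"]),
]

if __name__ == "__main__":
    for check, names in audit(INVENTORY, ROTATION_CUTOFF, TODAY).items():
        print(f"{check}: {names}")
```

The rotation check is deliberately keyed on the cut-off date rather than on "was this key in the rotation list", because the keys that hurt Cloudflare were precisely the ones that never made it onto the list. Feeding the audit requires the discovery phase to have already pulled keys, apps and service principals from every cloud account, SaaS tenant and identity provider; an inventory that only covers the primary cloud will miss the test-tenant application pattern entirely.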

EASM – External Attack Surface Management

An organization’s external attack surface is all of its internet-facing assets – from domain names and SSL certificates to email servers, cloud infrastructure, and IoT devices. It covers both first-party assets and third-party ones connected to the organization via its digital supply chain.

Figure: Concentric circles labeled DNS Server, Web App, E-Mail, Cloud, Certificate, and Mail Server, with callouts showing 10,000 organizational assets, 3,000 external assets, and 20,000 connections.

External Attack Surface Management (EASM) is the continuous discovery, monitoring, evaluation, prioritization, and remediation of these attack vectors, prioritized according to the actual risk posed by a given threat. It is essentially an implementation of CTEM that gives organizations a fast return on investment by proactively reducing the attack surface.

Let’s look at an example: suppose an organization runs a WordPress website on one of its external assets, with a plugin installed that has a known CVE. An EASM solution quickly detects the vulnerability, raises it as a finding with the appropriate severity, and then guides remediation by providing advice. After the risk is resolved, the EASM solution continues to monitor the same assets for any future exposure in the digital supply chain.

Risk prioritization of external attack surface

Most organizations have a very limited security budget, which is why risk prioritization is more important than ever. The large volume of alerts coming from various security tools can also lead to burnout and alert fatigue.

Figure: A simple chart labeled "Open Action Items By Urgency," showing 57 Critical, 81 High, 379 Medium, 789 Low, and 1264 Info items.

This is definitely the case with NHI risks. With every new piece of software and integration that is onboarded, the number of non-human identities in an organization grows, and it can quickly become untenable to manage.

Good EASM tools help with risk prioritization by learning your organization’s crown jewels and thinking like an attacker when validating the exploitability of each risk. Solid risk prioritization reduces the work you need to do and helps secure leadership buy-in by remediating major business risks.
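To make concrete how validation and business context change a queue like the one in the chart above, here is an added example, not IONIX's scoring model or any published one: findings are ranked by scanner severity alone and then re-ranked with assumed multipliers for a validated exploit path, internet exposure and crown-jewel status. The findings and the weights are constructed for illustration; the WordPress-plugin finding is the one from the EASM example above, and the leaked-key and test-environment OAuth app findings echo the NHI incidents earlier in the post.

```python
"""Added example: re-rank findings by validated exploitability and context.

Not IONIX's code. Findings and weights are constructed assumptions chosen to
show the effect, not a published scoring model.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    asset: str
    title: str
    base_severity: float   # 0-10, as a scanner reports it
    validated: bool        # exposure validation confirmed a working exploit path
    internet_facing: bool
    crown_jewel: bool      # asset stores or guards sensitive data


# Assumed weights: a confirmed exploit path counts for more than a theoretical
# one, internal-only assets count for less, crown jewels count for more.
W_VALIDATED, W_UNVALIDATED = 1.5, 0.6
W_INTERNAL = 0.5
W_CROWN_JEWEL = 1.4


def priority_score(f: Finding) -> float:
    score = f.base_severity * (W_VALIDATED if f.validated else W_UNVALIDATED)
    if not f.internet_facing:
        score *= W_INTERNAL
    if f.crown_jewel:
        score *= W_CROWN_JEWEL
    return round(score, 2)


def urgency(score: float) -> str:
    """Bucket a score into the urgency labels used on the chart."""
    if score >= 9:
        return "Critical"
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    if score >= 1:
        return "Low"
    return "Info"


def by_severity_only(findings: List[Finding]) -> List[str]:
    """The queue a scanner produces: highest CVSS-style severity first."""
    return [f.asset for f in sorted(findings, key=lambda f: f.base_severity, reverse=True)]


def prioritize(findings: List[Finding]) -> List[Tuple[str, str, float]]:
    """Queue sorted by context-aware score, highest first (stable for ties)."""
    ranked = sorted(findings, key=priority_score, reverse=True)
    return [(f.asset, urgency(priority_score(f)), priority_score(f)) for f in ranked]


# Constructed findings; example.com is a reserved documentation domain.
FINDINGS = [
    Finding("www.example.com", "WordPress plugin with known RCE CVE", 9.8,
            validated=True, internet_facing=True, crown_jewel=False),
    Finding("intranet-wiki", "Outdated TLS configuration", 7.5,
            validated=False, internet_facing=False, crown_jewel=False),
    Finding("api.example.com", "Leaked API key with read access to customer DB", 6.5,
            validated=True, internet_facing=True, crown_jewel=True),
    Finding("staging.example.com", "Directory listing enabled", 5.3,
            validated=False, internet_facing=True, crown_jewel=False),
    Finding("legacy-test-env", "Old OAuth app holding Mail.ReadWrite", 9.1,
            validated=False, internet_facing=True, crown_jewel=True),
]

if __name__ == "__main__":
    print("severity only :", by_severity_only(FINDINGS))
    for asset, label, score in prioritize(FINDINGS):
        print(f"{label:8} {score:6.2f}  {asset}")
```

Under severity alone the leaked key guarding customer data sits fourth; with validation and crown-jewel context it moves to second, while the internal TLS issue drops to the bottom. The unvalidated test-environment OAuth app stays high because of its scopes and the data it reaches, which is the signal exposure validation should be pointed at next.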

IONIX manages NHI risks as a CTEM platform

We are entering the era of non-human identities, which introduces new risks and requires better approaches to manage the increased attack surface of both first and third-party assets.

IONIX’s platform provides continuous, comprehensive discovery, assessment, and exposure validation across diverse IT environments, including cloud-based, vendor systems, and digital supply chains. The platform prioritizes risks based on business context, exploitability, and threat intelligence data. What’s more, IONIX can be seamlessly integrated with existing security operations systems, streamlining workflows and bolstering overall cybersecurity resilience. 
To see how IONIX CTEM can find and address your non-human identity risks, request a scan today.
