NHI with Clutch Security

Video: https://youtu.be/81M86g-Cje0

Key Themes and Most Important Ideas/Facts

1. NHI: An Old Problem, Newly Recognized and Critical

• Historical Neglect: Historically, security focus was primarily on human identity (SAML, Okta, Ping, Microsoft). Machine identity, initially perceived as "boring," was largely limited to key management (Venafi) and secrets management (Hashicorp).
• Ubiquity and Abuse: NHI is not a new problem, dating back to "Windows NT4." However, its "abuse" is now a major factor in modern breaches.
• Driving Force Behind Recent Breaches: NHI is increasingly implicated in high-profile cyberattacks. Ofir states, "every time that… we got into that company and saw what happened some form of NHI some form of a secret or an API key or service account was… was involved and that was the tipping point of the breach." Examples cited include "Circle CI breach and the cyance and Cloudflare and Octa Department of Justice." The Octa breach leading to Cloudflare's breach involved an "Octa service account… that was… leaked."
• Definition of NHI: The industry struggles with consistent terminology. Clutch initially used "workload identities" and "programmatic identities" before settling on "non-human identities" for clarity. Gartner uses "machine identities," which Ofir finds imperfect as it suggests "devices assets."
• Clutch's Working Definition: NHI refers to "API keys, OAUTH applications, OAUTH tokens, service account certificates, SSH keys, personal access tokens... any type of identity or credential that's authenticating programmatically."
• Distinction between Identity and Credential: Ofir clarifies, "an API key is a credential, it's not tied to any identity."

2. Limitations of Traditional Secrets Management (Vaults)

• Secure Storage, Not Contextual Awareness: While vaults (like Hashicorp) are "great" for preventing "secret sprawl" by storing credentials in a "safe and secure location," they are "not enough."
• Lack of Context: A vault "doesn't know if something is in it but is also someplace else... It doesn't have any context on those secrets it's storing... and lastly it doesn't know anything about how this thing is being used what's it fetch from the vault."
• Widespread Distribution: NHI is "everywhere" – "API keys and secrets and tokens and service accounts and certificates and they're in active directory they're in a lot of SAS applications and they're still inside the code and CI/CD pipelines data warehouses." This makes it "hard to make sure that everything is is in there."

3. Attack Vectors and Breach Mechanics

• Programmatic Identities as Culprits: "Almost every breach I was… doing the remediation there was some form of programmatic identity some service account or API key as as the culprit."
• Human-Assisted and Direct Exploitation: Breaches often involve a combination:
• Hardcoded Secrets: Secrets "hardcoded in the code" that "leaked" are "handed to them on a silver platter."
• Lateral Movement: Attackers gaining initial human access (e.g., via phishing) then use "some sort of service account that's privileged and has access to the entire domain" for lateral movement.
• Accidental Leaks: Mistakes by developers (hardcoding, sharing on Slack, storing insecurely) create exploitable attack surface.
• Interconnected Ecosystem ("Clutch Terrain"): Breaches traverse "planes" or "terrains" (on-prem, cloud, SaaS, data warehouses). Traditional security solutions (CSPM, DSPM, SSPM) are "fixed on a single terrain," but "today SAS speaks to cloud speaks to onrem speaks to data it's a fully interconnected ecosystem and what's interconnecting those terrains is those identities."

4. The Fallacy of Routine Credential Rotation

• NIST's New Recommendation: "NIST came out last September with 863b where they recommended for the first time that a credential should not be rotated unless it's positively known to have been compromised."
• Attackers Operate at Automation Speed: Clutch's research demonstrated that leaked secrets were "found within minutes and exploited within minutes." Even with aggressive rotation (e.g., every 5 minutes), attackers can still exploit secrets before revocation.
• "Don't Rotate and Pray": Ofir advises against routine rotation because "attackers are not going to wait they move really really fast."
• Friction and False Sense of Security: Rotation "creates friction between teams" and "creates a false sense of security."
• Focus on Real-Time Understanding: The emphasis should be on "understand[ing] how that secret is being used" and real-time compromise detection.

5. Clutch Security's Vision and Product Pillars

• Holistic Approach: Unlike fragmented human identity management, NHI is "all over." A solution must be "holistic" to cover the "entire enterprise tech stack: cloud, SAS, on-prem, CACD pipelines, data warehouses, etc."

1. Core Product Pillars: Visibility/Inventory (Foundation): "Being able to have a single inventory across all the different places in the enterprise and being able to discover new ones as they get generated." This addresses the fundamental question: "if you don't know what you have how can you know what you need to secure?"
2. Lifecycle Management: Assigning "ownership," handling "orphaned identities," conducting "attestation and re-certification" (e.g., every 60-90 days).
3. Posture, Hygiene, Risk: Identifying "overprivileged" NHI and "rightsizeing it." Developers often grant high privileges to avoid friction.
4. Real-time Response: "Being able to respond quick and find those attacks in real time."

• Identity-Centric Focus: Clutch focuses on the "identity itself" and "traveling it wherever it goes," rather than being confined to single "terrains." This provides more comprehensive context across hybrid environments.
• Zero Trust and Continuous Verification: The long-term approach is "taking a zero trust approach and one of the pillars of zero trust is continuous verification and validation." This involves understanding in real-time if a service account has been compromised, allowing security teams "autonomy to put the controls in place themselves."

6. The Impact of Agentic AI on NHI

• Rapid Growth and Risk: "Agentic AI now enables even end developers to do work faster," which "creates risk."
• Enterprise Deployments vs. Shadow AI: AI agents can be officially deployed (e.g., Vertex, Bedrock) or emerge as "shadow agents/shadow AI" (e.g., developers hardcoding secrets for AI tools like MCP).
• NHI as the "Body" of AI Agents: Ofir posits, "an AI agent without an NHI couldn't really do a lot of damage because it's not really acting on anything but once you give it that access key or that token to be able to speak to that external system and do its thing that's where things become a bit more challenging." NHI provides the "agency" for the AI agent (the "brain") to perform actions.
• Increased Visibility Challenges: AI agents "make it a bit more difficult" to achieve visibility because they are "active and sometimes they're very short-lived."
• Future Implications: Agentic AI is an "inseparable part of the problem" and "definitely a subset of NHI." Standards and protocols are still evolving.

7. Future Outlook and Value Proposition

• Problem Worsens Before It Gets Better: The introduction of AI agents will make the NHI problem "a bit worse before it's going to get better" due to the "steroids" effect on visibility challenges.
• Continued Value Proposition:Year 1 (Visibility): "Getting the house ready and clean," achieving "holistic" visibility across the complex enterprise landscape. This acts as a "force multiplier" for understaffed security teams.
• Year 2-3+ (Automation and Policy Enforcement): Once visibility is achieved, the focus shifts to "picking those policies to make sure that everything is on autopilot" (e.g., automated ownership transfers for departed employees, continuous governance of AI agents).
• Beyond Point Solutions: NHI solutions must "hooking into all of those places in the enterprise where the real work happens and the real risk resides" with "detective controls compensating controls preventative controls to allow you to be on autopilot."
• Market Dynamics:Legacy vendors (e.g., CyberArk acquiring Venafi, Okta's recent announcements) are entering the NHI space.
• Clutch, as a pure-play, remains focused on "being customer obsessed" and solving the "most acute" problems in the enterprise market.
• Clutch's advantage stems from its team's "practitioner and an informed approach," with experience in "incident response" and understanding "how attackers behave."