Security Score for Non-Human Identities
The Security Score for Non-Human Identities (NHIs) is a quantitative metric, often expressed as a numerical score (e.g., 0-100) or a letter grade (e.g., A-F), that measures an organization's security posture and hygiene specifically concerning its automated machine accounts.
This score is calculated by continuously assessing the risk factors associated with NHIs, such as API keys, service accounts, and tokens, to determine the likelihood and potential impact of an attacker exploiting a machine credential.
Purpose and Function
The primary purpose of the NHI Security Score is to translate the complexity and high volume of machine identities into an actionable, easily understood metric for security teams and executive leadership. It functions as a single source of truth for identity security posture management (ISPM).
Risk Prioritization: The score enables security teams to prioritize remediation efforts by highlighting NHIs that pose the greatest risk, often giving critical issues greater weight than low-severity ones.
Compliance and Governance: It provides an objective measure of adherence to security best practices and regulatory requirements related to automated access.
Key Factors in Score Calculation
The score is influenced by a proprietary algorithm that aggregates data from continuous monitoring and compares the organization's NHI configuration against recommended best practices. The most critical factors include:
Credential Exposure (Secret Leakage): This measures if the NHI's secret (key or token) is hardcoded, stored insecurely, or publicly leaked into places like code repositories, which is a leading cause of compromise.
Privilege Level (Entitlements): This assesses whether the NHI adheres to the Principle of Least Privilege (PoLP). Over-privileged NHIs, such as those with broad administrative access, significantly degrade the score, as their compromise would have catastrophic impact.
Lifecycle Management: This checks for improper offboarding (e.g., orphaned or ghost accounts that remain active and unmonitored after their associated service is decommissioned) and the use of long-lived secrets.
Configuration Hygiene: This involves checking for fundamental security practices, such as the rotation frequency of static credentials and whether secure secrets management solutions are being used.
Anomalous Activity: The score may integrate activity-based risk by monitoring NHI usage for deviations from established behavioral baselines (e.g., an identity accessing a system it has never touched before).
The final score is a reflection of the extent to which an organization has adopted security features and controls to offset the inherent risks posed by its vast number of non-human identities.
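The factor model above, as an added illustration (not ThreatNG's proprietary algorithm): each identity is checked against the five factors, critical findings carry larger assumed weights, and the per-identity risks roll up into a 0-100 score, an A-F grade and a remediation order. The weights, thresholds and the sample inventory are constructed for this example.

```python
# Added illustrative model of an NHI Security Score. The factor weights and the
# aggregation are constructed assumptions, not ThreatNG's proprietary algorithm.
from dataclasses import dataclass

WEIGHTS = {                    # assumed severity weights per risk factor
    "secret_leaked": 40,       # credential exposure: leaked into a public place
    "admin_privilege": 25,     # entitlements: violates least privilege
    "orphaned": 15,            # lifecycle: service decommissioned, account still active
    "stale_secret": 10,        # hygiene: static credential past its rotation deadline
    "anomalous_activity": 10,  # usage deviating from the behavioural baseline
}
GRADE_BOUNDS = [(90, "A"), (80, "B"), (70, "C"), (60, "D")]  # below 60 is F

@dataclass
class NHI:
    name: str
    secret_age_days: int
    admin: bool = False
    orphaned: bool = False
    leaked: bool = False
    anomalous: bool = False

def risk_factors(nhi: NHI) -> list:
    """Names of the risk factors this identity triggers, most severe first."""
    hits = {"secret_leaked": nhi.leaked, "admin_privilege": nhi.admin,
            "orphaned": nhi.orphaned,
            "stale_secret": nhi.secret_age_days > 90,  # assumed 90-day rotation policy
            "anomalous_activity": nhi.anomalous}
    return [name for name, hit in hits.items() if hit]
def nhi_risk(nhi: NHI) -> int:
    """Per-identity risk on a 0-100 scale: weighted sum of triggered factors, capped."""
    return min(100, sum(WEIGHTS[f] for f in risk_factors(nhi)))
def security_score(inventory: list) -> int:
    """Organisation score 0-100: 100 minus the mean per-identity risk."""
    if not inventory:
        return 100
    return int(round(100 - sum(nhi_risk(n) for n in inventory) / len(inventory)))
def grade(score: int) -> str:
    """Map a 0-100 score onto the A-F scale used for the rating."""
    return next((g for bound, g in GRADE_BOUNDS if score >= bound), "F")
def prioritize(inventory: list) -> list:
    """Remediation order: highest-risk identities first, with their factors."""
    ranked = sorted(inventory, key=nhi_risk, reverse=True)
    return [(n.name, nhi_risk(n), risk_factors(n)) for n in ranked]
SAMPLE = [  # constructed inventory of fictional identities
    NHI("ci-deploy-token", secret_age_days=400, admin=True, leaked=True),
    NHI("svc-billing", secret_age_days=30, orphaned=True, anomalous=True),
    NHI("reporting-reader", secret_age_days=20),
    NHI("legacy-backup", secret_age_days=720, orphaned=True),
]
```

With the sample inventory the single leaked admin token dominates the result: the organisation lands at 69 (grade D) even though half of its identities are clean.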
ThreatNG is highly effective at helping manage the Security Score for Non-Human Identities (NHIs) because its platform is built to continuously and objectively measure the key factors that drive this score: external exposure of machine credentials and the resulting expansion of the attack surface.
ThreatNG's Role in Quantifying NHI Security
External Discovery and Continuous Monitoring
ThreatNG performs purely external unauthenticated discovery, which is the foundational methodology for finding the exposed secrets that directly lead to a poor NHI Security Score. It finds credentials exactly where an attacker would look: in public code, mobile applications, and misconfigured external infrastructure. Through Continuous Monitoring of the external attack surface, ThreatNG ensures that the high-volume, dynamic nature of NHI credentials (NHI sprawl) does not create security blind spots, and any new exposure is immediately detected and factored into the score.
External Assessment and Examples
ThreatNG calculates a dedicated, high-level metric that directly serves as an objective external NHI Security Score:
Non-Human Identity (NHI) Exposure Security Rating: This critical governance metric (A-F scale, with A being the best and F being the worst) quantifies the organization's vulnerability to threats originating from high-privilege machine identities, which include leaked API keys, service accounts, and system credentials.
The rating's certainty is achieved by continuously assessing 11 specific exposure vectors, including Sensitive Code Exposure and misconfigured Cloud Exposure.
Example: The discovery of a publicly exposed Artifactory API Token or a Square OAuth Secret instantly degrades the NHI Exposure Security Rating, as these are high-privilege NHI secrets that grant unauthorized programmatic access to build systems or financial services.
Investigation Modules and Examples
The investigation modules provide the essential granular findings on credential exposure and poor hygiene:
Sensitive Code Exposure: This module directly addresses the credential exposure factor of the NHI Security Score. The Code Repository Exposure submodule finds Access Credentials and Security Credentials in public code repositories.
Example: ThreatNG identifies a public repository containing a hardcoded AWS Access Key ID, a Google Cloud Platform OAuth token, or a PGP private key block, all of which are critical NHI secrets that significantly lower the organization's security score.
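An added example of the detection logic behind such a finding (this is a constructed scanner, not ThreatNG's implementation): it runs a few public secret formats over a constructed repository, reports each hit with a masked value so the report does not re-leak the credential, and returns the worst severity that would feed the credential-exposure factor. The regexes and severities are assumptions; the AKIA value is the AWS documentation placeholder.

```python
# Added example of the detection logic behind a "Sensitive Code Exposure"
# finding. Patterns, severities and the sample files are constructed for this
# page; the scanner is not ThreatNG's implementation.
import re

# Assumed detectors: (name, regex, severity). AKIA... is the public AWS access key
# ID format, ya29. the Google OAuth2 access-token prefix, the PGP header is standard.
DETECTORS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "critical"),
    ("gcp_oauth_token", re.compile(r"\bya29\.[0-9A-Za-z_-]{20,}"), "critical"),
    ("pgp_private_key", re.compile(r"-----BEGIN PGP PRIVATE KEY BLOCK-----"), "critical"),
    ("generic_api_key", re.compile(r"(?i)api[_-]?key\s*[:=]\s*['\"][A-Za-z0-9]{16,}['\"]"), "high"),
]
SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1}

def mask(secret: str) -> str:
    """Keep only a short prefix so the report itself does not re-leak the credential."""
    return secret[:6] + "..." if len(secret) > 6 else "***"

def scan_text(path: str, text: str) -> list:
    """Return (path, line_no, detector, severity, masked_match) for every hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern, severity in DETECTORS:
            for m in pattern.finditer(line):
                findings.append((path, line_no, name, severity, mask(m.group(0))))
    return findings

def scan_repo(files: dict) -> list:
    """Scan a {path: contents} mapping; most severe findings come first."""
    findings = [f for path, text in files.items() for f in scan_text(path, text)]
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[3]], reverse=True)

def worst_severity(findings: list) -> str:
    """Severity that feeds the credential-exposure factor of the score."""
    return max((f[3] for f in findings), key=SEVERITY_RANK.get, default="none")

SAMPLE_REPO = {  # constructed files; the AKIA value is the AWS documentation placeholder
    "deploy/config.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
                        'SQUARE_API_KEY = "sq0constructedexamplekey12345"\n',
    "scripts/sync.sh": 'TOKEN="ya29.a0ConstructedExampleTokenValue1234567890"\n',
    "keys/backup.asc": "-----BEGIN PGP PRIVATE KEY BLOCK-----\n(constructed body)\n",
    "README.md": "Configuration is read from the vault at runtime.\n",
}
```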
Mobile Application Discovery: This module scans mobile apps found in marketplaces for hardcoded NHI credentials.
Example: ThreatNG discovers a hardcoded Heroku API Key or a Facebook Secret Key within the application content, revealing exposed NHI credentials that contribute to a lower score.
NHI Email Exposure: This module identifies and groups exposed role-based email addresses (like system, svc, devops, jenkins, and service) that are typically tied to unmonitored NHI service accounts.
Example: An attacker can target a discovered svc@company.com email address for compromise to gain control of the associated service account, an exposure that lowers the score.
Cloud and SaaS Exposure: This module identifies misconfigured infrastructure where NHIs operate, such as Open Exposed Cloud Buckets.
Intelligence Repositories and Reporting
ThreatNG enhances the NHI Security Score by providing threat intelligence and high-certainty reporting:
Compromised Credentials (DarCache Rupture): If ThreatNG discovers an exposed NHI credential, this repository immediately checks to see if the same credential has been found in dark web dumps. This confirmation of active compromise risk escalates the severity of the NHI Exposure Security Rating.
Context Engine™: The engine delivers Legal-Grade Attribution, which converts chaotic technical findings (like a publicly exposed service account key) into irrefutable evidence. This certainty is crucial for justifying the immediate, high-priority remediation needed to raise a poor NHI security score.
Reporting: The NHI Exposure Security Rating is presented clearly on the A-F scale. The Prioritized Reports (High, Medium, Low) ensure that teams focus first on the most severe and exposed NHI credentials, facilitating rapid governance action.
Complementary Solutions
ThreatNG's external NHI findings can be integrated with internal systems to enforce the core strategies of NHI security, such as secure storage and lifecycle management:
Secrets Management Solutions: When ThreatNG discovers a hardcoded credential (e.g., a Twilio API Key), this external alert can be automatically sent to the organization's Secrets Management tool. The tool can then use this alert to revoke the exposed key and enforce the secure retrieval of the new credential from the vault, mitigating the security risk and ensuring safe storage.
Cloud Infrastructure Entitlement Management (CIEM) Tools: The discovery of a critical cloud credential leakage (e.g., AWS Access Key ID) is shared with a CIEM tool. The CIEM tool can then use this external finding to perform an authenticated internal analysis to determine the actual Privilege Level of the exposed key and automatically enforce the Principle of Least Privilege by revoking any unnecessary permissions or triggering a key rotation, thus improving the overall NHI security score.
Security Orchestration, Automation, and Response (SOAR) Platforms: A critical alert from ThreatNG regarding a significant NHI Exposure can trigger a SOAR platform. The SOAR platform can automatically use this external finding to open a high-priority incident ticket, notify the security operations center (SOC), and initiate automated steps to quarantine the exposed code or asset, ensuring prompt governance and control.