Diving into non-human identity


Who has access to what? That’s the defining question of identity and access management (IAM). It’s been that way since ye olden days. Delivering the right access to the right people at the right time has been core to the mission of workforce identity. Except…

… that wasn’t always really true. “What can the database administrator do?” We knew early on that there are enterprise functions that are more closely aligned with job responsibility than a specific person. And because of the proclivities of the systems being managed, multiple people ended up sharing the same highly privileged accounts. And so a raft of technologies from role-based access control to privileged user/account management was created. Problem solved; case closed. Except…

… it wasn’t that simple. Well, more accurately, our enterprise computing world got more complicated – a whole lot more complicated. The ability to automate, not just jobs in business systems, but the entire lifecycle of all the components that make up those business systems, became commonplace. And with the associated complexity in automating literally everything came a massive governance burden; one that existing IAM technologies and techniques were not equipped to handle.

Now the question is not just who has access to what, but also what has access to what. Where the “who” was often constrained to employees, contractors, partners, and customers… the “what” in what has access to what is a much larger set of things. Workloads, secrets, service principals, underlying mTLS certificates… and the list goes on. More importantly, many of these kinds of “what” are force multipliers, especially in bad situations. Allow a certificate to expire and whole systems fail to communicate. Exfiltrated static tokens lead to unfettered API access. Unmanaged workloads, at a minimum, mean unexpected costs. These pose bad-things-at-scale (BaTS) problems.

While I know a decent amount about dealing with human identity in the workforce and well beyond, I definitely am not as strong when it comes to non-human identity. Said differently, I can give you dozens of techniques to help answer who has access to what, but I just don’t have that same depth of knowledge when it comes to answering what has access to what. And it’s high time I learn.

Part of the joy of Weave Identity is that it enables me to work in areas of identity, security, and privacy, where I want to learn more and to grow. I get to see a wider breadth of problems to be solved. I am forced to up my game in new (at least to me) domains. And I love it! It allows me to continue to grow.

And that’s why I am so excited to start working with Natoma. They are tackling hard non-human identity problems, ones that I am only beginning to fully understand, ones that enterprises grapple with every day. It’s an honor to work with such a great team; it’s a privilege to have the opportunity to continue to grow. I can’t wait to help answer the question of what has access to what!