Just as human employees go through onboarding, role changes, and offboarding, NHIs have lifecycles that need to be managed meticulously. The JML framework can be applied to NHIs: Creation (Joiner), Rotation (Mover), and Deletion (Leaver)—or, for acronym lovers, CRD—to ensure that NHIs are appropriately handled throughout their existence.

Creation (Joiner): Setting Up New Integrations and Services

When a new integration or service is introduced, an NHI, such as a service account or access token, is created to facilitate its operations. This step is crucial:

  • Access Control: Define the minimum necessary permissions for the NHI to perform its functions, adhering to the principle of least privilege.

  • Documentation: Capture details about the NHI, including its purpose, permissions, and associated systems, to maintain an accurate inventory.

  • Security Configurations: Apply security best practices from the start: prefer short-lived, workload-bound credentials (federated OIDC tokens, client certificates) over long-lived static secrets, keep any secret that must exist in a secrets manager rather than in code or configuration files, and require encrypted channels for every call the NHI makes.

Why It Matters: Proper creation of NHIs prevents unauthorized access and reduces the attack surface. It sets a strong foundation for the NHI's lifecycle, ensuring that it serves its intended purpose without posing security risks.

Rotation (Mover): Adapting to Changes and Policies

Over time, NHIs may require updates due to policy changes, security patches, or operational shifts. Rotation involves:

  • Credential Updates: Regularly rotating passwords, API keys, or certificates so that a credential that has leaked (into a log, a repository, or a compromised host) stops working after a bounded window rather than indefinitely.

  • Policy Compliance: Adjusting permissions and settings to align with new security policies or regulatory requirements.

  • Trigger-Based Actions: Initiating rotations when specific events occur, such as the employee who owns the NHI leaving the organization or the credential being found somewhere it should not be.

Why It Matters: Rotation does not stop a credential from being stolen, but it bounds how long a stolen one stays useful and cuts off access obtained through a credential the organization no longer trusts. It also keeps NHIs aligned with current security standards and corrects permission drift promptly.

Deletion (Leaver): Decommissioning Unused or Dormant NHIs

When an NHI is no longer needed—perhaps the associated service is retired or an integration is obsolete—it should be properly decommissioned:

  • Revoking Access: Remove the NHI's permissions and disable its credentials, including any tokens or sessions already issued to it, so nothing can use it later. Disabling first and deleting after a quarantine period means an overlooked dependency shows up as an authentication failure that can be fixed, rather than as lost history.

  • Audit and Documentation: Update records to reflect the NHI's decommissioning, maintaining an accurate inventory.

  • Data Handling: Ensure that any data associated with the NHI is handled according to data retention and deletion policies.

Why It Matters: Deleting unused NHIs reduces security risks by eliminating potential entry points for attackers. It also helps maintain a clean and efficient system environment, free from clutter that can complicate management efforts.
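The three phases above, as an added example that is not part of the original post and not Natoma's product code: a small in-memory inventory that creates NHIs under least privilege (Joiner), rotates their credentials on a schedule or on a trigger (Mover), and finds and decommissions the ones nobody uses (Leaver). The 90-day rotation policy, the 60-day dormancy threshold, the role catalogue and all names are assumptions made for the demo.

```python
"""Added example, not Natoma's code: Joiner / Mover / Leaver for NHIs, in memory."""
import hashlib, hmac, secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_CREDENTIAL_AGE = timedelta(days=90)  # assumed rotation policy
DORMANCY_LIMIT = timedelta(days=60)      # assumed: unused this long = dormant
ROLE_CATALOGUE = {                       # assumed pre-approved least-privilege roles
    "ci-deploy": frozenset({"artifact:read", "deploy:write"}),
}


class PolicyError(Exception):
    pass


@dataclass
class NHI:
    name: str
    purpose: str                 # documentation captured at creation
    owner: str                   # accountable human; drives trigger-based rotation
    systems: tuple[str, ...]     # where the identity is used
    permissions: frozenset[str]
    credential_hash: str         # hash only; the secret itself lives in a vault
    rotated_at: datetime
    last_used_at: datetime
    active: bool = True
    audit: list[str] = field(default_factory=list)


def _hash(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


class NHIInventory:
    def __init__(self) -> None:
        self.nhis: dict[str, NHI] = {}

    # Joiner: permissions are checked against a role, wildcards are refused, and
    # the secret is returned exactly once (for the secrets manager, not a repo).
    def create(self, name, purpose, owner, systems, role, requested, now):
        if name in self.nhis:
            raise PolicyError(f"{name} already exists")
        allowed = ROLE_CATALOGUE.get(role)
        if allowed is None:
            raise PolicyError(f"unknown role {role!r}")
        granted = frozenset(requested)
        if "*" in granted or not granted <= allowed:
            raise PolicyError(f"{sorted(granted - allowed)} exceed role {role!r}")
        secret = secrets.token_urlsafe(32)
        self.nhis[name] = NHI(name, purpose, owner, tuple(systems), granted,
                              _hash(secret), now, now,
                              audit=[f"{now.isoformat()} created for {owner}: {purpose}"])
        return secret

    # Mover: re-key on schedule or on a trigger; the old secret stops working.
    def rotate(self, name, now, reason="scheduled"):
        nhi = self._require_active(name)
        secret = secrets.token_urlsafe(32)
        nhi.credential_hash, nhi.rotated_at = _hash(secret), now
        nhi.audit.append(f"{now.isoformat()} rotated ({reason})")
        return secret

    def due_for_rotation(self, now):
        return sorted(n.name for n in self.nhis.values()
                      if n.active and now - n.rotated_at > MAX_CREDENTIAL_AGE)

    def owner_left(self, owner, new_owner, now):
        names = [n.name for n in self.nhis.values() if n.active and n.owner == owner]
        for name in names:
            self.nhis[name].owner = new_owner
            self.rotate(name, now, reason=f"owner {owner} left")
        return names

    # Leaver: find what nobody uses, then disable it and strip its rights.
    def find_dormant(self, now):
        return sorted(n.name for n in self.nhis.values()
                      if n.active and n.last_used_at < now - DORMANCY_LIMIT)

    def decommission(self, name, now, reason):
        nhi = self._require_active(name)
        nhi.active, nhi.permissions, nhi.credential_hash = False, frozenset(), ""
        nhi.audit.append(f"{now.isoformat()} decommissioned ({reason})")

    # Relying-service check: unknown, disabled and overdue NHIs all fail closed.
    def authenticate(self, name, secret, now):
        nhi = self.nhis.get(name)
        ok = (nhi is not None and nhi.active
              and now - nhi.rotated_at <= MAX_CREDENTIAL_AGE
              and hmac.compare_digest(nhi.credential_hash, _hash(secret)))
        if ok:
            nhi.last_used_at = now
        return ok

    def _require_active(self, name):
        nhi = self.nhis.get(name)
        if nhi is None or not nhi.active:
            raise PolicyError(f"{name} is not an active NHI")
        return nhi
```

Two design choices carry the security point. The inventory never stores a secret, only its hash, and `create` and `rotate` hand the plaintext back exactly once, so the place it ends up (a secrets manager, a CI variable store) is a deliberate decision rather than an accident. And `authenticate` fails closed on an overdue rotation instead of merely reporting it, which turns a missed rotation into a visible outage for one workload rather than a silently stale credential. In a real deployment the same calls would be wired to the identity provider or cloud IAM API that actually issues and revokes the credential.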

Benefits of Implementing JML Processes for NHIs

  • Enhanced Security: Managing NHIs through their whole lifecycle shrinks the set of live credentials an attacker can find and use, and shortens how long any one of them stays useful.

  • Regulatory Compliance: Proper handling of NHIs helps meet legal requirements for data protection and access control.

  • Operational Efficiency: Streamlined processes prevent disruptions caused by outdated or orphaned NHIs, ensuring smooth operations.

  • Accountability and Transparency: Clear records of NHIs and their statuses foster accountability within the organization.

Conclusion

Non-Human Identities are integral to the functionality of modern organizations, yet they often exist in the shadows of identity management practices. By applying Joiner, Mover, Leaver processes to NHIs, organizations can significantly bolster their security posture, ensure compliance, and enhance operational efficiency. It's time to bring NHIs into the light and manage them with the same rigor we apply to human identities.

About Natoma

Natoma enables enterprises to adopt AI agents securely. The secure agent access gateway empowers organizations to unlock the full power of AI, by connecting agents to their tools and data without compromising security.

Leveraging a hosted MCP platform, Natoma provides enterprise-grade authentication, fine-grained authorization, and governance for AI agents with flexible deployment models and out-of-the-box support for 100+ pre-built MCP servers.

You may also be interested in:

MCP Access Control: OPA vs Cedar — The Definitive Guide

Two policy engines dominate the MCP access control landscape: Open Policy Agent (OPA) with its Rego language, and AWS Cedar. Unpack both and review when to use which.

Practical Examples: Mitigating AI Security Threats with MCP and A2A

Explore examples of prominent AI-related security threats—such as Prompt Injection, Data Exfiltration, and Agent Impersonation—and illustrate how MCP and A2A support mitigation of these threats.

Understanding MCP and A2A: Essential Protocols for Secure AI Agent Integration

Explore what MCP and A2A are, how they work together, and why they are essential, yet not sufficient on their own—for secure, scalable AI agent deployments in the enterprise.