SaaS adoption and the rise of non-human identities

Non-human identities have increased our attack surface—and with it, the management headache that defines the modern stack of business technology.

Remember when every new project started with clearing rack space for a new server? Thankfully, I no longer worry about organizing Ethernet cables, just like I no longer lose sleep over data migration and integration challenges. For those of us who remember, that standard experience was uniquely anticlimactic: a wonderful sales demo full of bells and whistles, followed by a product install and a depressingly empty dashboard, which only filled up once you had finished the heavy lifting of getting meaningful data into the product.

That’s all a distant memory thanks to the rise of non-human identities. As we create accounts across the internet, often the first thing we do is integrate those accounts with other apps to share data and create workflows, which helps to ensure quick value. The rise of SaaS as the dominant deployment model, coupled with standards such as OAuth, has made it easy for apps to start delivering pleasingly populated dashboards and meaningful insights from Day One. But this trend has also increased our attack surface—and with it, the management headache that defines the modern stack of business technology.

How non-human identities fueled the rise of SaaS

While “non-human identity” may conjure visions of little gnomes running around the internet doing our bidding, the reality is not far off: according to Bard, a non-human identity is “the digital credential and permissions of automated actors.” In practice these are the service accounts, API keys, OAuth grants, and other credentials and permissions we hand to apps so they can act on our behalf, whether that is synchronizing data across apps or executing updates and workflows. Each one is the lasting result of a consent pop-up we accepted while busily stitching together our SaaS apps: the pop-up is dismissed in a second, but the token it issued keeps working (and keeps its scopes) until someone revokes it.

This effortless data sharing across apps is, in fact, the critical factor that enabled the modern SaaS ecosystem we all use today. Whether it’s the new vuln scanner hooked into GitHub, the signing tool integrated into our CRM, or the payment platform piping data into our accounting software, we have fully embraced the simplicity and autonomy of non-human identities doing heavy lifting on our behalf. 

Technology adoption in the age of SaaS

There is one simple driver behind the modern adoption trends of SaaS: productivity. We have reached our Cambrian explosion in business productivity, with purpose-built tools for almost every aspect of modern business. Meanwhile, as centralized offices have shifted to a distributed workforce, the SaaS ecosystem also provides easy-to-access, always-on services, delivered on whatever device we happen to be using. 

In our customer base at Nudge Security, we saw the average adoption rate of SaaS apps double starting in March of 2020, rising from two new apps adopted each month to one new app adopted every week. Estimates today show a global spend of more than $240 billion across 30,800 SaaS apps. (Based on our own data, we believe this estimate to be short of reality, as we are currently tracking more than 100,000 SaaS apps.)

The future of our non-human identities

With this incredibly diverse ecosystem, there is a core challenge for SaaS providers: how can you most effectively deliver value in short order? A newly adopted app has just a small window to deliver on its promise, or the fickle consumer will move on to the next shiny toy. 

This is a variation of the classic “Empty Room Problem” that plagued new social media platforms in the late 2000s. The crux of that problem was that nobody is excited about a social experience in an empty room—you need a critical mass of participants to create a compelling experience. This challenge led to the first mass adoption of non-human identities—early social media platforms made it possible to bootstrap your connections from other platforms in order to quickly build your social graph. This trend continues today. For example, when you sign up for Venmo, the app immediately asks for access to your phone contacts to quickly create a list of friends and family with whom you're most likely to exchange money.

In much the same way, today’s B2B SaaS app ecosystems grow like coral reefs—many symbiotic apps are centered around core data sets (found in Salesforce, GitHub, Zoom, Netsuite, ServiceNow), each providing incremental value. This would not be possible without non-human identities syncing data among these apps.

And with the rise of more intelligent integrations powered by modern AI technologies, we will no doubt see far simpler integrations, with even more intelligent data reconciliation and workflow automation. Code co-pilots will simplify development cycles, with potential for more dynamic integrations with an AI layer sitting in between the source and destination of the data, leading to an even more complex web of non-human identities.

Management begins with visibility

All in all, the future certainly looks productive—but not without challenges. Our business will live in SaaS applications, and our employees will benefit from the productivity these apps unlock, but our data will be flowing fast and furious between these systems. 

This flow will be outside of our traditional approaches to managing and tracking data, as our data no longer bounces into our managed networks—it moves from SaaS app to SaaS app. Your primary stores of data are really just feeders for the ecosystems of apps that grow around them. There are no longer a few dozen critical apps, but rather a few dozen primary sources and a few hundred secondary stores for your data.

The primary challenge for security teams will be to keep up with the data sprawl that inevitably follows SaaS sprawl. The first step, as always, is visibility. That means clear and continuous visibility not just of this complex web of app-to-app connections, but also of the full inventory of SaaS apps employees are using, since every one of those apps is a future home for non-human identities.
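To make the two ideas above concrete (OAuth grants as the non-human identities left behind by consent pop-ups, and visibility as the starting point for managing them), here is an added example of the kind of inventory a security team can build from its own OAuth grant data. This is illustrative code written for this page, not Nudge Security's product logic. The grant records are constructed to resemble an export of OAuth consents from a few SaaS platforms; the field names, the scope strings and the read-only heuristic are assumptions of the example.

```python
"""Inventory of non-human identities from OAuth grant records.

Added example, not Nudge Security's code. The grant records are constructed
to resemble an export of OAuth consents; field names, scope strings and the
read-only heuristic are assumptions of this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: one record per consent pop-up a user accepted.
# "platform" is the core data store that issued the token, "app" is the
# third-party app that now holds a token against it.
GRANTS = [
    {"platform": "github", "app": "vuln-scanner", "user": "dev1@example.com",
     "scopes": ["repo", "read:org"], "last_used": "2024-05-20"},
    {"platform": "github", "app": "vuln-scanner", "user": "dev2@example.com",
     "scopes": ["repo"], "last_used": "2024-05-21"},
    {"platform": "google", "app": "meeting-notes-ai", "user": "pm1@example.com",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly",
                "https://www.googleapis.com/auth/drive"], "last_used": "2024-01-03"},
    {"platform": "salesforce", "app": "e-sign-tool", "user": "sales1@example.com",
     "scopes": ["api", "refresh_token"], "last_used": "2024-05-19"},
    {"platform": "salesforce", "app": "e-sign-tool", "user": "sales2@example.com",
     "scopes": ["api", "refresh_token"], "last_used": "2024-05-22"},
    {"platform": "google", "app": "old-crm-sync", "user": "ops1@example.com",
     "scopes": ["https://www.googleapis.com/auth/contacts"], "last_used": "2023-11-15"},
]

NOW = datetime(2024, 5, 23, tzinfo=timezone.utc)   # fixed clock for the sample
STALE_AFTER = timedelta(days=90)


def is_read_only(scope: str) -> bool:
    """Heuristic (an assumption of this example): a scope is read-only only
    when the string says so. Anything else, e.g. GitHub "repo" or Google
    ".../auth/drive", is treated as read-write, the conservative choice for triage."""
    s = scope.lower()
    return any(marker in s for marker in ("readonly", "read:", ".read", "read_"))


def build_inventory(grants, now=NOW, stale_after=STALE_AFTER):
    """Fold per-user grants into one entry per (platform, app): who granted
    it, the union of scopes, and how many of the grants have gone unused."""
    inventory = {}
    for g in grants:
        key = (g["platform"], g["app"])
        entry = inventory.setdefault(key, {"users": set(), "scopes": set(),
                                           "grants": 0, "stale": 0})
        entry["users"].add(g["user"])
        entry["scopes"].update(g["scopes"])
        entry["grants"] += 1
        last_used = datetime.strptime(g["last_used"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        if now - last_used > stale_after:
            entry["stale"] += 1
    for entry in inventory.values():
        entry["read_write"] = not all(is_read_only(s) for s in entry["scopes"])
    return inventory


def app_to_app_map(inventory):
    """The app-to-app view: which apps hang off each core data store."""
    reef = defaultdict(list)
    for platform, app in inventory:
        reef[platform].append(app)
    return {p: sorted(apps) for p, apps in reef.items()}


def findings(inventory, min_users=2):
    """Triage list: read-write access that nobody has used recently is a
    revoke candidate; an app adopted by a single user is likely unsanctioned."""
    out = []
    for (platform, app), e in sorted(inventory.items()):
        if e["read_write"] and e["stale"] == e["grants"]:
            out.append((platform, app, "read-write access, all grants stale"))
        if len(e["users"]) < min_users:
            out.append((platform, app, "single-user adoption, likely unsanctioned"))
    return out


if __name__ == "__main__":
    inv = build_inventory(GRANTS)
    for platform, apps in app_to_app_map(inv).items():
        print(f"{platform}: {', '.join(apps)}")
    for platform, app, reason in findings(inv):
        print(f"[{platform}] {app}: {reason}")
```

On the constructed sample the map shows one app around GitHub, two around Google Workspace and one around Salesforce, and the triage list flags both single-user Google integrations (one with full Drive access) whose tokens have sat unused for more than 90 days. The point of the exercise is the shape of the data, not the heuristic: once grants are keyed by platform and app rather than by the user who clicked "Allow", the same inventory answers "which apps can reach our core data" and "which tokens should no longer exist".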
