# Integrating Human and Machine Identities

**Source:** [https://www.youtube.com/watch?v=fSLEm4Nz0Vo](https://www.youtube.com/watch?v=fSLEm4Nz0Vo)
**Duration:** 00:17:05

## Key Points

- Bob Kalka (IBM) and Tyler Lynch (HashiCorp/IBM) introduce a new “cyber‑trust” series that shifts the typical split‑track conversation on human versus machine identities toward a unified approach.
- They note that ≈ 80% of cyber‑attacks now exploit identity, highlighting how siloed teams and tools (e.g., separate IT and DevOps solutions, limited SIEM analytics) leave organizations vulnerable.
- The concept of an **identity fabric** is presented as a pragmatic alternative to vendor‑centric “replace everything” pitches: it layers AI‑enhanced capabilities onto existing technologies to create a cohesive, interoperable identity ecosystem.
- For human identities, they differentiate **workforce IAM (WIAM)** and **consumer/citizen IAM (CIAM)** and observe that most clients can only name a product, lacking a broader strategic framework.
- The discussion stresses the need to manage both human and non‑human (machine/service‑principal) identities together, leveraging a fabric approach to close gaps and improve overall cyber‑trust.

## Sections

- [00:00:00](https://www.youtube.com/watch?v=fSLEm4Nz0Vo&t=0s) **Bridging Human and Machine Identity** - Bob Kalka and Tyler Lynch introduce a new series on cyber‑trust, highlighting how siloed human and machine identity management leaves organizations vulnerable and offering integrated IAM patterns and practices to address the majority of identity‑related cyber attacks.
- [00:03:19](https://www.youtube.com/watch?v=fSLEm4Nz0Vo&t=199s) **Legacy Identity Chaos in Hybrid Cloud** - The speaker outlines how enterprises cling to decades‑old, homegrown identity systems and legacy applications that lack modern authentication, resulting in a tangled, insecure environment amplified by hybrid multicloud complexities.
- [00:06:21](https://www.youtube.com/watch?v=fSLEm4Nz0Vo&t=381s) **Managing Identity Mess with Observability** - The speaker describes how scattered human and machine identity stores and hard‑coded secrets create a security nightmare, and introduces the top six client‑driven use cases, beginning with “identity observability” (aka identity security posture management) to uncover sloppy implementations like hidden directories and exposed credentials.
- [00:09:31](https://www.youtube.com/watch?v=fSLEm4Nz0Vo&t=571s) **Dynamic Secrets for Non‑Human Identities** - The speaker explains how centralizing secret storage and shifting from long‑lived static credentials to just‑in‑time, dynamically generated secrets improves auditability, revocation, and security for API keys, database passwords, and cloud credentials.
- [00:12:34](https://www.youtube.com/watch?v=fSLEm4Nz0Vo&t=754s) **Identity Threat Detection and Response Challenges** - The speaker highlights the struggle of fully deploying PAM, emphasizes the need for real‑time identity observability to uncover shadow assets and policy bypasses (MFA, ZTNA, VPN, secrets), and defines ITDR as moving threat detection and response directly onto identity engines.
- [00:15:45](https://www.youtube.com/watch?v=fSLEm4Nz0Vo&t=945s) **Accelerating Detection of Credential Abuse** - The speaker explains that compromised, valid credentials normally take 292 days to identify, but real‑time behavioral analytics can flag misuse within seconds, emphasizing the need for comprehensive governance of both human and machine identities throughout their lifecycle.

## Full Transcript
Hi, I'm Bob Kalka, Global Identity Lead for IBM.
And I'm Tyler Lynch. I'm the field CTO for HashiCorp, now part of IBM.
And today we're kicking off a multipart series on cyber trust.
But we're focusing on identity and access management.
But we're looking at this from a perspective
that's different than the typical discussion
we have with clients today, because in most shops we walk into,
we have a separate discussion with IT
about human identities and a separate discussion with DevOps
or platform engineering on non-human and machine identities.
And the disconnect between the two in most shops
is evidenced by the fact that 80% of all cyberattacks today
involve identity somehow.
So it is clear that the way organizations
are doing this today—with disconnected teams and tools,
such as trying to turn on user-behavior analytics
in the security information and event management tool
and the SOC, which everybody does, but it doesn't find much—
it's clear that we're not doing enough
in managing human or machine identities, let alone doing it together.
Yeah. And so hackers aren't just hacking in anymore—they're
logging in.
And today we want to talk about patterns and practices for identity
and access management that you can apply today using the tools you have.
You know, we have focused on non-human identity traditionally.
As we've joined IBM, we've listened to feedback
from our customers and we've worked with them.
What we're finding is that the IT teams
typically own human identity,
and that can be defined as workforce identity and access management—WIAM,
and consumer identity and access management—CIAM.
But then the platform or DevOps teams own non-human identities,
which is essentially a principal
for your applications to run under. Exactly.
So we're going to talk about how you address
managing both human and non-human identities.
And we're going to talk about it relative to a concept of an identity fabric.
What identity fabric means
is that a lot of vendors will go in and say, "Look,
the answer is throw out all that stuff you have and use my stuff." Right?
And that's not pragmatic at all,
especially with what we're going to show you here. So,
what the identity fabric concept is, is:
take the technologies that you have,
augment them with some
AI-based capability, etc.,
so it literally forms a fabric that works together better.
All right? So let's start with the human identity side. Whenever
we go into a client to talk about human identities—typically
to ITOps and/or the CSO office—you
end up talking about the two basic types of identities.
You have your workforce users,
which of course, are your internal users.
And then you have your consumers,
or in public sector, the citizens, right?
And that's all your external users.
And when we go into a client and we say, "Alright,
okay, what's your strategy for handling that?",
almost 99% of the time
what we get as an answer is the name of a tool,
some identity provider—Okta, IBM,
Ping, ForgeRock, Microsoft, whatever.
And they'll say, "Well, we're moving to this new cloud-based tool
and we've got kind of a directory of users as well—typically,
Active Directory or something like that—and
that's what we're doing."
And we'll say, "The question was 'What's your strategy?'"
And that's the name of a tool.
And the response is typically, "Well,
you know, we kind of looked at everything out there
and we think this is the right one for us."
And then I'll say, "Well, what about all the other IDPs
you have? You probably have at least one,
if not more, for your workforce users."
If we're being honest, what we typically see
is a 20- to 25-year-old
homegrown identity management system
that the organization has been trying to get rid of for 15 to 20 years
that's still there—some on-prem system and some new cloud-based system. Now,
that alone is an issue, of course,
but then we get to the next level of the problem,
which is you find there are a ton of legacy applications out there.
And legacy applications—where
oftentimes the guy or gal that wrote them
isn't even with the company anymore—
typically don't support multifactor authentication,
let alone passwordless technologies.
How do they do identity management today?
Well, they typically have either a side
file baked into the application
of user IDs and passwords, or they're using a SQL table. Yeah.
Could be a SQL table of usernames and passwords.
If we're lucky, they might even be hashed passwords.
They could be local password accounts.
It could be any number of ways that we provided
authentication and authorization traditionally over
the last 10, 20, 30, 40 years. Exactly. See,
this is a mess. But we haven't gotten to the best part yet,
because then you've got to add in your hybrid multicloud investments,
where you're managing identities in those as well.
But it's not just identities in those.
You're managing your workforce identities in those, so your folks can access those clouds
and take elevated privileged actions on those control planes.
And oftentimes, they're also managing your consumer identities
using native directories and tools inside those clouds.
So now this problem becomes even bigger.
Even bigger, because all of this is just for the human identities.
We haven't even gotten to the much larger set of identities out there:
the non-human identities.
What is a non-human identity? Let's break that down a little bit.
We see non-human identities in four major categories.
First is machine identity.
This is the identity of the application or workflow that's operating.
We will then see identities around API keys and API access.
And there's a number of different ways to do this, but
let's just classify them as APIs.
We then have PKI, so
public key infrastructure.
This could be X.509, among other ways.
And then we have AI and
AI agents.
Now, recently we did some analysis, and
80% of the Fortune 500 cited AI in their earnings report.
We know that this is a growing and evolving space.
We've been doing this for decades, but really, it's become in vogue.
And with AI, we're starting to see proliferation.
Not only do you have the identity for the AI agent, which is oftentimes elevated,
you have the identity of the person using that agent,
whom the agent must act on behalf of. Exactly. So,
think about this picture, right?
If you pull in both the human and non-human identities, we have ...
Let's say you have a zero trust focus in the organization.
You're going to have a policy that says least-privilege access: who
has access to what.
Where do you actually enforce that policy?
Guess what?
Let's ... Go ahead.
We are managing it in all these different places.
And there's most likely an IDP of some sort
and a directory over here as well.
Any number of things can be used to support these.
So you see why this is such a mess:
both within human and non-human identities,
where oftentimes you have secrets hardcoded into applications,
it just leaves a lot of places
where a cyberattack can trickle through like water. Right? So,
what we and HashiCorp have found
is that there are a couple of dozen different use cases of things
people would like to be able to do, or do better,
but there are six that really stick out to us: every conversation
we're having with a client ends up on these topics.
So what we want to share with you are what are the top six
use cases that people would like to be able to do that
this mess is making next to impossible for them. Right?
So, the first use case
is what we'd call identity observability.
Now what is that?
Cool kids might call this thing
identity security posture management, or ISPM.
What this means is 'Can you find the sloppy implementations of human and non-human identities
that could lead to an attack being more effective?'
For example, can you find the secrets
hardcoded into applications?
Can you find a shadow directory
that some departments set up five years ago
that was supposed to be gone four years ago,
and now you have 3000 people using it,
and IT has no idea that it's even out there?
Can you find the shadow assets, the shadow identities?
Can you find that stuff? Now, that's just within, say,
non-human identities and human identities.
The even bigger piece of identity observability
is being able to watch how the non-human
and human identities are interacting,
which nobody's been able to do until recently.
I'll give you a good example we're seeing all over the place.
You'll have a non-human
machine ID on a server
getting access to backend systems,
and all of a sudden 20 human users start regularly using
that same non-human service account.
And of those 20 human identities,
eight of them were inactive for the previous year and a half.
That is clearly a potential problem.
But nobody's had that level of observability,
not just human and non-human, but how they're interacting.
So that's the first use case.
The second one
is frictionless access.
When we say frictionless access, we're removing the username
and password from the logged-in experience
and really making the user experience easy and seamless.
This can be with passkeys and other ways that we can do this,
but frictionless access is something that we're talking about a lot.
Yeah, because it radically improves
the user's experience with your online systems.
At the same time, it radically increases the security of it.
So that's why people want to go there
and think about our discussion on legacy apps.
They don't even support MFA. How are they going to possibly ever get there? So,
people want to move there, but they're held back by the physical reality
of how the identities are handled.
Now, these two are kind of like obvious ones,
but the next two are really focused on the non-human identities
because it is a huge issue.
And so what we talked about a lot is centralized secrets management.
And this is centralizing where you're going to store secrets for non-human identities.
This could be API keys, database credentials, root cloud credentials and the like.
So having a central control plane to store them
and to revoke them, but also to audit against
so we know who's accessing them, using them and how often.
And that's really where people start.
They start with centralizing their secrets, but they're oftentimes static secrets.
Raise your hand if you've ever had a database credential that you didn't change.
They're oftentimes very long-lived.
So what we want to do is encourage our customers where it makes sense to move to
dynamic credentials.
And dynamic credentials
are just-in-time created credentials when needed.
Application A needs to talk to application B
or web service B, and we can create them dynamically.
We can also bind them
so it's only that caller and that target that can be using them.
This becomes really interesting because if you have static secrets and somebody makes an oopsie
and accidentally commits code to GitHub,
we know with empirical evidence that people are scanning GitHub commits.
And as soon as the credential hits GitHub,
they're already being exercised to try to gain access.
It is almost instantaneous.
Dynamic secrets remove this risk from us.
So when we can move there, we want to move there.
But before dynamic secrets, we often get to just rotated secrets.
If you have static secrets, rotate them regularly—that
could be every week, every 30 days, every 60 days—get rotation going.
Rotation also provides the ability for immediate revocation.
So if a secret was to get leaked or compromised
for some reason, you already have mechanisms in place that are fairly easy
to operate, to rotate that secret and to reduce that risk.
So think about the gulf between where most shops are today
versus where Tyler just articulated
you can get to. You go from hardcoding secrets
into an app to having an auditable static secret
all the way to dynamic secrets. Right?
And so you wonder why these are amongst the top use cases.
So let's close out the top use cases with the final two,
and you're all going to groan when I share this next one, right?
Because the next one is privileged access management.
I still remember when Sarbanes-Oxley came out in 2003,
and the first government bulletin was 'Thou shalt do PAM', right?
The most privileged users, both human and non-human—
you want to make sure you pay extra careful attention to them.
And yet, the typical shop today has only rolled out
PAM controls to 20 to 70% of their privileged users,
leaving 30 to 80% unprotected.
Not only are auditors jumping all over this,
but the whole cyber insurance industry is obsessed with this,
because we know firsthand they're going into chief
information security officers, for example, and saying,
"Prove to us
you know where all your privileged users are
and that you've got proper PAM controls, or we're not going to renew your policy
or we're going to up the rate like this" or something like that.
Nobody wants to be responsible for that business problem, right? So,
PAM and getting it rolled out
to 100% has become a huge issue.
And then the final use case,
which is coming up in every conversation,
kind of takes the first one around identity observability
to find the shadow assets and the weak spots.
And it's: what do you do in real time to protect the system?
And that's actually what a lot of people
would call identity threat detection and response,
or ITDR. That
is the ability to find identity attacks
when a SOC is struggling
to find them.
How do we move the threat detection response
closer to the identity engines themselves?
That's what ITDR really is.
And it's being able to find
things like the policy bypasses.
So one of the most common problems we're seeing today:
you'll have a user authenticating against a directory—hopefully
not one of those shadow ones that you didn't know were there—and
they're accessing an app that according to the policy must go through MFA.
And yet, if you look at the network traffic or the cloud traffic,
they authenticated, they accessed the app,
but there was no activity against the MFA engine. You've got a bypass.
Are you able to see that? It is so common, it's
unbelievable right now.
So MFA bypass,
ZTNA bypass, VPN bypass, even secrets management bypass.
Can you find those bypasses?
That's what ITDR is.
So those are the six use cases.
And I'm assuming you probably agree with us;
we're seeing this everywhere—people want to be able to get here, but
they're struggling with how to do it.
So let's talk about how you get started. Yeah.
So in phase one we do inspect.
Inspect is the 'how do we find secrets', and
so secret identification and secret discovery. Where are they living? So,
we find secrets in all places—configuration, code,
Confluence pages, Jira, wikis, ServiceNow tickets—we
find them everywhere. So being able to inspect
and do secrets discovery, to understand
what is the inventory of secrets
that are out there and how big is this problem for us.
Yeah. As a CSO told me once,
if you can't see it, you can't secure it, right?
And so finding the secrets
and then doing identity security posture measurement, finding the shadow
identities, shadow directories, shadow assets, etc., is huge, right?
Then what comes next—
protect.
So, protection is,
well, how do I protect these secrets that I know exist.
The first one is going to be centralized secrets management.
Exactly.
Second is going to be PAM, privileged access management.
Third, ITDR and behavioral analysis.
So, let's talk about those final two for a minute
because ITDR has
gotten to be a hot phrase for the last two years, so
it's starting to lose its meaning because everybody says,
"Oh yeah, that's what I happen to do," right?
We're going to be very specific about what we mean by ITDR,
and that is finding those policy bypasses
as well as the attacks on the identity system itself.
Behavioral analysis is very interesting
because the number one identity attack right now
is leveraging a compromised, valid credential.
And when a compromised, valid credential is leveraged,
our Cost of a Data Breach study last year found
that it takes 292 days, on average,
to identify and contain an attack that originated
with leveraging a compromised, valid credential.
So by doing behavioral analysis of things
like the typing rate of the user when they authenticate,
when that compromised credential is being leveraged, you
can watch it as it's happening.
You can find it in the first 10 seconds as opposed
to waiting 292 days to actually go do that stuff.
That leads us then to the final step of the process, which is governing.
And so we can think about governing as governing
the lifecycle of our secrets and of our identities.
And so these machine identities, there's these human identities ...
really considering the full lifecycle and all the workflows that are involved—employee
onboarding, employee offboarding,
principal onboarding, principal offboarding, revocation, denial.
It is a full lifecycle,
and we need to treat it as such and treat them
as consistent workflows for human and non-human identity.
So governance brings the consistency,
protection brings the little protect, and inspect
helps us find those hidden things that we couldn't see.
That's what we're going to talk about in this series around
managing human and non-human identities through an identity fabric.
So thank you for your time. Thanks for joining.
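Two of the correlations described in the talk, the MFA-bypass check from the ITDR use case and the "service account suddenly used by dormant human identities" check from identity observability, as an added Python example that is not from the video or from IBM/HashiCorp. The event schema, policy table, thresholds and log records are all constructed for this example; a real deployment would feed it directory, MFA-engine and application logs.

```python
"""Constructed identity-observability checks (example, not product code).

1. Policy bypass: an app the policy marks MFA-required was reached with no
   MFA-engine success for that user shortly before the access.
2. Human/non-human interaction: several human identities use one service
   account, and some of them have been dormant for a long time.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MFA_REQUIRED_APPS = {"payroll", "hr-portal"}   # constructed policy
MFA_WINDOW = timedelta(minutes=10)              # MFA must precede access by <= 10 min

# Constructed events. kind: "authn" = directory login, "mfa" = MFA-engine
# success, "access" = app reached, "svc_use" = human using a service account.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "kind": "authn",   "user": "alice"},
    {"ts": "2024-05-01T09:00:20", "kind": "mfa",     "user": "alice"},
    {"ts": "2024-05-01T09:01:00", "kind": "access",  "user": "alice", "app": "payroll"},
    {"ts": "2024-05-01T09:05:00", "kind": "authn",   "user": "bob"},
    {"ts": "2024-05-01T09:05:30", "kind": "access",  "user": "bob",   "app": "payroll"},   # no MFA at all
    {"ts": "2024-05-01T09:06:00", "kind": "access",  "user": "bob",   "app": "wiki"},      # MFA not required
    {"ts": "2024-05-01T09:30:00", "kind": "mfa",     "user": "carol"},
    {"ts": "2024-05-01T10:00:00", "kind": "access",  "user": "carol", "app": "hr-portal"}, # MFA too old
    {"ts": "2024-05-01T11:00:00", "kind": "svc_use", "user": "alice", "account": "svc-backend"},
    {"ts": "2024-05-01T11:00:05", "kind": "svc_use", "user": "dave",  "account": "svc-backend"},
    {"ts": "2024-05-01T11:00:10", "kind": "svc_use", "user": "erin",  "account": "svc-backend"},
]

# Constructed directory data: last recorded activity per human identity.
LAST_ACTIVE = {"alice": "2024-04-30", "bob": "2024-04-30", "carol": "2024-04-30",
               "dave": "2022-10-01", "erin": "2022-11-15"}   # dave, erin dormant ~1.5 years


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def find_mfa_bypasses(events, required=MFA_REQUIRED_APPS, window=MFA_WINDOW):
    """Return (user, app, ts) for accesses to MFA-required apps that have no
    MFA success for the same user within `window` before the access."""
    mfa_times = defaultdict(list)
    for ev in events:
        if ev["kind"] == "mfa":
            mfa_times[ev["user"]].append(_ts(ev))
    bypasses = []
    for ev in events:
        if ev["kind"] != "access" or ev["app"] not in required:
            continue
        t = _ts(ev)
        if not any(t - window <= m <= t for m in mfa_times[ev["user"]]):
            bypasses.append((ev["user"], ev["app"], ev["ts"]))
    return bypasses


def find_shared_service_accounts(events, last_active, today, min_humans=2, dormant_days=365):
    """Return {account: (humans, dormant_humans)} for service accounts used by at
    least `min_humans` distinct humans; dormant = no activity for `dormant_days`."""
    users = defaultdict(set)
    for ev in events:
        if ev["kind"] == "svc_use":
            users[ev["account"]].add(ev["user"])
    cutoff = datetime.fromisoformat(today) - timedelta(days=dormant_days)
    report = {}
    for account, humans in users.items():
        if len(humans) < min_humans:
            continue
        dormant = sorted(u for u in humans
                         if u in last_active and datetime.fromisoformat(last_active[u]) < cutoff)
        report[account] = (sorted(humans), dormant)
    return report


if __name__ == "__main__":
    for hit in find_mfa_bypasses(EVENTS):
        print("MFA bypass:", hit)
    for acct, (humans, dormant) in find_shared_service_accounts(EVENTS, LAST_ACTIVE, "2024-05-01").items():
        print(f"{acct}: used by {len(humans)} humans, {len(dormant)} dormant: {dormant}")
```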