Spherical Cow Consulting

Rethinking Identity Management: The Role of Non-Human Identities in Academic Research

Image: non-human identity in a multi-cloud environment.

Academia has always been about pushing boundaries—whether in knowledge, technology, or collaboration. But as research grows more complex and reliant on technology, so too does the need to address a hidden layer of identity management. I’m talking about non-human identities (NHIs): those workloads, APIs, batch jobs, and software systems that work tirelessly behind the scenes. This is more than service accounts and bots. This is the underlying infrastructure for modern IT systems.

NHIs aren’t a new concept, but how we manage them today isn’t just outdated—it’s risky. Let’s dig in.

What Are NHIs?

Think about the processes that underpin research in a university. Automated data collection? That’s an NHI. Research simulations running on high-performance computing (HPC) systems? Also NHIs. APIs that manage sensitive student and research data? You guessed it—NHIs. These identities are everywhere, yet we still treat them like human users in many cases, with joiner/mover/leaver workflows and directory mappings.

And while this “fit them into the human box” approach might work on a small scale, it doesn’t secure the infrastructure they’re tied to. That’s a problem.

Why NHIs Are a Challenge

NHIs often inherit the same challenges as their human counterparts, only amplified by scale and complexity. Here’s a snapshot of the issues:

A common example? Research collaboration in HPC environments. These systems often involve shared resources accessed by NHIs with wildly varying permissions. Without precise controls, compliance becomes a nightmare, and auditing feels like playing whack-a-mole with invisible targets.

Directories: The Bottleneck We Can’t Ignore

But wait! We have directories to keep everything organized! Won’t that help? (All my enterprise IAM friends just did a full-body cringe reading that.)

Here’s the thing about directories: they’re fantastic for managing human identities in traditional environments. But when it comes to NHIs, directories quickly become a bottleneck. Why? Because they assume every identity—human or non-human—can be neatly slotted into a joiner-mover-leaver model.

For NHIs, this model is fundamentally flawed:

The result? Academic IAM systems often end up overburdened and unable to scale to the demands of modern, complex environments. Imagine trying to cram a sprawling HPC infrastructure into a directory originally built to manage faculty and students—it’s like forcing a square peg into a round hole.

The Role of DevOps, IT, and IAM Teams

Managing NHIs isn’t a one-team job—it’s a cross-functional effort. DevOps and IT teams usually own the operational infrastructure, while IAM teams handle policy enforcement. But these groups often speak different “languages,” making collaboration tricky.

That’s where standards and architecture frameworks come in. Efforts like the IETF’s WIMSE draft aim to create a shared understanding of how to secure NHIs in multi-system environments. It’s a step in the right direction, but adoption isn’t straightforward.

Building Better NHI Management

So, how can academia start tackling the NHI problem more effectively?

  1. Establish Clear Ownership: Decide who is responsible for managing NHIs, from provisioning to decommissioning.
  2. Adopt Standards: Leverage frameworks like SPIFFE and WIMSE to create consistent, scalable trust models. Learn how to use the Shared Signals Framework and the Continuous Access Evaluation Profile (CAEP).
  3. Invest in Automation: Automate the boring stuff, like token issuance and revocation, to reduce human error. (Hot take: CAEP can help here, too.)
  4. Foster Collaboration: Create spaces for DevOps, IT, and IAM teams to align on priorities and processes.
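To make item 2 concrete, here is an added example (not from the article) of a trust model that needs no directory entry: a SPIFFE ID validator and a policy that authorizes an HPC workload by its trust domain and path. The trust domains, paths and dataset names are hypothetical.

```python
"""Added example: SPIFFE-ID based authorization for research workloads.
Trust domains 'hpc.example.edu' / 'partner.example.org' and the dataset
policy below are constructed for illustration; they are not from the article."""
import re
from dataclasses import dataclass

_TD_RE = re.compile(r"^[a-z0-9._-]{1,255}$")   # trust-domain charset per SPIFFE ID spec
_SEG_RE = re.compile(r"^[A-Za-z0-9._-]+$")     # allowed characters in one path segment

@dataclass(frozen=True)
class SpiffeId:
    trust_domain: str
    path: str  # "" when the ID names the trust domain itself

def parse_spiffe_id(value: str) -> SpiffeId:
    """Validate and split a SPIFFE ID; raise ValueError on anything non-conforming."""
    if len(value) > 2048 or not value.startswith("spiffe://"):
        raise ValueError("scheme must be spiffe:// and total length <= 2048")
    trust_domain, sep, path = value[len("spiffe://"):].partition("/")
    if not _TD_RE.match(trust_domain):      # also rejects ports, userinfo, uppercase
        raise ValueError(f"invalid trust domain: {trust_domain!r}")
    if sep and path == "":
        raise ValueError("path must not end with '/'")
    if path:
        for seg in path.split("/"):         # no empty, '.' or '..' segments, no '?' or '#'
            if seg in ("", ".", "..") or not _SEG_RE.match(seg):
                raise ValueError(f"invalid path segment: {seg!r}")
    return SpiffeId(trust_domain, "/" + path if path else "")

def is_valid_spiffe_id(value: str) -> bool:
    try:
        parse_spiffe_id(value)
        return True
    except ValueError:
        return False

# Hypothetical policy: (trust domain, path prefix) -> datasets that workload class may read.
# A partner institution's pipeline is trusted by its own trust domain, not by a local account.
POLICY = {
    ("hpc.example.edu", "/ns/genomics/"): {"cohort-2024", "reference-genome"},
    ("partner.example.org", "/ns/genomics/pipeline/"): {"reference-genome"},
}

def authorize(spiffe_id: str, dataset: str) -> bool:
    """True only if a well-formed SPIFFE ID matches a policy entry granting the dataset."""
    if not is_valid_spiffe_id(spiffe_id):
        return False                         # malformed identities are denied, never guessed at
    sid = parse_spiffe_id(spiffe_id)
    return any(sid.trust_domain == td and sid.path.startswith(prefix) and dataset in datasets
               for (td, prefix), datasets in POLICY.items())
```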

Looking Ahead

The future of NHIs in academia isn’t just about solving today’s problems—it’s about enabling the next generation of research. Imagine a world where workload identities are as dynamic as the systems they operate in, seamlessly supporting complex collaborations across institutions. Standards and open-source tools will be key to making that vision a reality.

But here’s the catch: it’s not just a technical challenge. NHIs require governance, funding, and attention from leadership to ensure they’re managed sustainably. Without these, even the best tools won’t fix the problem.

I’ll be talking about this at the 2024 Internet2 TechEx in Boston. If you’d like my slides, drop me a note on LinkedIn and I’ll be happy to share!

Reach out if you want to learn more about navigating this process or need support with standards development. With my experience across various SDOs, I’m here to help guide you through the complexities of Internet standards development.
