Compliance


A Practitioner’s Guide to Non-Human Identity Security

At some point in the last few years, most of us made a series of very smart decisions. We automated everything we could. Onboarding, offboarding, role changes, cross-system integrations, data pipelines — if it was repetitive, we scripted it, connected it, or orchestrated it. And honestly? It was glorious. Our teams got faster, our error rates dropped, and we stopped doing the digital equivalent of manually carrying buckets between buildings.

What we didn’t fully reckon with is that every automation we built came with an identity attached.

Service accounts. API keys. OAuth tokens. Machine-to-machine credentials. Workflow runner credentials. Integration platform secrets. Every one of these is a non-human identity (NHI) — an entity that authenticates to your systems and performs actions, just like a user does, except it never gets locked out for too many failed attempts, never takes a security awareness training, and never gets offboarded when a project ends.

And here’s the uncomfortable math: in most organizations today, machine identities outnumber human identities by roughly 100 to 1. The even more uncomfortable part? Most security programs were designed for the 1%, not the 99.



CMMC – How to Start

The standard method is to find the big spreadsheet of controls and then start marking it up. This approach makes perfect sense, but as you work through it, it quickly becomes unwieldy.

Not every control can be completed by the same team.

They request “evidence,” but what in the world do they want to see?

How are we to convert generic controls into actionable requirements?

What does “good” look like?

How do we know if what we’re doing will pass an audit?

If you’re asking yourself these questions, you’re not alone. In fact, what starts as a spreadsheet with a long list of controls quickly turns into multiple sheets and additional documents with policies and procedures. And when you dig into what the auditors are looking for, they are looking for multiple things for each control.



Someone Clicked a Button. Now There’s a Lawsuit.

Somewhere in 2022 and 2023, Derek Mobley was doing what a lot of people do when they’re job hunting: applying. A lot. Over 100 applications, by his account, sent to companies that all had one thing in common — they used Workday to manage hiring.

He didn’t get the jobs. What he alleges is that he didn’t get them in part because an AI system was evaluating his applications and filtering him out — based, he claims, on his race, age, and disability status.

What happened next is where it gets interesting for anyone in IT or Security.

He didn’t just sue the companies that rejected him. He sued Workday.



Demystifying CMMC: Why It’s Not About Compliance—It’s About Growing Up Your Security

CMMC Isn’t the Threat—Your Security Debt Is. You shouldn’t be adopting CMMC because the DoD demands it. You should be adopting it because your business deserves not to be the lowest-hanging fruit in the industry.

CMMC is not about auditors. It’s not about paperwork. It’s not about passing a test.

It’s about adopting the minimum baseline of maturity required to operate safely in a world where attackers don’t care how big you are—just how easy you are.

