Bringing Non-Human Identities into the Identity Provider: Enterprise IdP for NPEs (Activity 2.1.3 “Enterprise IdP Part 1”)
We’ve established the importance of device inventory (Activity 2.1.1) and begun leveraging PKI to provide strong identities for devices and non-person entities (NPEs) (Activity 2.1.2). Activity 2.1.3 “Enterprise IdP Part 1” integrates these NPEs directly with the Enterprise Identity Provider (IdP).
This activity extends the reach of the Enterprise IdP – whether it’s a centralized platform or a federation of organizational IdPs (as established in Activity 1.9.1 Pt1) – to integrate Non-Person Entities (NPEs), specifically devices and service accounts. The goal is to bring these non-human identities under the same centralized or federated identity management framework used for human users. The activity also emphasizes the practical necessity of tracking this integration status, particularly for devices, by tracking integration in the Universal Endpoint Management (UEM) solution where applicable. For NPEs that, after assessment, cannot be integrated with the IdP, the activity requires a formal process: they are either marked for retirement or excepted using a risk-based methodical approach.
The immediate outcomes of Activity 2.1.3 “Enterprise IdP Part 1” are:
- Component NPEs are integrated with Enterprise IdP.
- Where applicable, ensure tracking in the UEM solution.
Ultimately, the end state goal is that all NPEs are assigned static attributes in an identity provider, granted an exception based on risk analysis, or marked for retirement, as part of the Enterprise Life Cycle Management plan.
Solutions for Achieving Enterprise IdP Part 1 (NPE Integration)
Implementing Activity 2.1.3 requires leveraging your existing identity and device management infrastructure and establishing clear processes for integrating and managing NPEs:
- Leveraging the Enterprise IdP for NPE Identity Management:
  - Your Enterprise IdP (centralized or federated) needs to be configured and used to manage the identities of NPEs. This involves defining schemas and attributes within the IdP’s directory to represent the different types of NPEs (devices, applications, service accounts, etc.).
  - Establish processes for creating, updating, and maintaining these NPE identities within the IdP, ideally integrated with your discovery or management tools.
- Integrating Discovery and Management Tools with the IdP:
  - Connect your device inventory tools (ITAM/CMDB from Activity 2.1.1) and Endpoint Management/Unified Endpoint Management (UEM) tools (from Activities 2.1.1 and 2.1.2) with your Enterprise IdP. This integration lets the IdP receive information about devices and other NPEs, potentially automating the creation or updating of their identities within the IdP’s directory.
  - Specifically, ensure that the UEM solution tracks which devices have been successfully integrated with the IdP.
  - Integrate your Privileged Access Management (PAM) solution (from Activities 1.4.1 and 1.4.2) with the Enterprise IdP to manage the identities and credentials of service accounts and other privileged NPEs within the IdP framework.
- Defining and Implementing a Risk-Based Approach for Non-Integrable NPEs:
  - Establish a formal, risk-based process for evaluating NPEs that cannot be technically integrated with the Enterprise IdP.
  - Based on the risk assessment, make a clear determination to either:
    - Mark the NPE for retirement and eventual decommissioning as part of the Enterprise Lifecycle Management plan (tying into Activity 1.5.2).
    - Grant a formal exception based on mitigating controls and documented risk acceptance. These exceptions should be reviewed regularly.
- Assigning Static Attributes: Ensure that for all integrated NPEs, the relevant static attributes (e.g., device type, operating system, owner, function, criticality) are assigned within the IdP. These attributes are crucial for later access policy enforcement.
Key Items to Consider:
- NPE Diversity and Integration Capabilities: The wide variety of NPE types presents a significant challenge. Not all devices or services readily support integration with an IdP using standard protocols.
- Data Synchronization and Consistency: Maintaining accurate and consistent data about NPEs across discovery tools, UEMs, PAMs, and the Enterprise IdP requires robust integration and data governance.
- Establishing Ownership and Lifecycle for NPEs: Defining clear ownership and lifecycle processes (creation, updates, retirement) for NPE identities is essential, mirroring the processes established for human users (Activity 1.5.1).
- Governance for Exceptions and Retirement: A strong governance framework is needed to manage the risk assessment, approval, and review of exceptions and to drive the retirement of non-integrable NPEs.
- Technical Integration Complexity: Integrating disparate management tools and legacy systems with the Enterprise IdP can be technically challenging and may require custom connectors or middleware.
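The solution steps above (populate the IdP from the CMDB/UEM, track integration status in the UEM, assign static attributes, and record a retire-or-except decision for anything that cannot be integrated) and the data-consistency concern just raised both come down to one recurring reconciliation job. The following is an added example, not code from the original page or from any vendor product: a small Python reconciliation pass that reads constructed sample CMDB, UEM, IdP and risk-assessment records (all hypothetical) and assigns each NPE a disposition. The record layouts, the `idp_integrated` flag and the `REQUIRED_ATTRS` list are assumptions chosen for the example; a real deployment would substitute the attribute names its own IdP schema and UEM expose.

```python
from datetime import date

# Static attributes the IdP entry of every integrated NPE must carry
# (assumed attribute names; align with your own IdP schema).
REQUIRED_ATTRS = ("device_type", "os", "owner", "function", "criticality")
AS_OF = date(2025, 6, 1)  # date the reconciliation is run (constructed)

# Constructed sample data, not taken from any real system. The CMDB is the
# authoritative inventory; the UEM records integration status for the devices
# it manages; IDP holds directory entries with their static attributes.
CMDB = {
    "dev-001": {"device_type": "laptop", "os": "Windows 11", "owner": "ops",
                "function": "admin-workstation", "criticality": "high"},
    "dev-002": {"device_type": "printer", "os": "embedded", "owner": "facilities",
                "function": "print", "criticality": "low"},
    "dev-003": {"device_type": "laptop", "os": "macOS 14", "owner": "eng",
                "function": "workstation", "criticality": "medium"},
    "dev-004": {"device_type": "plc", "os": "vxworks", "owner": "plant",
                "function": "control", "criticality": "high"},
    "svc-backup": {"device_type": "service-account", "os": "n/a", "owner": "infra",
                   "function": "backup", "criticality": "high"},
    "svc-legacy": {"device_type": "service-account", "os": "n/a", "owner": "infra",
                   "function": "legacy-sync", "criticality": "medium"},
}
UEM = {"dev-001": {"idp_integrated": True}, "dev-003": {"idp_integrated": False}}
IDP = {
    "dev-001": dict(CMDB["dev-001"]),
    "dev-003": dict(CMDB["dev-003"], os="macOS 13"),  # stale attribute in the IdP
    "svc-backup": dict(CMDB["svc-backup"]),
    "dev-099": {"device_type": "laptop"},              # orphan: no CMDB record
}
# Risk-based decisions recorded for NPEs that cannot be integrated.
ASSESSMENTS = {
    "dev-002": {"decision": "exception", "review_by": date(2026, 1, 31),
                "controls": ["segmented VLAN", "no directory credentials"]},
    "svc-legacy": {"decision": "retire", "decommission_by": date(2025, 12, 31)},
}


def reconcile(cmdb, uem, idp, assessments, today):
    """Return {npe_id: {"disposition": ..., "findings": [...]}} for every NPE."""
    report = {}
    for npe_id, truth in cmdb.items():
        findings = []
        entry = idp.get(npe_id)
        if entry is None:
            # Not in the IdP: there must be a documented, risk-based decision.
            a = assessments.get(npe_id)
            if a is None:
                disposition = "unassessed"
                findings.append("absent from IdP with no risk assessment on record")
            elif a["decision"] == "retire":
                disposition = "retire"
            elif a["decision"] == "exception":
                if a["review_by"] >= today:
                    disposition = "excepted"
                else:
                    disposition = "exception-expired"
                    findings.append("exception review date has passed; re-assess")
            else:
                disposition = "unassessed"
                findings.append(f"unrecognised decision {a['decision']!r}")
        else:
            # Integrated: check attribute completeness, CMDB agreement, UEM status.
            missing = [k for k in REQUIRED_ATTRS if not entry.get(k)]
            stale = [k for k in REQUIRED_ATTRS
                     if k in entry and entry[k] != truth.get(k)]
            if missing:
                findings.append(f"IdP entry missing static attributes: {missing}")
            if stale:
                findings.append(f"IdP attributes disagree with CMDB: {stale}")
            dev = uem.get(npe_id)
            if dev is not None and not dev.get("idp_integrated"):
                findings.append("UEM does not record this device as IdP-integrated")
            disposition = "integrated" if not findings else "inconsistent"
        report[npe_id] = {"disposition": disposition, "findings": findings}
    # Directory entries with no inventory record are a governance gap.
    for npe_id in idp.keys() - cmdb.keys():
        report[npe_id] = {"disposition": "orphan",
                          "findings": ["IdP entry has no CMDB record; verify or remove"]}
    return report


def summarize(report):
    """Count NPEs per disposition, e.g. for a compliance dashboard."""
    counts = {}
    for item in report.values():
        counts[item["disposition"]] = counts.get(item["disposition"], 0) + 1
    return counts


if __name__ == "__main__":
    rep = reconcile(CMDB, UEM, IDP, ASSESSMENTS, today=AS_OF)
    for npe_id, item in sorted(rep.items()):
        print(f"{npe_id:12} {item['disposition']:17} {'; '.join(item['findings'])}")
    print(summarize(rep))
```

Two design points matter more than the sample data. First, the CMDB is treated as the source of truth and the IdP is checked against it, so a directory entry whose attributes drift (the `dev-003` OS value) or that has no inventory record at all (`dev-099`) surfaces as a finding rather than silently feeding policy decisions. Second, "not integrated" is never a terminal state: an NPE absent from the IdP is only acceptable when it carries a current exception or a retirement decision, and an exception whose review date has passed is flagged for re-assessment, which is the governance loop the exception process requires.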
Relevant Technologies and Tools:
Successfully implementing Activity 2.1.3 relies on the interplay of several key technology categories:
- Enterprise Identity Provider (IdP) / Identity and Access Management (IdAM) Solutions: The central platform for managing NPE identities, assigning attributes, and enabling authentication and authorization for non-human entities.
- Device Discovery / IT Asset Management (ITAM) / Configuration Management Database (CMDB) Tools: Provide the initial inventory of devices and other assets that need to be brought under IdP management. They serve as sources of truth for NPE attributes.
- Endpoint Management (EM) / Unified Endpoint Management (UEM) Tools: Essential for managing the lifecycle of devices, tracking their status, and in the context of this activity, tracking their integration status with the IdP. They may also assist in deploying configurations necessary for IdP integration.
- Privileged Access Management (PAM) Solutions: Crucial for managing the identities and credentials of service accounts and other privileged NPEs. PAM solutions often integrate with the Enterprise IdP to link these high-privilege non-human accounts to the central identity framework.
- Integration Platforms or Middleware: May be necessary to facilitate data exchange and process orchestration between various discovery, management, and identity systems, especially in complex environments with legacy tools.
The Technical Buyer’s Non-Human Identity Integration Imperative:
Activity 2.1.3 extends the core principles of identity management and lifecycle control to the non-human entities in your environment. It’s about bringing devices, service accounts, and other NPEs under the purview of your Enterprise IdP. For technical buyers, success in this activity means leveraging your IdP/IdAM solution’s capabilities for managing NPE identities, integrating it effectively with your device and asset management tools to populate and track these identities, and implementing a disciplined, risk-based process for addressing those NPEs that cannot be integrated. Achieving the end state where all NPEs are accounted for within the identity framework – whether integrated, excepted, or slated for retirement – is fundamental to gaining the comprehensive visibility and control required for a mature Zero Trust architecture.
Pillar: Device
Capability: 2.1 Device Inventory
Activity: 2.1.3 Enterprise IdP Part 1
Phase: Target Level
Predecessor(s): None
Successor(s):
- 4.7.4 Integration Solution(s) and policy with Enterprise IdP Part 1
- 2.1.4 Enterprise IdP Part 2