Non-humans are everywhere these days. Sure, you’ve seen the much-deserved hype about how AI-powered tools like ChatGPT are going to change everything. But there are plenty of more mundane non-human entities that you interact with in your daily life: the smart thermostat program that knows to cool down your house at a certain time every day, the application on your phone that suggests directions to a place you’ve searched for, and many others. Non-human identities pervade every aspect of our lives, both personally and professionally.

In fact, machine identities outweigh human identities by a factor of 45 to 1, according to CyberArk research. Machine identities like bots in robotic process automation (RPA) workloads and microservices running in the cloud are growing at an exponential pace as more companies transform digitally. They’re automating many formerly mundane tasks and increasing many functions’ operational efficiency. These non-human identities rely on secrets (including passwords, SSH keys, and API keys) to access critical resources and do their jobs. And those secrets need to be secured, just as privileged credentials for humans do.

There are likely several areas across your organization that house non-human identities using secrets that need to be managed and secured. Below, we walk through seven types of the most common non-human identities you may find in your organization and some security challenges for each type when it comes to secrets management. Understanding these challenges (and seeing how different they can be for each identity type) is the first step to building a cohesive plan on how to mitigate them.

1. Cloud environments and cloud-native apps

Many organizations use multiple cloud service providers (CSPs) to maintain pricing control, enable flexibility, and avoid cloud vendor lock-in. Each CSP has its own method for storing, accessing, and managing secrets. Additionally, cloud-native applications built in these platforms are continually updated using CI/CD processes and often use secrets to communicate with other microservices in the cloud environment to run. The main issue to address when it comes to the cloud is ensuring your security is as flexible and dynamic as the environment your developers are working in.

Security Challenges:

2. DevOps tools, CI/CD pipelines and the software supply chain

DevOps tools typically require a high level of privileged access to perform their tasks. Thus, CI/CD pipelines and other DevOps tools are known as “Tier Zero” assets, meaning if an attacker gains access to these assets, they can then access more privileged credentials. The software development lifecycle moves fast, and the tools used within it can become a big vulnerability if your DevOps teams aren’t fully aware of necessary security measures.

Security Challenges:

3. Automation tools and scripts

Automation tools and scripts can be powerful and perform complex IT and other related tasks. But they can also be very simple, such as a basic PowerShell script used infrequently. While these simple scripts may not jump out as being a large vulnerability, these automation tools and scripts often require high levels of privileged access and have been responsible for some high-profile breaches in the past.

Security Challenges:

4. COTS and ISV applications

Commercial-off-the-shelf (COTS) and independent software vendor (ISV) applications both require a high level of privileged access to do their jobs. Because these apps aren’t owned by your company, they have some unique security needs that should be addressed, including ensuring that they are integrated with your security tools.

Security Challenges:

5. Robotic process automation (RPA) workloads

RPA bots help development and operations teams (and other “citizen developers”) automate many formerly mundane tasks, speeding up workflows. But manual credential rotations for these bots do not scale, especially when an organization is using a large number of unattended bots without a human supervisor. The biggest challenge for security teams is the need to ensure that they are enabling RPA velocity while also centrally managing policies to stay compliant and defend against attacks.

Security Challenges:

6. N-Tier/Static homegrown applications

While many of the above applications harness newer digital innovations such as the cloud and automation, most organizations still depend on a variety of internally developed applications. These applications include a variety of traditional environments (such as Java) and operating systems, including Unix/Linux, and because they are hosted on-premises, they can pose some different challenges to the other types of identities.

Security Challenges:

7. Mainframe Applications

Like N-tier applications, applications hosted on mainframes (such as z/OS) are still widely used by enterprises for specific use cases. These are the most mission-critical applications an enterprise has, and it’s vital that these applications do not experience outages or have their processes interrupted by security procedures.

Security Challenges:

So how do you keep track of it all?

You can see how overwhelming secrets management can get when you’re working with a large number and variety of non-human identities. Each group has its own nuances and stakeholders that need to be considered when creating security policies. Being aware of all the different identity types in your organization and understanding all the different security needs that must be considered are the first steps to building a cohesive program to manage and secure these identities and the secrets they use.

That’s where centralizing secrets management can help. Our eBook “Key Considerations for Securing Different Types of Non-human Identities” walks you through best practices for securing secrets in each of these categories. It also provides a phased approach on how you can build a more effective secrets management program.

Kristen Bickerstaff is a senior content marketing manager at CyberArk.