
Preventing Unauthorized Usage of Non-Person Entities (NPEs)

What is an “NPE”?

For those not working at a Federal agency, the acronym ‘NPE’ may be unfamiliar. Like any other industry, the US Federal government often has a language of its own. In this instance, NPE stands for non-person entity and is defined as “An entity with a digital identity that acts in cyberspace but is not a human actor.” Such entities include machines, organizations, hardware devices, software applications, code, containers, and information artifacts. For those outside the federal government, think of NPEs as what the commercial sector calls service accounts.

Why you should be monitoring NPE behavior

74% of data breaches start with privileged credential abuse. [Forbes]

Federal agencies and commercial businesses rely on a stable and secure foundation of infrastructure, applications, and data. Protecting this foundation has become a huge security challenge given the diversity and ever-expanding range of devices, applications, and workload types (cloud, virtual, containers, bare metal), all while maintaining operations and services. Add to this the potential risks associated with undetected or unmanaged non-person entities, and the problem gets worse. Where is an agency or team to start?

NPEs have a long shelf life: they are deployed to support administrative or infrastructure processes (acting on behalf of a person), mostly in support of applications. They are not easily traceable to an individual user, so they can run unbeknownst to security teams with unfettered access. They run in the background, execute system commands, and are rarely rotated, which makes them valuable targets for attackers. Once compromised, unmonitored NPEs can give an attacker a “free for all” across your infrastructure and sensitive data without you knowing they are there – helping themselves to a bountiful harvest.

The Federal government has put forth memorandum M-19-17 from the Office of Management and Budget (OMB), which defines how identities, credentials, and access are to be managed in modern government. Within this memorandum, the Government states, “Agencies shall manage the digital identity lifecycle of devices, non-person entities (NPEs), and automated technologies such as Robotic Process Automation (RPA) tools and Artificial Intelligence (AI), ensuring the digital identity is distinguishable, auditable, and consistently managed across the agency. This includes establishing mechanisms to bind, update, revoke, and destroy credentials for the device or automated technology.”

Overall, “as technology evolves, the Government must offer flexible solutions to meet changing technology needs and shift the focus from managing the lifecycle of credentials to the lifecycle of identities.” Without key controls around detecting and managing the risks of these entities, bad actors can “live off the land” and move laterally and with impunity once the NPE credentials have been accessed.

Enabling real-time visibility to manage NPE risks

Security teams of all kinds – federal and commercial alike – need to take a focused approach to NPE risk protection. It’s essential to:

  1. Enhance visibility – establish an inventory of users, identities, non-person entities (NPEs), and service accounts, including where and how they are used across the infrastructure and all applications.
  2. Improve risk posture – identify the risks associated with each NPE and know where and how it is used across the application environment.
  3. Profile and baseline normal behavior – profile the behavior of all NPEs across the application environment in real time to automatically establish allow-list policies and interactions based on known, normal behavior.
  4. Proactively detect and respond in real time – detect anomalous NPE behaviors inconsistent with the known normal behavior, generate alerts only on suspicious behavior, and respond in real time to compromised NPEs.
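Steps 3 and 4 in miniature, as an added example that is not TrueFort's code: a Python baseline-and-detect routine over constructed sample events (the account names, hosts and paths are made up) that learns a per-NPE allow-list of (source host, action, target) during a learning window and then flags live activity from a new source host, an unbaselined action, or an account that was never inventoried at all.

```python
"""Baseline-and-detect for service-account (NPE) activity.
Constructed sample events only: each record is (account, source_host, action, target)."""
from collections import defaultdict

# Constructed learning-window events: account, source host, action, target
LEARNING_EVENTS = [
    ("svc-backup", "db01", "ssh-login", "nas01"),
    ("svc-backup", "db01", "ssh-login", "nas01"),
    ("svc-backup", "db02", "ssh-login", "nas01"),
    ("svc-deploy", "ci01", "exec", "/usr/bin/ansible-playbook"),
    ("svc-deploy", "ci01", "exec", "/usr/bin/ansible-playbook"),
]

# Constructed live events to evaluate against the baseline
LIVE_EVENTS = [
    ("svc-backup", "db01", "ssh-login", "nas01"),                 # normal
    ("svc-backup", "ws-laptop17", "ssh-login", "nas01"),          # new source host
    ("svc-deploy", "ci01", "exec", "/usr/bin/ansible-playbook"),  # normal
    ("svc-deploy", "ci01", "exec", "/bin/bash"),                  # action not in baseline
    ("svc-orphan", "web03", "ssh-login", "db01"),                 # never inventoried
]

def build_baseline(events, min_count=1):
    """Return {account: {(host, action, target), ...}} for tuples seen >= min_count times."""
    counts = defaultdict(int)
    for acct, host, action, target in events:
        counts[(acct, host, action, target)] += 1
    baseline = defaultdict(set)
    for (acct, host, action, target), n in counts.items():
        if n >= min_count:  # raise min_count to drop one-off noise from the learning window
            baseline[acct].add((host, action, target))
    return dict(baseline)

def detect_anomalies(baseline, events):
    """Return [(reason, event), ...] for activity outside each NPE's allow-list."""
    findings = []
    for ev in events:
        acct, host, action, target = ev
        allowed = baseline.get(acct)
        if allowed is None:
            findings.append(("unknown_npe", ev))  # unmanaged NPE: no baseline exists
        elif (host, action, target) not in allowed:
            known_hosts = {h for h, _, _ in allowed}  # report which dimension drifted
            reason = "new_source_host" if host not in known_hosts else "new_action_or_target"
            findings.append((reason, ev))
    return findings
```

Running `detect_anomalies(build_baseline(LEARNING_EVENTS), LIVE_EVENTS)` yields three findings and stays silent on the two normal events, which is the "alert only on suspicious behavior" property step 4 asks for.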

Whether they are called NPEs or service accounts, we automatically detect, report, and enforce usage policies across servers, workloads, and applications, notifying security teams and agencies of suspicious behavior that strays from established normal, approved actions.
