Identity and Access Management in a Zero Trust World
Identity is the new perimeter. This phrase has become a cliché in security architecture discussions, but the underlying reality it describes is not: as enterprise workloads have migrated to cloud environments and the workforce has distributed across remote and hybrid arrangements, the traditional network perimeter has become increasingly irrelevant as a security boundary. Employees access critical business systems from home networks, coffee shops, and managed devices; contractors access sensitive applications from unmanaged personal laptops; and cloud workloads communicate with external services through APIs that have no concept of a trusted network. In all these scenarios, the only consistent, enforceable boundary is identity — who is making the request, whether their identity is authenticated, and whether they are authorized to access what they are requesting.
The consequence of identity's centrality to modern security is that identity and access management programs must bear a security burden they were never originally designed to carry. Legacy IAM programs were designed primarily for operational correctness — ensuring that employees had access to the systems they needed to do their jobs, that terminated employees lost that access, and that auditors could document who had access to what. Security was a secondary consideration. In a zero trust security model, IAM becomes a primary security control: the quality of authentication, the precision of authorization, and the real-time risk assessment of identity decisions directly determine the security posture of the organization.
The Identity Threat Landscape
Understanding the specific threats that target identity systems helps prioritize IAM investment. Credential compromise is the single largest category of initial access vector across all breach types — an estimated 80 percent of breach investigations involve compromised credentials at some stage of the attack chain. The mechanisms of credential compromise have diversified substantially: phishing campaigns steal credentials directly, infostealer malware harvests credentials from browser storage and application memory, credential stuffing attacks test breached credential lists against corporate authentication endpoints, and adversary-in-the-middle (AiTM) phishing kits bypass MFA by proxying authentication sessions in real time.
Post-compromise identity attacks — attacks that leverage valid credentials to conduct malicious activity — have become the primary mode of operation for sophisticated adversaries because they minimize forensic artifacts and blend with legitimate user activity. Kerberoasting attacks request Kerberos service tickets for service accounts and crack them offline to obtain service account credentials with potentially broad permissions. Pass-the-hash and pass-the-ticket attacks reuse captured credential hashes without requiring the underlying password. Golden ticket attacks forge Kerberos tickets using the domain's krbtgt account hash, enabling the attacker to impersonate any user in the domain for an extended period. Each of these techniques exploits specific characteristics of legacy Windows authentication systems, which remain in use across most enterprise environments despite decades of security research demonstrating their weaknesses.
Modern Authentication Architecture
Moving enterprise authentication to modern standards — SAML, OAuth 2.0, OIDC — provides the foundation for phishing-resistant authentication and eliminates many of the attack surfaces exploited by legacy Kerberos attacks. But the transition from legacy to modern authentication in large enterprises is a multi-year project complicated by the heterogeneity of enterprise application portfolios, which invariably include custom applications built on legacy authentication stacks, third-party applications that support only NTLM or basic authentication, and OT systems with proprietary authentication mechanisms.
FIDO2 passkeys represent the current state of the art in phishing-resistant authentication and are rapidly becoming the preferred standard for new deployments. Unlike TOTP-based MFA, which can be bypassed by AiTM phishing attacks that proxy authentication sessions, FIDO2 authentication is cryptographically bound to the specific origin domain — a phishing page cannot successfully relay a FIDO2 authentication because the user's device will refuse to sign authentication responses for the attacker's domain. Deploying FIDO2 passkeys for the highest-risk authentication scenarios — privileged access, access to sensitive data repositories, external administrative access — should be a priority for organizations that have not yet done so, because it eliminates the largest remaining bypass vector for MFA deployments.
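The origin binding described above, modelled as an added example (not code from the article or any FIDO2 library): the browser derives the relying-party ID from the page origin, the authenticator only holds credentials scoped to that ID, and the relying party checks challenge, origin and rpIdHash before the signature. An HMAC keyed with a per-credential secret stands in for the authenticator's ECDSA signature so the example runs on the standard library; the domains are constructed.

```python
import hashlib, hmac, json, os
from urllib.parse import urlparse

RP_ID = "login.example.com"   # constructed relying-party domain (assumption)

class Authenticator:
    """Credentials are scoped to an rpId; the device has no key for any other domain."""
    def __init__(self):
        self.credentials = {}     # rpId -> per-credential secret
    def register(self, rp_id):
        self.credentials[rp_id] = os.urandom(32)
    def get_assertion(self, rp_id, client_data):
        key = self.credentials.get(rp_id)
        if key is None:           # nothing scoped to this domain: refuse to sign
            return None
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash || flags
        signed = auth_data + hashlib.sha256(client_data).digest()
        # HMAC stands in for the authenticator's ECDSA signature over the same bytes
        return auth_data, hmac.new(key, signed, hashlib.sha256).digest()

def browser_sign(authenticator, origin, challenge):
    """The browser derives rpId from the page origin; script on the page cannot pick it."""
    rp_id = urlparse(origin).hostname
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}).encode()
    assertion = authenticator.get_assertion(rp_id, client_data)
    return None if assertion is None else (client_data, *assertion)

def relying_party_verify(response, expected_challenge, key):
    """Relying-party checks: challenge, origin, rpIdHash, then the signature."""
    if response is None:
        return False
    client_data, auth_data, sig = response
    cd = json.loads(client_data)
    if cd["challenge"] != expected_challenge or cd["origin"] != f"https://{RP_ID}":
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), sig)

def demo():
    auth = Authenticator()
    auth.register(RP_ID)
    key = auth.credentials[RP_ID]   # a real RP stores the public key instead
    challenge = os.urandom(16).hex()
    genuine = relying_party_verify(browser_sign(auth, f"https://{RP_ID}", challenge), challenge, key)
    # AiTM proxy: the user is on the lookalike page, which relays the RP's real challenge
    phished = relying_party_verify(browser_sign(auth, "https://login-example.net", challenge), challenge, key)
    return genuine, phished
```

The relayed attempt fails twice over: the authenticator returns nothing for the lookalike domain, and even a forged response would carry the wrong origin and rpIdHash under the signature.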
Conditional access policies — dynamic authentication requirements based on risk context — are the mechanism by which modern identity platforms implement adaptive authentication. A user accessing Microsoft 365 from a managed, compliant corporate device on the corporate network should face a different authentication requirement than the same user accessing the same service from an unrecognized device in a foreign country. Conditional access policies encode these distinctions and enforce step-up authentication or access restriction based on configurable risk criteria, providing a practical implementation of zero trust's "verify explicitly" principle in the authentication layer.
Privileged Access Management
Privileged access — access by accounts with administrative authority over systems, applications, or data — represents a disproportionate share of identity-related security risk. Compromised privileged credentials provide attackers with capabilities that dramatically accelerate attack progression: the ability to deploy software, modify configurations, access all data in scope, disable security controls, and cover forensic tracks. Every major breach investigation finds privileged credential compromise somewhere in the attack chain.
Privileged access management programs that go beyond simple privileged account inventory to implement just-in-time access provisioning deliver the most significant risk reduction. JIT access means that privileged credentials do not exist in a usable form until they are explicitly requested for a specific task, granted for the minimum necessary duration, and automatically revoked when the task is complete or the time window expires. This model eliminates the persistent privileged accounts that traditional PAM approaches manage — accounts that, once compromised, provide attackers with continuous privileged access — in favor of ephemeral credentials that have minimal value after the specific task window closes.
Service accounts — non-human accounts used by applications, automation, and integrations — are the most consistently neglected category in privileged access management programs. Service accounts frequently accumulate excessive permissions over time as applications are updated without commensurate access reviews, they often have passwords that have not been rotated in years or decades, and they are rarely monitored for behavioral anomalies because their activity patterns are assumed to be predictable and static. Attackers systematically target service accounts precisely because these management deficiencies make them high-value targets: kerberoastable service accounts with weak passwords and broad permissions are found in virtually every large enterprise Active Directory environment.
Identity Governance and Access Reviews
Identity governance — the processes that manage the lifecycle of user access from provisioning through regular review to deprovisioning — prevents the permission accumulation that creates the excessive-privilege risk that attackers exploit. In most enterprises, the primary failure mode is not that access is provisioned incorrectly at hire time, but that access is never effectively revoked when it is no longer needed. Employees who change roles accumulate permissions from each role without losing the permissions from previous ones, creating a profile that far exceeds what any current role justifies. Contractors who complete projects retain access indefinitely because there is no systematic process to trigger deprovisioning when the engagement ends. Service accounts created for temporary integrations persist for years after the integration is decommissioned.
Access reviews — periodic certification campaigns in which account managers review and affirm or revoke the access of accounts in their scope — are the standard mechanism for maintaining access hygiene, but their effectiveness varies enormously with implementation quality. Rubber-stamp reviews in which managers approve all access without meaningful scrutiny provide the appearance of governance without the substance. Effective access reviews present managers with context that makes informed decisions possible: the last time the user exercised each permission, a comparison of the user's access to peers in the same role, and flagging of specific access combinations that are unusual or high-risk. Without this context, most managers will approve access they cannot justify revoking, resulting in permission drift that access reviews were intended to prevent.
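The review context the paragraph calls for, as an added example rather than any product's logic: for each entitlement it flags staleness from last-use dates, rarity compared with same-role peers, and a separation-of-duties combination. The users, roles, entitlements and the conflicting pair are constructed.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed review data (assumption): each user's role and the last date each
# entitlement was exercised; None means the entitlement was granted but never used.
USERS = {
    "alice": ("analyst", {"crm-read": date(2024, 5, 30), "finance-ledger": date(2023, 8, 2)}),
    "bob":   ("analyst", {"crm-read": date(2024, 6, 1), "vpn-contractor": None}),
    "carol": ("analyst", {"crm-read": date(2024, 5, 28), "crm-export": date(2024, 5, 1)}),
    "dave":  ("analyst", {"crm-read": date(2024, 6, 2)}),
    "erin":  ("finance", {"finance-ledger": date(2024, 6, 1)}),
}
# Constructed separation-of-duties conflict: CRM access combined with ledger access.
HIGH_RISK_COMBOS = [frozenset({"crm-read", "finance-ledger"})]
REVIEW_DATE = date(2024, 6, 3)   # date the certification campaign runs (constructed)

def peer_prevalence(users):
    """For each role, the share of its members holding each entitlement."""
    members, holders = Counter(), Counter()
    for role, entitlements in users.values():
        members[role] += 1
        for ent in entitlements:
            holders[(role, ent)] += 1
    return {key: n / members[key[0]] for key, n in holders.items()}

def review_context(users, today, stale_days=90, rare_below=0.5, combos=HIGH_RISK_COMBOS):
    """Per-user findings a reviewer needs: stale, unusual for the role, high-risk combination."""
    prevalence = peer_prevalence(users)
    cutoff = today - timedelta(days=stale_days)
    report = {}
    for user, (role, entitlements) in users.items():
        held = set(entitlements)
        report[user] = {
            "stale": sorted(e for e, last in entitlements.items() if last is None or last < cutoff),
            "rare_for_role": sorted(e for e in held if prevalence[(role, e)] < rare_below),
            "high_risk": sorted(",".join(sorted(c)) for c in combos if c <= held),
        }
    return report
```

A reviewer sees that alice's ledger access is stale, rare for an analyst and part of a conflicting pair, while dave's access raises nothing; the same entitlement on erin is unremarkable because every finance peer holds it.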
Identity Detection and Response
Identity systems generate some of the richest and most actionable security telemetry available in enterprise environments. Authentication events, directory changes, privilege assignments, and access patterns all flow through identity systems and provide behavioral signals that enable detection of credential compromise, privilege escalation, and lateral movement. But many organizations treat identity logs as compliance records rather than security telemetry, shipping them to a SIEM without deploying detection content that activates their value.
Identity detection and response requires detections tuned specifically to identity attack patterns: impossible travel (authentication from geographically inconsistent locations within a time window too short for legitimate travel), high-volume authentication failures followed by a success (password spraying pattern), privilege assignment to accounts that have not previously held those permissions, a service account accessing resources outside its normal operational scope, bulk access to sensitive data by accounts with no pattern of similar access, and new MFA device registration from an unusual location. These detections require baseline behavioral models for each identity — what is normal for this account? — to distinguish anomalous activity from routine variation. Generic thresholds applied uniformly across all accounts are systematically less accurate than per-entity behavioral baselines.
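Two of the detections named above, impossible travel and failures-then-success, run over a handful of constructed sign-in events as an added example (not the article's or any SIEM's content). The fixed speed and failure thresholds are assumptions standing in for the per-entity baselines the paragraph argues for; the users, cities and coordinates are constructed.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (assumption): time, user, outcome, source city, latitude, longitude.
EVENTS = [
    ("2024-06-03T08:00:00", "alice", "success", "Boston", 42.36, -71.06),
    ("2024-06-03T08:40:00", "alice", "success", "Frankfurt", 50.11, 8.68),  # 40 min later
    ("2024-06-03T09:00:00", "bob", "success", "Boston", 42.36, -71.06),
    ("2024-06-03T13:00:00", "bob", "success", "New York", 40.71, -74.01),   # plausible
]
# Twelve failures in twelve minutes, then a success: the spray-then-success pattern.
EVENTS += [(f"2024-06-03T10:{m:02d}:00", "svc-backup", "failure", "Unknown", 0.0, 0.0) for m in range(12)]
EVENTS += [("2024-06-03T10:12:30", "svc-backup", "success", "Unknown", 0.0, 0.0)]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def parse(events):
    return sorted(((datetime.fromisoformat(t), u, o, c, la, lo) for t, u, o, c, la, lo in events), key=lambda e: e[0])

def impossible_travel(events, max_kmh=900.0):
    """Consecutive successes for one user farther apart than an airliner could cover."""
    last, alerts = {}, []
    for ts, user, outcome, city, lat, lon in parse(events):
        if outcome != "success":
            continue
        if user in last:
            pts, pcity, plat, plon = last[user]
            hours = (ts - pts).total_seconds() / 3600
            km = haversine_km(plat, plon, lat, lon)
            if hours > 0 and km / hours > max_kmh:
                alerts.append((user, pcity, city, round(km), round(km / hours)))
        last[user] = (ts, city, lat, lon)
    return alerts

def spray_success(events, min_failures=10, window=timedelta(minutes=15)):
    """A burst of failures followed by a success for the same account within the window."""
    failures, alerts = defaultdict(list), []
    for ts, user, outcome, *_ in parse(events):
        failures[user] = [f for f in failures[user] if ts - f <= window]  # slide the window
        if outcome == "failure":
            failures[user].append(ts)
        elif len(failures[user]) >= min_failures:
            alerts.append((user, len(failures[user]), ts.isoformat()))
            failures[user].clear()
    return alerts
```

Replacing `max_kmh` and `min_failures` with values learned per account (for example, the failure count a given service account never exceeds in normal operation) is the step that turns these generic thresholds into the per-entity baselines the text describes.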
Key Takeaways
- Identity has become the primary security boundary in cloud and distributed enterprise environments — IAM programs must be designed as security controls, not just operational tools.
- FIDO2 passkeys eliminate the AiTM phishing bypass for MFA and should be deployed for the highest-risk authentication scenarios as a priority.
- Just-in-time privileged access eliminates the persistent privileged credentials that attackers target, replacing them with ephemeral credentials that expire automatically.
- Service accounts are the most consistently neglected category in PAM programs and among the most targeted by attackers — inventory, monitoring, and password rotation are all required.
- Effective access reviews provide managers with usage context and peer comparison data, enabling informed approval/revocation decisions rather than rubber-stamp approvals.
- Identity detection requires per-entity behavioral baselines and detections specifically tuned to credential compromise, privilege escalation, and lateral movement patterns.
Conclusion
Identity and access management has evolved from a provisioning and compliance function into a core security discipline. The organizations that recognize this shift and invest in modern authentication standards, just-in-time privileged access, disciplined identity governance, and identity-specific detection capabilities will find that the majority of techniques attackers use to escalate privileges and move laterally become significantly harder or impossible to execute against their environments. Those that continue to treat IAM as an IT operations function with security as an afterthought will continue to find that credential-based attacks account for the overwhelming majority of their security incidents — because attackers target the weakest link, and poorly managed identity remains that link across most enterprises.