What is Identity Security?
Identity security, also called identity protection, refers to the frameworks and technologies used to manage and secure digital identities within a business. Identity security controls protect against unauthorized access, data breaches, and identity theft. Strong identity security practices enforce the principles of least privilege and segregation of duties. Identity security ensures that only authenticated and authorized users can access the proper resources, and it continuously monitors and audits access.
In recent years, transformative shifts in technology, including how and where we work, have vastly expanded the identity attack surface. Many aspects of digital transformation, such as a dissolving perimeter, have made securing identities more important than ever.
No identities are more critical to protect than privileged identities, which are those identities and associated accounts possessing elevated access above that of a standard user. Today, SaaS accounts proliferate across enterprises, with hundreds of thousands of permission types. This account dynamism within the cloud blurs the definition of what a privileged user is.
In addition, a default permission or misconfiguration can unintentionally provide an access escalation path to an identity, presenting an unseen risk. This is why the most important piece of identity security today is managing and protecting privilege and privilege escalation pathways. These paths are frequently nested, hidden, or indirect. If a threat actor discovers them, they can exploit these paths to escalate access. They can then execute lateral movement and other techniques to advance an attack.

What is a Digital Identity?
A digital identity refers to the online persona or set of attributes that uniquely identify an individual, organization, or machine (application, device, etc.). A human identity typically exists as a one-to-one relationship between the human user and their digital presence. A digital presence can consist of multiple accounts, credentials, and entitlements associated with an individual. All machine / non-human identities (NHIs) should have a human owner.
Various pieces of information, known as identity attributes, make up identities. They can include usernames, passwords, biometric data, digital certificates, and personal identification numbers (PINs), among others. All of this information requires protection and management. Digital identities facilitate interactions on the internet, enabling access to services, transactions, and communications. They play a critical role in cybersecurity by serving as the basis for authentication (authn) and authorization (authz) processes.
Identities vs Accounts
Two key terms serve as the foundation for describing how companies provision and manage access controls:
An 'identity' is the overall representation of an individual or entity, encompassing all attributes and credentials associated with them.
An 'account' is a specific instance within a system where the identity is used. Thus, a single identity can have multiple accounts across different systems, each requiring proper management and security.

From the diagram above, you can see how each ‘Account Type’ of the identity can contain a multitude of different credential types. This includes both human and machine identities.
Why is Identity Security Important?
Identity security is important because digital transformation initiatives, such as cloud migration and expansion, have vastly increased the number of digital identities across organizations. As a result, the identity attack surface has expanded.
Modern identity protection practices are imperative for preventing identity theft, data breaches, system outages, and other security incidents. These attacks could lead to significant financial losses, damage to reputation, non-compliance, and even legal repercussions. Attackers can even compromise the identity infrastructure itself, such as an identity provider (IdP) like Active Directory and Okta, or an IAM solution. This could give them the ability to compromise identities wholesale across the enterprise.
Recent statistics highlight the importance of identity security:
86% of organizations incurred an identity-related security event over the past year.
Almost half (46.4%) of security alerts observed in Google Cloud during H2 2024 were due to overprivileged service accounts.
Nearly 1 in 3 attacks observed in 2024 used valid accounts, making it a top method for gaining access to victim environments.
Today, remote work and cloud-based services are increasingly the norm. Identity security should enable secure access management across diverse environments. Secure identity practices should ensure users (internal or vendors, etc.) can safely access the data and applications they need, regardless of their location. These approaches should not only improve security, but also enhance user experience and operational efficiency.
Identity-based security also supports compliance with regulatory requirements that mandate the protection of personal and sensitive data, such as GDPR, HIPAA, and numerous others.
In summary, identity security is vital for protecting the integrity, confidentiality, and availability of enterprise information assets.
What are Some Common Identity Threats?
Cybercriminals leverage many tactics, frequently chained together, to compromise identities and their accounts. Some common examples include:
1. Social Engineering involves manipulating human users through various means of communication to steal credentials and access confidential information or systems. Examples include phishing emails, vishing phone calls, social media, and even deepfakes.
2. MFA Fatigue Attacks aim to subvert multifactor authentication defenses by persistently “bombing” a user’s device with MFA requests. These attacks aim to overwhelm the user until they approve one of the requests—either inadvertently or due to frustration. This approval then enables the attacker to log in and gain access to secured resources. To succeed, the attacker must first have access to a user’s compromised credentials.
3. Credential Stuffing occurs when attackers use stolen account credentials from one breach and attempt to log in to other services. It takes advantage of reused passwords across multiple accounts, which is a common practice. Attackers typically use a tool that can automatically scan for services. The tool will then try to auto-inject the credentials at scale, in hopes they will provide authentication somewhere.
4. Keyloggers are malware that record keystrokes on a victim's device, capturing everything typed, including passwords and other sensitive information.
5. Brute Force Attacks involve attempting to guess a user's credentials by systematically trying numerous possibilities, typically aided by automated software.
6. Password Sprays are a type of brute-force attack where an attacker tries a few common passwords against many accounts. By targeting several accounts at once, they avoid triggering account lockout mechanisms.
7. Hash-Based Attacks exploit weaknesses in hash functions, allowing attackers to reverse or duplicate hashed data. Pass-the-hash (PtH) is one common example of such an attack.
8. Kerberoasting is an identity-based threat technique where attackers extract service tickets (Kerberos tickets) from a network. They then attempt to crack the tickets offline to obtain service account passwords.
9. Account Takeover (ATO) refers to attackers gaining unauthorized access to accounts, leveraging various methods. The attackers often change the account details to lock out the legitimate user and exploit the account for malicious purposes.
10. Lateral Movement occurs after the attacker gains a foothold by compromising an account. The attacker can then use a combination of methods, such as any privileges or access rights, to compromise additional accounts and assets.
11. Privilege Escalation encompasses multiple techniques, such as exploiting vulnerabilities or misconfigurations, to escalate privileges and gain higher-level permissions. Privilege escalation attacks ultimately expand a threat actor's access and control over more identities, accounts, and systems.
AI/ML Identity Threats
Threat actors increasingly leverage artificial intelligence (AI) and machine learning (ML) technologies to enhance the sophistication and effectiveness of their attacks. By employing AI/ML, attackers can better automate the discovery and exploitation of software and identity vulnerabilities. These approaches make it more efficient to target potential victims at scale.
AI and ML-powered technologies are also enabling the development of more advanced phishing campaigns that mimic human behavior and writing styles. These emerging technologies can deceive even the most vigilant users. AI-driven malware can adapt to its environment, evading detection by changing its behavior or appearance based on the security tools it encounters.
In an audacious 2024 identity-based attack in Hong Kong, threat actors leveraged deepfake technology to perpetrate a $25.6 million heist. The attack simulated an entire video conferencing environment, using deepfake to impersonate a prominent Hong Kong CFO and other meeting participants. The impersonation convinced a finance employee to transfer $25.6 million into five different Hong Kong bank accounts.
In addition, enterprises may use AI agent identities across their organization. These AI identities differ from human identities in significant ways, for instance, in the scale of data they can process. AI agents can work autonomously to collect data and perform actions that may be privileged in nature, which makes AI agent identity governance critical for reducing risk if those identities are compromised. These AI agents may also be "shadow AI" created and used by workers, without explicit company permission. Just as with shadow IT, the proliferation of shadow AI identities can create a hidden attack surface that puts the organization at risk.
Identity Security vs. Zero Trust
Identity security and zero trust are complementary concepts, with significant areas of overlap.
Identity security centers around the management and security of digital identities. It verifies that individuals or entities are who they claim to be before granting access to sensitive information and systems. In addition, it ensures that identities use granted access appropriately. Identity security aims to protect against unauthorized access and potential security breaches. It does so by managing and monitoring who has access to the what, when, and where of resources, based on verified identities.
Zero trust encompasses a broader security framework that operates on the principle of "never trust, always verify." Zero trust assumes that threats can exist both outside and inside the network. This framework differs from traditional security models that automatically trust users and devices within an organization's network. Therefore, zero trust requires verifying the security status and authorization of users and devices, regardless of their location, before granting access to resources. This approach enforces continuous authentication, least privilege access, and micro-segmentation to minimize the attack surface and limit the potential impact of breaches.
Identity security is a critical component of the zero-trust model, focusing on the verification of users and their access rights. However, zero trust extends beyond identity. It can also include validating device security postures and enforcing policies that govern access and utilization of resources.
The 5 Fundamental Identity Security Principles
As cyber threats grow more sophisticated and IT environments become more complex, organizations must evolve their identity security strategies. It is crucial for them to properly safeguard user identities and access to critical resources. With that said, five areas of focus provide the fundamental framework for holistic identity protection. These focus areas, known as the 5 A’s, are Authentication, Authorization, Administration, Analysis/Assessment, and Audit. These strategies not only help verify user identities, but also ensure organizations appropriately manage access rights and continuously monitor them for potential security threats.
Let’s delve deeper into each of the 5 A’s and understand how they contribute to a strong identity security posture.
1. Authentication (Authn)
Goal: To ensure a user is who they claim to be.
Strategies: Mechanisms like passwords, biometrics, multi-factor authentication (MFA), and single sign-on (SSO) are examples of authentication types. MFA is increasingly important, especially for protecting privileged accounts. MFA requires an extra security factor to prove the identity. This multi-layered approach protects against several account hijacking attack methods, such as password reuse threats. SSO allows users to access multiple services with a single set of securely managed credentials, reducing password fatigue while improving user experience.
2. Authorization (Authz)
Goal: Define and enforce what authenticated users or entities are permitted to do within the system. This includes resources that users or entities can access, the conditions under which they can access them, and which actions they can perform.
Strategies: Policies, role-based access controls (RBAC), attribute-based access control (ABAC), and other contextual rules often control the authorization process. Organizations establish these rules according to their specific needs and security protocols. Privileged Access Management (PAM) is a key technology here for controlling authorization. PAM solutions manage privileged accounts and sessions and implement granular least privilege controls. Application control, often combined with Endpoint Privilege Management, is also important for tightly managing which applications specific users can install or run.
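The following Python is an added example, not code from the original page, showing how the RBAC and ABAC rules described above combine in a deny-by-default authorization check: a role grants only the actions its job needs, and higher-impact actions additionally require contextual conditions (such as MFA or a trusted network) to hold at request time. The roles, resources, actions and condition names are constructed for illustration.

```python
"""Deny-by-default authorization combining role-based access control (which
role may perform which action on which resource) with attribute-based
conditions (under what circumstances).

Added example for this page. The roles, resources, actions and condition
names below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    resource: str                      # e.g. "payroll-db"
    action: str                        # e.g. "read", "write", "admin"
    requires: frozenset = frozenset()  # ABAC conditions that must all hold


# Each role carries only the permissions its job needs (least privilege).
# Higher-impact actions add contextual conditions on top of role membership.
ROLES = {
    "hr-analyst": {
        Permission("payroll-db", "read"),
    },
    "hr-admin": {
        Permission("payroll-db", "read"),
        Permission("payroll-db", "write", frozenset({"mfa", "corp-network"})),
    },
    "dba": {
        Permission("payroll-db", "admin",
                   frozenset({"mfa", "corp-network", "approved-change"})),
    },
}


@dataclass
class Request:
    subject: str
    roles: list
    resource: str
    action: str
    context: set = field(default_factory=set)  # attributes true right now


def authorize(req):
    """Return (allowed, reason). Anything not explicitly granted is denied."""
    reasons = []
    for role in req.roles:
        for perm in ROLES.get(role, ()):
            if perm.resource != req.resource or perm.action != req.action:
                continue
            missing = perm.requires - req.context
            if not missing:
                return True, f"granted via role '{role}'"
            # Role matches but the request context does not satisfy the conditions.
            reasons.append(f"role '{role}' grants {req.action} only with {sorted(missing)}")
    if reasons:
        return False, "; ".join(reasons)
    return False, "no assigned role grants this action (default deny)"


if __name__ == "__main__":
    print(authorize(Request("alice", ["hr-analyst"], "payroll-db", "read")))
    print(authorize(Request("bob", ["hr-admin"], "payroll-db", "write", {"mfa"})))
    print(authorize(Request("bob", ["hr-admin"], "payroll-db", "write", {"mfa", "corp-network"})))
```

Returning the reason alongside the decision matters for the Audit principle later on the page: a denied write that names the missing condition is far more useful in a log than a bare "denied".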
3. Administration
Goal: Manage the entire lifecycle of digital identities within an organization. This includes provisioning and deprovisioning users and their access rights (referred to as the Joiner, Mover, Leaver (JML) process). It also encompasses the continuous management of identity attributes, roles, and policies.
Strategies: Identity and access management (IAM) solutions can provide processes and automation to help ensure proper security hygiene across the lifecycle of an identity. Within IAM are two important subdisciplines:
4. Analysis / Assessment
Goal: Understand your identity estate inside and out. Analysis and assessment help optimize the security and operation of identities and identity infrastructure through ongoing monitoring and evaluation.
Strategies: Continuously assess your entire identity estate, including accounts, privileges, entitlements, permissions, and their relationships for all identities—human, machine, employee, vendor, etc.
5. Audit
Goal: Ensure compliance with regulatory standards and internal policies by recording and reviewing logs and transactions related to access and authentication.
Strategies: Auditing helps in identifying any anomalies or unauthorized activities, providing traceability, and facilitating post-incident analysis to improve security measures. Organizations should analyze and audit privileged session activity and privileged user behavior. These audits should ensure that no identities abuse access rights, and/or run afoul of compliance.
In addition, organizations should perform regular user access reviews and apply the findings to adjust access policies when needed. These policies should ensure that teams only provision access if and when a specific identity needs it.
What Is Identity and Access Management (IAM)?
The Identity and Access Management (IAM) umbrella is a broad identity-based security framework. It encompasses numerous policies and technologies that ensure the right individuals have the proper access to technology resources and use that access appropriately. For decades, IAM has played an essential role in managing enterprise user identities and regulating access privileges.
However, IAM infrastructure and tools still leave gaps and silos that sophisticated attackers can exploit. Modern identity management and security practitioners have begun to address these gaps in recent years. One notable evolution in the identity security space over the last several years is Identity Threat Detection and Response (ITDR). ITDR solutions, comprised of multiple products and integrations, seek to bridge gaps across traditional IAM silos. They also aim to proactively eliminate risks, as well as detect threats and orchestrate responses.

Identity Security Solutions
Identity security solutions cover a variety of disciplines, with examples such as Identity and Access Management (IAM), Identity as a Service (IDaaS), Privileged Access Management (PAM), Multi-Factor Authentication (MFA), Identity Governance and Administration (IGA), Enterprise Password Management, Active Directory (AD) Bridging, Cloud Infrastructure Entitlement Management (CIEM), Customer Identity and Access Management (CIAM), and Identity Threat Detection and Response (ITDR).
Now, we will dive deeper into each of these sub-categories under the identity security umbrella:
Identity and Access Management (IAM) is a comprehensive framework of policies and technologies that ensure the right individuals have appropriate access to organizational resources. IAM solutions encompass the entire identity lifecycle, from creation and maintenance to deactivation, and include capabilities such as authentication, authorization, and user provisioning. Some solutions offer capabilities via the cloud as identity as a service (IDaaS).
By implementing robust IAM practices, organizations can enhance security, improve operational efficiency, and ensure compliance with regulatory requirements. Within IAM, as represented in the diagram above, there are numerous sub-disciplines and distinct product sets.
Privileged Access Management (PAM) is arguably the most essential identity-based security practice and technology set. PAM focuses on managing and auditing privileged identities and access. PAM solutions enforce the principle of least privilege, ensuring identities have the minimum level of access necessary to perform their roles. By auditing and managing privileged access, PAM helps organizations mitigate risks associated with privileged accounts while maintaining compliance with regulatory requirements.
PAM solutions provide robust mechanisms to secure, control, and audit access to high-value systems and data, particularly for accounts with elevated privileges. This reduces the risk of breaches from compromised privileged accounts and ensures that sensitive resources remain protected. While integrated PAM platforms may be comprehensive, the space consists of discrete practice areas that providers might offer as different products. Traditional PAM includes:
Privileged Account and Session Management (PASM) is also referred to as Privileged Password Management or Enterprise Password Management. Privileged Password Management products discover, onboard (within a safe or vault), and manage privileged identities, accounts, sessions, and credentials (passwords, DevOps secrets, SSH keys, certificates, etc.). PASM helps manage people, such as employees and third-party vendors, and non-human identities (NHIs) such as machines.
Privilege Delegation and Elevation Management (PEDM) products enforce least privilege across identities and endpoints (desktops, servers, network devices, IoT, OT, and non-traditional endpoint types). Endpoint Privilege Management is another way to describe these products. Endpoint Privilege Managers also incorporate application control capabilities, such as allow listing, block listing, and even advanced fileless malware protection.
A modern PAM platform may also provide directory bridging, MFA, CIEM, ITDR, and other capabilities, which are each separately described below. Modern PAM should work equally well across cloud and on-premises environments.
Multi-Factor Authentication (MFA) requires users to provide two or more verification factors to authenticate their identities. After authentication, they will gain access to resources such as applications or online accounts. These verification factors can include something the user knows (like a password), something the user has (like a smartphone), and/or something the user is (like a fingerprint). FIDO2 is an increasingly necessary MFA method often referred to as “phishing-resistant”. FIDO2 requires an additional, passwordless factor for verification, such as biometrics. Adding at least one extra layer of authentication significantly reduces the likelihood of unauthorized access by ensuring that the system stays secure even if one factor fails.
Identity Governance and Administration (IGA) encompasses the policies and technologies to manage user identities and their access rights within an organization. IGA solutions provide a framework for automating user provisioning, role management, and access certification processes. They ultimately help businesses maintain security, comply with regulatory standards, monitor access rights across the organization, and reduce the risk of unauthorized access to sensitive data and systems.
Enterprise Password Management is a broad solution designed to securely manage and store passwords and secrets across an organization's infrastructure. Enterprise Password Managers store credentials in an encrypted vault, reducing the risk of unauthorized access and data breaches. By centralizing password management, these solutions simplify the enforcement of strong password policies, facilitate compliance, and streamline access control processes. Altogether, these password best practices enhance the overall security posture of the enterprise. These solutions may have different names and very different capabilities from vendor to vendor. The most robust of these solutions are PASM solutions (covered above) that also provide security and management capability for workforce passwords. While employee application passwords, or workforce passwords, are not traditional privileged credentials, they can provide indirect privilege escalation paths. Thus, PAM / PASM products continue to grow in capabilities that protect workforce passwords.
AD Bridging refers to the integration of non-Windows systems, such as Linux, with Microsoft Active Directory (AD). This process allows organizations to centralize authentication and identity management, leveraging AD's robust security features. By bridging these systems, organizations can unify their user directories, streamline access management, and enforce consistent security policies across heterogeneous environments. These capabilities make AD Bridging solutions effective at reducing administrative overhead and improving security compliance for companies. Some PAM vendors provide AD Bridging products.
Cloud Infrastructure Entitlement Management (CIEM) solutions emerged to manage user permissions and access rights in cloud / multicloud environments. These cloud-native solutions help organizations get control over entitlement and permissions sprawl by providing visibility into entitlements across multi-cloud infrastructures. By leveraging CIEM products, organizations can continuously monitor and right-size access across their diverse cloud environments. Some PAM providers offer these products, as do vendors outside IAM and identity protection altogether.
Customer Identity and Access Management (CIAM) is a subset of IAM focused on managing and securing customer identities. CIAM solutions enable organizations to provide seamless, secure access to customer-facing applications, while ensuring compliance with privacy regulations. These solutions typically offer features such as single sign-on (SSO), MFA, and user profile management. Together, these capabilities enhance user experience and protect sensitive customer data from breaches and unauthorized access.
Identity Threat Detection & Response (ITDR), while a newer discipline, has experienced rapid momentum due to the critical security gaps it addresses. ITDR solutions span multiple products (PAM, CIEM, etc.) within and outside of identity security. These solutions strive to integrate identity data, providing an organization-wide picture of the identity estate and the relationships between identities and accounts. ITDR combines proactive identity hygiene and hardening (which may be referred to as identity vulnerability management or identity attack surface management) with a reactive defense.
ITDR puts risk in context by leveraging AI and ML. It enables organizations to surface attacks in progress, as well as proactively flag identity vulnerabilities. For instance, ITDR can detect misconfigurations, orphaned accounts, excess privilege, and stale or weak passwords. Integrations with PAM and other solution sets enable organizations to proactively harden their identity security posture. Then, they can react more quickly to stop attacks and orchestrate stronger incident responses. ITDR ultimately aims to close gaps in visibility and provide more understanding of the identity fabric that attackers can currently exploit.
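The Audit section above asks for regular access reviews, and this ITDR section lists the hygiene findings such reviews should surface: orphaned accounts, excess privilege, stale passwords, and the nested or indirect privilege escalation paths the introduction warns about. As an added example (not part of the original page or any vendor's product), the following Python runs those checks over a constructed identity inventory. It resolves nested group membership to find indirect paths into privileged groups, and flags non-human identities without a human owner, enabled human accounts whose owner has left, and passwords older than a threshold. The group names, accounts, employee roster, dates and thresholds are all constructed for illustration.

```python
"""Identity-estate assessment over a constructed inventory.

Added example for this page. It resolves nested group membership to surface
indirect paths into privileged groups, and flags non-human identities without
a human owner, orphaned accounts, and stale passwords. The groups, accounts,
employee roster and thresholds are constructed for illustration and do not
reflect any directory's real data model.
"""
from collections import defaultdict
from datetime import date

PRIVILEGED_GROUPS = {"Domain Admins", "Payroll-DB-Admins"}

# Group -> direct members (users or other groups). The nesting below means a
# Helpdesk-L2 member is, transitively, a Domain Admin: an indirect path.
GROUPS = {
    "Domain Admins": {"Workstation-Admins"},
    "Workstation-Admins": {"Helpdesk-L2"},
    "Helpdesk-L2": set(),
    "Payroll-DB-Admins": set(),
    "HR-Staff": set(),
}

# Current employees; an enabled human account whose owner is not here is orphaned.
EMPLOYEES = {"alice", "bob"}

# Constructed account inventory.
ACCOUNTS = [
    {"name": "alice", "type": "human", "owner": "alice", "enabled": True,
     "groups": {"HR-Staff"}, "pw_last_set": date(2024, 3, 1)},
    {"name": "bob", "type": "human", "owner": "bob", "enabled": True,
     "groups": {"Helpdesk-L2"}, "pw_last_set": date(2024, 4, 15)},
    {"name": "svc-backup", "type": "machine", "owner": None, "enabled": True,
     "groups": {"Payroll-DB-Admins"}, "pw_last_set": date(2021, 1, 10)},
    {"name": "carol", "type": "human", "owner": "carol", "enabled": True,
     "groups": {"HR-Staff"}, "pw_last_set": date(2023, 1, 1)},
]

# Date the assessment is run (constructed).
ASSESSMENT_DATE = date(2024, 6, 1)


def privileged_paths(direct_groups):
    """Walk nested membership upward from an account's direct groups and
    return every chain that ends in a privileged group."""
    parents = defaultdict(set)
    for group, members in GROUPS.items():
        for member in members:
            parents[member].add(group)
    paths = []
    stack = [[g] for g in sorted(direct_groups)]
    while stack:
        chain = stack.pop()
        if chain[-1] in PRIVILEGED_GROUPS:
            paths.append(chain)
        for parent in sorted(parents[chain[-1]]):
            if parent not in chain:  # guard against membership cycles
                stack.append(chain + [parent])
    return paths


def assess(accounts, employees, today, max_password_age_days=365):
    """Return {account name: [finding, ...]} for the hygiene checks above."""
    findings = {}
    for acct in accounts:
        issues = []
        # Every NHI should have a human owner accountable for it.
        if acct["type"] != "human" and acct["owner"] is None:
            issues.append("nhi-without-owner")
        # An enabled human account whose owner left is orphaned (Leaver step missed).
        if acct["type"] == "human" and acct["enabled"] and acct["owner"] not in employees:
            issues.append("orphaned-account")
        if (today - acct["pw_last_set"]).days > max_password_age_days:
            issues.append("stale-password")
        for chain in privileged_paths(acct["groups"]):
            kind = "direct-privilege" if len(chain) == 1 else "indirect-privilege-path"
            issues.append(f"{kind}:{' > '.join(chain)}")
        findings[acct["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in assess(ACCOUNTS, EMPLOYEES, ASSESSMENT_DATE).items():
        print(name, issues or ["ok"])
```

In the constructed data, bob holds no privileged group directly, yet the nested membership makes him a Domain Admin; that is exactly the kind of hidden path a per-group review of "Domain Admins" would miss, and the reason the assessment must expand membership transitively rather than read direct members alone.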
Additional Resources
Identity Security Research Kit (Collection of Analyst Reports and other Research)
The Guide to Identity Security Defense in Depth (Best Practices Guide)
2026 Microsoft Vulnerabilities Report (Research)
The Forrester Wave™: Privileged Identity Management Solutions, Q3 2025 (Analyst Research)
2025 Gartner® Magic Quadrant™ for Privileged Access Management (Analyst Research)
2025 KuppingerCole Enterprise Secrets Management Compass (Analyst Research)
2025 GigaOM Radar for Cloud Infrastructure Entitlement Management (CIEM) (Analyst Research)
Complete Buyer’s Guide for Privileged Access Management (PAM) (Guide & Comparison Checklist)
Operationalizing AI Security: How To Govern AI Agent Identities Before Attackers Exploit Them (Research Blog)
Restless Guests: The True Entra B2B Guest Threat Model (Research Blog)