Identity Is the New Perimeter—And It's Fractured

In 2025, identity isn't just a security issue—it's the battleground. And too many organizations are getting caught flat-footed.

Organizations today must reckon with complex hybrid environments that contain interconnected endpoints, servers, cloud services, DevOps systems, identity infrastructure, and much more. And with enterprise systems no longer fitting neatly into a single network perimeter, the identities used to interact with these systems have become the new perimeter.

A strong cybersecurity foundation starts with clear visibility that puts risk in context. Identity security is no different. In practice, however, identity management is anything but centralized.

Building IDs and access to physical offices are handled by one system. Logins to Windows machines are generally managed with Windows domains and Active Directory—but what about Macs and Linux machines? Companies use Okta, Ping Identity, or the equivalent for single sign-on (SSO) to SaaS applications, but not every application supports SSO. Then there are all the connections to cloud-based assets—virtual machines, Kubernetes clusters, AWS and Azure infrastructures.

Each of these identity systems is typically owned by a different team, with its own tools and its own blind spots.

Silos Multiply Risk—and Attack Paths

The proliferation of different identity silos creates hidden attack pathways that threat actors can traverse. Each team tends to look at only their piece of the puzzle, but attackers see the whole board.

Machine identities and service accounts add even more complexity and risk. Sysdig's 2025 Cloud-Native Security and Usage Report found that machine identities are 7.5 times riskier than human identities, and that they can outnumber human identities 45 to 1.

Unlike human accounts, machine identities typically lack extra security layers such as multi-factor authentication (MFA). They often outlive the employees who created them. They also tend to be poorly documented, and they often hold privilege.

Orca Security's 2024 State of Cloud Security Report found that 70% of organizations have unencrypted secrets in code repositories. This includes API keys, certificates, and OAuth tokens. Development teams may store credentials in insecure configurations or fail to regularly rotate them. Combine that with improper offboarding and weak governance, and you've got ticking time bombs.
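To make the "secrets in code repositories" problem concrete, here is an added example (not from the original article or from any vendor product) of the kind of pre-commit check that catches them: a small scanner that combines known-prefix patterns for high-confidence hits with a Shannon-entropy test on values assigned to secret-looking variable names, so that placeholder values like "changeme" are not reported. The sample file content is constructed (the AWS key shown is Amazon's documented example key, not a live credential), and the pattern set is a deliberately small subset of what real scanners such as gitleaks ship with.

```python
"""Scan text (for example, files staged for commit) for hardcoded secrets.

Added example; not from the original article. SAMPLE below is constructed for
illustration and the PATTERNS table is a small, illustrative subset.
"""
import math
import re
import sys
from collections import Counter

# High-confidence patterns: well-known credential prefixes and key block headers.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic assignment such as `db_password = "..."` or `API_KEY: '...'`; the value
# is only reported if it looks random (high entropy), so placeholders are skipped.
ASSIGNMENT = re.compile(
    r"(?i)(secret|password|passwd|token|api[_-]?key)[a-z_]*\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)


def shannon_entropy(s):
    """Bits of entropy per character: random secrets score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text, entropy_threshold=3.5):
    """Return a list of findings, each {"line", "type", "match"}, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append({"line": lineno, "type": name, "match": m.group(0)})
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= entropy_threshold:
            findings.append({
                "line": lineno,
                "type": "high_entropy_" + m.group(1).lower(),
                "match": m.group(2),
            })
    return findings


# Constructed sample: an access key ID, a high-entropy secret key, two low-entropy
# placeholders that should NOT be reported, and a private key header.
SAMPLE = """\
# constructed sample config (not real credentials)
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = "changeme"
API_KEY: 'placeholder'
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    # Usage: python scan.py [file]; scans SAMPLE when no file is given.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for f in scan_text(text):
        print(f'line {f["line"]}: {f["type"]}: {f["match"][:12]}...')
```

Run against SAMPLE it reports the access key ID on line 2, the high-entropy secret on line 3 and the private key header on line 6, while the two placeholders fall under the entropy threshold. Tune the threshold to your codebase: too low and every UUID is a finding, too high and short real secrets slip through.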

The 2025 OWASP Top 10 Risks for Non-Human Identities report lists improper offboarding as the #1 risk. And rightly so—machine accounts are rarely tracked with the same scrutiny as user accounts. While HR and IT disable employees' human accounts when employees leave the company, rarely do they remove all the non-human accounts those employees created.

Lack of accountability for machine identities also leaves future IT staff with scant documentation of what those service accounts were originally intended to do, or which assets they touch. So, in practice, IT tends to leave service accounts alone for fear of the unknown and potential unintended consequences. Yet, many of these unmaintained machine identities are privileged and access a lot of disparate systems, making them a perfect target.

Clearly, there are many moving parts to account for in securing identities and their associated privileges, entitlements, and accounts. Over time, this adds up to many thousands of uncontrolled identity entry points across your infrastructure.

Modern Identity Security Requires a Layered Strategy

To gain control, IT and security practitioners need to answer some core questions:

  1. How do I manage and limit who can take various, specific actions on the assets I want to protect?
  2. How do I assess who has the rights to take various actions across systems so I can ensure that I have set privileges correctly?
  3. How do I prevent unauthorized use of valid credentials?
  4. How do I give temporary privileges to identities that need them to execute privileged tasks, without adding overhead?
  5. How do I detect if an identity is doing something suspicious and respond quickly?

Answering these requires more than good IAM hygiene. It demands a modern, intelligent, and streamlined approach.

What follows are the key, fundamental layers for achieving modern identity security defense-in-depth. While each of these layers is typically addressed by a different tool, it's important to pick tools that integrate with each other, or that are integrated via a single platform. You can't gain cohesive visibility, intelligence, and control of silos across your environment with siloed solutions.

Layer 1: Conducting identity threat modeling and assessment

We commonly see attackers establish a presence on one system and use the privileges found there to set up access for themselves on other systems, especially those systems more directly connected to their ultimate target. Attackers can use this privilege-chaining technique to hop from machine to machine until they reach their goal.

That's exactly how Russian hackers gained access to a major software company's executive email accounts and source code early in 2024. That breach exploited trust relationships between identity silos spanning on-prem and cloud systems.

A pivotal component of any identity security program is gaining a holistic understanding of identity risks, illuminating weaknesses, misconfigurations, and potential attack paths across your entire ecosystem. This is the purpose of an identity security risk assessment.

Such an assessment should:

  • Discover every identity across all systems
  • Inventory all elevated access (entitlements, privileges, roles, policies, etc.)
  • Determine whether identities from one system can be misused in another system to gain unintended privilege

While some companies conduct periodic identity audits, these often fail to assess risk across identity boundaries. Cloud platforms like AWS, Azure, and GCP may have tens of thousands of IAM permissions and actions across various types of identities and accounts. This scale of permissioning demands specialized tools built to uncover hidden privilege pathways across siloed systems.

Such identity security tools should synthesize identity and privilege data from sources across your siloed identity fabric—on-premises Windows Active Directory, cloud IAM, SaaS applications, and third-party identity providers like Okta and Ping Identity—and centralize it into a unified data warehouse. From there, the data can be used to:

  • Map relationships between identities and privileges
  • Automatically score identity risk using AI and machine learning
  • Recommend privilege adjustments to reduce threat risk

[Figure: an example graph showing the relationships between identities on different systems]

The result? A dynamic, cross-platform view of your identity estate that is always evolving as your environment changes. Used regularly, these tools don't just support audits. They enable continuous hardening of your identity attack surface.
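The privilege-chaining described under Layer 1 (an attacker hopping from one system's privilege to the next) and the third assessment goal above (can an identity from one silo be misused in another?) are the same graph problem. The following is an added example, not code from the original article or from any assessment product: identities and assets from several silos are nodes, relationships such as group membership, password-reset rights, local admin rights, stored credentials and role assumption are directed edges, and a breadth-first search enumerates every path from a low-privileged starting identity to a high-value target. All identities, hosts and relationships are constructed; in practice the edges are pulled from AD, cloud IAM, SSO assignments and credential discovery on hosts.

```python
"""Privilege-chaining paths across identity silos.

Added example, not from the original article or any vendor's product. The
identities, systems and relationships below are constructed.
"""
from collections import deque

# Directed edges (source, relation, target): controlling the source lets an
# attacker act as, or take control of, the target. The prefix before the first
# colon names the silo the node lives in (ad:, host:, aws:, okta:).
EDGES = [
    ("ad:user:alice",        "member_of",         "ad:group:Helpdesk"),
    ("ad:group:Helpdesk",    "reset_password_of", "ad:user:svc-backup"),
    ("ad:user:svc-backup",   "local_admin_on",    "host:build01"),
    ("host:build01",         "stores_key_for",    "aws:user:ci-deployer"),
    ("aws:user:ci-deployer", "can_assume",        "aws:role:ProdAdmin"),
    ("aws:role:ProdAdmin",   "admin_of",          "aws:account:prod"),
    ("okta:user:bob",        "assigned_app",      "aws:role:ReadOnly"),
    ("aws:role:ReadOnly",    "read_on",           "aws:account:prod"),
]


def build_graph(edges):
    """Adjacency list: node -> [(relation, next_node), ...]; every node is a key."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def find_paths(graph, start, target, max_hops=8):
    """Breadth-first search returning every simple path from start to target.

    A path is a list of (relation, node) pairs; the first pair's relation is None.
    """
    paths = []
    queue = deque([[(None, start)]])
    while queue:
        path = queue.popleft()
        node = path[-1][1]
        if node == target:
            paths.append(path)
            continue
        if len(path) > max_hops:
            continue
        visited = {n for _, n in path}
        for rel, nxt in graph.get(node, []):
            if nxt not in visited:          # simple paths only, no cycles
                queue.append(path + [(rel, nxt)])
    return paths


def render(path):
    """Human-readable form: a --rel--> b --rel--> c."""
    text = path[0][1]
    for rel, node in path[1:]:
        text += f" --{rel}--> {node}"
    return text


def silos_crossed(path):
    """Number of distinct identity systems a path passes through."""
    return len({node.split(":", 1)[0] for _, node in path})


def effective_holders(graph, target):
    """Every identity from which target is reachable: who effectively holds it."""
    return sorted(n for n in graph if n != target and find_paths(graph, n, target))


if __name__ == "__main__":
    g = build_graph(EDGES)
    for p in find_paths(g, "ad:user:alice", "aws:role:ProdAdmin"):
        print(render(p), f"({silos_crossed(p)} silos)")
    print("effective ProdAdmin holders:", effective_holders(g, "aws:role:ProdAdmin"))
```

On the constructed data, a helpdesk user with no cloud entitlements at all reaches production admin in five hops across three silos, via a service-account password reset and an AWS key left on a build host; an audit of AWS IAM alone would list only ci-deployer as able to assume ProdAdmin. `effective_holders` is the inventory question turned around: not "what does this identity have" but "who can end up with this privilege".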

Layer 2: Preventing unauthorized use of credentials and limiting system entry

What prevents someone from stealing and using highly privileged credentials to attack your systems? According to the 2025 OWASP Top 10 Risks Associated with NHIs, secrets leakage ranks as the second most critical threat.

To combat this, two control layers are essential to an effective identity security defense-in-depth strategy: restricting access to only known, trusted identities, and protecting the credentials those identities use.

The most common way to restrict access is through IP allowlisting and VPNs, which help ensure only known endpoints can connect. More advanced architectures introduce bastion hosts and jump points, acting as secure gateways between external users and internal systems.

These advanced systems offer several advantages, including the ability to force all RDP, SSH, HTTPS, VNC, and other connection types through a single, monitored pathway. By funneling traffic this way, you significantly reduce the number of paths into your systems while also simplifying auditing.

Credential and secrets vaults add another essential layer. These tools encrypt and manage sensitive credentials like passwords and SSH keys, reducing the risk of theft or misuse. Best-in-class solutions offer automated credential rotation and integration with hardware security modules (HSMs) to keep secrets protected at rest and in motion.

Even better? Many vaults now integrate with bastion hosts to inject credentials from the vault directly into the connection session, so users never see or handle the credentials themselves. A credential the user never holds cannot be written down, pasted into a chat, phished, or scraped from a workstation, which removes a whole class of theft and misuse.

Layer 3: Limiting privileges on the endpoint to prevent insider attacks

As Edward Snowden so publicly demonstrated, vaulting credentials and limiting external access won't stop a malicious insider with excessive privileges from doing serious damage.

Privilege management solutions help mitigate insider threats by controlling what actions a credentialed user or service account can perform once inside your environment. While cloud platforms like AWS and Azure offer granular privilege controls, traditional operating systems like Windows, macOS, and Linux fall short out-of-the-box.

On a fresh Windows install, the first account created during setup is a local administrator by default. On Linux, anyone listed in a host's sudoers file can elevate to root, and that file is maintained host by host with no centralized oversight. Windows offers Group Policy Objects and Linux relies on sudoers files for a layer of enterprise control, but neither integrates cleanly with broader privilege management strategies, and both are difficult to manage at scale. Endpoint Privilege Management (EPM) tools augment and improve on the native OS management of privileges by providing:

  • Granular control over user and application privileges on endpoints
  • Centralized policy creation and enforcement
  • Flexible elevation workflows based on risk and role

On Windows, EPM tools go far beyond User Account Control, and on macOS beyond the built-in authorization prompts, by letting you define policies for individual users and applications. Need to let someone install software without granting full admin rights? Endpoint Privilege Management can make that distinction, safely and consistently.

For Linux, EPM centralizes privilege decisions via a policy server, rather than relying on individual machine configurations. This allows for separation of duties, centralized auditing, and scalable policy enforcement.

Such tools also give you control over how privilege elevation requests are handled. You can:

  • Require MFA or service desk ticket approvals for access to sensitive assets
  • Auto-approve requests for lower-risk actions based on predefined criteria
  • Log and audit all elevation events in one place

The result: fine-grained, auditable control over what any identity can do on any endpoint—without sacrificing operational agility.

Layer 4: Implementing temporary, just-in-time privilege elevation

In nearly every discussion of identity and privilege management, the developer dilemma comes up: how do you balance security with the access developers think they need to work efficiently?

Developers often argue they need full privileges for everything to do their jobs, and that anything less harms their ability to efficiently work. But even if you trust them, leaving permanent elevated access in place turns every developer account into a high-value target. One stolen credential and an attacker inherits their privilege.

That's where just-in-time (JIT) privilege elevation comes in. Instead of standing access, privileges are granted only when needed, and only for as long as they're needed. This matters most in cloud environments, where entitlement sprawl is pervasive.

A JIT access approach is critical to minimize security risk for cloud/SaaS developers and DevOps teams managing mission-critical systems. JIT access tools enable controlled, self-service elevation, with privileged access to systems auto-revoked after:

  • A set duration
  • Ticket resolution
  • The end of an on-call rotation

While each major cloud platform offers some form of JIT access control, third-party enterprise tools offer some advantages. They can:

  • Manage JIT elevation across multiple clouds from a single interface
  • Integrate with SaaS applications to centralize access governance
  • Provide consistent workflows that eliminate the need for juggling native tools

Some tools also allow you to define multiple privilege sets into "bundles" for different identity groups, making it easy to manage access by job function. Many also support approvals via collaboration tools like Slack and Teams, so access can be requested and granted without breaking developer flow.
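The elevation workflow from Layer 3 (ordered policy rules; MFA or ticket approval for sensitive assets; auto-approval of low-risk actions) and the JIT grants from Layer 4 (time-bounded, revoked on expiry or when the justifying ticket closes) are two halves of one broker, so the following added example shows them together. It is not code from the original article or from any EPM or JIT product. The policy rules, identities, groups, hosts, commands and timestamps are all constructed, and the end of an on-call rotation is modelled simply as the grant's expiry time.

```python
"""Policy-driven, just-in-time (JIT) privilege elevation.

Added example, not from the original article or any EPM/JIT product. Policy
rules, identities, hosts, commands and timestamps are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    groups: Tuple[str, ...]          # identity groups the rule applies to (globs)
    command: str                     # glob over the requested command or action
    hosts: str                       # glob over the target host or resource
    decision: str                    # "allow", "deny" or "approve"
    requires: Tuple[str, ...] = ()   # ("mfa", "ticket") when decision is "approve"
    max_minutes: int = 60            # upper bound on the grant lifetime

# Evaluated top to bottom, first match wins, default deny. Explicit denies go
# first so that the broad "approve anything on prod" rule cannot shadow them.
POLICY = [
    Rule(("*",),      "/bin/sh",                 "*",       "deny"),
    Rule(("devops",), "apt-get install *",       "build-*", "allow", max_minutes=15),
    Rule(("devops",), "systemctl restart app-*", "prod-*",  "approve", ("mfa",), 30),
    Rule(("devops",), "*",                       "prod-*",  "approve", ("mfa", "ticket"), 60),
]


@dataclass
class Grant:
    identity: str
    command: str
    host: str
    expires_at: datetime
    ticket: Optional[str] = None
    revoked: bool = False

    def active(self, now, closed_tickets=frozenset()):
        """Dead on explicit revocation, expiry, or closure of the ticket that justified it."""
        if self.revoked or now >= self.expires_at:
            return False
        return not (self.ticket and self.ticket in closed_tickets)


def evaluate(policy, groups, command, host):
    """Return the first rule matching (groups, command, host), or None."""
    for rule in policy:
        if not any(fnmatch(g, pat) for g in groups for pat in rule.groups):
            continue
        if fnmatch(command, rule.command) and fnmatch(host, rule.hosts):
            return rule
    return None


class Broker:
    def __init__(self, policy):
        self.policy = policy
        self.grants = []

    def request(self, identity, groups, command, host, now, minutes,
                mfa_passed=False, ticket=None):
        """Decide an elevation request; returns (Grant or None, outcome string)."""
        rule = evaluate(self.policy, groups, command, host)
        if rule is None or rule.decision == "deny":
            return None, "denied"
        if rule.decision == "approve":
            if "mfa" in rule.requires and not mfa_passed:
                return None, "mfa_required"
            if "ticket" in rule.requires and not ticket:
                return None, "ticket_required"
        ttl = min(minutes, rule.max_minutes)      # never longer than policy allows
        grant = Grant(identity, command, host, now + timedelta(minutes=ttl), ticket)
        self.grants.append(grant)
        return grant, "granted"

    def active_grants(self, now, closed_tickets=frozenset()):
        return [g for g in self.grants if g.active(now, closed_tickets)]


NOW = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed clock


def demo():
    """Walk through the scenarios from the text and return the outcomes by name."""
    broker, dev, r = Broker(POLICY), ("devops",), {}
    g, r["build_install"] = broker.request("alice", dev, "apt-get install curl", "build-07", NOW, 120)
    r["build_install_ttl"] = int((g.expires_at - NOW).total_seconds() // 60)    # capped at 15
    _, r["prod_restart_no_mfa"] = broker.request("alice", dev, "systemctl restart app-api", "prod-web01", NOW, 20)
    _, r["prod_restart_mfa"] = broker.request("alice", dev, "systemctl restart app-api", "prod-web01", NOW, 20, mfa_passed=True)
    _, r["prod_psql_no_ticket"] = broker.request("alice", dev, "psql", "prod-db01", NOW, 45, mfa_passed=True)
    _, r["prod_psql_ticket"] = broker.request("alice", dev, "psql", "prod-db01", NOW, 45, mfa_passed=True, ticket="INC-1234")
    _, r["prod_shell"] = broker.request("alice", dev, "/bin/sh", "prod-db01", NOW, 45, mfa_passed=True, ticket="INC-1234")
    _, r["contractor"] = broker.request("bob", ("contractor",), "apt-get install curl", "build-01", NOW, 15)
    later = NOW + timedelta(minutes=16)
    r["active_after_16_min"] = len(broker.active_grants(later))                  # build grant expired
    r["active_after_ticket_closed"] = len(broker.active_grants(later, frozenset({"INC-1234"})))
    return r


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two design points worth copying: the grant lifetime is the minimum of what was asked for and what the matching rule allows, so a developer asking for two hours on a build box gets fifteen minutes; and the ticket reference is stored on the grant, so closing the ticket revokes access without anyone remembering to do it. Rule order is part of the policy: move the `/bin/sh` deny below the prod wildcard and a shell on a prod host becomes merely "approve with MFA and ticket".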

Layer 5: Detecting active identity threats

Unfortunately, no matter how prepared an organization thinks it is, a sufficiently diligent attacker will find a way around or through its defensive barriers. That's why continuous monitoring, paired with intelligence that accurately separates harmless activity from what you should care about, is essential.

Most detection tools on the market today look solely for known attack patterns. They're great at spotting yesterday's threats but are blind to zero-days, novel behaviors, or privilege misuse that falls outside a known signature.

Machine learning and AI are improving anomalous behavior detection, especially in identity behavior. But these systems still struggle to balance signal and noise. False positives waste time; false negatives cost everything.

Human-based security operations centers (SOCs) remain critical. Analysts can recognize subtle indicators of compromise, understand context, and take action when automated tools fall short.

To be effective, your identity security toolset should:

  • Integrate directly with existing SIEM tools
  • Highlight anomalies in identity access and privilege usage
  • Provide easily digestible dashboards with context around privilege changes and identity behavior
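The "highlight anomalies in identity access and privilege usage" requirement, and the signal-versus-noise problem raised above, can be shown with a baseline-and-deviate detector over identity events. This is an added example, not code from the original article or from any detection product: a short window of events builds a per-identity baseline of known source addresses and actions, later events are scored against it with weighted reasons (a new source, a first-time privileged action, a service account logging in interactively), and only identities whose accumulated score crosses a threshold are surfaced, so a human user appearing from one new address is noted but not escalated while a service account logging into the console from an unknown address and minting credentials is. The log lines are constructed; the field names are assumptions that mirror what SSO and cloud audit logs typically carry.

```python
"""Baseline-and-deviate detection over identity events.

Added example, not from the original article or any product. The log lines are
constructed; field names (ts, identity, type, action, src) are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime

INTERACTIVE = {"console_login", "sso_login", "rdp_login", "ssh_login"}
PRIVILEGED_PREFIXES = ("iam:Attach", "iam:Create", "iam:Put", "iam:Add", "sts:AssumeRole")
WEIGHTS = {
    "new_source": 2,                 # never seen this identity from this address
    "new_action": 1,                 # first time this identity does this
    "new_privileged_action": 3,      # first time, and it changes privilege
    "service_interactive_logon": 4,  # machine identity used like a person
    "off_hours_human": 1,            # human activity outside 07:00-20:00
}

# Constructed learning window: alice works from two office addresses, svc-backup
# writes to S3 nightly from one internal address.
BASELINE_LOG = """\
{"ts":"2025-03-03T09:12:00Z","identity":"alice","type":"human","action":"sso_login","src":"203.0.113.10"}
{"ts":"2025-03-03T09:40:00Z","identity":"alice","type":"human","action":"iam:ListRoles","src":"203.0.113.10"}
{"ts":"2025-03-04T08:55:00Z","identity":"alice","type":"human","action":"sso_login","src":"203.0.113.11"}
{"ts":"2025-03-04T02:00:00Z","identity":"svc-backup","type":"service","action":"s3:PutObject","src":"10.20.0.5"}
{"ts":"2025-03-05T02:00:00Z","identity":"svc-backup","type":"service","action":"s3:PutObject","src":"10.20.0.5"}
"""

# Constructed detection window: alice from a third office address (noise), and
# svc-backup logging into the console from outside and minting credentials.
DETECT_LOG = """\
{"ts":"2025-03-06T09:05:00Z","identity":"alice","type":"human","action":"sso_login","src":"203.0.113.10"}
{"ts":"2025-03-06T03:10:00Z","identity":"svc-backup","type":"service","action":"console_login","src":"198.51.100.7"}
{"ts":"2025-03-06T03:12:00Z","identity":"svc-backup","type":"service","action":"iam:AttachRolePolicy","src":"198.51.100.7"}
{"ts":"2025-03-06T03:13:00Z","identity":"svc-backup","type":"service","action":"iam:CreateAccessKey","src":"198.51.100.7"}
{"ts":"2025-03-06T10:30:00Z","identity":"alice","type":"human","action":"iam:ListRoles","src":"203.0.113.12"}
"""


def parse(log):
    return [json.loads(line) for line in log.splitlines() if line.strip()]


def build_baseline(events):
    """identity -> {"src": set of addresses, "actions": set of actions}."""
    base = defaultdict(lambda: {"src": set(), "actions": set()})
    for e in events:
        base[e["identity"]]["src"].add(e["src"])
        base[e["identity"]]["actions"].add(e["action"])
    return base


def score_event(e, base):
    """Return (score, reasons) for one event against the baseline."""
    known = base.get(e["identity"], {"src": set(), "actions": set()})
    reasons = []
    if e["src"] not in known["src"]:
        reasons.append("new_source")
    if e["action"] not in known["actions"]:
        privileged = e["action"].startswith(PRIVILEGED_PREFIXES)
        reasons.append("new_privileged_action" if privileged else "new_action")
    if e["type"] == "service" and e["action"] in INTERACTIVE:
        reasons.append("service_interactive_logon")
    hour = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
    if e["type"] == "human" and not 7 <= hour < 20:
        reasons.append("off_hours_human")
    return sum(WEIGHTS[r] for r in reasons), reasons


def detect(baseline_log, detect_log, threshold=5):
    """Aggregate per identity; only identities at or above threshold are returned."""
    base = build_baseline(parse(baseline_log))
    per_identity = defaultdict(lambda: {"score": 0, "reasons": []})
    for e in parse(detect_log):
        score, reasons = score_event(e, base)
        acc = per_identity[e["identity"]]
        acc["score"] += score
        acc["reasons"].extend(f'{e["ts"]} {e["action"]}: {r}' for r in reasons)
    return {i: v for i, v in per_identity.items() if v["score"] >= threshold}


if __name__ == "__main__":
    for identity, finding in detect(BASELINE_LOG, DETECT_LOG).items():
        print(identity, finding["score"])
        for reason in finding["reasons"]:
            print("  ", reason)
```

Scoring per identity rather than per event is what keeps the noise down: alice's new address scores 2 and stays below the threshold, while svc-backup accumulates 17 across three events and is the one finding an analyst sees, with every contributing reason listed so the context is already there. The weights and threshold are the tuning knobs the text refers to; a real deployment would learn the baseline over weeks and refresh it continuously rather than from five lines.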

When implemented, these steps will give you a strong approach to see, prioritize, and defend against the threats that matter. That said, you will need to continuously assess and refine this process, applying data, ML, and AI. Because in identity security, stagnation is regression. You're either improving, or you're in jeopardy of falling dangerously behind.

Minimize Risk by Managing Identity as One Cohesive Layer

Security tools often address identity in fragments—IAM here, vaulting there, maybe some EPM. But attackers don't think in product categories. They follow privilege. To outpace modern threats, you need to treat identity as a single, cohesive, always-evolving attack surface. And you need an integrated, multilayered defense.

To reduce the risk of identity-based threats, you must augment the IAM tools in your security arsenal with:

  • An identity threat modeling tool that reveals potential attack paths across identity silos
  • Access control tools that limit system entry only to valid, verified identities
  • Password and secrets vaults to secure credentials and reduce the risk of theft
  • Endpoint Privilege Management (EPM) tools that enforce granular, context-aware privilege policies
  • Just-in-time (JIT) privilege elevation capabilities, ensuring users get access to privileges only when and for as long as they are needed.

You can't defend what you can't see—and attackers are counting on that. With these layers in place, you're no longer guessing where identity risks live. You're defining and defending them.

To learn more about how to implement a practical, layered approach to identity protection and risk management, read The Guide to Identity Security Defense-in-Depth.

About the Author: Neal Goldman is Principal Product Manager for BeyondTrust’s Endpoint Privilege Management for Linux. His background encompasses 30 years of product management, marketing, and business development experience at a variety of technology companies, including Google, Black Duck, EMC, and Symantec. Neal was an industry analyst at the Yankee Group where he was a frequent author and speaker.

This article is a contributed piece from one of our valued partners.