Identity Governance: The Cornerstone of Application Security

Mar 28, 2025

Over half of cyber-attack vectors involve compromised access to the cloud, a statistic that underscores a significant risk measured in millions of dollars.

This reality is all too familiar for organizations that fall victim to ransomware, often suffering severe reputational damage as a result.

According to a 2024 field study by the Secatscale community, 20% of surveyed companies experienced a cyber attack in the previous year.

  • Why are access points such popular targets for attacks?
  • What challenges do IT and security teams face as a result?
  • How can this risk be reduced?
  • Which tools are effective in addressing this issue?

Why are accesses targeted?

The security challenge

Since 2010, the adoption and use of cloud applications have surged dramatically. On average, employees manage around 35 accounts, with some handling over 100. This trend is evident among our company's clients.

This rapid expansion, often referred to as "SaaS sprawl," has led to a significant issue: an increasing number of applications are operating outside the control of IT and security teams, a phenomenon known as Shadow IT.

Average number of applications used per company in the US (source: Statista)

Let's focus on securing the thousands of access points.

Software publishers lack a unified standard for managing identities within their applications, resulting in a wide variety of options and practices:

  • login/password association,
  • login via link sent by email (magic link),
  • multi-factor authentication (MFA),
  • Single Sign-On (SSO) with OpenID Connect,
  • SSO with SAML,
  • Just-in-time Provisioning,
  • SCIM Provisioning or Deprovisioning,
  • etc.  

To cope with this variety and volume, security teams ideally provide employees with:

  • a password manager for storing login/password pairs,
  • an SSO solution connected to the company's Identity Providers (such as Microsoft's Entra ID, Google Workspace, or Okta),
  • an MFA activation rule for critical applications or privileged accounts.

However, these best practices for securing access are not always followed, which makes access a prime target for malicious actors. It would be unfair, though, to place the blame solely on business access management policies.

While generally mature, authentication standards such as OpenID Connect SSO and SAML SSO are not universally offered by software publishers. At the scale mentioned earlier, out of an average of 200 to 300 applications used within a company, fewer than 100 provide strong authentication options such as SSO or MFA.

Moreover, provisioning standards such as SCIM exist, but publishers implement them incompletely. Most applications lack these features, and those that offer provisioning APIs rarely support deprovisioning. As an IT team managing these applications, you typically lack the leverage to demand changes to these features.

Additionally, publishers often charge for these SSO options. This pricing policy can deter organizations from activating these functionalities for more than the 30 or so applications deemed critical in most medium-sized organizations. For instance, a company with 200 employees might face a €20,000 cost just to enable SSO via SAML and automatic user provisioning for the Slack application.

These limitations contribute to a systemic security issue, creating uncertainty around dozens, if not hundreds, of applications. This risk is not confined to SaaS applications alone; in modern information systems, all applications are often interconnected.

Lateral Movement, another vector of attack

The attack surface expands with software interoperability, as data flows between applications. Attackers have capitalized on this by using lateral movement to access critical information. This involves exploiting vulnerabilities in one cloud environment to infiltrate another, more secure one.

Often, these information transfers are automated and managed by dedicated identities known as Non-Human Identities (NHIs). These include integrations via APIs and generic shared accounts, such as admin, billing, or support accounts, which allow multiple users to access various applications.

The permissions for these accounts are typically broad, and with multiple individuals sharing the same account, responsibilities and traceability become unclear.

In addition to employee access, the list of potential entry points continues to grow with external access.

Generic addresses, external identities, and shared access all present vulnerabilities

Modern organizations are no longer confined to full-time employees working on-site. Today, they rely on a broader ecosystem that includes part-time staff, freelancers, consultants, and external contractors, both domestically and internationally. All these individuals require access to the company's information systems to contribute effectively.

However, this flexibility introduces new challenges. Identities are no longer limited to employee email addresses. Accounts are created for external service providers, who access systems using dedicated identifiers (e.g., @external.company.com) or as guests on specific applications (e.g., accounting@...).

Consider shared Google Drive folders and collaborative platforms (e.g., design, project management) where freelancers and consultants work alongside internal teams. If not managed rigorously, these multiple access points can become potential vulnerabilities for the company.

An additional level of complexity with role management

Beyond the increasing number of identities to manage, the diversity of rights, roles, and permission models adds further complexity to identity governance. Each application defines its own access levels, which can vary significantly across platforms.

Moreover, the resources protected by these rights are diverse, including databases, customer information, meeting notes, designs, roadmaps, code repositories, and even machines and servers. Each environment has its own access rules, making the task of IT and security teams even more challenging.

Unlike legacy applications, where roles and permissions were often tailored to a company's organizational structure, SaaS solutions now require standardized models. These models are rarely granular enough to meet the actual needs of organizations. IT and security teams must navigate permissions that are often too broad or unsuitable while trying to understand and map access management for each cloud application in use.

This shift represents a significant generational change in identity and access management.

What challenges do IT and security teams face as a result?

Given the numerous vulnerabilities and the diverse nature of identities, how can IT and security teams adapt to minimize the risk of compromise?

The shift from Castle-and-Moat to Zero Trust

Several schools of thought coexist and evolve, with new standards emerging. The traditional approach of securing an internal network (known as the Castle-and-Moat or "perimeter" model) has become obsolete due to the rise of cloud applications and remote access.

New, more modern positions have been adopted in identity management:

  • Listing and blocking risky applications (in a VPN and/or via a firewall)
  • Monitoring and analysing usage to prevent risk (via a CASB)
  • Strengthening security at each authentication (via SSO, MFA)
  • Limiting the roles of each identity to the smallest possible perimeter (least privilege)

These best practices are not mutually exclusive or exhaustive. They are part of a zero-trust approach, an appealing concept that faces challenges in implementation due to legacy systems and varying interpretations of its principles.

One of the core principles of Zero Trust is enhancing identity governance.

Identity Governance: The Cornerstone of Application Security

The security logic that applied to on-premises solutions has had to evolve with the adoption of cloud solutions. The benefits of SaaS, such as productivity gains, freedom of tool choice, improved workplace well-being, and increased innovation capacity, are further enhanced by AI. Modern security teams no longer aim to block the cloud but rather to work with it.

However, the challenge seems daunting: it involves limiting risk without being able to shrink the attack surface or rule out lateral movement.

Improving the governance of all identities is essential. However, there is no one-size-fits-all solution to meet this need.

In practice, expanding identity management inevitably leads to an increase in support tickets and a heavier workload for IT and security teams. While the Zero Trust model is theoretically sound, it faces operational challenges.

So, where should you begin?

How Can the Risk of Identity Compromise Be Limited?

Implementing Modern Identity Governance

Ignoring the problem is no longer an option. Despite the systemic challenges, action is necessary. However, this should be approached methodically and with the right tools. The goal is not to increase manual efforts but to find solutions that enhance the team's ability to act efficiently, avoiding time-consuming and ineffective tasks.

Many organizations have already applied Zero Trust principles to their critical applications to meet security standards such as ISO 27001, SOC 2, or DORA.

The next step in modern governance is to expand this approach without compromising operational efficiency or overwhelming IT and security teams with an unmanageable workload.

Extend enhanced authentication wherever possible

Not all applications support SSO or MFA, but where they do, it is essential to ensure that every user has enabled them. How to proceed?

  • Identify the applications in use that offer SSO or MFA and check whether it is activated (and, where applicable, estimate the risk/investment ratio to propose it).
  • Continuously identify identities that have not activated MFA on a compatible application and send the user an automatic reminder.
  • Continuously detect identities that have not activated SSO (OpenID Connect type) on a compatible application and send the user an automatic reminder.
  • Define alerts based on an application's usage or the criticality of its data to trigger the activation of SSO or of zero-trust controls.
  • Manage exceptions by recording applications that offer neither SSO nor MFA in a dedicated inventory and by providing a secure password manager to the employees concerned.
  • Monitor password-leak databases and automatically require a password rotation for impacted users.
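The checks above can run continuously against an inventory of applications and accounts. The following is an added example written for this article, not Zygon's code: it assumes a small inventory model (App, Account) whose field names and sample rows are constructed for illustration, and turns each account into a remediation task (SSO reminder, MFA reminder, forced rotation after a leak, or an exception-inventory entry for apps offering neither) plus a per-application coverage figure.

```python
"""Continuous SSO/MFA coverage check over a SaaS account inventory.

Added example for this article; it is not Zygon's code. The App/Account fields
and the sample inventory below are constructed for illustration. In practice
the rows would come from the identity provider's sign-in logs and each
application's admin API.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class App:
    name: str
    supports_sso: bool   # OpenID Connect or SAML available on the current plan
    supports_mfa: bool   # native MFA available
    critical: bool       # holds sensitive data according to the data inventory


@dataclass(frozen=True)
class Account:
    user: str
    app: str
    auth_method: str               # "sso" or "password"
    mfa_enabled: bool
    password_leaked: bool = False  # matched in a breach-corpus lookup


@dataclass(frozen=True)
class Finding:
    user: str
    app: str
    action: str    # task for the remediation workflow (reminder, rotation, exception)
    severity: str  # "high" for critical apps, otherwise "medium"


def evaluate(apps: Dict[str, App], accounts: List[Account]) -> List[Finding]:
    """Turn the inventory into remediation tasks.

    Rules applied to each account:
      1. a leaked password on a password-authenticated account forces a rotation;
      2. if the app supports SSO and the user is not on it, remind them to switch
         (MFA then comes from the identity provider);
      3. otherwise, if the app supports MFA and it is off, remind them to enable it;
      4. if the app offers neither, record it in the exception inventory so the
         user can be given a password manager.
    """
    findings: List[Finding] = []
    for acct in accounts:
        app = apps[acct.app]
        sev = "high" if app.critical else "medium"
        if acct.password_leaked and acct.auth_method == "password":
            findings.append(Finding(acct.user, acct.app, "force_password_rotation", "high"))
        if app.supports_sso and acct.auth_method != "sso":
            findings.append(Finding(acct.user, acct.app, "remind_enable_sso", sev))
        elif app.supports_mfa and acct.auth_method == "password" and not acct.mfa_enabled:
            findings.append(Finding(acct.user, acct.app, "remind_enable_mfa", sev))
        elif not app.supports_sso and not app.supports_mfa:
            findings.append(Finding(acct.user, acct.app, "record_exception_password_manager", sev))
    return findings


def coverage_report(apps: Dict[str, App], accounts: List[Account]) -> Dict[str, Tuple[int, int]]:
    """Per app: (accounts protected by SSO or MFA, total accounts)."""
    report = {name: (0, 0) for name in apps}
    for acct in accounts:
        protected, total = report[acct.app]
        if acct.auth_method == "sso" or acct.mfa_enabled:
            protected += 1
        report[acct.app] = (protected, total + 1)
    return report


# Constructed sample inventory (not real tenants or users).
APPS = {
    "slack": App("slack", supports_sso=True, supports_mfa=True, critical=True),
    "notion": App("notion", supports_sso=False, supports_mfa=True, critical=False),
    "legacy-crm": App("legacy-crm", supports_sso=False, supports_mfa=False, critical=True),
}
ACCOUNTS = [
    Account("alice", "slack", "sso", mfa_enabled=True),
    Account("bob", "slack", "password", mfa_enabled=False),
    Account("carol", "notion", "password", mfa_enabled=False),
    Account("dave", "notion", "password", mfa_enabled=True),
    Account("erin", "legacy-crm", "password", mfa_enabled=False, password_leaked=True),
]

if __name__ == "__main__":
    for f in evaluate(APPS, ACCOUNTS):
        print(f"[{f.severity}] {f.user}@{f.app}: {f.action}")
    for name, (protected, total) in coverage_report(APPS, ACCOUNTS).items():
        print(f"{name}: {protected}/{total} accounts protected")
```

Severity follows the application's data criticality, which is what lets the remediation workflow prioritise reminders for the 30 or so critical applications before the long tail. The exception path is deliberately a recorded task rather than silence: an application that offers neither SSO nor MFA should appear in the dedicated inventory, not disappear from the report.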

Check offboarding and closing accounts

Disabling an e-mail account or an Identity Provider account is not enough to remove a user from all the applications they had access to. The user can still log in with their existing credentials or via unexpired sessions, in particular on a device not controlled by the organisation.

  • List all accounts the user created, officially or not, during their collaboration with the organisation.
  • Launch automatic deprovisioning on all compatible applications.
  • Ask each application owner to manually close the employee's accounts.
  • Ask the employee directly to manually close their individual accounts when they return their equipment.
  • Record accounts that do not fall into any of these categories as exceptions.
  • Systematise application access reviews to make sure these processes run smoothly.
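The offboarding steps above amount to routing each known account to one of four closure paths, then verifying that nothing survived. The following is an added example written for this article, not Zygon's code: the account fields (deprovisioning_api, app_owner, self_registered, last_seen) and the sample rows are constructed, and the post-offboarding check flags any account that still shows activity after the Identity Provider account was disabled, which is exactly the surviving-credential or unexpired-session case the paragraph describes.

```python
"""Offboarding plan and post-offboarding check for a departing user.

Added example for this article; it is not Zygon's code. The account fields
(deprovisioning_api, app_owner, self_registered, last_seen) and the sample
rows are constructed. A real run would build them from the SSO account list,
the password manager's shared items and the Shadow IT discovery inventory.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AccountRecord:
    app: str
    account_id: str              # login or e-mail the user holds on the app
    deprovisioning_api: bool     # e.g. SCIM user deletion is supported and connected
    app_owner: Optional[str]     # internal person responsible for the app, if any
    self_registered: bool        # created by the user outside IT (Shadow IT)
    last_seen: datetime          # most recent sign-in or API call observed


def plan_offboarding(accounts: List[AccountRecord]) -> Dict[str, List[str]]:
    """Route each account to the closure path the article describes.

    Automatic deprovisioning where an API exists; otherwise a ticket to the
    application owner; otherwise a request to the employee for accounts they
    opened themselves; anything left is an exception to track explicitly.
    """
    plan: Dict[str, List[str]] = {
        "automatic_deprovision": [],
        "owner_manual_closure": [],
        "employee_manual_closure": [],
        "exceptions": [],
    }
    for acct in accounts:
        if acct.deprovisioning_api:
            plan["automatic_deprovision"].append(acct.app)
        elif acct.app_owner:
            plan["owner_manual_closure"].append(f"{acct.app} -> {acct.app_owner}")
        elif acct.self_registered:
            plan["employee_manual_closure"].append(acct.app)
        else:
            plan["exceptions"].append(acct.app)
    return plan


def surviving_access(accounts: List[AccountRecord], offboarded_at: datetime) -> List[str]:
    """Detection step: any activity after the IdP account was disabled means a
    local credential or an unexpired session outlived the offboarding."""
    return sorted(a.app for a in accounts if a.last_seen > offboarded_at)


OFFBOARDED_AT = datetime(2025, 3, 1, 18, 0, tzinfo=timezone.utc)

# Constructed inventory for one departing user, as observed one week later.
ACCOUNTS = [
    AccountRecord("slack", "j.doe@example.com", True, "it-admin", False,
                  datetime(2025, 2, 28, 9, 0, tzinfo=timezone.utc)),
    AccountRecord("figma", "j.doe@example.com", False, "design-lead", False,
                  datetime(2025, 3, 3, 11, 30, tzinfo=timezone.utc)),   # used after offboarding
    AccountRecord("trello", "jdoe.personal@example.net", False, None, True,
                  datetime(2025, 1, 15, 8, 0, tzinfo=timezone.utc)),
    AccountRecord("legacy-crm", "jdoe", False, None, False,
                  datetime(2025, 3, 5, 7, 45, tzinfo=timezone.utc)),    # used after offboarding
]

if __name__ == "__main__":
    for path, apps in plan_offboarding(ACCOUNTS).items():
        print(f"{path}: {apps}")
    print("access still active after offboarding:", surviving_access(ACCOUNTS, OFFBOARDED_AT))
```

The order of the branches matters: an application with a connected deprovisioning API is closed automatically even if it also has an owner, so the owner only receives tickets for applications where nothing else can act. The surviving-access check is the control that makes the "exceptions" bucket safe to have at all.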

Apply Least-Privilege practices

Identity security is not limited to provisioning at the start of the contract and deprovisioning at its end. The aim is to apply the principle of Least Privilege to minimise unnecessary access and reduce risk.

  • Make a clear distinction between the applications that are strictly necessary and those that are approved but optional.
  • Create a simple and clear process for employees to request applications.
  • Represent the roles and permissions of applications as close to reality as possible in order to avoid errors when assigning rights.
  • Subject access requests to approval by a supervisor, manager or application owner, without unnecessarily slowing down the process.
  • Have the manager and/or the application owner regularly recertify users' roles and permissions.
  • Monitor the use of application accounts to identify and remove unnecessary access.

Discover in real time, remediate at scale

Automatic detection of Shadow IT should not be a mere alert list but a structured process that leads to concrete actions. It needs to be set up as an automated intake process, to identify risks, react quickly and integrate relevant applications into the information system.

  • Set up alerts for high-risk applications based on the type of data stored, API connections to other services, known vulnerabilities, scams or phishing attempts.
  • Act on alerts immediately by contacting the users concerned and blocking dangerous applications if necessary.
  • Educate users on good security practices when a non-risky application is detected, rather than systematically prohibiting it.
  • Organise a formal review with the relevant teams when an application exceeds a certain adoption threshold, in order to assess its formal integration into the information system.
  • Carry out regular access reviews, at least annually, to measure the actual use of applications and eliminate unnecessary access.
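Two of the steps above, and the last point of the Least-Privilege list before it, rest on the same input: who actually signed in to what, and when. The following is an added example written for this article, not Zygon's code; the Grant and SignIn records and the sample events are constructed. It computes the grants with no recent use (candidates for removal or recertification) and the unsanctioned applications whose distinct active users reach the adoption threshold that should trigger a formal integration review.

```python
"""Usage-based access review: stale grants and Shadow IT adoption thresholds.

Added example for this article; it is not Zygon's code. The Grant/SignIn
records and the sample events are constructed. In practice sign-in events
would come from identity provider logs, a browser extension or a CASB, and
grants from each application's member list.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Grant:
    user: str
    app: str
    role: str


@dataclass(frozen=True)
class SignIn:
    user: str
    app: str
    when: datetime


def last_activity(signins: Iterable[SignIn]) -> Dict[Tuple[str, str], datetime]:
    """Most recent sign-in per (user, app)."""
    last: Dict[Tuple[str, str], datetime] = {}
    for s in signins:
        key = (s.user, s.app)
        if key not in last or s.when > last[key]:
            last[key] = s.when
    return last


def stale_grants(grants: List[Grant], signins: List[SignIn], now: datetime,
                 max_idle_days: int = 90) -> List[Grant]:
    """Grants with no sign-in inside the review window: candidates for removal
    (or for recertification by the manager / application owner)."""
    last = last_activity(signins)
    cutoff = now - timedelta(days=max_idle_days)
    return [g for g in grants
            if (g.user, g.app) not in last or last[(g.user, g.app)] < cutoff]


def adoption_review(signins: List[SignIn], sanctioned: Set[str], now: datetime,
                    threshold: int = 5, window_days: int = 30) -> Dict[str, int]:
    """Unsanctioned apps whose distinct active users in the window reach the
    threshold, i.e. apps that warrant a formal integration review."""
    cutoff = now - timedelta(days=window_days)
    users_by_app: Dict[str, Set[str]] = {}
    for s in signins:
        if s.app in sanctioned or s.when < cutoff:
            continue
        users_by_app.setdefault(s.app, set()).add(s.user)
    return {app: len(users) for app, users in users_by_app.items() if len(users) >= threshold}


NOW = datetime(2025, 3, 28, tzinfo=timezone.utc)
SANCTIONED = {"github", "airtable"}

# Constructed data: grants from the apps' member lists, sign-ins from IdP/discovery logs.
GRANTS = [
    Grant("alice", "github", "admin"),
    Grant("bob", "github", "member"),      # last used in November: stale
    Grant("carol", "airtable", "editor"),  # never used: stale
]
SIGNINS = [
    SignIn("alice", "github", datetime(2025, 3, 20, tzinfo=timezone.utc)),
    SignIn("bob", "github", datetime(2024, 11, 1, tzinfo=timezone.utc)),
] + [
    SignIn(u, "canva", datetime(2025, 3, d, tzinfo=timezone.utc))
    for d, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"], start=2)
] + [
    SignIn("alice", "miro", datetime(2025, 3, 10, tzinfo=timezone.utc)),
    SignIn("bob", "miro", datetime(2025, 3, 11, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for g in stale_grants(GRANTS, SIGNINS, NOW):
        print(f"stale: {g.user} holds {g.role} on {g.app}")
    for app, n in adoption_review(SIGNINS, SANCTIONED, NOW).items():
        print(f"review: {app} used by {n} people in the last 30 days")
```

A grant that has never been used is treated the same as one idle past the window, since both are access nobody is exercising. The adoption threshold and the window are parameters on purpose: the text leaves the threshold to each organisation, and a lower value turns the same data into the "educate rather than prohibit" list for low-risk tools.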

What Tools Should Be Used to Secure (All) Identities?

A Common Foundation Already in Place

Each organization has its unique context, including size, industry, regulatory framework, existing solutions, and their interdependencies. Most access security options mentioned in this article are already implemented by IT and security teams. These include:

  • Password managers for securely storing and sharing login credentials among generic identities (e.g., Bitwarden, 1Password).
  • SSO solutions integrated with the company's Identity Providers (e.g., Microsoft ID, Google Workspace, Okta).
  • Governance processes managed through ticketing/helpdesk solutions like ServiceNow, Zendesk, or JIRA.
  • Integration with internal messaging platforms (e.g., Slack, Teams) to streamline user requests.
  • HR management solutions that trigger account creation or closure during employee onboarding/offboarding.

These tools are interconnected, with workflows orchestrated using other SaaS platforms (e.g., Zapier, n8n, Make) or directly between solutions.

The Role of Modern Identity Governance Platforms

Traditional identity and access management approaches are limited to a narrow scope of applications, often prioritizing critical software or those compatible with SSO. They primarily focus on employee access and overlook the reality of shared accounts, connectors, and Non-Human Identities (NHIs).

Modern solutions complement existing strategies by offering:

  • Expanded scope of controlled applications to enhance security.
  • Automated remediation and task delegation to reduce ticket volume.
  • Systematic access logging to simplify compliance.

Our company was founded to provide IT and security teams with practical solutions to these emerging security challenges. As usage evolves and broadens the attack surface, we advocate for a flexible approach that builds on existing tools to rapidly improve the security of a wider range of applications.

Kevin Smouts
Cofounder and CPO @ Zygon