Why Identity Is the New Firewall – and Why IAM Strategies Still Fail
In a perimeterless world, identity is the last reliable control point. Yet reality tells a different story: Over 60 percent of all breaches begin with compromised credentials – not because IAM technology is missing, but because organizations implement it incorrectly.
TL;DR
- Verizon DBIR 2022: 61 percent of breaches involve stolen credentials
- Average time to detect compromised accounts: 187 days (IBM)
- MFA adoption across privileged accounts in enterprises: below 50 percent
- Identity Governance has become a mandatory requirement under NIS2
The End of the Perimeter – and the Beginning of the Identity Crisis
Cloud computing, remote work, and SaaS have dissolved the traditional network boundary. In an environment where employees access resources across ten different cloud services from anywhere, the question is no longer “Are you inside the network?”, but rather “Who are you – and are you authorized to do this?”
This shift makes Identity and Access Management (IAM) the most critical security discipline. Yet many organizations still treat IAM as an IT administration task – not as a core security strategy.
The Three Most Common IAM Mistakes
1. MFA only for VPN: Many companies deploy MFA for VPN access – but not for SaaS applications, cloud consoles, or internal portals. Attackers simply go around the protected channel and sign in through the unprotected ones.
2. No lifecycle management: Accounts belonging to former employees, orphaned service accounts, and overprivileged test users are low-hanging fruit for every attacker.
3. No context-aware access control: Static roles are no longer enough. If a CFO accesses financial data at 3 a.m. from an unfamiliar country, the system must respond immediately – not wait for a SOC analyst to review the alert the next morning.
Zero Trust Requires Identity as Its Foundation
Zero Trust without robust IAM is an empty architecture. Every Zero Trust implementation begins with one fundamental question: “Can I reliably verify the identity of the requester?” Without strong authentication, the principle of least privilege, and continuous risk assessment, Zero Trust remains nothing more than a buzzword.
The combination of modern IAM (SCIM, OIDC), Conditional Access Policies, and Behavioral Analytics forms the foundation of a Zero Trust architecture that actually works.
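What a context-aware decision looks like in code, using the CFO-at-3-a.m. scenario from the section above. This is an added example for this article, not code from any IAM product: the directory, the signal weights, the sensitive-resource list and the sign-in events are all constructed, and using the UTC hour as "off hours" is a deliberate simplification. It runs under Node.js.

```javascript
// Added example (not from the article): a context-aware sign-in evaluator of
// the kind a conditional access engine applies before granting a session.
// Directory, weights, resource list and sign-in events are constructed data.

// Constructed directory: registered MFA methods and the account's usual country.
const USERS = {
  "cfo@example.test": { mfa: ["fido2", "totp"], homeCountry: "DE" },
  "dev@example.test": { mfa: ["totp"], homeCountry: "DE" },
  "intern@example.test": { mfa: [], homeCountry: "DE" },
};

// Constructed list of resources whose access justifies a stronger response.
const SENSITIVE_RESOURCES = new Set(["finance-ledger", "hr-records"]);

// Each risk signal carries a weight; the accumulated score, not a static role
// alone, decides whether the sign-in is allowed, stepped up or blocked.
const WEIGHTS = { unfamiliar_country: 2, off_hours: 1, unmanaged_device: 2, impossible_travel: 4 };

function riskSignals(signIn, user) {
  const signals = [];
  const hour = new Date(signIn.timestamp).getUTCHours(); // simplification: UTC, not local time
  if (signIn.country !== user.homeCountry) signals.push("unfamiliar_country");
  if (hour < 6 || hour >= 22) signals.push("off_hours");
  if (!signIn.deviceCompliant) signals.push("unmanaged_device");
  if (signIn.impossibleTravel) signals.push("impossible_travel");
  return signals;
}

// Decisions: "allow" still goes through the normal MFA prompt (MFA applies to
// every application, not only VPN); "step_up" demands a phishing-resistant
// factor right now; "block" ends the attempt and leaves the record for the SOC.
function evaluate(signIn) {
  const user = USERS[signIn.user];
  if (!user) return { decision: "block", reason: "unknown_identity", signals: [] };
  const signals = riskSignals(signIn, user);
  const score = signals.reduce((sum, s) => sum + WEIGHTS[s], 0);
  const sensitive = SENSITIVE_RESOURCES.has(signIn.resource);

  if (user.mfa.length === 0) return { decision: "block", reason: "no_mfa_enrolled", signals };
  if (score >= 4) return { decision: "block", reason: "risk_score_" + score, signals };
  if (score >= 2 && sensitive) {
    return user.mfa.includes("fido2")
      ? { decision: "step_up", reason: "fido2_required", signals }
      : { decision: "block", reason: "no_phishing_resistant_factor", signals };
  }
  if (score >= 2) return { decision: "step_up", reason: "mfa_reverify", signals };
  return { decision: "allow", reason: "score_" + score, signals };
}

// The article's scenario: financial data, 3 a.m., a country never seen for this account.
const CFO_AT_NIGHT_ABROAD = {
  user: "cfo@example.test", timestamp: "2024-03-01T03:05:00Z", country: "BR",
  deviceCompliant: true, impossibleTravel: false, resource: "finance-ledger",
};

console.log(evaluate(CFO_AT_NIGHT_ABROAD));
```

The CFO sign-in scores 3 (unfamiliar country plus off hours) against a sensitive resource and is stepped up to the FIDO2 key on the spot; the same attempt from an unmanaged device scores 5 and is blocked outright. Neither outcome waits for an analyst.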
Phishing-Resistant Authentication: FIDO2 and Passkeys
The next evolutionary step is eliminating passwords altogether. FIDO2-based authentication – using hardware keys (e.g., YubiKey) or platform authenticators (e.g., Windows Hello, Face ID) – is inherently phishing-resistant: the private key never leaves the device.
Apple, Google, and Microsoft have made FIDO2 mainstream through Passkeys. For enterprises, this means the path to passwordless authentication is now open – the technology is ready; adoption must follow.
Key Facts
Credential-based attacks: 61 percent of all breaches (Verizon DBIR 2022)
MFA effectiveness: Reduces account compromise by 99.9 percent (Microsoft)
Average cost per breach: USD 4.35 million – USD 150,000 lower with Zero Trust implementation (IBM)
Frequently Asked Questions
Is MFA alone sufficient protection?
MFA is essential – but not sufficient. Sophisticated attacks such as MFA fatigue (flooding users with push notifications) and adversary-in-the-middle proxies can bypass traditional MFA. FIDO2/Passkeys offer a far more resilient alternative.
What’s the difference between IAM and PAM?
IAM (Identity and Access Management) governs access for all users. PAM (Privileged Access Management) focuses specifically on highly privileged accounts – admin access, service accounts, root keys. The two are complementary.
How do I get started with Identity-First Security?
Three immediate actions: enable MFA for all cloud services, introduce quarterly access reviews, and inventory all service accounts. Then: plan Conditional Access Policies and a FIDO2 rollout.
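The three starting actions above boil down to one recurring pass over the account inventory. The following is an added example for this article, not an export format or tool from any IdP: the inventory, the 90-day staleness threshold and the severity labels are constructed, and the account fields (owner, HR status, registered MFA methods, last sign-in) are what such a reconciliation typically joins from the directory and HR. It runs under Node.js.

```javascript
// Added example (not from the article): a quarterly access-review pass that
// flags the account conditions the article names as low-hanging fruit:
// departed users, orphaned service accounts, privileged accounts without (or
// without phishing-resistant) MFA, and accounts nobody has used in a quarter.
// Inventory and thresholds are constructed for this example.

const STALE_AFTER_DAYS = 90;

// Constructed inventory, as a directory export joined with HR status might look.
const ACCOUNTS = [
  { id: "alice",      type: "user",    owner: "alice", ownerStatus: "active", privileged: true,  mfa: ["fido2"], lastSignIn: "2024-03-28T09:00:00Z" },
  { id: "bob",        type: "user",    owner: "bob",   ownerStatus: "left",   privileged: false, mfa: ["totp"],  lastSignIn: "2023-11-02T16:20:00Z" },
  { id: "svc-etl",    type: "service", owner: "carol", ownerStatus: "left",   privileged: true,  mfa: [],        lastSignIn: "2024-03-30T01:00:00Z" },
  { id: "svc-legacy", type: "service", owner: null,    ownerStatus: null,     privileged: false, mfa: [],        lastSignIn: "2023-06-15T08:00:00Z" },
  { id: "dave",       type: "user",    owner: "dave",  ownerStatus: "active", privileged: true,  mfa: [],        lastSignIn: "2024-03-29T11:45:00Z" },
  { id: "test-admin", type: "user",    owner: "erin",  ownerStatus: "active", privileged: true,  mfa: ["totp"],  lastSignIn: "2023-09-01T10:00:00Z" },
];

function daysBetween(earlier, later) {
  return (Date.parse(later) - Date.parse(earlier)) / 86400000;
}

// Each rule maps one IAM failure mode to a concrete, ticketable finding.
// Service accounts cannot hold MFA, so the MFA rules apply to user accounts only.
const RULES = [
  { finding: "departed_user_still_enabled", severity: "high",
    test: (a) => a.type === "user" && a.ownerStatus === "left" },
  { finding: "orphaned_service_account", severity: "high",
    test: (a) => a.type === "service" && a.ownerStatus !== "active" },
  { finding: "privileged_without_mfa", severity: "high",
    test: (a) => a.type === "user" && a.privileged && a.mfa.length === 0 },
  { finding: "privileged_without_phishing_resistant_mfa", severity: "medium",
    test: (a) => a.type === "user" && a.privileged && a.mfa.length > 0 && !a.mfa.includes("fido2") },
  { finding: "stale_account", severity: "medium",
    test: (a, asOf) => daysBetween(a.lastSignIn, asOf) > STALE_AFTER_DAYS },
];

// Run every rule over every account; one account may produce several findings.
function reviewAccounts(accounts, asOf) {
  const findings = [];
  for (const account of accounts) {
    for (const rule of RULES) {
      if (rule.test(account, asOf)) {
        findings.push({ id: account.id, finding: rule.finding, severity: rule.severity });
      }
    }
  }
  return findings;
}

// Sorted finding names for one account, convenient for review tickets and tests.
function findingsFor(findings, id) {
  return findings.filter((f) => f.id === id).map((f) => f.finding).sort();
}

function summarize(findings) {
  const counts = { high: 0, medium: 0 };
  for (const f of findings) counts[f.severity] += 1;
  return counts;
}

const REVIEW = reviewAccounts(ACCOUNTS, "2024-04-01T00:00:00Z");
console.log(summarize(REVIEW), REVIEW);
```

Run against the constructed inventory, the pass clears only the account that is owned by an active person, used recently and protected by a hardware key; every other entry yields at least one finding, and the two service accounts surface precisely because ownership, not sign-in activity, is the criterion.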