As identity becomes the new perimeter, organizations must unify IAM, IGA, and PAM within a Zero Trust framework to defend against modern cyber threats.

The moat has shifted. The traditional network perimeter is being replaced by virtualized security fences. In today's hybrid (on-prem and cloud) environment, those fences around virtualized infrastructure, containers, and microservices often span multiple products. Managing human and machine identities, and their access to birthright entitlements, infrastructure, and business applications, has become the critical battleground on which cybersecurity is won or lost.

As attackers increasingly target the human element through social engineering (phishing, vishing, and Multi-Factor Authentication (MFA) fatigue attacks), alongside technical attacks such as malware, denial of service, man-in-the-middle attacks, and Public Key Infrastructure (PKI) compromises, organizations must fundamentally rethink their approach to three technologies and controls:

  1. Identity and Access Management (IAM)
  2. Identity Governance and Administration (IGA)
  3. Privileged Access Management (PAM) solutions. 

IAM, IGA, and PAM Together 

Identity & Access Management (IAM) is often treated as synonymous with “identity”, being the earliest and most widely known of the three. As Zero Trust is adopted, however, these distinct components serve complementary roles with shifting dependencies. Let’s briefly look at each one.

  • IAM provides the technical and operational foundation: the mechanisms for verifying identities (authentication) and controlling what they may do (authorization). It covers user provisioning, authentication, authorization, and access lifecycle management.
  • IGA operates at the governance level, ensuring those mechanisms are properly governed, continuously monitored, and regularly reviewed for compliance and risk (access reviews, segregation of duties, policy enforcement, and so on).
  • PAM specifically addresses privileged accounts, which have elevated access to critical systems and data. PAM solutions typically discover privileged accounts across all systems, control and monitor both interactive and non-interactive (service) accounts with approval workflows, and vault credentials with policy-driven password rotation.

This three-pronged approach is essential because attackers don't distinguish between operational and governance gaps; they exploit whichever exists. For example, robust IAM and PAM without IGA oversight leads to privilege creep and anomalies that nobody reviews. Conversely, strong governance without reliable operational controls leaves policies on paper that are never enforced at the point of access.

Modern technologies are forcing these three initiatives to evolve:

  • Cloud, hybrid, and remote workforce environments require access from anywhere with rigorous access control.
  • Virtualized and container host environments require least privilege across dynamically scaling, highly available infrastructure.
  • Continuous integration and delivery (CI/CD) pipelines require security to be maintained through highly orchestrated releases into production environments.

It can be overwhelming trying to fit these pieces together, so what should organizations focus on? Our guidance, although it doesn’t stop here, is to prioritize three things first: hardening the new perimeter, implementing Zero Trust Architecture (ZTA), and strengthening identity governance.

Shifting to the new perimeter 

Modern technologies, including virtualized networks, container orchestration, cloud computing, and application firewalls, allow perimeters to be drawn tightly around the services and identities being protected. Shifting from organizational borders to service borders requires rethinking rule management: Zero Trust changes the basis of an access decision from where a request comes from and where it is going to who is making it and what they want to do.

Harden the New Perimeter with Thoughtful MFA 

Even well-intentioned security controls can be turned against an organization if they are poorly planned or managed. MFA in particular can end up as a checked box that does little to secure the enterprise.

For example, in MFA fatigue attacks, bad actors who already hold a user's password bombard that user with push authentication requests until one is approved out of frustration or confusion. This is increasingly combined with AI-generated phishing emails, phone calls, or text messages to improve the attacker's chances of convincing the user.

So, what do you do? The answer is not to abandon MFA but to evolve it: risk-based adaptive authentication that weighs context such as location, device type and health, IP address, behavior patterns, and the time and duration of access, combined with phishing-resistant MFA methods such as FIDO2 or certificate-based authentication. Those methods bind the credential to the legitimate origin, so there is no code or push prompt for a phishing proxy to relay or for a tired user to approve by mistake. That is a strong first step.
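
As an added illustration (not code from the original article), the following Python sketch shows how such a policy can be expressed: an additive risk score over network, device, geography and time of day, plus a guard that refuses to send further push prompts once a user has been prompted too often in a short window, so an attacker bombarding the user cannot eventually get a lucky approval. The network ranges, weights, thresholds and scenario data are constructed assumptions, not values from the article.

```python
"""Risk-based adaptive authentication with an MFA push-fatigue guard.

Added example, not code from the original article. Networks, thresholds,
weights and the scenario data below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple

TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
BUSINESS_HOURS = range(7, 20)        # 07:00-19:59 in the user's zone (assumed UTC here)
PUSH_WINDOW = timedelta(minutes=10)  # push prompts are counted within this window
MAX_PUSHES_IN_WINDOW = 3             # at or above this, treat it as push bombing


@dataclass
class AuthContext:
    user: str
    src_ip: str
    country: str
    device_managed: bool                 # enrolled and compliant per MDM
    at: datetime
    recent_push_prompts: List[datetime]  # prompts already sent to this user


@dataclass
class Decision:
    action: str        # "allow", "step_up" (require FIDO2/certificate) or "deny"
    score: int
    reasons: List[str]


def risk_score(ctx: AuthContext, usual_countries: Set[str]) -> Tuple[int, List[str]]:
    """Additive risk score from context signals. Weights are illustrative."""
    score, reasons = 0, []
    if not any(ip_address(ctx.src_ip) in net for net in TRUSTED_NETWORKS):
        score += 2
        reasons.append("untrusted network")
    if not ctx.device_managed:
        score += 3
        reasons.append("unmanaged device")
    if ctx.country not in usual_countries:
        score += 3
        reasons.append("unusual country " + ctx.country)
    if ctx.at.hour not in BUSINESS_HOURS:
        score += 1
        reasons.append("outside business hours")
    return score, reasons


def push_fatigue(ctx: AuthContext) -> bool:
    """True when the user has already been prompted too often in the window."""
    cutoff = ctx.at - PUSH_WINDOW
    return sum(1 for t in ctx.recent_push_prompts if t >= cutoff) >= MAX_PUSHES_IN_WINDOW


def decide(ctx: AuthContext, usual_countries: Set[str]) -> Decision:
    score, reasons = risk_score(ctx, usual_countries)
    if push_fatigue(ctx):
        # Stop prompting entirely: a prompt the user approves out of frustration
        # is exactly what the attacker wants. Lock the push factor and move the
        # user to a phishing-resistant factor through a verified recovery path.
        return Decision("deny", score, reasons + ["push fatigue: prompts suppressed, push factor locked"])
    if score >= 6:
        return Decision("deny", score, reasons)
    if score >= 3:
        return Decision("step_up", score, reasons)
    return Decision("allow", score, reasons)


# Constructed scenarios for one user whose baseline country set is {"US"}.
_T = datetime(2024, 5, 6, 10, 0, tzinfo=timezone.utc)
SCENARIOS = {
    "office_managed": AuthContext("alice", "10.1.2.3", "US", True, _T, []),
    "home_unmanaged": AuthContext("alice", "198.51.100.7", "US", False, _T, []),
    "abroad_night_unmanaged": AuthContext("alice", "198.51.100.7", "RO", False, _T.replace(hour=3), []),
    "push_bombing": AuthContext("alice", "10.1.2.3", "US", True, _T,
                                [_T - timedelta(minutes=m) for m in (1, 2, 4, 7)]),
}


def evaluate_all(usual_countries: Set[str] = frozenset({"US"})) -> dict:
    """Return {scenario name: action} for the constructed scenarios."""
    return {name: decide(ctx, usual_countries).action for name, ctx in SCENARIOS.items()}


if __name__ == "__main__":
    for name, ctx in SCENARIOS.items():
        d = decide(ctx, {"US"})
        print(f"{name:24s} -> {d.action:8s} score={d.score} {d.reasons}")
```

The push-fatigue branch deliberately denies rather than prompting again: once an attacker holds the password and is spamming prompts, another prompt only gives them another chance. In a real deployment the weights are tuned per organization, every decision is logged with its reasons so governance can review them, and a lock on the push factor is lifted only after verified recovery.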

Your helpdesk is also one of the most vulnerable entry points into your organization. Recently, while coordinating vishing attacks for one of our customers, we identified a failure of procedure that allowed our caller to spoof his identity and gain unwarranted access. Attackers know this weak point and regularly impersonate employees to have passwords reset or security controls bypassed. With deepfake voice spoofing tools now cheap and easy to obtain, tricking a helpdesk agent is becoming easier still.

Because AI tools are cheap and widely available, even unsophisticated attackers can now execute sophisticated attacks. Organizations must strengthen their identity verification processes, prioritize education for end users, helpdesk agents, and admins about emerging threats, and deploy automated controls (e.g., IDS/IPS) that limit or remove access when anomalies are detected. Support staff should be trained to recognize social engineering tactics, regularly updated on emerging threats, and held to a culture of "never trust, always verify."

Throughout your efforts, lean on Zero Trust to guide you.  

Implementing Zero Trust Architecture 

Zero Trust Architecture (ZTA) principles will guide the transformation. Successful identity and application access management requires attention to the key technical components explained below. Consider each of them as you change your reference framework to treat identity as the perimeter.

  • Micro-segmentation draws granular network boundaries around individual resources, so that a compromised credential cannot provide broad network access and an attacker's lateral movement is contained. Every identity-based access decision becomes a checkpoint rather than a gateway to the entire environment.
  • Comprehensive encryption protects data both in transit and at rest, so that a successful identity compromise does not automatically become a data breach. Under Zero Trust this includes internal communications, not just external connections: when services authenticate each other over encrypted channels, identity is asserted cryptographically rather than inferred from network location.
  • Real-time monitoring and analytics continuously assess identity behavior, device health, and access patterns. Machine learning can surface subtle anomalies that rule-based systems miss, enabling rapid response to potential threats. Without monitoring you cannot manage the risk to your systems.
  • Dynamic policy enforcement adjusts permissions as assessed risk changes, automatically restricting access when suspicious patterns emerge rather than waiting for manual intervention. The policies themselves must be governed by separation-of-duties controls.
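
As an added example (not part of the original article), the Python below runs detection logic over a few constructed sign-in log lines and ties the monitoring and dynamic-enforcement bullets together: it flags impossible travel (two sign-ins whose implied speed exceeds what an airliner could manage) and first-seen devices, and attaches the policy action each finding should trigger. The log format, the speed threshold and the sample lines are assumptions made for the example.

```python
"""Continuous monitoring over authentication logs: impossible travel and
new-device detection that feeds a dynamic policy action.

Added example, not code from the original article. The log format, the
speed threshold and the sample lines are constructed assumptions.
"""
import math
from datetime import datetime
from typing import Dict, List

MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumption: faster than an airliner is impossible

# Constructed sample log lines (not real data): one successful sign-in per line.
SAMPLE_LOG = """\
ts=2024-05-06T08:00:00Z user=alice ip=203.0.113.10 device=laptop-01 lat=47.37 lon=8.54
ts=2024-05-06T08:30:00Z user=bob ip=198.51.100.5 device=laptop-07 lat=51.51 lon=-0.13
ts=2024-05-06T09:10:00Z user=alice ip=198.51.100.77 device=unknown-9f2 lat=37.77 lon=-122.42
ts=2024-05-06T12:00:00Z user=bob ip=198.51.100.5 device=laptop-07 lat=51.51 lon=-0.13
"""


def parse_line(line: str) -> dict:
    """Parse whitespace-separated key=value tokens (constructed format)."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    fields["lat"], fields["lon"] = float(fields["lat"]), float(fields["lon"])
    return fields


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def analyze(log_text: str) -> List[dict]:
    """Stream the log once, keeping per-user state, and return findings with
    the policy action each should trigger. The first event for a user seeds
    the baseline; in production that baseline comes from historical data."""
    last_seen: Dict[str, dict] = {}
    known_devices: Dict[str, set] = {}
    findings: List[dict] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        user = ev["user"]
        if user in last_seen:
            prev = last_seen[user]
            dist = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600
            # Edge case: two sign-ins in the same second from different places
            # have no finite speed; treat that as infinite rather than dividing by zero.
            speed = dist / hours if hours > 0 else (math.inf if dist > 0 else 0.0)
            if speed > MAX_PLAUSIBLE_SPEED_KMH:
                findings.append({
                    "user": user, "kind": "impossible_travel",
                    "distance_km": round(dist),
                    "speed_kmh": None if math.isinf(speed) else round(speed),
                    "action": "revoke_sessions_and_require_phishing_resistant_mfa",
                })
            if ev["device"] not in known_devices[user]:
                findings.append({
                    "user": user, "kind": "new_device", "device": ev["device"],
                    "action": "step_up_and_notify_user",
                })
        last_seen[user] = ev
        known_devices.setdefault(user, set()).add(ev["device"])
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Real deployments take the baseline from weeks of history rather than the first event, correlate with device-health signals, and push the action to the identity provider or session store (revoking sessions, forcing re-authentication with a phishing-resistant factor) instead of merely returning it.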

Strengthening Identity Governance 

From a governance perspective, your organization must require multiple forms of verification for identity-affecting requests, including callbacks to numbers already on record and clear escalation paths for high-risk requests such as password or MFA resets, and must hold support staff to the training and "never trust, always verify" culture described above.

Lastly, keep in mind that elevated access remains the crown jewel for attackers. Organizations should implement Just-In-Time (JIT) access provisioning driven from the authoritative directory (on-prem Active Directory or a cloud directory such as Microsoft Entra ID, formerly Azure AD), ruthlessly enforce the principle of least privilege, and deploy Privileged Access Management (PAM) solutions that provide granular control and feed comprehensive audit trails into Security Information & Event Management (SIEM) and Security Orchestration, Automation & Response (SOAR) platforms.
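
The JIT and least-privilege point can be made concrete with a small elevation broker, added here as an example (not the article's or any vendor's code): a request must be approved by someone other than the requester, elevation is time-boxed to a policy maximum, expired grants are swept and revoked, and every step emits a JSON audit event of the kind a SIEM would ingest. The approver group, the TTL limit and the demo scenario are constructed assumptions.

```python
"""Just-in-time privileged elevation with separation of duties, a hard
TTL and SIEM-ready audit events.

Added example, not code from the original article. The approver group,
the TTL limit and the demo scenario are constructed assumptions.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

APPROVERS = {"carol", "dave"}   # constructed approver group
MAX_TTL = timedelta(hours=1)    # nothing stays elevated longer than this


@dataclass
class Grant:
    requester: str
    role: str
    justification: str
    approver: Optional[str] = None
    expires_at: Optional[datetime] = None
    revoked: bool = False


class JitBroker:
    """Minimal JIT elevation workflow. The clock is injected so runs are deterministic."""

    def __init__(self, now: Callable[[], datetime]):
        self._now = now
        self.grants: Dict[str, Grant] = {}
        self.audit_log: List[str] = []  # one JSON object per line, SIEM-friendly

    def _emit(self, event: str, **fields) -> None:
        record = {"ts": self._now().isoformat(), "event": event, **fields}
        self.audit_log.append(json.dumps(record, sort_keys=True))

    def request(self, requester: str, role: str, justification: str) -> str:
        grant_id = f"jit-{len(self.grants) + 1}"
        self.grants[grant_id] = Grant(requester, role, justification)
        self._emit("jit.requested", grant=grant_id, requester=requester,
                   role=role, justification=justification)
        return grant_id

    def approve(self, grant_id: str, approver: str, ttl: timedelta) -> datetime:
        g = self.grants[grant_id]
        if approver == g.requester:  # separation of duties: no self-approval
            self._emit("jit.rejected", grant=grant_id, approver=approver, reason="self-approval")
            raise PermissionError("requester may not approve their own elevation")
        if approver not in APPROVERS:
            self._emit("jit.rejected", grant=grant_id, approver=approver, reason="not an approver")
            raise PermissionError(f"{approver} is not an authorised approver")
        ttl = min(ttl, MAX_TTL)  # clamp to the policy maximum
        g.approver = approver
        g.expires_at = self._now() + ttl
        self._emit("jit.approved", grant=grant_id, approver=approver,
                   role=g.role, expires_at=g.expires_at.isoformat())
        return g.expires_at

    def is_active(self, grant_id: str) -> bool:
        g = self.grants[grant_id]
        return not g.revoked and g.expires_at is not None and self._now() < g.expires_at

    def sweep(self) -> List[str]:
        """Revoke every grant past its expiry. The PAM side would tear down the
        session or remove the group membership at this point."""
        revoked = []
        for grant_id, g in self.grants.items():
            if g.expires_at is not None and not g.revoked and self._now() >= g.expires_at:
                g.revoked = True
                revoked.append(grant_id)
                self._emit("jit.revoked", grant=grant_id, role=g.role, reason="ttl expired")
        return revoked


def demo() -> dict:
    """Walk one elevation through its lifecycle and return the facts worth checking."""
    start = datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc)
    clock = {"now": start}
    broker = JitBroker(lambda: clock["now"])
    gid = broker.request("alice", "db-admin", "INC-1234: restore prod backup")
    try:
        broker.approve(gid, "alice", timedelta(minutes=30))
        self_approved = True
    except PermissionError:
        self_approved = False
    expiry = broker.approve(gid, "carol", timedelta(hours=8))  # clamped to MAX_TTL
    active_now = broker.is_active(gid)
    clock["now"] = start + timedelta(minutes=61)
    active_later = broker.is_active(gid)
    revoked = broker.sweep()
    events = [json.loads(line)["event"] for line in broker.audit_log]
    return {"self_approved": self_approved,
            "ttl_minutes": (expiry - start).total_seconds() / 60,
            "active_now": active_now, "active_later": active_later,
            "revoked": revoked, "events": events}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The two rejections are written to the audit log before the exception is raised, so a SIEM rule can alert on repeated self-approval attempts even though none succeeded; the clamp on the TTL is likewise logged through the approved event's expiry time, which is what an access review would compare against the request.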

The Strategic Integration 

The most effective defense emerges when IAM, IGA, and PAM work in concert within a Zero Trust Architecture framework. IAM systems provide the real-time decision points, while IGA ensures those decisions align with organizational policies and risk tolerance. PAM protects privileged access and enforces policies across accounts and applications. ZTA components such as micro-segmentation (which stops lateral movement) and real-time monitoring create the technical foundation, while governance processes keep policies, procedures, and operations sustainable and compliant.

Summary 

The perimeter has shifted inward to identity. This transformation requires both operational excellence in identity and access management and strategic oversight through identity governance. Zero Trust Architecture provides the framework, but success depends on implementing its key components—micro-segmentation, encryption, real-time monitoring, and dynamic policy enforcement—while maintaining rigorous governance processes. 

Remember: In the age of identity-centric attacks, your strongest defense ensures the right people have the right access at the right time, and absolutely nothing more. This requires both the technical capabilities to make these decisions and the governance processes to ensure they remain accurate and appropriate over time. 
