Insights
November 20, 2024

Looking beyond identity: How to reduce your attack surface

Learn how dynamic access management enhances identity security, reduces risks, and ensures least privilege access for modern workplaces.

In today’s rapidly evolving cyber threat landscape, identity has become the new frontier of security. Gone are the days when firewalls, VPNs, and on-premise infrastructure alone could keep attackers at bay. Hackers no longer “break in”; they simply log in, exploiting weak identity and access controls.

How has the security landscape changed?

Organisations once relied on securing network perimeters to prevent unauthorised access. But the rise of cloud services, remote work, and distributed teams has made those perimeters porous. Recent incidents highlight this shift:

  • October 2023: 23andMe identity breach impacts 6.9 million users
  • June 2024: Snowflake identity breach results in hacker extorting $2.7M
  • July 2024: AT&T identity breach leaves 110 million users exposed

These breaches underscore a grim reality: focusing solely on authentication—verifying “who you are”—is no longer enough.

Did You Know?

93% of organisations had two or more identity-related breaches in the past year!

Authorisation: the overlooked frontline

While platforms like Okta and Azure Entra have made strides in authentication, they’ve often overlooked authorisation—“What can you do once inside?” Despite being a decades-old concept, with roots in practices like Privileged Access Management (PAM), effective authorisation remains a challenge.

Common pitfalls include:

  1. Access Creep: Over time, employees collect permissions as they change roles, work on new projects, or take on temporary responsibilities. These permissions are rarely revoked, leading to excessive access rights. Attackers can exploit these over-permissioned accounts to access sensitive data or systems.

  2. Distributed Tool Ownership: In modern workplaces, access to tools is often managed by different teams. For example, IT might handle infrastructure access, while HR oversees HRIS systems, and individual departments control their SaaS tools. This decentralisation creates gaps in oversight, making it nearly impossible to enforce consistent access policies.

  3. Non-Human Identities: APIs, bots, and service accounts now make up a significant portion of access points. Unlike human users, these identities often lack strict management protocols, leaving them vulnerable to exploitation if not properly monitored or governed.

  4. No Central Management: Many organisations rely on siloed systems and manual processes to manage access. Without a central system to track and enforce permissions, it’s easy for dormant accounts or redundant access to go unnoticed, creating fertile ground for attackers.

Static access is failing

Traditional access management assumes a “set it and forget it” approach. Employees often receive broad, birthright access on their first day, based on their job role or title. Over time, these permissions are rarely revisited, leaving excessive access unchecked. The issue compounds when employees change roles or take on new projects; their access grows without limits, a phenomenon known as access creep.

Periodic access reviews, which are meant to catch these issues, often fail to close the gaps. Why? They are usually manual, infrequent (quarterly or even annually), and struggle to keep pace with the fluid nature of modern work environments. This outdated approach leaves organisations exposed to unnecessary risks, as permissions granted weeks or months ago may no longer align with an employee’s actual needs.

Why access needs to be dynamic

Access in today’s workplaces isn’t static—it’s in constant flux. Employees frequently move between projects, take on cross-functional responsibilities, and collaborate with external stakeholders. In these dynamic environments, permissions that were appropriate one week can quickly become excessive or unnecessary the next. Holding onto static access models in such scenarios is like locking the front door while leaving the windows wide open.

To address this, organisations must embrace a dynamic access model. This approach views access as something fluid and context-dependent. It focuses on granting permissions that match an employee’s current tasks and responsibilities while regularly revisiting and revoking outdated privileges.

💡 Insight

The key to making this work is implementing temporary access measures whilst ensuring access requests are frictionless. That’s why at Ploy, we focus on self-serve & automated access.

How to shift to a dynamic access model

The journey toward dynamic access management begins with a clear understanding of the current state. First, organisations need comprehensive visibility into who has access to what and, more importantly, what they can do with it. This requires consolidating data across tools and platforms—from AWS to Salesforce—into a unified view. Without this foundational step, addressing over-permissioning is like solving a puzzle without all the pieces.

The second step involves transitioning to a least privilege model by implementing temporary and just-in-time (JIT) access. By adopting this model, employees receive access only when needed, and permissions automatically expire after a predefined period. This approach not only reduces the attack surface but also simplifies compliance and minimises the administrative burden of access reviews.
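The two steps above, a unified view of who holds what and time-boxed just-in-time grants that expire on their own, can be reduced to a small ledger. The following is an added, constructed example (not Ploy’s product code); the principals, resource names and the 90-day dormancy threshold are assumptions chosen for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed, illustrative JIT ledger (not Ploy's product code): grants are
# time-boxed and expire automatically; standing and dormant grants are flagged.

@dataclass
class Grant:
    principal: str                # human user or non-human identity (bot, service account)
    resource: str                 # e.g. "aws:prod-admin" (constructed resource names)
    granted_at: datetime
    expires_at: datetime | None   # None = standing/birthright access that never expires
    last_used: datetime | None = None

@dataclass
class AccessLedger:
    grants: list[Grant] = field(default_factory=list)

    def request_jit(self, principal, resource, now, ttl=timedelta(hours=4)):
        """Self-serve, time-boxed grant that expires after a predefined period."""
        grant = Grant(principal, resource, now, now + ttl)
        self.grants.append(grant)
        return grant

    def active(self, now):
        """Grants valid at `now`; expired JIT grants are revoked on the way through."""
        self.grants = [g for g in self.grants if g.expires_at is None or g.expires_at > now]
        return sorted((g.principal, g.resource) for g in self.grants)

    def review_findings(self, now, dormant_after=timedelta(days=90)):
        """What a periodic access review should flag: standing and dormant grants."""
        findings = []
        for g in self.grants:
            if g.expires_at is None:
                findings.append(("standing", g.principal, g.resource))
            if now - (g.last_used or g.granted_at) > dormant_after:
                findings.append(("dormant", g.principal, g.resource))
        return findings

def scenario():
    """Constructed timeline: a used standing grant, a dormant bot grant, one JIT grant."""
    t0 = datetime(2024, 11, 20, 9, 0, tzinfo=timezone.utc)
    ledger = AccessLedger([
        Grant("alice", "salesforce:export", t0 - timedelta(days=400), None, t0 - timedelta(days=2)),
        Grant("ci-bot", "github:org-admin", t0 - timedelta(days=120), None),
    ])
    ledger.request_jit("bob", "aws:prod-admin", t0)            # 4-hour grant
    return ledger.active(t0), ledger.review_findings(t0), ledger.active(t0 + timedelta(hours=5))
```

Running `scenario()` shows the JIT grant present at 09:00 and gone by 14:00 without any manual revocation, while the review surfaces the two standing grants and the service account that has not used its access in 120 days.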

Trends driving dynamic access management

Several industry trends are accelerating the adoption of dynamic access. The rise of automation tools has streamlined provisioning and deprovisioning, while cultural shifts in security practices emphasise shared responsibility across teams. Additionally, open APIs have made it easier to connect access management systems with existing tools, while advances in the SCIM protocol and SSO tooling have paved the way for seamless access control.

Final thoughts

Static access models belong to the past. As modern workplaces continue to evolve, organisations must adopt a dynamic, data-driven approach to access management. By doing so, they can significantly reduce their attack surface while enabling employees to work more effectively and securely. The future of security is temporary and frictionless, and the time to act is now—before the next headline becomes your breach.

How Ploy can help

At Ploy, we've built a unified platform for access management & identity security. Combining the ability to manage access to any resource, together with our Shadow IT detection engine and access graph, security professionals finally have that single pane of glass where they can manage access horizontally and vertically.

In addition, our focus on being autonomous and frictionless means that temporary access measures enhance identity security whilst often increasing employee productivity by replacing legacy, inefficient processes.

Seb Pace

Founder's Associate