Access Granted: Bridging the Identity Security Gap in the Modern Workplace

“Attackers don’t break in, they log in” - Luke Elston, Microsoft Practice Lead, CyberOne 

In the digital-first era, identity security has become a critical focal point for organisations looking to secure their environments against ever-evolving cyber threats. This article draws on key insights from the recent CyberOne webinar Access Granted: The Identity Security Gap Exposing Modern Workplaces, which featured expert analysis by Luke Elston, Microsoft Practice Lead at CyberOne. 

With the increasing sophistication and scale of attacks, identity-based security gaps pose a significant risk to operational resilience and data integrity. This article examines the current identity threat landscape, draws insights from recent industry data and explores practical strategies for organisations to enhance their identity security posture. 

The Scope of the Challenge 

Microsoft's latest Digital Defence Report provides a sobering view of the modern threat landscape. The scale of attempted attacks is staggering:  Microsoft observes over 600 million cyber attacks daily across its global infrastructure. Identity remains as a primary attack vector, with the platform blocking approximately 7,000 password-based attacks every second. 

Even more concerning is that 99% of identity attacks are rooted in compromised passwords. This clearly illustrates the vulnerability of password-based authentication and underscores the urgency for organisations to move beyond traditional login mechanisms. 

Despite these risks, only 41% of enterprise organisations have adopted Multi-Factor Authentication (MFA) according to the same report. MFA is one of the most effective tools available to counteract password-based threats, yet the adoption gap leaves most businesses exposed to preventable risks. 

The Identity Security Gap 

The "identity security gap" refers to the disconnect between the increasing reliance on digital identities in the workplace and the inadequate protections in place to secure them. As organisations transition to hybrid and remote work models, identity becomes the new perimeter. Users, devices and applications access corporate data from distributed environments often beyond traditional network controls. 

This shift has outpaced many organisations' ability to adapt their security frameworks. Traditional security perimeters no longer suffice; attackers exploit this by targeting credentials and identity infrastructure to gain unauthorised access. The result is a heightened risk of credential phishing, account takeover and privilege escalation. 

Microsoft's own data supports this. As Luke Elston noted during the webinar: 

"Microsoft have said... they are on a mission to achieve 100% MFA adoption and currently... that is at 41% across enterprise organisations."  — Luke Elston, Microsoft Practice Lead, CyberOne 

Many of the challenges contributing to the identity security gap stem from weak governance practices and over-permissive access models. Common causes include: 

• Excessive permissions / privilege creep – Users often accumulate access rights over time without regular review. 

• Over-provisioned accounts – Both standard users and administrators are frequently granted more access than necessary, violating the principle of least privilege. 

• Permanent administrative rights – Instead of using just-in-time access, elevated privileges are often granted indefinitely. 

• Unmanaged supplier and/or partner access – External parties such as vendors, partners and suppliers may receive long-term access without sufficient oversight or revocation processes. 

• Active accounts beyond contract duration – These external accounts often remain active even after they are no longer required. 

• Shadow IT – Users may adopt unauthorised apps or services using corporate credentials, bypassing formal security controls. 

• Lack of real-time monitoring – Without continuous behavioural analytics, unusual activity can go undetected. 

• No credential boundaries – There are often no policies restricting the use of corporate identities to sign up for external services. 

• Inadequate identity governance and lifecycle management – Organisations may lack structured processes for managing identity changes throughout the user lifecycle. 

• Orphaned accounts – Departed employees may retain active accounts that remain unnoticed. 

• Absence of automated joiner-mover-leaver workflows – Manual processes can lead to delays and oversights in updating or revoking access. 

Traditional security perimeters no longer suffice; attackers exploit this by targeting credentials and identity infrastructure to gain unauthorised access. The result is a heightened risk of credential phishing, account takeover and privilege escalation. 

To address this, organisations need to evolve their security strategies to focus on identity as the foundational layer of defence. 

Moving Toward Zero Trust 

Zero Trust is not a product but a strategic security model that assumes breach and enforces least-privilege access by verifying every request as though it originates from an open network. Within the context of identity, Zero Trust emphasises continuous verification of users and devices, adaptive access controls and real-time monitoring of user behaviour. 

Achieving Zero Trust Identities with Microsoft Entra ID 

As organisations adopt Zero Trust, Microsoft Entra ID provides a strong foundation for securing digital identities. To operationalise this model effectively, here are five key recommendations that can significantly enhance your identity security posture: 

• Retire passwords in favour of phishing-resistant passwordless authentication methods such as Microsoft Authenticator, FIDO2 passkeys and Windows Hello for Business. 

• Additionally, block legacy authentication protocols like IMAP, POP and SMTP, which bypass MFA and are commonly exploited. 

• Implement Conditional Access Policies that evaluate user risk, sign-in behaviour, device compliance, geographic location and application context. 

• Enforce reauthentication for high-risk sessions, such as when administrators elevate privileges. 

• Manage all administrative credentials through Privileged Identity Management (PIM) to enforce Just-in-Time (JIT) access, require four-eyes approvals and monitor privileged behaviour through audit logs. 

• Tightly control external identities—including B2B and B2C accounts—using strong Identity Governance controls such as Access Packages. 

• Regularly review access, remove unnecessary accounts, validate permissions by role or project and configure automatic expiration of external access. 

• Automate Identity Lifecycle Management by integrating Entra ID with your HR systems. 

This ensures timely provisioning and deprovisioning of user accounts and enables real-time updates for all joiner-mover-leaver scenarios, reducing risks from orphaned or over-permissioned accounts. 

These steps help organisations implement Zero Trust principles in a practical, manageable way—leveraging existing Microsoft capabilities while addressing real-world identity security gaps. 

Zero Trust Identity Implementation at a Glance 

For organisations looking to accelerate their Zero Trust journey, the following focus areas offer a practical roadmap. These actions, when implemented using Microsoft Entra ID, help enforce consistent access controls, reduce privilege sprawl and ensure continuous visibility into identity-related activity. 

These five steps provide a structured and actionable approach to strengthening identity controls, leveraging capabilities already available within the Microsoft ecosystem. They complement broader Zero Trust strategies by focusing on proactive identity governance, adaptive access and continuous visibility. 

The Business Case for Identity Security 

Investing in identity security isn’t just about reducing cyber risk; it's also about protecting your personal information. It supports broader business objectives including: 

• Regulatory Compliance: Meeting requirements like GDPR, ISO 27001 and NIS2 

• Operational Efficiency: Reducing IT support requests related to account lockouts and password resets 

• User Experience: Enabling seamless secure access improves productivity and reduces friction 

• Customer Trust: Demonstrating strong security controls enhances brand credibility 

Identity Is the New Perimeter 

The statistics speak for themselves. As password-based attacks continue to rise and the adoption of security basics like MFA remains limited, organisations must urgently address their identity security gaps. A Zero Trust approach built on secure identity foundations is no longer optional—it’s essential for modern cyber resilience. 

With the right strategy and the smart use of Microsoft tools already at their disposal, organisations of all sizes can take meaningful steps to protect their identities, their data and ultimately their future. 

CyberOne’s Identity as a Service: A Strategic Solution 

One way to address the identity security gap is by adopting a managed identity solution that reduces internal complexity while maintaining strong protection. CyberOne’s Identity as a Service, powered by Microsoft Entra ID, supports Zero Trust principles by providing scalable access controls, robust authentication options such as MFA and passwordless login and continuous monitoring of user activity. Learn more about how this service can support your organisation's security posture at cyberone.security/services/identity-as-a-service. 

Stay proactive in your security journey. Missed the webinar? Watch it on-demand to gain actionable insights and real-world strategies from our session on bridging the Identity Security Gap in Modern Workplaces. 

Interested in tailored guidance? Book a free 1:1 consultation with a CyberOne expert to assess your current security posture and identify quick wins.