How SASE Handles Identity Security

By Kevin Sheu, VP of Product Strategy, Versa

Today, the tactics, techniques, and procedures (TTPs) used by threat actors are constantly evolving, with AI-generated phishing and deepfake-based social engineering raising the sophistication of attacks. What is the biggest threat to your organization? According to Verizon’s Data Breach Investigations Report, the most common attack is the use of stolen credentials, accounting for 24% of total breaches.

The bottom line is that stopping credential theft, privilege escalation, and other identity threats needs to be front and center in your security strategy, as unauthorized access provides a swift mechanism to move laterally within a network undetected – hence identity threats’ popularity among cyberthieves.

Organizations have traditionally struggled to implement a cohesive security and network access approach that comprehensively addresses both identity and network threats, a task made more difficult as IT security and networking teams must protect a mix of on-premises, hybrid, and cloud environments. SASE has emerged as a popular way to deliver identity-based security as one layer of a defense-in-depth strategy.

The Relationship Between Identity and SASE

SASE solutions integrate identity into the infrastructure by enforcing identity-aware policies at every point of access to the network, including in the cloud, at the branch, and for remote users. By building identity into the fabric of security, SASE ensures that access decisions are based on user identity, device posture, and context, or a combination of these factors, rather than on network location or initial authentication alone. This enables continuous verification and adaptive access control, reducing reliance on implicit trust and mitigating the risks associated with unauthorized access or compromised credentials.

Ensuring that your SASE solution integrates identity across all enforcement points strengthens Zero Trust principles due to the ability to dynamically adjust permissions based on real-time risk assessments. This reduces the attack surface while ensuring that users have access to only the applications and data they need and are authorized to access, regardless of where they connect from.

The Impact of Limited Access Controls

Unfortunately, many organizations have realized the consequences of failing to implement robust, layered identity controls across their infrastructure. One prime example is the breach of UnitedHealth’s payment processing systems. Attackers exploited stolen Citrix credentials that lacked multi-factor authentication (MFA) to gain unauthorized access to critical financial and healthcare systems. Once the infrastructure was breached, over-privileged access allowed attackers to move laterally within the network, expanding their reach and increasing the severity of the attack.

Least-privilege controls could have limited access for the attackers and the scale and scope of the breach, which cost the health system $872 million in damages and another $22 million in ransom payment.

Continuous Verification, Not Just “Access”

One of the core principles of an advanced SASE solution’s Zero Trust functionality is ensuring that users have access to only the resources necessary for their roles. Organizations should enforce identity-based least-privilege access by assigning permissions based on required access, limiting exposure to sensitive systems and reducing the risk of insider threats, privilege abuse, and data breaches. Dynamic access controls further enhance security by adapting permissions based on real-time risk assessments, while also helping to ensure compliance with security policies and regulatory requirements.

Implementing continuous verification ensures that identity-based security policies can dynamically adapt to evolving risks. Access can be monitored and enforced not just at the time of initial access, but throughout the entire session. For example, APT29 hackers used a password spraying attack to access a non-production account without multi-factor authentication, then escalated privileges via an OAuth app to reach critical systems. This is a good example of how attackers exploit weak authentication to move laterally, expand their foothold, and exfiltrate critical data.

Continuous monitoring of user and device behavior could have limited the impact by detecting anomalous activity, enforcing risk-based policies, and cutting off unauthorized access before it escalated. By integrating the User and Entity Behavior Analytics (UEBA) capabilities of advanced SASE solutions, organizations can enforce identity-aware, adaptive security policies that not only verify users at login but continuously assess their behavior throughout the session.

Continuous monitoring often involves three critical core steps:

  • Identifying critical assets and data – Classify and prioritize sensitive resources that require heightened identity-based security controls.
  • Enforcing least-privilege access policies – Restrict access based on user roles, device posture, and contextual factors to minimize the blast radius of a compromised credential.
  • Continuously monitoring and auditing activity – Initial authentication alone is not enough. Even after access is granted, organizations must assess user behavior, device activity, and session context in real time to detect anomalies and revoke access when necessary.
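As an added illustration of the three steps above (example code written for this page, not Versa's product code or anything from the original article): a minimal session-scoped policy engine that applies least privilege first, then combines device posture, request context and a UEBA-style anomaly score into a verdict that is re-evaluated on every request, revoking the session rather than just the request when risk crosses the line. All roles, applications, weights and thresholds are constructed assumptions.

```python
from dataclasses import dataclass

# Step 1: classified critical assets and the least-privilege role map (constructed sample data).
ROLE_APPS = {"finance": {"payments", "erp"}, "clinician": {"ehr"}, "contractor": {"ticketing"}}
SENSITIVE_APPS = {"payments", "ehr"}
TRUSTED_COUNTRIES = {"US"}

@dataclass
class Context:
    """Identity, device posture and context observed for one request (hypothetical fields)."""
    user: str
    role: str
    app: str
    mfa: bool             # was this session authenticated with MFA?
    device_managed: bool  # device posture signals
    disk_encrypted: bool
    country: str          # context: where the request originates
    anomaly: float        # 0.0-1.0 behavioral anomaly score from a UEBA-style baseline

def risk_score(ctx: Context) -> int:
    """Combine posture, context and behavior into a 0-140 risk score (weights are assumptions)."""
    score = 0 if ctx.mfa else 40
    score += 0 if ctx.device_managed else 25
    score += 0 if ctx.disk_encrypted else 15
    score += 0 if ctx.country in TRUSTED_COUNTRIES else 20
    score += int(ctx.anomaly * 40)
    return score

def decide(ctx: Context) -> str:
    """Step 2: least privilege first, then a risk-adaptive 'allow' / 'step_up' / 'deny'."""
    if ctx.app not in ROLE_APPS.get(ctx.role, set()):
        return "deny"  # not in the role's allowed set, regardless of risk
    risk = risk_score(ctx)
    if ctx.app in SENSITIVE_APPS:
        if risk >= 50:
            return "deny"
        if risk >= 20:
            return "step_up"  # re-prompt MFA before touching a critical asset
    elif risk >= 70:
        return "deny"
    return "allow"

class Session:
    """Step 3: re-evaluate on every request, not only at login, and revoke on deny."""
    def __init__(self) -> None:
        self.revoked = False
        self.log: list[str] = []

    def request(self, ctx: Context) -> str:
        verdict = "deny" if self.revoked else decide(ctx)
        if verdict == "deny":
            self.revoked = True  # cut the whole session, not just this request
        self.log.append(f"{ctx.user} -> {ctx.app}: {verdict} (risk {risk_score(ctx)})")
        return verdict
```

In the APT29 scenario described above, the password-sprayed account would fail the role check for critical systems and the rising anomaly score would force step-up and then revocation mid-session rather than leaving the initial login decision in place.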

Conclusion

A multi-layered approach combining SASE and Zero Trust ensures real-time threat detection, dynamic access controls, and proactive identity protection. By embedding identity-based security at every access point and leveraging a system that continuously assesses changes and risk, organizations can reduce exposure to credential-based attacks, unauthorized access, and lateral movement. Identity is now the frontline of cybersecurity. Strengthening it with the right approaches and strategies is essential to staying ahead of evolving threats.
