How resilient is your identity security strategy?
Once upon a time, the network was the perimeter. Firewalls, Intrusion Detection Systems (IDS), and endpoint security were the front-line defenders. But today? Identity is the perimeter. Every login, every session, every permission: these are the new battlegrounds.
If identity is the first and last line of defense, how do you ensure that your identity controls are resilient?
A strong defense-in-depth strategy for identity security doesn't rely on a single layer of protection. Identity and Access Management (IAM) solutions alone won't cut it. Even well-deployed Identity Governance and Administration (IGA) and Privileged Access Management (PAM) solutions aren't enough. Identity Security Posture Management (ISPM), Identity Threat Detection and Response (ITDR), and continuous validation of identity controls are the missing links that separate a resilient security strategy from a high-risk house of cards.
Understanding defense in depth for identity security
The concept of defense in depth is not new to cybersecurity, but its application to identity security has never been more critical. Organizations today operate in a landscape where identity is the new perimeter, a shift brought about by digital transformation, cloud adoption, and remote work. This shift means that traditional network-centric security measures, such as firewalls and VPNs, no longer provide sufficient protection. Instead, securing user identities and access permissions has become the critical factor in preventing unauthorized access, data loss, and operational disruption.
At its core, defense in depth is about building redundancy into security controls. It follows the mantra that no single technology or process is foolproof, and it acknowledges that attackers constantly evolve their tools, tactics, and procedures in the cat-and-mouse game between attackers and defenders. Even the most robust identity infrastructure can be bypassed through misconfigurations, weak or stolen credentials, or social engineering. A multi-layered identity security strategy ensures that if one control fails, another is in place to prevent or mitigate the impact of a breach.
Gaps that Weaken the Identity Perimeter
When organizations lack a robust defense-in-depth strategy for identity security, they leave a number of gaps exposed:
- Over-privileged accounts: Unnecessary privileges unwittingly increase the attack surface available to threat actors. They also create opportunities for further privilege escalation and lateral movement, enable insider threats, and can lead to compliance violations if not properly managed.
- Orphaned accounts: Improper identity lifecycle management or a broken Joiner-Mover-Leaver (JML) process leaves access lingering in active accounts that nobody owns, and cybercriminals can exploit those accounts.
- Compromised credentials: Stolen, weak, shared, or reused credentials remain a primary cause of security incidents. If an attacker obtains valid credentials, they can gain unauthorized access to the organization's systems without raising suspicion.
- Central authentication bypass: SaaS apps often provide multiple methods for authentication, such as local accounts, single sign-on (SSO) integration, and consumer logins (e.g., social or personal email accounts). When SSO is enabled but any other authentication method remains enabled, that method provides a way around the centralized controls. This is known as SSO bypass, and it becomes a hidden single point of failure.
- Misconfigured Multi-Factor Authentication (MFA): For apps outside of SSO, Savvy research has shown that MFA is used less than eight percent of the time. This commonly leaves systems and their owners one password away from a breach. Combine a lack of MFA with another risk factor, such as compromised credentials, and the popularity of credential-based attacks becomes clear.
- Shadow identities: Employees frequently adopt SaaS applications outside the organization's sanctioned IT environment. Sometimes apps are intentionally left unmanaged, as is the case for apps with a low user count and a high SSO tax (the premium vendors charge for SSO support). Partner and social apps, where SSO is not an option, are another case. In all of these, identity blind spots form around shadow identities, sometimes also called shadow accounts or ghost logins. These identities commonly reuse a user's corporate credentials, so when the SaaS app is breached, the corporate credentials are exposed without anyone knowing it.
- Limited visibility and activity monitoring: Even when maximum effort is placed on closing identity gaps, bad things can happen. Without a means to detect anomalous or non-compliant activity as it happens, threats can continue under the radar.
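The gaps above are all checkable once you have an inventory of apps, accounts, and credential fingerprints. The script below is an added example, not Savvy's product code or data model: it assumes a record layout that an identity discovery tool might export (the App and Account classes) and runs over a constructed sample inventory. Each function implements one of the checks from the list: SSO bypass, apps outside SSO without MFA, orphaned accounts against the HR feed, corporate passwords reused on SaaS apps, and admin roles that are never exercised (a stand-in for the over-privilege check, using a 90-day threshold that is an assumption).

```python
"""Audit an identity inventory for the gaps listed above.

Added example, not Savvy's code or data model. The record layout is an
assumption about what an identity discovery tool might export; the
inventory below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class App:
    name: str
    sso_enabled: bool
    local_login_enabled: bool   # username/password at the app itself
    social_login_enabled: bool  # consumer identity (Google, GitHub, ...)
    mfa_enforced: bool          # MFA at the app; only matters outside SSO


@dataclass
class Account:
    app: str
    user: str                                   # corporate e-mail used to sign up
    role: str                                   # "user" or "admin"
    password_fingerprint: Optional[str] = None  # keyed hash of the app password, never the password
    last_admin_action: Optional[date] = None


# Constructed sample inventory (assumed shape, not real data).
APPS = [
    App("crm", sso_enabled=True, local_login_enabled=True, social_login_enabled=False, mfa_enforced=False),
    App("wiki", sso_enabled=True, local_login_enabled=False, social_login_enabled=False, mfa_enforced=False),
    App("design-tool", sso_enabled=False, local_login_enabled=True, social_login_enabled=True, mfa_enforced=False),
    App("ci", sso_enabled=False, local_login_enabled=True, social_login_enabled=False, mfa_enforced=True),
]
ACTIVE_EMPLOYEES = {"alice@example.com", "bob@example.com"}  # from the HR feed
CORPORATE_FINGERPRINTS = {"alice@example.com": "fp-a1", "bob@example.com": "fp-b7"}
ACCOUNTS = [
    Account("crm", "alice@example.com", "admin", "fp-a1", last_admin_action=date(2024, 1, 5)),
    Account("design-tool", "alice@example.com", "user", "fp-a1"),  # corporate password reused
    Account("design-tool", "bob@example.com", "user", "fp-zz"),
    Account("ci", "carol@example.com", "admin", "fp-c3"),          # carol is no longer an employee
    Account("wiki", "bob@example.com", "admin", None, last_admin_action=date(2024, 5, 1)),
]
AUDIT_DATE = date(2024, 6, 1)

Finding = Tuple[str, str]  # (app, user)


def sso_bypass(apps: List[App]) -> List[str]:
    """SSO is on, but a local or consumer login path is still enabled beside it."""
    return sorted(a.name for a in apps
                  if a.sso_enabled and (a.local_login_enabled or a.social_login_enabled))


def missing_mfa(apps: List[App]) -> List[str]:
    """Apps outside SSO that do not enforce their own MFA: one password from a breach."""
    return sorted(a.name for a in apps if not a.sso_enabled and not a.mfa_enforced)


def orphaned_accounts(accounts: List[Account], active: Set[str]) -> List[Finding]:
    """Accounts whose owner is no longer in the HR directory (broken leaver step)."""
    return sorted((acc.app, acc.user) for acc in accounts if acc.user not in active)


def reused_corporate_credentials(accounts: List[Account],
                                 corporate: Dict[str, str]) -> List[Finding]:
    """Local app passwords whose fingerprint matches the user's corporate password."""
    return sorted((acc.app, acc.user) for acc in accounts
                  if acc.password_fingerprint is not None
                  and acc.password_fingerprint == corporate.get(acc.user))


def stale_admins(accounts: List[Account], today: date, max_age_days: int = 90) -> List[Finding]:
    """Admin roles never used, or not used within max_age_days (assumed threshold)."""
    return sorted((acc.app, acc.user) for acc in accounts
                  if acc.role == "admin"
                  and (acc.last_admin_action is None
                       or (today - acc.last_admin_action).days > max_age_days))


def audit(apps, accounts, active, corporate, today):
    """Run every check and return the findings keyed by gap name."""
    return {
        "sso_bypass": sso_bypass(apps),
        "missing_mfa": missing_mfa(apps),
        "orphaned": orphaned_accounts(accounts, active),
        "reused_credentials": reused_corporate_credentials(accounts, corporate),
        "stale_admins": stale_admins(accounts, today),
    }


if __name__ == "__main__":
    for gap, hits in audit(APPS, ACCOUNTS, ACTIVE_EMPLOYEES, CORPORATE_FINGERPRINTS, AUDIT_DATE).items():
        print(f"{gap}: {hits}")
```

Two design points matter in practice. First, the password fingerprint must be a keyed hash computed where the password is observed (for example in the browser at login), so the audit job never handles plaintext and a leaked fingerprint table is not a password list. Second, the sample data shows why the checks have to be combined: alice's crm account is both an SSO-bypass login and a reuse of her corporate password, so a breach of the crm app's local credential store exposes the central identity even though the app is "behind SSO".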
A single identity security failure can have a lasting impact on an organization. High-profile breaches at companies like MGM Resorts, Okta, and Change Healthcare have demonstrated that attackers don't need to break into networks; they simply log in using stolen or mismanaged credentials. A true defense-in-depth approach ensures that identity remains a resilient security control, not a liability.
Building Identity Resilience: The Essential Layers
A Defense-in-Depth strategy for identity security addresses these risks by layering multiple protections that reinforce each other. The goal is not just to manage access but to ensure that identity controls remain effective over time.
IAM: The First Line of Defense
IAM systems provide centralized authentication and access control, but they are only as strong as their implementation and oversight. IAM alone does not ensure that identities remain secure; it simply defines how users should access resources. What happens when those identities are misused, misconfigured, or bypassed? IAM systems must be continuously validated to ensure that permissions are correctly assigned and that the access paths they define are the ones actually being used.
IGA: Enforcing Least Privilege
IGA systems ensure that users receive the minimum level of access necessary and that access is reviewed regularly. However, IGA depends on accurate visibility into all applications and identity risks, something many traditional solutions lack. Without constant validation, over-provisioning, policy drift, and toxic access combinations can creep in unnoticed.
PAM: Securing Privileged Accounts
PAM systems control administrative access and reduce the attack surface of high-value accounts. But PAM solutions themselves must also be continuously validated: a misconfigured PAM policy can still lead to a breach. Attackers often target these accounts because once they control an admin account, they own your infrastructure.
ISPM + ITDR: Proactive Identity Risk Management
ISPM and ITDR systems proactively identify misconfigurations, policy gaps, and active identity-based attacks. These solutions provide real-time assessments of identity security posture and rapid detection of suspicious activity. However, most organizations lack a unified approach to validating their identity security stack across IAM, IGA, and PAM. In addition, current ISPM and ITDR solutions focus only on activity passing through known identity controls and have no way to see non-compliant activity that bypasses them.
Savvy Security: Continuous Visibility and Assurance
Even with all these layers in place, who's checking that everything is actually working? That's where Savvy comes in.
Savvy doesn't replace IAM, IGA, or PAM; it ensures they are delivering on their security promise. It answers the questions that most tools can't:
- Are your IAM security controls actually being followed, or are users bypassing them?
- Are apps and identities outside of your SSO framework putting your organization at risk?
- Do your users have weak or reused credentials on apps where MFA is not enforced?
- Are you unknowingly exposing your highly interconnected SaaS ecosystem to risk?
No other identity solution maintains the breadth of ground truth for identities-in-use like Savvy. With a multi-layered detection lattice that includes browser-level visibility, Savvy detects every app in use, maps identity risks across users and devices, and deploys real-time remediation to keep identity controls working as intended.
IAM Resilience: A Continuous Assurance Model
A popular analyst firm promotes a model for IAM resilience that goes beyond having IAM, IGA, and PAM tools in place, to include validating their effectiveness in real time.
Savvy interprets this to mean:
- Continuous Discovery: Detecting and mapping apps, identities, and risks that slip past traditional IAM tools.
- Continuous Validation: Around-the-clock testing of IAM policies to ensure no gaps exist.
- Automated Remediation: Programmatically enforcing security best practices without disrupting workflows and without overburdening identity and security teams.
Without these layers of assurance, identity security isn't achieving defense in depth.
The Bottom Line: Identity is the Perimeter, But Who's Protecting Identity?
IAM, IGA, and PAM solutions each play a role in securing identities. But without real-time validation and visibility, you're left to assume they're working as intended. Savvy provides the missing piece, ensuring your identity controls are airtight, continuously enforced, and resilient against evolving threats.
If your IAM security strategy doesn't include continuous discovery, validation, and remediation, you're leaving identity gaps unchecked. And in a world where identity is the new perimeter, unchecked identity gaps are often the fastest path to compromise.
Do you understand your risk exposure?
Find out with our simple two-question risk calculator, available at https://risk.savvy.security/.
Don't assume your identity security is working as it should; continuously validate it with Savvy.