As organizations expand their digital footprint, identity security has emerged as a cornerstone in protecting assets across complex cloud environments. The Permiso Security State of Identity Security Report 2024 offers insights into identity management, multi-cloud adoption, and the evolving nature of identity-based threats. Based on surveys from over 500 organizations, the report highlights pressing security concerns, trends in identity management, and the significant shift toward securing non-human identities, which represent an increasingly substantial portion of cloud infrastructure.
In this article, we delve into the report’s findings, focusing on the challenges of managing identities across cloud environments and the steps organizations can take to safeguard their digital assets effectively.
The report offers insights into how 500 organizations globally approach identity security in a cloud-dominated world. It reveals that while companies are increasingly confident in their identity management practices, this confidence may sometimes mask underlying vulnerabilities.
Key Findings from the Report
- Multi-Cloud Reality and IAM Challenges
Organizations are embracing multi-cloud strategies, using an average of 2.5 cloud service providers, with AWS leading at 25%, followed by Azure and IBM Cloud. This diversity of platforms enhances flexibility but also complicates IAM, making it difficult to maintain consistent security policies across environments. Key risks include an expanded attack surface, complex IAM tools, and challenges in maintaining visibility across disparate platforms.
- Growth in Non-Human Identities
Non-human identities, such as service accounts, API keys, and automation scripts, now represent a significant portion of IAM efforts. Nearly half of surveyed organizations manage between 1,000 and 5,000 non-human identities, a figure that reflects increasing automation. However, many companies struggle to monitor these identities effectively, leading to potential blind spots.
- Gaps in Identity Monitoring and Responsibility
Despite high levels of confidence, a critical gap remains in identity monitoring. While 93% of respondents claim to track identity activity in real time, other sections of the report reveal inconsistencies, suggesting that organizations might overestimate their visibility capabilities. Additionally, identity security often falls under general IT departments rather than specialized IAM teams, potentially compromising security due to a lack of dedicated expertise.
- Unauthorized Access and Compromised Credentials
Unauthorized access incidents remain alarmingly high, with 46% of organizations reporting breaches. Most breaches involved sensitive data exposure and privilege abuse, often resulting from compromised credentials. SaaS applications, widely adopted for their convenience, emerged as the riskiest environment, exposing organizations to vulnerabilities related to inadequate security practices.
- Persistent Threat Detection Challenges
While organizations have made progress in identifying and responding to identity-based threats, threat detection capabilities are not keeping up with the complexity of attacks. For example, the percentage of organizations able to detect compromised identities within 24 hours dropped from 90% in 2023 to 61% in 2024, indicating that security teams may be underestimating detection timelines.
The Multi-Cloud Reality and Identity Security
According to the report, nearly all surveyed organizations (93%) maintain an inventory of identities across their environments, including human and non-human entities. Yet, the multi-cloud approach complicates identity management. A typical organization uses an average of 2.5 cloud providers, with Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) leading the market. However, IBM Cloud and Oracle Cloud are gaining ground, reflecting the increasing diversification of cloud provider usage and highlighting the importance of cross-cloud identity governance to maintain unified oversight.
Non-Human Identities on the Rise
A significant trend highlighted in the report is the explosion of non-human identities, such as service accounts, keys, tokens, and secrets, particularly within cloud environments. These identities, often overlooked, play critical roles in automation and are increasingly seen as attractive targets for cybercriminals. About 42% of organizations now manage between 1,000 and 5,000 non-human identities, a sharp rise from previous years, signaling a need for adaptive, scalable identity management solutions that can handle this growing complexity without compromising security.
Challenges in Identity Management
While 85% of organizations report confidence in their ability to track identity usage across cloud environments, this optimism may be misleading. The report exposes a significant gap between perceived and actual capabilities in identity monitoring, particularly regarding non-human entities and the ability to monitor “who” is performing “what” across authentication boundaries. This confidence-capability gap poses a substantial risk, potentially leaving organizations vulnerable to identity-based attacks.
Further, only 46% of organizations allocate a dedicated identity security budget for all environments, reflecting a shortfall in investment in comprehensive identity management across cloud and on-premises systems. Additionally, unauthorized access remains an ongoing issue, with nearly half of all surveyed organizations reporting identity-related breaches.
Top 10 Recommendations to Enhance Identity Security
- Implement Cross-Cloud Governance: Adopt cross-cloud identity management systems that enable a unified view of all identities, especially in multi-cloud environments.
- Prioritize Non-Human Identity Security: Secure non-human identities by monitoring and regularly updating permissions associated with service accounts and automated processes.
- Enforce Strict Access Controls: Use role-based access control (RBAC) and least-privilege principles to minimize unnecessary access and reduce potential attack surfaces.
- Invest in Adaptive Authentication: Move beyond traditional multi-factor authentication (MFA) by adopting adaptive authentication methods that consider contextual data like location and device type.
- Automate Identity Lifecycle Management: Automate the provisioning, monitoring, and de-provisioning of identities to prevent orphaned accounts and potential unauthorized access.
- Increase Visibility with Continuous Monitoring: Deploy tools that provide continuous monitoring of identity usage and detect anomalies in real time.
- Perform Regular Audits: Regularly audit identity and access controls to ensure they align with organizational policies and meet compliance requirements.
- Educate Employees on Identity Security: Conduct regular training on secure identity practices to reduce the risk of human errors, particularly with credential sharing and password management.
- Integrate Security Tools for a Holistic View: Use cloud-native security tools alongside traditional security platforms to create a cohesive, multi-layered defense strategy.
- Prepare for Evolving Threats with Adaptive Policies: Continuously adapt identity policies to accommodate evolving technologies and the growing complexity of cloud environments.
Conclusion
The State of Identity Security 2024 report underscores the urgent need for organizations to evolve their identity management strategies. With the rapid rise of non-human identities and the complexity of multi-cloud environments, traditional identity and access management approaches are no longer sufficient. By investing in adaptive, cross-cloud governance solutions and adopting best practices for identity security, organizations can better protect their assets and reduce the risk of identity-based attacks.
As we move forward, the imperative is clear: identity must be at the center of any robust security strategy. This focus will enable organizations to navigate the complexities of modern cloud environments with greater confidence, ensuring that both human and non-human identities are secure.