
Identity Is the New Perimeter: IAM, PAM, and the Password’s Death in 2026

February 23, 2026


The Perimeter Dissolved. Identity Remained.

In the traditional security model, the network perimeter was the castle wall. Firewalls separated the trusted internal network from the untrusted internet. If you were inside the wall — connected to the corporate LAN, authenticated to the domain — you were trusted.

That model is dead. Cloud computing moved applications outside the perimeter. Remote work moved users outside the perimeter. SaaS moved data outside the perimeter. Mobile devices, APIs, machine-to-machine communication, and third-party integrations mean there is no “inside” and “outside” anymore. The network perimeter is everywhere and nowhere.

What remains is identity. Every access request — whether from a human user, a service account, an API key, or an automated workflow — begins with “who are you and what are you allowed to do?” Identity and Access Management (IAM) is no longer a supporting function within cybersecurity. It is the primary control plane.

The numbers confirm this shift. According to CrowdStrike’s 2025 Global Threat Report, 79% of cyberattack detections were malware-free — attackers relied on credential abuse and hands-on-keyboard techniques instead of deploying malware. The Verizon 2025 Data Breach Investigations Report found that credential abuse was the leading initial access vector, responsible for 22% of breaches, while 88% of basic web application attack breaches involved stolen credentials. Access broker activity — the underground market where stolen credentials are sold — surged 50% year-over-year in 2024. The most common initial access vectors — phishing, credential stuffing, session hijacking, MFA fatigue attacks — all target identity.


The Identity Attack Surface

Modern identity infrastructure presents multiple attack surfaces:

Credential Compromise

The most straightforward identity attack: stealing usernames and passwords. Over 24 billion stolen credentials were circulating on dark web marketplaces according to Digital Shadows (now ReliaQuest) research in 2022, and that number has continued to grow as information-stealing malware surges. Infostealers (Redline, Raccoon, Lumma, Vidar) harvested 1.8 billion credentials in 2025 alone, exfiltrating them from browsers, password managers, and application storage to command-and-control servers where they are sold in bulk.

The Verizon DBIR 2025 found that only 49% of a user’s passwords across different services were distinct — meaning half are reused. Password reuse amplifies the impact: when credentials stolen from one breach are tested against other services (credential stuffing), success rates range from 0.5% to 2%, so a dump of 1 million credentials yields 5,000-20,000 successful logins on unrelated services. Credential stuffing now accounts for a median of 19% of daily authentication attempts at enterprise-scale organizations.

MFA Bypass

Multi-factor authentication (MFA) was supposed to solve credential compromise. It helped — but it did not solve it. Attackers have developed multiple MFA bypass techniques:

  • AiTM phishing (adversary-in-the-middle) intercepts session tokens after the user completes MFA, rendering the MFA irrelevant
  • MFA fatigue / push bombing sends repeated MFA push notifications until the user approves one out of frustration or confusion
  • SIM swapping convinces a mobile carrier to transfer the victim’s phone number to the attacker’s SIM card, intercepting SMS-based MFA codes
  • Social engineering targets IT helpdesks to reset MFA for the attacker (the technique used in the MGM Grand breach by Scattered Spider in 2023)
  • Voice phishing (vishing) surged 442% between the first and second halves of 2024 according to CrowdStrike, with GenAI-crafted phishing messages achieving a 54% click-through rate compared to just 12% for human-generated attempts

Token and Session Attacks

Once authenticated, users receive session tokens that grant ongoing access without re-authentication. These tokens — stored in browsers, applications, or cloud services — are increasingly targeted:

  • Pass-the-cookie attacks steal browser session cookies from endpoints (via malware or physical access) and replay them on attacker-controlled devices
  • Token theft extracts OAuth tokens or refresh tokens from compromised applications
  • Golden SAML forges SAML assertions using stolen signing certificates, allowing attackers to generate valid authentication tokens for any user (the technique used in the SolarWinds attack)

Machine Identity Sprawl

Human identities are only part of the problem. According to CyberArk’s 2025 Identity Security Landscape survey, machine identities now outnumber human identities by 82 to 1. Service accounts, API keys, certificates, secrets, managed identities, and workload identities have exploded: machine identities grew from approximately 50,000 per enterprise in 2021 to 250,000 in 2025 — a 400% increase, while human identities grew by only 16%.

Machine identities are harder to manage: they often have excessive permissions, are rarely rotated, are shared across teams, and are not subject to the same lifecycle management (onboarding, offboarding) as human identities. Yet 88% of organizations still define only human identities as “privileged users,” despite machines having higher rates of sensitive access. A leaked API key in a GitHub repository can provide persistent access to cloud infrastructure for months or years before being discovered.


IAM: The Control Plane

Identity and Access Management (IAM) is the system that manages who (identity) can do what (access) to which resources (authorization). The global IAM market reached approximately $23-26 billion in 2025 and is projected to exceed $42 billion by 2030. Modern IAM platforms include:

Microsoft Entra ID (formerly Azure Active Directory) is the dominant cloud IAM platform, managing identities for Microsoft 365, Azure, and thousands of integrated SaaS applications. Entra ID provides single sign-on (SSO), conditional access policies, identity governance, and privileged identity management.

Okta is the leading independent IAM platform, providing SSO and adaptive MFA for multi-cloud and SaaS environments. Okta’s strength is its breadth of integration — over 7,000 pre-built application connectors. (Okta itself was breached via its support system in October 2023 — initially disclosing that 1% of customers were affected, the company later confirmed that data on all customer support users was accessed, underscoring that IAM providers are high-value targets.)

Google Cloud Identity and AWS IAM provide identity management for their respective cloud platforms, with Google also offering Cloud Identity as a standalone directory service.

Ping Identity specializes in enterprise IAM for complex environments (financial services, healthcare) with requirements for on-premises and hybrid identity management.

Zero Trust and Continuous Access Evaluation

The zero trust security model replaces implicit trust (you’re on the network, so you’re trusted) with continuous verification. Every access request is evaluated based on:

  • Identity — Who is requesting access? Is the account compromised?
  • Device — Is the device managed, compliant, and healthy?
  • Location — Is the request from an expected location?
  • Risk score — Based on behavioral analytics, is this request anomalous?
  • Data sensitivity — Is the resource being accessed sensitive enough to require additional verification?

Continuous Access Evaluation Protocol (CAEP) extends this beyond the initial authentication. Instead of granting a session token that is valid for hours or days, CAEP enables near-real-time revocation — if a device falls out of compliance, an account is flagged as compromised, or the user’s risk score changes, the session is terminated immediately. CrowdStrike’s 2025 report found that the average attacker “breakout time” — the time before lateral movement begins — was just 48 minutes, with the fastest recorded at 51 seconds, making continuous evaluation essential.
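An added example (not from the article or any vendor’s product) of how the five signals above feed a policy decision, and how a CAEP-style session re-runs that policy on every signal change instead of trusting a token until it expires. Policy values, signal names and the `Session` class are invented for illustration.

```javascript
// Added example, not from the article: a toy continuous access evaluation
// loop over the five signals the text lists. Policy values are invented.
const POLICY = {
  sensitiveResources: new Set(['payroll', 'prod-db']), // data sensitivity
  expectedCountries: new Set(['DZ', 'FR']),           // location
  maxRiskScore: 70,                                   // behavioral risk
};

// Evaluate one request: 'allow', 'step-up' (demand phishing-resistant MFA)
// or 'deny'. Hard failures are checked first so they can never be stepped up.
function evaluate(req, policy = POLICY) {
  if (req.identity.compromised) return 'deny';
  if (!req.device.managed || !req.device.compliant) return 'deny';
  if (req.riskScore > policy.maxRiskScore) return 'deny';
  const unusualLocation = !policy.expectedCountries.has(req.location);
  const sensitive = policy.sensitiveResources.has(req.resource);
  if (unusualLocation) return 'step-up';
  if (sensitive && !req.identity.phishingResistantMfa) return 'step-up';
  return 'allow';
}

// Deep-merge a signal update into the request state without mutating it.
function merge(base, update) {
  const out = { ...base };
  for (const [k, v] of Object.entries(update)) {
    out[k] = v && typeof v === 'object' ? merge(base[k] || {}, v) : v;
  }
  return out;
}

// CAEP-style session: the policy is re-run whenever a signal changes (EDR says
// the device drifted, the IdP flags the account, the risk engine raises the
// score) and the session is cut on 'deny' instead of waiting for token expiry.
class Session {
  constructor(req) {
    this.req = req;
    this.active = evaluate(req) !== 'deny';
    this.history = [evaluate(req)];
  }
  onSignal(update) {
    if (!this.active) return 'revoked';
    this.req = merge(this.req, update);
    const decision = evaluate(this.req);
    this.history.push(decision);
    if (decision === 'deny') this.active = false; // near-real-time revocation
    return decision;
  }
}
```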



PAM: Protecting the Keys to the Kingdom

Privileged Access Management (PAM) is a specialized subset of IAM focused on protecting the most powerful accounts in an organization — administrator accounts, root accounts, service accounts with elevated permissions, and any identity that can make significant changes to infrastructure, data, or security configurations. The PAM market reached approximately $4.5-5.5 billion in 2025 and is one of the fastest-growing segments in cybersecurity.

PAM solutions implement:

Credential vaulting: Privileged credentials are stored in an encrypted vault. Administrators never see actual passwords — they “check out” temporary credentials from the vault for the duration of their task. Credentials are automatically rotated after each use.

Just-in-time (JIT) access: Instead of permanent administrator access (“standing privileges”), users request elevated access for a specific task and duration. The request is approved (manually or automatically), privileges are granted, and access is automatically revoked when the time expires.

Session recording: All privileged sessions are recorded — every command typed, every screen viewed, every file accessed. Recordings provide forensic evidence for incident investigation and serve as a deterrent against misuse.

Least privilege enforcement: PAM analytics identify accounts with excessive permissions and recommend right-sizing — reducing access to only what is needed for each role.

Leading PAM vendors in 2026: CyberArk remains the market leader, having expanded to cover human, machine, and AI identities after acquiring Venafi for $1.54 billion in 2024 and Zilla Security for $175 million in 2025. BeyondTrust exceeded $400 million in annual recurring revenue in 2025. Delinea (formerly Thycotic + Centrify) continues to compete in the cloud PAM space. Microsoft’s Entra Privileged Identity Management (PIM) provides JIT access and approval workflows for Azure and Microsoft 365 environments.


Passwordless: The End Game

The long-predicted death of the password is finally underway. Passkeys — based on the FIDO2/WebAuthn standard — replace passwords with cryptographic key pairs stored on the user’s device:

  1. During registration, the device generates a public/private key pair. The public key is shared with the service; the private key never leaves the device.
  2. During authentication, the service sends a challenge. The device signs the challenge with the private key after the user confirms via biometric (Face ID, fingerprint) or device PIN.
  3. The service verifies the signature using the stored public key. Authentication is complete — no password was transmitted, stored, or interceptable.

Why passkeys are transformative:

  • Phishing-resistant: The authentication is bound to the legitimate domain. A phishing site on a different domain cannot trigger the passkey.
  • No credential database to breach: Services store only public keys, which are useless to attackers.
  • No password reuse: Each service gets a unique key pair.
  • Better user experience: Biometric authentication (face scan, fingerprint) is faster and easier than typing a password and waiting for an MFA code.

Adoption by the numbers: According to the FIDO Alliance Passkey Index 2025, over 1 billion people have activated at least one passkey, and more than 15 billion online accounts now support passkey authentication. 48% of the top 100 websites support passkeys — more than double the number from 2022. Google reports over 800 million accounts using passkeys, Amazon reached 175 million passkey users in its first year, and Microsoft made passkeys the default sign-in method for new accounts in May 2025, seeing a 120% increase in passkey authentications. In enterprises, 87% of surveyed organizations have deployed or are actively implementing passkey solutions.

Performance data reinforces the shift: passkeys achieve a 93% login success rate compared to 63% for traditional authentication. Sign-in takes 8.5 seconds with a passkey versus 31.2 seconds with traditional MFA — a 73% reduction — and organizations report an 81% reduction in sign-in-related help desk calls.

The challenge is the transition: passwords will coexist with passkeys for years. Most services offer passkeys as an optional login method alongside password + MFA, creating a period where both authentication methods — and their respective vulnerabilities — coexist.



Decision Radar (Algeria Lens)

  • Relevance for Algeria: Very High — Identity-based attacks are the leading threat vector globally and Algeria is no exception; government services, banking, and enterprise systems all depend on identity security
  • Infrastructure Ready? Partial — Organizations using Microsoft 365 have access to Entra ID; on-premises Active Directory is common but often misconfigured; PAM solutions remain rare outside large enterprises and telecoms
  • Skills Available? Limited — IAM and PAM administration require specialized skills that are scarce in Algeria; most organizations have basic AD management but lack identity security expertise; no local FIDO2/passkey training programs exist
  • Action Timeline: Immediate — Enable conditional access and phishing-resistant MFA in existing Microsoft 365 tenants now; plan PAM deployment for privileged accounts over 6-12 months; begin passkey pilots within 12 months
  • Key Stakeholders: Government IT departments, Algerian banks (BNA, BEA, CPA), telecom operators (Djezzy, Mobilis, Ooredoo), university IT, enterprise IT teams, CERT.dz
  • Decision Type: Strategic-Operational — Identity is the foundational security layer; getting it right enables everything else

Quick Take: For Algerian organizations already using Microsoft 365 (most enterprises and government agencies), the highest-impact immediate action is enabling Entra ID conditional access policies and deploying phishing-resistant MFA (passkeys or FIDO2 security keys) for all administrator accounts. This is available within existing licensing (Entra ID P1/P2 with Microsoft 365 Business Premium or E3/E5) and addresses the leading attack vector. For privileged access, Microsoft Entra PIM provides just-in-time access and approval workflows included in existing licenses. Organizations with critical on-premises infrastructure should evaluate CyberArk or BeyondTrust for comprehensive PAM. The passkey revolution is accelerating globally — with over a billion users and 48% of top websites already on board — and Algerian organizations should begin passkey pilot programs for internal systems now to build familiarity before passkeys become the default authentication standard.

