Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Authn and authz are diverging under modern IAM pressure


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Authentication and authorization are the two core controls that determine who a system accepts and what that identity can do, and Opal Security uses a Deloitte breach to show how weak password-only access and overbroad permissions can cascade into enterprise-wide compromise. The lesson is that IAM programmes fail when verification and privilege governance are treated as separate problems instead of one control plane.

NHIMG editorial — based on content published by Opal Security: Authn and Authz: Two Sides of the IAM Coin

Questions worth separating out

Q: How should security teams balance authentication strength and authorization scope?

A: Security teams should treat authentication and authorization as one decision chain.

Q: Why do privileged accounts create such large breach impact?

A: Privileged accounts often sit at the intersection of identity, administration, and internal connectivity.

Q: What do security teams get wrong about MFA and access control?

A: Teams often assume MFA solves the access problem by itself.

Practitioner guidance

  • Strengthen privileged authentication Require phishing-resistant factors for all administrative and high-value accounts, and remove password-only access wherever a compromise would expose internal systems or data.
  • Reduce administrative blast radius Rebuild privileged roles so no single administrator account can reach broad internal assets by default.
  • Tie authorization to job function Review whether role assignments reflect current operational need or historical convenience.

What's in the full article

Opal Security's full post covers the detailed authentication methods, authorization models, and failure examples this post intentionally leaves at a higher level of analysis:

  • Factor-by-factor discussion of passwords, MFA, biometrics, geolocation, and behavioural authentication
  • Expanded walkthrough of RBAC, ABAC, DAC, MAC, and emergency access control models
  • The full Deloitte breach narrative with the access path, persistence details, and control failures
  • Practical examples of how contextual and conditional controls change authorization decisions

👉 Read Opal Security's analysis of authn, authz, and IAM failure modes →

Authn and authz are diverging under modern IAM pressure?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Authentication and authorization are no longer separable IAM disciplines. The article’s core lesson is that identity proof and privilege scope now fail together, because an attacker who crosses the first gate often inherits the second one too. That means IAM programmes must be judged on the combined strength of verification and authorization, not on MFA coverage or role design in isolation. Practitioners should treat the two controls as one continuous governance decision.

A few things that frame the scale:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • Another finding from the same research shows that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility.

A question worth separating out:

Q: Who is accountable when an overprivileged account is compromised?

A: Accountability usually spans identity owners, application owners, and security governance because the failure is rarely one control alone. The organisation must decide who approves privilege, who reviews it, and who is responsible when a role outlives its business need. That ownership should be explicit for every privileged account class.

👉 Read our full editorial: Authn and Authz expose the limits of human-scale IAM



   
ReplyQuote
Share: