TL;DR: OWASP’s latest Top 10 again places Broken Access Control at number one, reflecting how over-permissioned identities, static entitlements, and inconsistent enforcement across hybrid estates still leave authenticated users and workloads able to act beyond intended scope, according to P0 Security. The real gap is runtime entitlement governance, not login verification.
NHIMG editorial — based on content published by P0 Security: Why broken access control still tops the OWASP Top 10 and what it means for identity security in the era of hybrid cloud
By the numbers:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
Questions worth separating out
Q: How should security teams govern access across hybrid cloud environments?
A: Security teams should govern hybrid access by measuring effective permissions, meaning what an identity can actually do once every policy, role assumption, group membership and inherited binding is resolved, not just the permissions that were approved at provisioning time.
Q: Why does broken access control persist even when IAM policies exist?
A: Broken access control persists because policies are often static while infrastructure and identities are dynamic.
Q: What do teams get wrong about least privilege in cloud and on-prem estates?
A: Teams often treat least privilege as a one-time provisioning decision instead of a runtime condition that has to be re-evaluated as workloads, data and entitlements change.
Practitioner guidance
- Inventory effective access across all control planes: build one view of effective permissions across AWS IAM, Azure roles, Kubernetes RBAC, and on-prem directories.
- Tie temporary access to task completion: replace persistent elevation with time-bounded access that expires when the work ends.
- Review cross-environment privilege combinations: look for identities that are benign in one system but dangerous when combined with rights in another.
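The three guidance points above can be exercised together in a small inventory script. The following is an added example written for this editorial; it is not P0 Security's code and not a faithful model of any vendor's policy engine. The evaluation rules are simplifying assumptions: AWS-style statements with Effect and Action, an explicit Deny beating any Allow, case-insensitive wildcards, Kubernetes-style RBAC rules flattened to `verb:resource` strings, and an optional `expires_at` field on every grant so that effective access is computed at a point in time rather than from the approved set. The action catalogue, the CI deployer identity and the toxic-combination table are constructed sample data.

```python
"""Effective-permission inventory across two control planes (added example).

Assumptions, not real provider behaviour: simplified AWS-style policy
evaluation, Kubernetes-style RBAC flattening, and a hypothetical
`expires_at` field on grants to model just-in-time access.
"""
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Constructed catalogue used to expand wildcards. A real inventory would pull
# this from the provider's published action list.
AWS_ACTIONS = [
    "secretsmanager:GetSecretValue",
    "secretsmanager:ListSecrets",
    "s3:GetObject",
    "s3:PutObject",
    "iam:PassRole",
]
K8S_VERBS = ["get", "list", "create", "delete"]
K8S_RESOURCES = ["pods", "secrets", "deployments"]


def _matches(patterns, value):
    """Case-insensitive glob match; `patterns` may be a string or a list."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)


def _live(grants, now):
    """Drop grants whose (hypothetical) expires_at has passed."""
    return [g for g in grants if g.get("expires_at") is None or g["expires_at"] > now]


def aws_effective(statements, now):
    """Resolve effective AWS actions at time `now`: expired grants are ignored,
    an explicit Deny beats any Allow, everything else is implicitly denied."""
    live = _live(statements, now)
    effective = set()
    for action in AWS_ACTIONS:
        if any(s["Effect"] == "Deny" and _matches(s["Action"], action) for s in live):
            continue
        if any(s["Effect"] == "Allow" and _matches(s["Action"], action) for s in live):
            effective.add("aws:" + action)
    return effective


def k8s_effective(rules, now):
    """Flatten RBAC rules into 'k8s:<verb>:<resource>' strings at time `now`."""
    effective = set()
    for r in _live(rules, now):
        verbs = K8S_VERBS if "*" in r["verbs"] else r["verbs"]
        resources = K8S_RESOURCES if "*" in r["resources"] else r["resources"]
        effective.update(f"k8s:{v}:{res}" for v in verbs for res in resources)
    return effective


# Constructed cross-plane combinations: each right is unremarkable alone.
TOXIC_COMBINATIONS = {
    frozenset({"aws:secretsmanager:GetSecretValue", "k8s:create:pods"}):
        "can read cloud secrets and launch workloads that use them",
    frozenset({"k8s:get:secrets", "aws:s3:PutObject"}):
        "can read cluster secrets and write them to object storage",
}


def standing_grants(grants):
    """Allow-type grants with no expiry, i.e. persistent elevation."""
    return [g for g in grants if g.get("expires_at") is None and g.get("Effect", "Allow") == "Allow"]


def review_identity(name, aws_statements, k8s_rules, now):
    """One view of effective access plus the findings a reviewer would want."""
    effective = aws_effective(aws_statements, now) | k8s_effective(k8s_rules, now)
    toxic = [why for combo, why in TOXIC_COMBINATIONS.items() if combo <= effective]
    standing = len(standing_grants(aws_statements + k8s_rules))
    return {"identity": name, "effective": effective, "toxic": toxic, "standing": standing}


# Constructed CI deployer: broad S3 allow, an explicit deny carving out writes,
# and a two-hour just-in-time grant to read one secret for a deployment.
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(hours=3)  # after the JIT grant has lapsed
CI_AWS = [
    {"Effect": "Allow", "Action": "s3:*"},
    {"Effect": "Deny", "Action": "s3:PutObject"},
    {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
     "expires_at": NOW + timedelta(hours=2)},
]
CI_K8S = [{"verbs": ["create", "get"], "resources": ["pods"]}]

if __name__ == "__main__":
    for when in (NOW, LATER):
        print(when.isoformat(), review_identity("ci-deployer", CI_AWS, CI_K8S, when))
```

Run at `NOW`, the deployer's effective set is `s3:GetObject` (the deny removes `PutObject` despite the `s3:*` allow), the temporary secret read, and pod create/get, which together trip the first toxic combination; run at `LATER`, the expired grant drops out and the finding disappears while the two standing grants remain flagged. The point the guidance makes is visible in the diff between the two runs: the same approved policy produces different effective access depending on when it is evaluated.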
What's in the full article
P0 Security's full article covers the operational detail this post intentionally leaves for the source:
- The OWASP Top 10 changes and how broken access control compares with the other ranked issues
- Examples of how AWS, Azure, Kubernetes, and on-prem identity models diverge in practice
- The article's own view of why runtime entitlement enforcement is harder than authentication hardening
- The original wording and context around just-in-time and continuous access governance
👉 Read P0 Security's analysis of broken access control in hybrid cloud →
Broken access control in hybrid cloud: is IAM keeping up?