NHI Forum


Broken Access Control Remains #1 in the OWASP Top 10 — Here’s What It Means for Identity Security


(@p0-security)

Read full article here: https://www.p0.dev/blog/why-broken-access-control-still-tops-the-owasp-top-10-and-what-it-means-for-identity-security-in-the-era-of-hybrid-cloud/?utm_source=nhimg

 

Broken Access Control has ranked as the number-one security risk in the OWASP Top 10 for several consecutive years. Many assume it’s a traditional application security failure caused by incorrect authorization checks in code. But in 2025, Broken Access Control reflects something much bigger: the growing inability to govern identities and permissions across hybrid and multi-cloud environments.

Modern enterprises run workloads across AWS, Azure, GCP, Kubernetes, and on-premises systems. Each platform has different identity models, different privilege frameworks, and different enforcement mechanisms. When identities span those environments, access control failures no longer occur in the application layer alone — they occur at the infrastructure and identity layers.

This is why Broken Access Control persists, and why it is now central to identity security.

 

Why Broken Access Control Persists

  1. Over-Permissioned Identities

Each cloud provider introduces its own IAM design — AWS IAM policies, Azure AD roles, Kubernetes RBAC, and on-prem LDAP entitlements. With every new environment, permissions multiply:

  • Temporary elevated access becomes permanent
  • Privileged roles accumulate over time
  • Least privilege erodes as environments scale

Attackers exploit excessive entitlements because it’s faster than credential theft. One compromised identity can unlock lateral movement across cloud accounts, CI/CD pipelines, and production assets.

  2. Static Permissions in Dynamic Cloud Networks

Hybrid cloud infrastructure is ephemeral and highly dynamic:

  • Containers redeploy hourly
  • Workloads move across regions and providers
  • Short-lived compute nodes scale up and down automatically

Yet access policies are still largely static — long-lived roles, persistent groups, and inherited privileges that outlive the workloads they were intended for. This mismatch leaves authorization gaps that adversaries abuse post-authentication.

  3. Inconsistent Enforcement Across Clouds

A conditional-access policy in Azure AD does not map 1:1 to AWS IAM, nor to GCP IAM, nor to Kubernetes RBAC. The result is fragmented enforcement:

  • Strict least-privilege in one cloud
  • Relaxed approximation in another
  • Legacy exceptions on-prem

Attackers exploit the weakest environment and pivot into the rest.

  4. Lack of Real-Time Visibility into Effective Access

Most security teams cannot answer the question:
Who can access what — right now?

Without real-time visibility into identity entitlements across clouds, privilege drift and misconfigurations go undetected until exploited.

These failures don’t occur during login.
They happen after authentication, when authorization logic breaks down. Broken Access Control has become a symptom of identity and entitlement sprawl across hybrid cloud estates.

 

The Shift: From Authentication Security to Authorization Governance

Authentication proves who you are.
Authorization governs what you’re allowed to do.

The persistence of Broken Access Control proves that authentication is no longer enough. Identity security now requires runtime entitlement governance — enforcing least-privilege continuously, not once during onboarding.

Three operating model shifts are critical:

Just-in-Time (JIT) and Just-Enough Access (JEA)

Replace standing privileges with:

  • Ephemeral access based on need
  • Time-bounded entitlements
  • Automatic revocation

No identity — human or machine — should retain persistent high-risk access.

Continuous Visibility and Entitlement Analytics

Quarterly access reviews cannot keep pace with multi-cloud change. Organizations need continuous discovery and analysis of effective access across:

  • AWS IAM
  • Azure AD
  • Google IAM
  • Kubernetes RBAC
  • On-prem directories

Drift, privilege escalation, and toxic role combinations must surface in real time.

Automated Least-Privilege Enforcement

Manual access approvals and spreadsheets cannot scale. Hybrid cloud environments require:

  • Policy-based access
  • Automated provisioning and revocation
  • Integration with CI/CD and DevOps workflows

Least-privilege becomes sustainable only when automated.

 

Summary

Broken Access Control remains the top OWASP risk not because developers ignore the problem — but because identity and access management was never designed for the hybrid, multi-cloud world.

As OWASP emphasizes, the most critical vulnerabilities today arise after authentication, when excessive, outdated, or misconfigured entitlements grant attackers unintended power.

To meaningfully reduce risk, organizations must:

  • Govern access at runtime
  • Monitor entitlements continuously
  • Replace static roles with just-in-time and scoped access
  • Enforce least privilege through automation

Until authorization and entitlement governance span AWS, Azure, Kubernetes, GCP, SaaS, and on-prem systems, Broken Access Control will remain the most serious attack surface — and adversaries will continue exploiting the gap between authentication and access.

 



   
Quote
Topic Tags
Share:
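The post raises three concrete questions without showing how they are answered: "who can access what, right now?" across IAM models that do not map 1:1, which standing privileges should become JIT grants that expire on their own, and which identities hold a toxic role combination. The script below is an added example written for this thread; it is not code from the original post, from the linked p0 article, or from any vendor product. It normalises AWS IAM-style policy statements and Kubernetes RBAC rules into one grant model, evaluates effective access at a point in time (expired JIT grants drop out, an explicit Deny beats any Allow), and reports toxic combinations and standing high-risk access. Every principal, policy, namespace, ARN and timestamp in it is constructed sample data, and the toxic-combination rules are illustrative, not an authoritative list.

```python
"""Added example: a toy cross-platform entitlement model.

Answers "who can access what, right now?" over AWS IAM-style policies and
Kubernetes RBAC, honours JIT expiry, and flags toxic combinations.
All principals, policies, ARNs and timestamps below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Grant:
    """One normalised entitlement, independent of the platform that issued it."""
    principal: str                      # e.g. "user:alice", "sa:ci-deployer"
    source: str                         # "aws", "k8s", ...
    effect: str                         # "Allow" or "Deny"
    actions: tuple[str, ...]            # glob patterns, e.g. "s3:*", "k8s:get"
    resources: tuple[str, ...]          # glob patterns
    expires_at: datetime | None = None  # None means standing (non-JIT) access


def _as_tuple(v) -> tuple[str, ...]:
    return (v,) if isinstance(v, str) else tuple(v)


def from_aws_policy(principal: str, policy: dict, expires_at=None) -> list[Grant]:
    """Flatten an IAM policy document (Allow and Deny statements) into Grants."""
    return [Grant(principal, "aws", s["Effect"], _as_tuple(s["Action"]),
                  _as_tuple(s["Resource"]), expires_at) for s in policy["Statement"]]


def from_k8s_role(principal: str, namespace: str, rules: list[dict], expires_at=None) -> list[Grant]:
    """Flatten Kubernetes Role rules; RBAC is allow-only, so every rule is an Allow."""
    return [Grant(principal, "k8s", "Allow",
                  tuple(f"k8s:{v}" for v in r["verbs"]),
                  tuple(f"{namespace}/{res}" for res in r["resources"]), expires_at)
            for r in rules]


def is_allowed(grants, principal: str, action: str, resource: str, now: datetime) -> bool:
    """Effective access at `now`: expired JIT grants are ignored and an explicit
    Deny beats any Allow (AWS evaluation order; the K8s importer never emits Deny)."""
    allowed = False
    for g in grants:
        if g.principal != principal or (g.expires_at is not None and g.expires_at <= now):
            continue
        if any(fnmatchcase(action, a) for a in g.actions) and \
           any(fnmatchcase(resource, r) for r in g.resources):
            if g.effect == "Deny":
                return False
            allowed = True
    return allowed


# Illustrative toxic combinations, probed with concrete (action, resource) pairs.
TOXIC_COMBINATIONS = {
    "aws:passrole+lambda-create": [
        ("iam:PassRole", "arn:aws:iam::123456789012:role/deploy"),
        ("lambda:CreateFunction", "arn:aws:lambda:us-east-1:123456789012:function:x"),
    ],
    "k8s:read-secrets+pod-exec": [("k8s:get", "prod/secrets"), ("k8s:create", "prod/pods/exec")],
}
HIGH_RISK_PROBES = tuple(p for probes in TOXIC_COMBINATIONS.values() for p in probes)


def toxic_combinations(grants, now: datetime, rules=TOXIC_COMBINATIONS) -> dict[str, list[str]]:
    """Principals that, at `now`, hold every piece of a toxic combination."""
    findings = {}
    for principal in sorted({g.principal for g in grants}):
        hits = [name for name, probes in rules.items()
                if all(is_allowed(grants, principal, a, r, now) for a, r in probes)]
        if hits:
            findings[principal] = hits
    return findings


def standing_high_risk(grants, now: datetime, probes=HIGH_RISK_PROBES) -> set[str]:
    """Principals whose standing (non-expiring) grants alone satisfy a high-risk
    probe: the candidates to convert from standing access to JIT grants."""
    standing = [g for g in grants if g.expires_at is None]
    return {p for p in {g.principal for g in standing}
            if any(is_allowed(standing, p, a, r, now) for a, r in probes)}


# Constructed sample estate (not real accounts or identities).
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(hours=2)  # after bob's one-hour JIT window has closed

SAMPLE_GRANTS = (
    # alice: standing AWS access, broad, with one explicit Deny
    from_aws_policy("user:alice", {"Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "iam:PassRole", "lambda:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ]})
    # bob: JIT-elevated in the prod namespace for one hour, auto-revoked by expiry
    + from_k8s_role("user:bob", "prod", [
        {"resources": ["secrets"], "verbs": ["get", "list"]},
        {"resources": ["pods/exec"], "verbs": ["create"]},
    ], expires_at=NOW + timedelta(hours=1))
    # CI service account: standing, read-only, staging only
    + from_k8s_role("sa:ci-deployer", "staging", [
        {"resources": ["deployments"], "verbs": ["get", "list"]},
    ])
)

if __name__ == "__main__":
    print("alice may delete a bucket:",
          is_allowed(SAMPLE_GRANTS, "user:alice", "s3:DeleteBucket", "arn:aws:s3:::b", NOW))
    print("toxic now:  ", toxic_combinations(SAMPLE_GRANTS, NOW))
    print("toxic later:", toxic_combinations(SAMPLE_GRANTS, LATER))
    print("standing high-risk:", standing_high_risk(SAMPLE_GRANTS, NOW))
```

Two design points matter here. First, every question is asked against a timestamp, so the same grant set gives different answers at NOW and at LATER: bob's toxic combination disappears on its own once the JIT window closes, which is the "automatic revocation" the post calls for. Second, the per-platform importers do the mapping once, so the toxic-combination and standing-access checks run over one model instead of one implementation per cloud; that is what makes enforcement consistent rather than a "relaxed approximation" in whichever platform got the least attention. In a real deployment the importers would be fed from the provider APIs, and the inputs (trust policies, permission boundaries, SCPs, ClusterRoleBindings, group membership) are far richer than this toy handles.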