
This blog was first published in 2021 and has been updated. 

Identity security starts with authentication: proving you are who you claim to be is the first step in enforcing organizational security, but it is far from the last one. For too many organizations, what happens after authentication is a major blind spot. Access gets provisioned. Accounts accumulate permissions. People change roles or leave. And without a clear, continuously enforced understanding of who should have access to what, when, and why, the gaps compound quietly.

The pandemic nearly tripled remote work, leading to a significant spike in access requests. That scale made the gaps harder to ignore. Hackers breached Colonial Pipeline’s networks using a VPN account that was no longer in active use. It was not a sophisticated exploit. It was an access governance failure, and exactly the kind that identity governance and administration (IGA) is specifically designed to prevent. As hybrid work becomes the default, getting post-authentication security right is no longer optional.

Challenges of securing a hybrid workplace

Hybrid work didn’t just change where people work. It changed what organizations have to defend. When employees access corporate resources from home networks, coffee shops, and shared workspaces, the traditional security perimeter stops being meaningful. The question is no longer “is this person inside the network?” It’s “should this person have access to this resource, right now, from this context?” That shift introduces a set of challenges that perimeter-based security was never designed to handle.

Access sprawl 

Remote work surged almost overnight during the pandemic, and with it came a flood of new access requests. Employees needed VPNs, SaaS applications, cloud resources, and collaboration tools, often all at once. Security teams provisioned access quickly to keep the business moving. But access that gets provisioned fast rarely gets reviewed carefully. The result is entitlement drift. Users accumulate permissions they no longer need, across systems that security teams can no longer fully see.

Orphaned and dormant accounts

Attackers don’t need to break in when a door has been left open. Dormant accounts, credentials that still exist long after an employee has left or changed roles, are exactly that kind of open door. The Colonial Pipeline breach is a well-documented example: attackers gained access through a VPN account that was no longer in active use. It wasn’t a sophisticated exploit. It was an access governance failure. And it’s far from unique.

Third-party and contractor access

Hybrid workforces rarely operate in isolation. Vendors, contractors, and partners regularly need access to internal systems to do their work. That access is typically granted as needed and rarely revisited. Organizations end up with a long tail of third-party credentials that sit outside normal provisioning and review cycles, creating exactly the kind of implicit trust that zero trust is designed to eliminate.

Lateral movement risk

Once an attacker has one set of valid credentials, the real question is how far they can go. In environments with weak access boundaries, the answer is often: very far. Lateral movement, using legitimate access to navigate deeper into a network, is one of the most common patterns in enterprise breaches. The best defense is not better detection after the fact. It’s ensuring that even a compromised account cannot reach systems it was never supposed to touch.

Visibility gaps

You cannot govern what you cannot see. In hybrid environments, identity data is rarely in one place. Employees authenticate into on-premises systems, cloud applications, SaaS tools, and infrastructure platforms, often through different directories and access controls. Without a unified view of who has access to what, security teams are left making access decisions with incomplete information, and access reviews become a best guess rather than a reliable control.

Balancing security and privacy

Getting security right in a hybrid environment means enabling access, not just restricting it. The goal of identity governance is not to lock everything down; it is to ensure the right people have the right access without creating friction for those who are doing exactly what they should be. That balance requires policy, automation, and governance working together, not just tighter restrictions.

Key components of securing a hybrid workplace

A mature identity governance program addresses these challenges by building security directly into how access is granted, monitored, and revoked. The core components include:

  • Identity governance and administration (IGA). The foundational layer. IGA defines who should have access to what, automates provisioning and de-provisioning, and creates an auditable record of every access decision.
  • Role-based access control (RBAC). Assigning permissions based on job function rather than individual negotiation. RBAC limits the blast radius of any compromised account and makes access reviews significantly faster.
  • Continuous access reviews. Periodic certifications that verify whether current entitlements still match current job responsibilities, catching privilege creep before it becomes a liability.
  • Automated de-provisioning. Instantly revoking access when employees leave, change roles, or go offline eliminates the dormant account risk that enabled the Colonial Pipeline breach.
  • Anomaly detection and behavioral analytics. Identifying unusual access patterns that may indicate a compromised credential or insider threat, even when the login itself appeared legitimate.
  • Zero trust network access (ZTNA). Replacing implicit trust based on network location with continuous verification of identity, device health, and context before granting access to any resource.
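
As an added illustration (not code from RSA or ID Plus), the sketch below shows what a single access review pass can look like when an HR roster, an RBAC role baseline, and an account inventory are joined: it flags orphaned accounts, accounts of terminated users, expired third-party access, entitlement drift, and dormant logins. All names, data, and the 90-day dormancy threshold are constructed assumptions.

```python
from datetime import date

# Constructed sample data (not from any real system).
HR = {  # identity -> (status, role, contract_end or None)
    "alice": ("active", "engineer", None),
    "bob": ("terminated", "engineer", None),
    "carol": ("active", "finance", None),
    "vendor-x": ("active", "contractor", date(2024, 1, 31)),
}
ROLE_BASELINE = {  # RBAC: entitlements each role is expected to hold
    "engineer": {"vpn", "git", "ci"},
    "finance": {"vpn", "erp"},
    "contractor": {"vpn"},
}
ACCOUNTS = [  # (account, owner identity, entitlements, last login)
    ("alice", "alice", {"vpn", "git", "ci"}, date(2024, 5, 28)),
    ("bob-vpn", "bob", {"vpn"}, date(2023, 11, 2)),
    ("carol", "carol", {"vpn", "erp", "git"}, date(2024, 5, 30)),
    ("vendor-x", "vendor-x", {"vpn"}, date(2024, 5, 29)),
    ("svc-legacy", None, {"vpn", "erp"}, date(2022, 8, 14)),
]

def review_access(accounts, hr, baseline, today, dormant_days=90):
    """Return {account: [findings]} for accounts that need action."""
    findings = {}
    for name, owner, ents, last_login in accounts:
        issues = []
        record = hr.get(owner)
        if record is None:
            issues.append("orphaned: no owner in HR")
        else:
            status, role, contract_end = record
            if status != "active":
                issues.append("owner terminated: deprovision")
            if contract_end and contract_end < today:
                issues.append("third-party contract ended")
            extra = ents - baseline.get(role, set())
            if extra:
                issues.append("drift: " + ",".join(sorted(extra)))
        if (today - last_login).days > dormant_days:
            issues.append("dormant: no login in %d days" % dormant_days)
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for acct, issues in review_access(ACCOUNTS, HR, ROLE_BASELINE, date(2024, 6, 1)).items():
        print(acct, "->", "; ".join(issues))
```

Note that the dormancy check alone would miss `vendor-x`, which logs in regularly after its contract ended; the join against the authoritative roster is what catches it.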

Ensure the right people have the right access

Building a mature identity governance and administration (IGA) program starts with understanding the post-authentication gap and closing it. IGA provides the post-authentication security that today’s businesses need to maintain productivity while still ensuring security.

That means giving security teams the tools to automate access decisions, reveal anomalies, and control the identity plane at the scale that hybrid work demands.

In practice, that looks like:

  • Understanding what happens when a pen-tester can gain access and move laterally within a corporate network, and how IGA can limit that kind of movement.
  • Evaluating whether user-centric identity is still a possibility and how it aligns with IGA.
  • Using role-based access control to authenticate users, systems, applications, and data in a way that is precise enough to protect the business without slowing it down.

RSA ID Plus can support users across environments, including in cloud, hybrid, and on-premises configurations. Learn more about the solution or start your free trial of ID Plus now.

Hybrid Workforce IAM FAQs

What is identity governance and administration (IGA)?

IGA is the set of policies, processes, and tools that organizations use to manage digital identities and control access to systems and data. It goes beyond authentication to govern what users are actually permitted to do once they’re inside a network.

How does IGA support a zero trust security model?

Zero trust assumes no user or device is inherently trustworthy. IGA operationalizes this by enforcing least-privilege access, automating access reviews, and continuously evaluating whether a given identity should still have access to a given resource.

Why is identity governance more important for hybrid workforces?

Hybrid work dramatically increases the number of access requests, remote entry points, and entitlement combinations an organization must manage. Without IGA, this complexity creates gaps that attackers can exploit, including dormant accounts, over-provisioned roles, and unreviewed third-party access.

What is lateral movement and how does IGA prevent it?

Lateral movement is when an attacker uses one compromised account to navigate deeper into a network. IGA limits this by enforcing strict access boundaries, so that even if one account is compromised, the attacker cannot access systems or data outside that account’s authorized scope.
