In Verizon’s Data Breach Investigations Report, the use of stolen credentials accounted for 24% of total breaches, topping the list. The tactics, techniques, and procedures (TTPs) used by threat actors are constantly evolving, with AI-generated phishing and deepfake-based social engineering enhancing the sophistication of attacks. Organizations need to be able to adapt their security posture to stay ahead of such evolving threats.
During discussions with our customers, we have observed a growing intersection between Secure Access Service Edge (SASE) and identity security. Security and networking teams increasingly face challenges when securing hybrid, on-prem and cloud environments, making it essential to integrate identity-first security controls into their SASE deployments as the gatekeeper. This blog highlights simple tenets observed across our customers, ranging from large enterprises to small companies.
First, we are often asked about the relationship between Secure Access Service Edge (SASE) and identity security. Identity threats, such as credential theft and privilege escalation, have become commonplace, enabling quick unauthorized access and a swift mechanism to move laterally within a network undetected.
SASE brings identity into the infrastructure by enforcing identity-aware policies at every point of access—whether at the branch, in the cloud, or for remote users. By integrating identity into the fabric of security, SASE ensures that access decisions can be based on user identity, device posture, contextual factors, or a combination of these, rather than relying solely on network location. This enables continuous verification and adaptive access control, reducing reliance on implicit trust and mitigating risks associated with compromised credentials or unauthorized access.
SASE combined with identity security across all enforcement points strengthens Zero Trust principles by dynamically adjusting permissions based on real-time risk assessments. This minimizes the attack surface while ensuring that users only have access to the applications and data they need, regardless of where they connect from.
Over the years, our customers have converged identity security and SASE to strengthen their security posture and implement defense in depth. Many initially struggled to implement a cohesive network access and security approach that adequately addressed both network and identity threats. Through these experiences, best practices have emerged that help our customers secure access, reduce attack surfaces, and enhance security resilience.
One of the core principles of Zero Trust security is ensuring that users only have access to the resources necessary for their roles. Enforce least-privilege access by assigning permissions based on required access, limiting exposure to sensitive systems and reducing the risk of insider threats, privilege abuse, and data breaches. Dynamic access controls further enhance security by adapting permissions based on real-time risk assessments, ensuring compliance with security policies and regulatory requirements.
The impact of limited access controls: UnitedHealth Breach
The consequences of failing to implement identity controls across the infrastructure were seen in the breach of UnitedHealth’s payment processing systems. Attackers exploited stolen Citrix credentials that lacked multi-factor authentication (MFA), gaining unauthorized access to critical financial and healthcare systems. This breach resulted in $872 million in damages and a $22 million ransom payment.
Over-privileged access allowed attackers to move laterally within the network, expanding their reach and increasing the severity of the attack. Least-privilege controls could have limited access, and with it the scale and scope of the attack. Additionally, enforcing step-up authentication for high-risk transactions and critical systems would have significantly reduced the likelihood of compromise.
Implementing continuous verification ensures that security policies dynamically adapt to evolving risks—not just at the time of initial access but throughout the entire session. As an example, APT29 hackers used a password spraying attack to access a non-production account without MFA. Critically, they then escalated privileges via an OAuth app to reach critical systems. The breach shows how attackers exploit weak authentication to move laterally, expand their foothold and exfiltrate data.
Continuous monitoring of user and device behavior could have limited the impact—detecting anomalous activity, enforcing risk-based policies, and disrupting unauthorized access before it escalated. And by integrating User and Entity Behavior Analytics (UEBA) with Secure Access Service Edge (SASE), you can enforce identity-aware, adaptive security policies that not only verify users at login but also continuously assess their behavior throughout the session.
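As an added illustration (example code, not Versa's product or any customer's configuration) of what session-long, identity-aware policy evaluation looks like when it ties together the least-privilege roles, step-up authentication and behavioral risk signals discussed above: the role table, event shape and risk thresholds are assumptions made for the example.

```python
# Added example: session-long, identity-aware access decisions combining
# least privilege, device posture, step-up MFA and a UEBA-style risk score.
# Role table, event shape and thresholds are illustrative assumptions.
from dataclasses import dataclass, field

# Least-privilege role table (assumed): apps each role is allowed to reach.
ROLE_ACCESS = {
    "claims-agent": {"claims-portal", "email"},
    "finance": {"payments", "email"},
}
HIGH_RISK_APPS = {"payments"}  # always require step-up authentication
STEP_UP_AT, DENY_AT = 4, 10    # risk-score thresholds (assumed)

@dataclass
class Session:
    user: str
    role: str
    mfa_verified: bool          # strong auth completed for this session
    device_compliant: bool      # device posture from the endpoint agent
    risk: int = 0               # accumulates across the whole session
    countries: set = field(default_factory=set)
    failed_logins: int = 0

def observe(session: Session, event: dict) -> int:
    """Fold one behaviour event into the session risk; returns the new score."""
    kind = event["type"]
    if kind == "login":
        session.countries.add(event["country"])
        if len(session.countries) > 1:      # new geography mid-session
            session.risk += 5
        if not event.get("success", True):
            session.failed_logins += 1
            if session.failed_logins >= 3:  # spraying / guessing pattern
                session.risk += 4
    elif kind == "privilege_change":        # e.g. new OAuth grant or role
        session.risk += 6
    return session.risk

def decide(session: Session, app: str) -> str:
    """Return 'allow', 'step-up' or 'deny' for an access request at any point."""
    if app not in ROLE_ACCESS.get(session.role, set()):
        return "deny"                       # least privilege: outside the role
    if not session.device_compliant or session.risk >= DENY_AT:
        return "deny"                       # posture failure or risk ceiling
    if app in HIGH_RISK_APPS or session.risk >= STEP_UP_AT:
        return "allow" if session.mfa_verified else "step-up"
    return "allow"
```

The point is that `decide` is called for every access request during the session, not only at login, so a risk signal such as a new privilege grant changes the answer for requests that were previously allowed.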
Continuous monitoring typically involves three core steps:
A multi-layered approach combining Secure Access Service Edge (SASE) with Zero Trust, and behavioral analytics ensures real-time threat detection, dynamic access controls, and proactive identity protection. By embedding security at every access point and continuously assessing risk, you can reduce exposure to credential-based attacks, unauthorized access, and lateral movement. Identity is now the frontline of cybersecurity—strengthening it with the right tools and strategies is essential to staying ahead of evolving threats.