Dean Watson, Lead Solutions Expert, Secure Networking, Infinigate (UK&I)
Identity-based attacks are becoming the biggest challenge facing modern IT security. Dean Watson, Lead Solutions Expert, Secure Networking, Infinigate (UK&I), explains how managed service providers can build resilient IAM services and which technologies are key to this effort.

The attack surface of organizations has shifted significantly in recent years: cybercriminals are increasingly exploiting weaknesses in human identity as a primary gateway to sensitive data. This is no longer just about rapid data theft, but about infiltrating infrastructures through compromised identities and establishing long-term persistence.

Managed service providers must therefore offer far more than simple multi-factor authentication (MFA) licenses.

As recent incidents such as the breach at Figure Technology Solutions demonstrate, employee profiling has become a highly effective tactic. By combining publicly available information with easily predictable corporate email addresses, attackers can reconstruct valid credentials at scale, bypassing traditional security controls.

However, the real danger begins after the first successful login. Groups such as Scattered Spider exfiltrate entire identity databases to impersonate legitimate users through “masquerading.” Equipped with these digital master keys, attackers can move invisibly through networks without triggering alarms.

For IT service providers, this means that simply selling MFA licenses is no longer sufficient to protect organizations against today’s threats. An effective managed identity service must instead focus directly on monitoring user behavior and be built on three operational pillars.

The Architecture of Resilient Identity Services

Effective Identity and Access Management (IAM) is not a one-size-fits-all solution. Customers’ unique needs, goals, and environments determine which identity controls are most effective. Rather than focusing on specific tools, organizations should define three core functions that a managed service must provide:

  1. Coverage: Eliminating Blind Spots

Without complete visibility, effective monitoring is impossible.

Coverage means the IAM solution acts as a “single source of truth” covering the entire enterprise ecosystem. In mature infrastructures, legacy systems represent a major risk because they often do not natively support modern authentication protocols.

Managed services address this challenge through proxy solutions or containerization, enabling legacy systems to integrate into centralized identity management.

  2. Correlation: From Log Files to Behavioral Analytics

Given the complexity of modern networks, manually reviewing login data is unrealistic.

Managed services provide value through correlation capabilities. Systems must automatically analyze login information and detect suspicious patterns. One example is the “impossible travel” scenario, where the same identity logs in from geographically impossible locations within a short timeframe.

The goal is to automatically flag anomalies so IT experts only intervene when a legitimate threat is identified.
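To make the “impossible travel” rule concrete, here is an added example (not code from the article or from any Infinigate product) that correlates consecutive logins of the same identity and flags pairs whose implied speed exceeds a plausible maximum. The event format, the 900 km/h threshold and the sample login records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold: roughly airliner cruising speed

@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime  # UTC time of the successful login
    lat: float
    lon: float
    city: str

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))  # 6371 km: mean Earth radius

def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Compare each login with the previous login of the same identity and
    flag pairs whose implied speed exceeds max_kmh. Returns a list of
    (user, from_city, to_city, implied_kmh) tuples."""
    alerts, last_seen = [], {}
    for ev in sorted(events, key=lambda e: (e.user, e.ts)):
        prev = last_seen.get(ev.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.ts - prev.ts).total_seconds() / 3600.0
            # Same-place logins are never impossible travel; a non-zero
            # distance in zero time is treated as infinite speed.
            if km > 0:
                speed = float("inf") if hours == 0 else km / hours
                if speed > max_kmh:
                    alerts.append((ev.user, prev.city, ev.city, speed))
        last_seen[ev.user] = ev
    return alerts

def _utc(h, m=0):
    return datetime(2024, 1, 15, h, m, tzinfo=timezone.utc)

# Constructed sample log: alice "travels" London -> Sydney in 90 minutes,
# bob drives Berlin -> Munich over six hours.
SAMPLE_EVENTS = [
    Login("alice", _utc(9, 0), 51.5074, -0.1278, "London"),
    Login("bob", _utc(8, 0), 52.5200, 13.4050, "Berlin"),
    Login("alice", _utc(10, 30), -33.8688, 151.2093, "Sydney"),
    Login("bob", _utc(14, 0), 48.1351, 11.5820, "Munich"),
]
```

Running `impossible_travel(SAMPLE_EVENTS)` flags only alice; bob's 500 km in six hours stays below the threshold.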

  3. Reporting: Combating Alert Fatigue

The quality of an IAM solution should not be measured by the number of alerts generated, but by their relevance.

Effective reporting must deliver clear and actionable intelligence that enables rapid decision-making. Escalation paths should ensure that IT security teams and administrators are alerted only in the case of real threats, while automated processes filter background noise.

The objective is to reduce Mean Time to Respond (MTTR) through actionable data while preventing alert overload.

Technological Enablers for Managed Services

To implement these three pillars successfully, organizations require technologies that go beyond static permission models.

Risk-Based Authentication (RBA) acts as a dynamic control layer that triggers additional security verification only when defined risk thresholds are exceeded. Instead of applying rigid authentication barriers to all users, the system evaluates each access session individually based on contextual data.

The necessary data foundation is provided by User and Entity Behavior Analytics (UEBA). Using machine learning, UEBA builds behavioral profiles including typical working hours, devices, and IP locations. When activity deviates significantly from normal behavior, the system automatically requests additional verification or proactively blocks access.
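As an added illustration of how RBA and UEBA fit together (example code written for this page, not code from the article or any vendor), the following scores one access session against a learned behavioral baseline and maps the score to allow, step-up or block. The baseline fields, the weights and the two thresholds are assumptions; a real UEBA engine would learn the profile from history rather than hard-code it.

```python
from dataclasses import dataclass

STEP_UP_THRESHOLD = 30  # assumed: at or above this, request additional verification
BLOCK_THRESHOLD = 70    # assumed: at or above this, block the session outright

@dataclass
class Baseline:
    """What a UEBA engine would learn for one identity from past activity."""
    work_hours: range          # typical login hours (UTC)
    known_devices: set         # device identifiers seen before
    known_countries: set       # countries of previously seen source IPs
    weekend_logins: bool = False

@dataclass
class Session:
    """Contextual data available at the moment of an access request."""
    user: str
    hour: int                  # 0-23 UTC
    weekday: int               # 0 = Monday ... 6 = Sunday
    device_id: str
    country: str
    bad_ip_reputation: bool = False

# Assumed weights: how strongly each deviation from the baseline counts.
WEIGHTS = {"outside typical hours": 20, "weekend login": 10,
           "unknown device": 30, "new country": 35, "bad IP reputation": 40}

def risk_score(s, b):
    """Return (score, reasons); every deviation from the baseline adds its weight."""
    checks = [("outside typical hours", s.hour not in b.work_hours),
              ("weekend login", s.weekday >= 5 and not b.weekend_logins),
              ("unknown device", s.device_id not in b.known_devices),
              ("new country", s.country not in b.known_countries),
              ("bad IP reputation", s.bad_ip_reputation)]
    reasons = [name for name, hit in checks if hit]
    return sum(WEIGHTS[r] for r in reasons), reasons

def decide(s, b):
    """Dynamic control layer: allow silently, ask for step-up, or block."""
    score, reasons = risk_score(s, b)
    if score >= BLOCK_THRESHOLD:
        return "block", score, reasons
    if score >= STEP_UP_THRESHOLD:
        return "step_up", score, reasons
    return "allow", score, reasons

# Constructed baseline for "alice" (a real UEBA engine learns this from history).
ALICE = Baseline(range(8, 19), {"laptop-01"}, {"DE"})
```

A login from alice's known laptop during working hours scores 0 and passes silently; the same login from an unknown phone reaches the step-up threshold, and a night-time weekend login from a new device, new country and bad-reputation IP is blocked.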

Despite advanced analytics, passwords remain the weakest point in every security architecture. Therefore, integrating FIDO2 passkeys has become standard practice for managed services.

Hardware tokens and software-based passkeys virtually eliminate phishing and password-guessing attacks. Organizations that consistently implement FIDO2 can neutralize approximately 90% of anomalous login attempts because transferable credentials no longer exist.

Implementation: An Operational Roadmap for Channel Partners

Building a managed identity service requires a systematic transformation of operational models.

  1. Build Internal Resilience (Self-Audit)

Before offering identity services to customers, managed service providers must secure their own infrastructures. Administrative access should be protected with MFA and FIDO2 to mitigate supply-chain risks.

This serves both as risk management and as a validated blueprint for customer projects.

  2. Standardize the Solution Stack

Profitability in managed services comes through standardization.

Providers do not need to support dozens of IAM solutions. Focusing on one or two core platforms—often including Microsoft Entra ID—allows technical teams to develop deeper expertise and automate workflows across multiple customer environments.

  3. Develop an Onboarding Concept

Migrating existing user directories is often the biggest operational challenge.

Faulty migration processes can cause business-critical outages if permissions are transferred incorrectly or legitimate users are excluded. Standardized onboarding playbooks are therefore essential to regulate identity migration, legacy integration, and profile creation without disrupting operations.

  4. Continuous Review Cycles

Identity protection must never be considered static.

A mature solution includes quarterly reviews to adapt policies and risk thresholds to evolving threats and compliance requirements. The goal is continuous optimization of detection rates while minimizing false positives.

Conclusion: Identity as the Foundation of Cyber Resilience

The shift of attack vectors toward identity forces organizations and IT service providers to rethink cybersecurity.

As traditional security barriers are bypassed through techniques such as masquerading, continuous monitoring and correlation of access patterns become central components of defense strategies.

For channel partners, value creation is shifting from simple license sales to the continuous protection of identity infrastructures. A resilient managed identity service requires not only tools, but also the operational integration of monitoring and rapid response processes.

When the three pillars—Coverage, Correlation, and Reporting—are consistently implemented and reinforced by standards such as FIDO2, identity risks can not only be detected but proactively neutralized.

By Jakob Jung

Dr. Jakob Jung is Editor-in-Chief of Security Storage and Channel Germany. He has been working in IT journalism for more than 20 years. His career includes Computer Reseller News, Heise Resale, Informationweek, Techtarget (storage and data center) and ChannelBiz. He also freelances for numerous IT publications, including Computerwoche, Channelpartner, IT-Business, Storage-Insider and ZDnet. His main topics are channel, storage, security, data center, ERP and CRM. Contact via Mail: jakob.jung@security-storage-und-channel-germany.de
