IAM

TL;DR If you’re leading or supporting an Identity and Access Management (IAM) program, you’re already touching all five functions of the NIST Cybersecurity Framework (CSF)—you just may not be thinking of it that way. This post breaks down how each function of the NIST CSF maps directly to your identity lifecycle, from provisioning to detection to post-breach recovery. 🧠 Background: Why NIST CSF Still Matters The NIST Cybersecurity Framework (CSF) remains a go-to model for organizations aiming to assess and improve their security posture....

TL;DR In 2025, non-human identities (NHIs)—like bots, service accounts, and automation agents—are no longer passive infrastructure components. They can now request access, trigger workflows, and even be AI-augmented. That makes them riskier than ever. This post breaks down how to spot bad practices, apply controls, and align your IAM strategy to handle NHIs like first-class identities. 🧠 Background: What Are Enhanced NHIs? Traditionally, non-human identities were limited to API keys or service accounts performing narrow tasks....

Introduction Identity and Access Management (IAM) is the foundation of organizational security. Yet, even the most well-intentioned IAM deployments are riddled with misconfigurations that open dangerous backdoors for attackers. In today’s cloud-first and hybrid work environments, a single oversight in IAM can lead to data breaches, compliance violations, and business disruptions. In this article, we’ll walk through the most common IAM misconfigurations—and how to avoid them using practical strategies, with real-world examples to highlight the risks....

Passwords in the Wild: Why Credential Hygiene Still Matters in 2025 In today’s digital age, protecting your online identity and personal information has become more crucial than ever. Cyber threats are continually evolving, and one of the most effective ways to safeguard yourself against these risks is by practicing excellent password hygiene. Here’s why it matters and what steps you can take to ensure your passwords are strong and secure....

The High Cost of Poor Privileged Account Management In the past year, several major security breaches were traced back to basic failures in privileged account management. Weak controls on admin-level accounts – from not using multi-factor authentication (MFA) to poor password hygiene – have proven to be low-hanging fruit for attackers. Microsoft reports that over 99.9% of compromised accounts lacked MFA, making them easy targets for password attacks ( Security at your organization - Multifactor authentication (MFA) statistics - Partner Center | Microsoft Learn )....

Zero Trust Human: Never Trust a Ping Without the Proof (Especially in 2025) In today’s hyper-connected world, our devices are constantly vying for our attention. Notifications, emails, and calls flood our screens, each demanding immediate action. A text message claims your package is delayed. An email warns your bank account is locked. A phone call demands payment for unpaid taxes. It’s tempting to react impulsively, but in an era increasingly shaped by sophisticated AI-powered scams, blind trust is a dangerous vulnerability....

Acceptable Use Policy Overview This Acceptable Use Policy (“AUP”) establishes clear rules and guidelines for the responsible, secure, and ethical use of company-owned or managed systems, devices, accounts, and data resources. Adherence to this policy helps safeguard organizational assets and maintain compliance with all applicable laws and regulations. Scope This policy applies to all employees, contractors, interns, consultants, temporary staff, and third-party users who access or interact with any company technology resources, whether on-premises or remotely....

Access Provisioning and Deprovisioning Policy Overview This policy establishes the requirements and processes for securely granting, modifying, and revoking access to company systems, applications, and data—for all identities, both human and non-human (e.g., API accounts, service accounts, bots). Its goal is to minimize unauthorized access risk, support compliance, and ensure all access is appropriate for the assigned purpose. Scope This policy applies to all information systems, applications, data, and resources owned, managed, or controlled by the company....

Data Protection and Classification Policy Overview This policy establishes standards for identifying, classifying, and safeguarding all company data—whether accessed by human users or non-human identities such as bots, APIs, and service accounts—throughout its lifecycle. The objective is to ensure data confidentiality, integrity, availability, and compliance with legal and regulatory obligations. Scope This policy applies to all data created, stored, processed, or transmitted by the company, including data handled by third-party service providers....

Device Security Policy Overview This Device Security Policy sets the minimum security requirements for all devices—whether assigned to human users or operated by non-human identities (such as bots, APIs, or automated systems)—that access company systems, networks, or data. The policy aims to protect organizational resources against loss, theft, or compromise, and to support regulatory and business requirements. Scope This policy applies to all company-owned, personally owned (BYOD), or third-party devices used to access company systems or data, including but not limited to laptops, desktops, smartphones, tablets, servers, IoT devices, and devices used by non-human identities (e....