Videos · Scout Scholes · TAGS: Cloud security
A candid, expert-led discussion on the rapidly evolving challenges of cloud identity security—from identity sprawl and permissions creep to non-human identities and the coming wave of AI agents. With 74% of security incidents now involving identity-based compromises, understanding how to manage cloud identities effectively has never been more critical.
Date: December 2024
Duration: 40 minutes
Featuring:
- Ben Baker, Director of Content, Expel
- Ethan Chen, Cloud Security Expert, Expel
- Tim Chase, Field CISO and Principal Tech Evangelist, Orca Security
Additional resources
- Learn more about Expel’s approach to cloud security
- Explore cloud identity management solutions
- Subscribe to Expel’s weekly blog roundup
- Watch previous Nerdy 30 sessions on YouTube
Introduction
Ben Baker: Welcome everyone to episode five of the Nerdy 30. This is a special Christmas-themed episode, and I’m excited to dive into one of the most critical challenges facing security teams today: cloud identity security.
According to our most recent quarterly threat report, 74% of the incidents our SOC investigated in Q3 involved some sort of identity-based compromise—up 6% from Q2. That trend is going up and to the right, and it’s not slowing down.
When I think of identity compromise or identity chaos, my mind immediately goes to the cloud, where roles and permissions extend into the thousands and involve both humans and machines. It’s a lot to wrap your mind around. So I wanted to invite two cloud experts to help us hash this out.
Today we’re joined by Ethan Chen, who spends his days thinking about cloud security at Expel, where he helps build products for clients like Visa, Delta, and Uber. And Tim Chase, Field CISO and Principal Tech Evangelist at Orca Security, who has been working in InfoSec for over 20 years and focuses on DevSecOps and cloud security.
The rise of identity-based compromises
The statistics speak for themselves: identity-based attacks are now the primary method attackers use to breach organizations. As Ethan points out, attackers aren’t really hacking in anymore—they’re logging in. Once they have access to an identity, they inherit all the permissions that identity possesses.
Recent high-profile breaches demonstrate this pattern. Exposures of sensitive data on misconfigured S3 buckets still happen, but the majority of modern breaches trace back to compromised identities, whether through phishing campaigns, password reuse, lack of multi-factor authentication, or other identity-related weaknesses.
Is identity the new perimeter?
Ben Baker: There’s this phrase that’s been thrown around everywhere: “Identity is the new perimeter.” Let’s level the playing field here. Tim, give us 30 seconds—what’s the core problem we’re facing with cloud identity security?
Tim Chase: The problem is just sprawl everywhere. The cloud moves so fast that we weren’t good at identity before we went to the cloud, and we’re definitely not good when we’re working at the speed of the cloud—and at the speed of what’s coming with AI.
When you look at everything out there and consider non-human identities, all of those identities have to have roles and entitlements. The problem is growing faster than most organizations can keep up with.
Ethan Chen: Exactly. All these different types of identities—millions upon millions of roles and permissions—trying to map out who had access to what is a surprisingly complicated problem. It’s even more complex when you factor in multi-cloud environments.
Identity is truly the only consistent perimeter we have. Attackers aren’t hacking in as much anymore—they’re logging in. Once they have access to that identity, they have access to everything that permission allows.
Common cloud identity security misconfigurations
Ben Baker: Tim, when you look across customer environments at Orca Security, what are the most common identity-related misconfigurations you see?
Tim Chase: MFA is still a thing. Believe it or not, not having MFA enabled is still a big problem. When I worked for an identity security company, one of the first things I would do when working with customers was build a query to show who doesn’t have MFA on—and that’s still a widespread issue.
Another major problem: most organizations cannot reliably tell you who has access to what. We’re still living in this age where our minds think “user groups.” If Ben is in these 10 groups, do we know what those 10 groups can do? That’s still the way many of us think.
But these days you can’t think that way because it’s exponentially more complicated. You probably have access to 30 or 40 different SaaS solutions. Each one has different permissions, and none of them do permissioning the same way. They don’t speak the same language. Combine that with cloud accounts on AWS, Azure, and other platforms—it’s just really complicated.
Ethan Chen: Visibility is still very much a challenge, and it’s not surprising. It’s different for all these different SaaS providers and cloud providers. The permutations of roles you have are just very hard to keep a handle on, especially because it’s not stale and static—it’s constantly changing over time.
It’s very hard to figure out what we have access to, who has access to what, what kinds of access they have, and then making sure that’s right-sized and rationalized on top of everything else happening.
Human vs. non-human identities: The coming explosion
Tim Chase: It was one thing when it was just us having accounts in the cloud. But the way these clouds are created means that resources can have permissions too. In AWS, EC2 instances can have roles assigned to them. That’s where non-human identities come into play.
We used to call them service accounts—those still exist, but now it’s even more complicated. The world we’re getting ready to live in involves AI agents that will have extensive sets of permissions as well, and those are going to be exponential.
I’ve heard somewhere that we’re at about 100-to-1 when it comes to non-human compared to human identities. Add AI onto that, and there’s no telling what the factor becomes. We’ve got to get really good at defining these permissions and understanding exactly who has access to what.
Getting cloud identity provisioning right from the start
Ben Baker: Is it even feasible for IT teams—who are taking in provisioning requests from all over the business—to adequately give out the appropriate number of permissions? Or is the important part really about ongoing monitoring?
Tim Chase: The way I’ve seen a lot of folks work doesn’t actually work. Historically, IT teams do the provisioning of accounts and permissions, but they don’t actually understand what they’re doing. They’re just clicking buttons.
If you’re running a proper identity program—and this is where I think identity needs to live in the security realm rather than IT—you build out profiles. So when someone like Ethan is onboarded at Expel, there are pre-built profiles from the appropriate teams: revenue operations has Salesforce permissions ready, the cloud team has permissions for technical product marketers, and so on.
Getting it right the first time is probably more important if I have to choose, because we don’t tend to go back and take away permissions very well. Building your program to get it right is important, followed closely by auditing. Most compliance frameworks require at least every six months you audit permissions to your most important systems.
Ethan Chen: Getting it right at the beginning is so important because if you don’t, you create so much work on the backend that’s very hard to untangle. Those secure baselines and defaults—having clearly defined baseline roles—create an easy golden path for most people.
If you layer on just-in-time permissions, that really helps right-size those permissions. And if you can bake in operational things like auto-revoking or manager attestation, it almost becomes automatic.
The “Golden Path” and just-in-time (JIT) permissions
Tim Chase: One prediction I’ll make: I think one of the things that will help us in the future is this combination of just-in-time with some sort of AI. Just-in-time will still have the problem of understanding the entitlements, but if you have a history of what needs to be done and you understand what action needs to be taken, then AI will be able to do that analysis and provide the information you need to get the role for a specific amount of time.
A year or two down the road, I think we’ll see closer convergence of AI agents related to identity combined with just-in-time to really help us scale.
Ethan Chen: The AI agent could read in a strong baseline and see that typically users use this baseline. On average they request certain permissions just-in-time, but if one user has many more permissions, that context helps either make the decision or flag something wrong.
Identity as a verb: Lifecycle management and permissions creep
Ben Baker: We’ve talked about identity being a verb, not a noun—it’s an ongoing process. Permissions creep and excessive privileges grow quietly over time. How can teams build in processes to prevent this?
Ethan Chen: We call it a verb because it takes constant action. You can’t set and forget it. That really comes down to building it into the operational rhythm.
Recurring access reviews are really important, especially for admin accounts and privileges—those should lean toward quarterly rather than annual reviews. Manager attestations where your manager confirms you still need permissions, plus auto-revoking if nobody replies, work well. If people don’t really need permissions, they won’t speak up. If it’s important, someone will.
The whole joiner-mover-leaver lifecycle management is critical. As people move between jobs, quit, or join, it’s important to get account setup and permissions in the right order. If you get it wrong, you’ll have orphaned accounts.
Making it easy to request elevated permissions instead of wholesale admin accounts that just sit there helps. And celebrating teams that reduce permissions—making it something to be proud of rather than annoying—really helps with adoption.
Tim Chase: Anytime you can bake something into the culture, that’s the change agent. Not making it hard on people, making it something they don’t mind doing.
You have to have a dedicated team for this at scale. It’s not something you can do and come back to in a month. You need at least one person dedicated to it because you’re modifying the joiner-mover-leaver process, doing auditing, and building access reviews.
People still do access reviews in spreadsheets more commonly than you’d think. You’ve got to move past that and build repeatable processes. Having dedicated resources is the best way.
Ethan Chen: The repeatable process is most important. It’s not just saying “here are initiatives to fix this problem.” It’s about defining systematic things with feedback loops that keep it sustainable and make it easy for people to do things right.
It’s not just about making things secure—it’s about making them secure without getting in the way of the business. As long as there’s a feedback loop that makes things easier, people are more incentivized and interested in doing these things.
Multi-cloud identity challenges: AWS vs. Azure vs. Google Cloud
Ben Baker: Tim, from your perspective at Orca, how should security teams think about entitlement risk across multiple clouds? Do those challenges differ meaningfully between AWS, Azure, Google Cloud, even Oracle Cloud Infrastructure?
Tim Chase: The challenges are not different per se, but the clouds behave differently. If you don’t have a solution like Orca to help, you’re going to be in trouble because they’re all handled differently.
The way AWS does identities is completely different from Azure, which is completely different from Google. Google still ties their identities to Workspace. Azure ties to Active Directory. I’m not saying any of that is wrong, but they’re just different.
If you’re having to maintain and understand identities across multiple cloud providers by yourself, you’re going to find it’s a lot of work—more work than it’s worth. That’s why you need something like Orca that understands how each cloud speaks and can almost translate for you.
We handle CIEM for Google Cloud, Azure, AWS—you don’t have to worry about translating how each cloud provider does resources or sorting through the appropriate CloudTrail or Azure logs. That’s where something like Orca really comes in when you’re getting to multi-cloud security.
Ethan Chen: Because of the way they model things differently—some based off existing infrastructure—it introduces quirks. If you aren’t an expert in Azure, Google Cloud, or Oracle, you may not be aware of them.
Even at Expel, our detection strategies have to be very specific for each cloud. If you’re going to apply an AWS playbook, you don’t want to use it for Oracle Cloud because there are small things that may catch you by surprise if you haven’t worked deeply in that cloud before.
Filtering noise: Using AI to prioritize identity alerts
Ben Baker: Ethan, cloud environments are so noisy, and identity detections often drown in that noise. What’s working right now in terms of filtering signal and spotting identity abuse earlier?
Ethan Chen: They’re very noisy, and we want to make sure our SOC isn’t drowning in that noise. We’re doing several things.
First, we use AI to provide an additional disposition or decision on alerts before handing them to analysts. They get a jumpstart understanding why our AI thinks something is benign or malicious and which signals correlate to that decision.
Second, our AI looks at alerts as they come in, makes decisions about what additional context is needed, and automatically grabs that context. Before our analyst even looks at the alert, all this context is there when they open it.
Third, we look beyond just the identity alert in isolation, which can be tough. If somebody’s logging in at a weird time, is that malicious or because they’re traveling? Hard to tell. But if we correlate with SaaS, endpoint, cloud, and other signals across the environment, it becomes much easier.
If we see that same login with unusual file downloads and then a new inbox rule, it’s probably malicious. We’ve done this at scale—for one customer with 1,450 users, we turned 15 billion raw events into just 35 investigations.
Correlating signals with context across the environment
Ben Baker: Tim, how does Orca surround those identity signals with context to help prioritize which ones are most critical?
Tim Chase: It’s all about data and having data to support it. A couple different ways:
First, understanding the historical aspect of what that identity is doing is key. Most of the time, workloads in the cloud tend to do the same or similar things. They’re not doing something completely random every day. When you start to see deviations from normal related to these identities, that’s key.
Being able to raise awareness when you’ve got a machine that’s normally an introvert but suddenly becomes an extrovert talking to 10 other machines—we might want to look at that.
The other thing is being able to prioritize based on what those identities can do. If you have identity risks—maybe over-permissioned, missing MFA, whatever it happens to be—being able to help you understand the riskiest identities is critical.
Obviously administrators are important, but what about ones with access to sensitive data? Customer data? PII data? Ones with tons of permissions to all your databases? Understanding the whole context of an identity—the permissions they have and the data they have access to—is where Orca can really help.
It’s similar to what Expel does—correlating across different platforms. We do it across the cloud and the data in those different factors.
Ethan Chen: It’s all about building out the whole story. There’s just too much going on for you not to be able to do that. You have to see where everything is going, what identities are capable of doing, and kind of go from there.
That’s why we’re both good at what we do—single point tools just don’t do it. If you’ve got 10 different tools getting all these alerts, it’s not going to help. Having everything come to one place where you can centralize and get the entire context around it—that’s the only way to come up to breathe.
We’ve heard from so many people: “I was drowning in alerts, but now that I can look and see what’s external, what’s exploitable, and what’s attached to sensitive data, that helps me take everything down by 90% to know what I’ve got to fix first.”
Future predictions: AI as both problem and solution
Ben Baker: Looking forward over the next 12 to 18 months, what trends in cloud identity security do you expect to accelerate?
Tim Chase: Two things. First, it’s going to explode. Identities exploded once we went to the cloud, and now we’re going to have this huge other explosion now that AI is here. Machine learning and machine identities have already helped everything take off, and AI’s going to take it to the next level. We’re just going to have an influx.
On the flip side, I think we’re going to see AI help us solve this problem more, because it’s going to be almost impossible to solve without it. We talked about JIT and AI working together. I think CIEM—cloud infrastructure entitlement management—and AI are going to work together to help you understand entitlements, where you’re over-permissioned, and how to fix those.
Security agents are going to help as well. We’ve seen a few out there today doing automated work, and I think some will be fixing identity-related issues. So AI is going to add to the problem, exacerbate the problem, and fix the problem—which is amazing.
And we haven’t even talked about attackers using AI.
Ethan Chen: One thing that keeps me up at night is better social engineering and phishing. Beyond making them more convincing, with all the data leaks of the past 10 to 20 years, attackers can feed all that information and make phishing very customized to an individual. That makes it so much more convincing.
I worry about that for initial access, and then who knows what they do once they get in there.
Frequently asked questions about cloud identity security
Q: Why is identity now considered the primary security perimeter?
Traditional network perimeters dissolved with cloud adoption and remote work. Identity has become the consistent control point—attackers compromise credentials to gain initial access rather than exploiting network vulnerabilities. With 74% of incidents involving identity-based compromises, securing identities is now the foundation of cloud security.
Q: What are non-human identities and why do they matter?
Non-human identities include service accounts, API keys, machine identities, and roles assigned to cloud resources like EC2 instances, containers, and serverless functions. They often outnumber human identities 100-to-1 and typically have broad permissions. Securing non-human identities is critical because compromising one can provide extensive access to cloud resources.
Q: How does multi-cloud complicate identity management?
Each cloud provider (AWS, Azure, Google Cloud, Oracle) handles identity differently. Azure ties to Active Directory, Google to Workspace, and AWS uses its own IAM system. None speak the same language for permissions and roles. Managing identities consistently across multiple clouds without a unified platform becomes exponentially complex.
Q: What is cloud infrastructure entitlement management (CIEM)?
CIEM solutions help organizations discover, analyze, and manage identities and their entitlements across multi-cloud environments. They identify over-permissioned accounts, unused permissions, violations of least privilege, and provide visibility into who can access what resources across your cloud infrastructure.
Q: Should identity management live with IT or security teams?
Identity security programs work best under security leadership rather than IT. Security teams better understand risk context, threat landscape, and compliance requirements. However, successful programs require collaboration between security (defining baselines and policies) and IT (operational provisioning and support).
Q: What are “golden path” and just-in-time (JIT) permissions?
Golden path refers to pre-defined, secure baseline permission sets that make it easy for users to get appropriate access quickly. Just-in-time permissions grant elevated access only when needed for specific time periods, reducing standing privileges. Together, they balance security with business needs.
Q: How can AI help with cloud identity security?
AI can analyze historical identity behavior to detect anomalies, automate context gathering for alerts, recommend appropriate permissions based on actual usage patterns, and accelerate just-in-time access decisions. However, AI also creates new challenges as AI agents will require their own identities and permissions at scale.
Q: What’s the biggest mistake organizations make with cloud identity security?
Not getting provisioning right from the start. Organizations often grant excessive permissions initially because it’s faster, then struggle to remove them later. Without proper baseline roles, automated reviews, and lifecycle management, permissions creep becomes unmanageable.
Key takeaways for cloud identity security
Organizations looking to strengthen their cloud identity security posture should focus on these critical areas:
- Establish secure defaults: Build baseline permission profiles for common roles rather than ad-hoc provisioning. Make the secure path the easy path.
- Implement lifecycle automation: Automate joiner-mover-leaver processes with proper sequencing to prevent orphaned accounts and permissions drift.
- Enable just-in-time access: Reduce standing privileges through temporary elevated access that expires automatically.
- Enforce MFA everywhere: Multi-factor authentication remains a fundamental control that’s still not universally deployed.
- Gain visibility across clouds: Use platforms that translate between different cloud providers’ identity models to maintain consistent security.
- Build recurring reviews into rhythm: Make access reviews, manager attestations, and permissions audits part of regular operational cadence, not annual projects.
- Correlate identity signals: Don’t evaluate identity alerts in isolation—combine with endpoint, SaaS, and cloud activity for complete context.
- Prioritize by risk and data: Focus on identities with access to sensitive data and critical systems, not just administrative accounts.
- Use AI to manage scale: Leverage AI for anomaly detection, context gathering, and reducing alert noise—but maintain human oversight for decisions.
- Make security cultural: Celebrate teams that reduce permissions and make secure practices easy to adopt rather than obstacles to productivity.
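The signal correlation described in the takeaways and in Ethan's odd-login example (login at a strange time, followed by unusual file downloads and a new inbox rule), as an added example that is not from the webinar, Expel or Orca. The event records, user baselines, time window and scoring weights are all constructed for illustration; the point is that an identity alert is scored with neighbouring SaaS and mailbox activity rather than on its own.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source, user, detail)
EVENTS = [
    ("2024-12-10T03:12:00", "idp_login",     "alice", {"country": "RO", "mfa": False}),
    ("2024-12-10T03:20:00", "saas_download", "alice", {"files": 240}),
    ("2024-12-10T03:25:00", "mail_rule",     "alice", {"action": "delete", "match": "invoice"}),
    ("2024-12-10T03:40:00", "idp_login",     "bob",   {"country": "JP", "mfa": True}),
    ("2024-12-10T09:05:00", "saas_download", "bob",   {"files": 4}),
    ("2024-12-10T14:00:00", "idp_login",     "carol", {"country": "US", "mfa": True}),
    ("2024-12-10T14:10:00", "mail_rule",     "carol", {"action": "move", "match": "newsletter"}),
]
HOME_COUNTRIES = {"alice": "US", "bob": "JP", "carol": "US"}   # constructed baseline
WINDOW = timedelta(hours=2)       # how far after a login we look for follow-on activity
BULK_DOWNLOAD = 100               # files in one burst that count as unusual


def parse(events):
    return [(datetime.fromisoformat(ts), src, user, d) for ts, src, user, d in events]


def login_is_odd(user, ts, detail):
    """Reasons a login deviates from the user's baseline; empty list means normal."""
    reasons = []
    if detail.get("country") != HOME_COUNTRIES.get(user):
        reasons.append("new_country")
    if not detail.get("mfa"):
        reasons.append("no_mfa")
    if not 6 <= ts.hour < 20:
        reasons.append("off_hours")
    return reasons


def correlate(events):
    """Return {user: (score, reasons)} for every user with at least one odd login.
    An odd login alone scores 1; bulk downloads and destructive inbox rules inside
    the window after it raise the score so the combination, not the login, escalates."""
    by_user = defaultdict(list)
    for ts, src, user, d in parse(events):
        by_user[user].append((ts, src, d))
    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[0])
        for ts, src, d in evs:
            if src != "idp_login":
                continue
            reasons = login_is_odd(user, ts, d)
            if not reasons:
                continue
            score = 1
            for ts2, src2, d2 in evs:
                if not (ts <= ts2 <= ts + WINDOW):
                    continue
                if src2 == "saas_download" and d2["files"] >= BULK_DOWNLOAD:
                    score += 2
                    reasons.append("bulk_download")
                elif src2 == "mail_rule" and d2["action"] == "delete":
                    score += 3
                    reasons.append("destructive_inbox_rule")
            prev = findings.get(user)
            if prev is None or score > prev[0]:
                findings[user] = (score, reasons)
    return findings


def triage(findings, threshold=4):
    """Users whose correlated score warrants an investigation, sorted by name."""
    return sorted(u for u, (s, _) in findings.items() if s >= threshold)


if __name__ == "__main__":
    for user, (score, reasons) in correlate(EVENTS).items():
        print(user, score, reasons)
    print("investigate:", triage(correlate(EVENTS)))
```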
The future of cloud identity security
Cloud identity security challenges will intensify before they improve. The explosion of AI agents and non-human identities will dramatically increase the scale of the problem—potentially moving from 100-to-1 non-human-to-human ratios to something far higher.
However, the same AI technologies creating the problem may also provide solutions. Intelligent automation combined with just-in-time access, behavioral analysis, and unified visibility across clouds offers hope for managing complexity at scale.
The organizations that will succeed are those building systematic, automated, and culturally embedded identity security practices today—before the next wave of complexity arrives. As both Ethan and Tim emphasize, cloud identity security isn’t a project with an end date. It’s an ongoing discipline that requires constant attention, dedicated resources, and the right tools to manage exponential growth in identities and permissions.
For security teams feeling overwhelmed by identity sprawl, the message is clear: you don’t have to solve this alone. Platforms that provide unified visibility, automated workflows, and intelligent context across multi-cloud environments are essential for maintaining security at cloud speed.
