Securing IT admin, workforce, machine, and developer identities

Robert Sawyer
Privileged Access Management (PAM) is the cornerstone of cybersecurity strategy. PAM traditionally focused on IT users with elevated access, and while PAM remains core, the focus has shifted to securing all identities that have privilege, not just a small group of trusted administrators.
The identity attack surface is diverse and expanding – across on-prem, cloud, and SaaS environments. Understanding the different types of identities operating in your organization is essential to reducing risk, as identity-related data breaches cost more than the typical cyber incident.
Identity provisioning is decentralized among multiple identity directories and resources, which obscures your visibility and limits oversight. It’s easy for identities to have excess permissions and become orphaned and unmanaged.
You need to understand the full picture of how identities move in and out of a porous perimeter. Only then can you adequately protect sensitive systems and data.
Your identity attack surface includes four types of identities
1. IT admin identities
Securing IT admin access is what most people think of when they think of Privileged Access Management, or PAM.
IT admin identities include:
- IT ops teams, responsible for networks and infrastructure such as servers and databases, across a mix of Windows and Linux systems in on-prem, private cloud, and public cloud environments. They monitor systems, address technical issues, and update software.
- Help desk administrators, who manage and resolve support tickets from users and customers.
- Cloud administrators, including the “Ops” side of “DevOps,” who control the creation of virtual machines and containers and optimize performance.
- Security teams who analyze threats, investigate root causes, and respond to incidents.
IT admin identities have a temporarily or permanently high level of access to perform a job or task, which increases risk. An IT admin in a rush could skirt your central vault and established processes and instead create a backdoor account for easy access. A nefarious IT admin could cause a lot of damage and cover their tracks.
Traditionally, these users have shared privileged accounts used to unlock access, which makes it impossible to tell which individual on the team has accessed a system or what changes they made. Especially if your organization outsources IT or security operations to an MSSP or other service provider, it’s easy to lose oversight of IT admin behavior.
Instead, an identity-based system leverages the unique identity of the IT admin, as managed by your Active Directory, federated identity, or other identity management system. IT admins may have one identity they use for high-risk work such as infrastructure updates, and another they use for their day-to-day activities, such as email communication.
Delinea helps secure IT admin identities with:
- Session recording and behavior monitoring
- Role-based access tied to tasks, not static roles
- Built-in governance and compliance tools
Learn more about IT admin identities and how to secure them.
2. Workforce identities
Workforce identities include business users, such as employees, contractors, vendors, and partners who access business applications. They do so from personal workstations and mobile devices, often remotely.
Human error remains a top breach vector for workforce identities. The rise in remote work increases exposure to identity-based attacks. These workforce identities are prime targets for ransomware and need security controls to ensure identity hygiene, limit access, and ensure ongoing oversight.
Users of critical business applications such as ERP, HR, and CRM solutions can easily become shadow IT as SaaS tools are increasingly licensed and managed by application owners rather than IT. Business applications have a wide variety of security roles and structures that are often quite broad and likely don’t easily align with your other identity management processes.
Workforce identities typically get access provisioned during onboarding and are managed via a Joiner, Mover, Leaver process, usually involving manual access reviews and access certification review campaigns.
Because workforce identities are widely distributed, they can get forgotten after a team member leaves. Beyond Identity estimates that 81% of employers believe that their former employees still have access to company files after leaving.
In addition to business application access, workforce identities carry risk if they retain local administrative rights on their personal workstations. These local admin rights are an attractive target for malicious hackers who gain access via malware targeted to business users.
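The Joiner, Mover, Leaver review described above can be automated as a reconciliation between the HR roster and a directory export. The script below is an added example, not Delinea's code or part of this article: it flags leavers whose accounts are still enabled, orphaned accounts with no HR record behind them, and movers who still hold group memberships from a former role. The roster, the directory rows, the field names and the role-to-group mapping are all constructed assumptions.

```python
"""Joiner/Mover/Leaver reconciliation: compare a directory export with the HR
roster to find leavers still enabled, orphaned accounts with no HR owner, and
movers still holding entitlements from a former role.
Added example; all data and field names below are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date

REVIEW_DATE = date(2024, 6, 1)  # constructed "today" for the review run

# Constructed HR roster: current role and termination date (None = still employed).
HR_ROSTER = [
    {"employee_id": "E100", "role": "finance", "end_date": None},
    {"employee_id": "E101", "role": "engineering", "end_date": None},
    {"employee_id": "E102", "role": "sales", "end_date": date(2024, 3, 31)},
    {"employee_id": "E103", "role": "finance", "end_date": None},  # moved here from sales
]

# Constructed directory export: account, HR owner, enabled flag, group memberships.
DIRECTORY = [
    {"account": "alice", "employee_id": "E100", "enabled": True, "groups": ["grp-finance"]},
    {"account": "bob", "employee_id": "E101", "enabled": True, "groups": ["grp-engineering"]},
    {"account": "carol", "employee_id": "E102", "enabled": True, "groups": ["grp-sales"]},
    {"account": "dave", "employee_id": "E103", "enabled": True,
     "groups": ["grp-finance", "grp-sales"]},
    {"account": "svc-legacy", "employee_id": None, "enabled": True, "groups": ["grp-admin"]},
    {"account": "erin", "employee_id": "E999", "enabled": False, "groups": []},
]

# Assumed mapping from HR role to the groups that role is entitled to hold.
ROLE_GROUPS = {
    "finance": {"grp-finance"},
    "engineering": {"grp-engineering"},
    "sales": {"grp-sales"},
}


@dataclass
class Findings:
    leavers: list = field(default_factory=list)  # enabled, but HR end_date has passed
    orphans: list = field(default_factory=list)  # no HR record stands behind the account
    movers: list = field(default_factory=list)   # (account, groups outside current role)


def reconcile(roster, directory, role_groups, today):
    """Return JML drift findings for every enabled account in the directory."""
    by_id = {r["employee_id"]: r for r in roster}
    findings = Findings()
    for acct in directory:
        if not acct["enabled"]:
            continue  # already disabled: nothing to revoke in this review
        record = by_id.get(acct["employee_id"])
        if record is None:
            findings.orphans.append(acct["account"])
            continue
        if record["end_date"] is not None and record["end_date"] <= today:
            findings.leavers.append(acct["account"])
            continue
        allowed = role_groups.get(record["role"], set())
        extra = sorted(set(acct["groups"]) - allowed)
        if extra:
            findings.movers.append((acct["account"], extra))
    return findings


if __name__ == "__main__":
    result = reconcile(HR_ROSTER, DIRECTORY, ROLE_GROUPS, REVIEW_DATE)
    print("leavers still enabled:   ", result.leavers)
    print("orphaned accounts:       ", result.orphans)
    print("movers with extra groups:", result.movers)
```

Disabled accounts are skipped on purpose: the review is about what still grants access today. In a real run the roster and directory would come from your HR system and identity provider, and the leaver and orphan lists would feed a disable-or-revoke workflow rather than a print statement.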
Delinea helps secure workforce identities with:
- Just-in-time access to sensitive apps or systems
- Policy-based access and MFA enforcement
- Visibility into user activity and lateral movement potential
Learn more about workforce identities and how to secure them.
3. Machine identities
Machine identities are increasing due to the rise of automation in DevOps and AI workflows. Attackers can move laterally via compromised machine identities.
Machine identities are digital identities of devices and workloads.
These include:
- Service Accounts
- Local Accounts
- IAM Roles
- Managed Identities
- App Registrations
- Service Principals
- Containers
- AI agents
- CI/CD runners
Machine identities are used to interact with systems, exchange data, and perform tasks autonomously, via:
- APIs
- Services
- Applications
- Automations
- DevOps
- Containers
Machine identities often have short lifespans and require frequent updates, renewals, or deactivations. Without proper human oversight, they can be provisioned incorrectly and easily become orphaned. Often, users don’t know what access machine identities need. As a result, they enable access to more data and business systems than they need to accomplish their goals.
To gain privileged access, machine identities leverage credentials such as SSH keys, API keys, certificates, and OAuth tokens. The credentials associated with machine identities must be managed centrally for ongoing oversight, just as passwords are.
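The central oversight described above starts with an inventory and a policy to check it against. The script below is an added example and not Delinea's code: it audits a list of machine credentials for four of the problems this section names, credentials past their rotation window, credentials with no accountable owner, credentials unused long enough to be orphaned, and certificates or tokens that have already expired. The inventory rows, the field names and the rotation limits are constructed assumptions.

```python
"""Machine-credential hygiene audit: flag credentials past their rotation
window, credentials with no accountable owner, credentials unused long enough
to be deactivation candidates, and certificates or tokens already expired.
Added example; policy numbers, field names and inventory rows are assumptions."""
from datetime import date

AUDIT_DATE = date(2024, 6, 1)  # constructed "today" for the audit run

# Assumed maximum age (days) before a credential of each type must be rotated.
ROTATION_POLICY_DAYS = {
    "api_key": 90,
    "ssh_key": 180,
    "oauth_token": 30,
    "certificate": 365,
}
STALE_AFTER_DAYS = 60  # unused this long: candidate for deactivation

# Constructed inventory as it might be exported from a secrets store.
INVENTORY = [
    {"id": "key-ci-runner", "type": "api_key", "owner": "ci-team",
     "created": "2024-04-01", "last_used": "2024-05-30", "expires": None},
    {"id": "ssh-deploy", "type": "ssh_key", "owner": None,
     "created": "2022-11-01", "last_used": "2024-05-29", "expires": None},
    {"id": "tok-report-bot", "type": "oauth_token", "owner": "analytics",
     "created": "2024-01-15", "last_used": "2024-02-01", "expires": "2024-06-20"},
    {"id": "cert-ingress", "type": "certificate", "owner": "platform",
     "created": "2023-06-01", "last_used": "2024-05-31", "expires": "2024-05-15"},
]


def _days_since(iso_date, today):
    """Whole days between an ISO date string and the audit date."""
    return (today - date.fromisoformat(iso_date)).days


def audit(inventory, today, policy=ROTATION_POLICY_DAYS, stale_days=STALE_AFTER_DAYS):
    """Return a dict of finding category -> sorted credential ids."""
    findings = {"rotate_overdue": [], "ownerless": [], "stale": [], "expired": []}
    for cred in inventory:
        max_age = policy.get(cred["type"])
        # Unknown credential types have no rotation window, so they are flagged too.
        if max_age is None or _days_since(cred["created"], today) > max_age:
            findings["rotate_overdue"].append(cred["id"])
        if not cred["owner"]:
            findings["ownerless"].append(cred["id"])
        if _days_since(cred["last_used"], today) > stale_days:
            findings["stale"].append(cred["id"])
        if cred["expires"] is not None and date.fromisoformat(cred["expires"]) < today:
            findings["expired"].append(cred["id"])
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for category, ids in audit(INVENTORY, AUDIT_DATE).items():
        print(f"{category:15s} {ids}")
```

An ownerless credential is the most important finding here: without an owner there is nobody to answer whether the access is still needed, which is how machine identities become orphaned. The same check runs unchanged against a real export as long as the four fields are present.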
AI identities are a high-risk type of machine identity.
AI models can execute tasks, interact with systems, and even create and manage credentials, making them a major risk if compromised. The rise of Agentic AI—AI systems capable of making independent decisions—is increasing the use of machine identities and expanding the attack surface at many organizations.
With the right access, these powerful tools can be weaponized. Attackers can leverage AI agents to mix harmful or deceptive data into datasets used to train a machine learning model. If poisoned, AI agents could be manipulated to bypass security controls, escalate privileges, or exfiltrate data.
Delinea helps secure machine identities by:
- Vaulting and rotating secrets
- Providing fine-grained access control and session auditing for service accounts
- Integrating tightly with orchestration tools and cloud-native environments
Learn more about machine and AI identities and how to secure them.
4. Developer identities
Developers need access to specific systems and data to do their jobs. For example, they may have access to critical systems in the CI/CD process, and dev environments separate from production.
Often, developers include remote third parties or short-term hires to fill a skills gap or quickly launch a specific product. They need to move fast and don’t want to be dependent on anyone else or wait for tickets to be processed to receive the permissions they need.
While they dislike the burden of security tools, developers are more amenable to working with them if they feel more cloud native and meet their need for speed.
Delinea helps secure developer identities by:
- Injecting secrets securely into code and issuing SSH keys/certificates
- Providing integrations for the languages developers use, like Python, Go, Java, .NET, and PowerShell.
- Providing a dynamic secrets solution for cloud and database use cases
Learn more about developer identities and how to secure them.
Securing every identity everywhere
Organizations struggle to ensure all these identity types are managed securely. A survey from Dimensional Research found the average company uses more than 25 different systems for identity management.
Relying on disconnected solutions for identity security—or worse, manual processes—is a sure path to creating vulnerabilities in your attack surface.
You can secure all four identity types in a connected ecosystem.
The Delinea Identity Security Platform improves identity security by eliminating these silos. You can discover all identities, assign appropriate access levels, detect irregularities, and immediately respond to identity threats in real-time. You can secure each identity with seamless, intelligent, centralized authorization at every interaction, without sacrificing productivity.
Delinea built the Platform to address six key components of a successful identity security strategy.
You can apply these six across all identity types, addressing key use cases:
- Discovery and Inventory: This involves identifying and cataloging all identities within an organization, including human and machine. Discovery is crucial to manage the dynamic nature of access rights across on-prem, cloud, and hybrid environments. As the old adage goes, you don’t know what you don’t know…and you can’t secure what you can’t see.
- Protected Credentials: Protecting credentials is fundamental to identity security. This includes securing passwords, SSH keys, and other authentication methods via vaulting. Enforcing MFA ensures users are who they claim to be. This is at the heart of a Privileged Access Management (PAM) solution and is foundational for success in identity security.
- Identity Posture and Threat Analysis: With Delinea, you can assess the security posture of identities and analyze potential threats. In a continuation of the “DR” (detection and response) security acronyms, ITDR (Identity Threat Detection and Response) solutions help in monitoring for anomalous behavior and detecting identity-related threats, providing insights to mitigate risks.
- Privileged Secure Access: Securing access to sensitive systems and data is critical, no matter where those systems live or what platforms they’re running on. Features like session recording, real-time monitoring, and auditing are core to this component. Privileged Remote Access (PRA) solutions help simplify access control, deliver Just-in-Time (JIT) access, and reduce the need for cumbersome technologies like VPNs.
- Zero Standing Privilege: Delinea takes JIT a step further by looking to remove standing privileges where possible, granting access only when needed, and only for the amount of time needed. This helps reduce your attack surface by ensuring that privileged accounts are not left with permanent access, thus minimizing the risk of privilege abuse.
- Identity Lifecycle and Governance: Managing identities from onboarding to offboarding (often referred to as “Joiner, Mover, Leaver” (JML)) is essential for maintaining security. Identity Governance and Administration (IGA) solutions automate the management of identities, ensuring compliance and secure access as roles change.
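The Zero Standing Privilege and JIT components above come down to one rule: every grant carries an expiry, and an authorization check honours only a grant whose window is open. The script below is an added example, not Delinea's code or a description of the Delinea Platform: it keeps a small grant ledger, issues time-bound grants under a policy ceiling, answers authorization questions against the current time, and reports any grant with no expiry as standing privilege to be converted. The ledger entries, the four-hour ceiling and the ticket references are constructed assumptions.

```python
"""Zero-standing-privilege ledger: every entitlement is time-bound, the
authorization check honours only an active window, and grants without an
expiry are reported as the backlog for conversion to Just-in-Time access.
Added example; the ledger contents and the policy ceiling are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

HOUR = timedelta(hours=1)
MAX_JIT_DURATION = 4 * HOUR  # assumed policy ceiling for a single grant


@dataclass(frozen=True)
class Grant:
    subject: str
    resource: str
    start: datetime
    expires: Optional[datetime]  # None means standing privilege (never expires)
    ticket: str                  # approval reference; constructed values below


def duration_within_policy(duration):
    """A JIT grant must be positive and no longer than the policy ceiling."""
    return timedelta(0) < duration <= MAX_JIT_DURATION


def issue_jit_grant(ledger, subject, resource, now, duration, ticket):
    """Append a time-bound grant; refuse durations outside the policy window."""
    if not duration_within_policy(duration):
        raise ValueError(f"duration {duration} outside policy window")
    grant = Grant(subject, resource, now, now + duration, ticket)
    ledger.append(grant)
    return grant


def is_authorized(ledger, subject, resource, now):
    """True only if some grant for (subject, resource) is active at `now`.
    Standing grants (expires=None) still authorize, which is exactly why
    standing_privileges() exists: they are the ones to convert to JIT."""
    for g in ledger:
        if g.subject == subject and g.resource == resource and g.start <= now:
            if g.expires is None or now < g.expires:
                return True
    return False


def standing_privileges(ledger):
    """(subject, resource) pairs with no expiry: the zero-standing-privilege backlog."""
    return sorted((g.subject, g.resource) for g in ledger if g.expires is None)


def expired_grants(ledger, now):
    """Grants whose window has closed; safe to prune from the ledger."""
    return [g for g in ledger if g.expires is not None and g.expires <= now]


# Constructed ledger: one legacy standing grant plus one two-hour JIT grant.
T0 = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
LEDGER = [
    Grant("dba-oncall", "prod-db", T0 - 400 * 24 * HOUR, None, "legacy"),
]
issue_jit_grant(LEDGER, "alice", "prod-db", T0, 2 * HOUR, "CHG-0001")

if __name__ == "__main__":
    print("alice at +1h:", is_authorized(LEDGER, "alice", "prod-db", T0 + HOUR))
    print("alice at +3h:", is_authorized(LEDGER, "alice", "prod-db", T0 + 3 * HOUR))
    print("standing privilege backlog:", standing_privileges(LEDGER))
```

The authorization check is deliberately time-based rather than flag-based: nothing has to remember to revoke alice's access, because the grant simply stops matching once its window closes. The standing-privilege report is the measure of how far a programme still has to go.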
See the Delinea Platform in action.
