Identity: Resilience Is the New Security

Rubrik

By WaiSau Sit, Identity Products, GTM Leader


We’ve reached an inflection point: identity, once a basic IT function, has become the single point of failure most likely to determine whether a business survives a cyber incident.

Across Europe and Asia, this shift is clear. Organizations have poured resources into SIEM, UBA, SOAR, analytics, and threat intelligence to detect and prevent threats at scale. Yet attackers still succeed through the one layer that must remain universally accessible — identity.

The pattern is familiar. Credentials are stolen, privileges escalate, lateral movement begins, persistence is established, and the target — data — is reached. For years, we’ve focused on detection while under-investing in hardening and recovering the identity systems attackers exploit.

The problem intensified as enterprises embraced cloud adoption, SaaS, remote work, and automation. Every employee, contractor, API key, and workload became another gateway to critical systems. Identity sprawled across Active Directory, Entra ID, Okta, homegrown IdPs, sovereign clouds, and industry-specific platforms.

Meanwhile, attackers evolved. The era of noisy ransomware has given way to stealthy, identity-centric campaigns designed for persistence. Increasingly, severe breaches involve no malware at all. Attackers weaponize existing tools — altering directory objects, changing policies, and blending into normal activity. Identity becomes both their entry point and their anchor.

When identity breaks, trust breaks. Once an attacker controls the identity platform, nothing downstream can be trusted: not logs, access controls, privileged workflows, or even backups, because each of them authorizes actions through that same platform. With stolen privileged credentials, adversaries disable endpoint protection, modify backup settings, and read data as a legitimate user, so no alert fires. In federated environments, where a single compromised identity provider grants access to every relying application, detection and recovery become more complex still.

This has exposed a critical gap: most business continuity and disaster recovery plans don’t consider identity compromise. When Active Directory or Entra ID is tampered with, recovery becomes uncertain. Which objects changed? Were modifications benign or malicious? Can systems be restored without reintroducing the attacker?
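Answering the questions above requires a known-good snapshot of the directory to compare against; without one, "which objects changed?" cannot be answered at all. As an added example, not code from the article or from Rubrik, the following Python diffs two constructed directory snapshots (hypothetical distinguished names under DC=corp,DC=example, an assumed list of sensitive attributes and privileged groups) and ranks each change by how much it matters for recovery. Additions to a privileged group, injected SID history, and the account flag that disables Kerberos pre-authentication are flagged high so they are reviewed before a restore reintroduces the attacker's foothold; multi-valued attributes are compared as sets so a reordered member list is not reported as a change.

```python
"""Diff two point-in-time directory snapshots and rank changes by recovery risk.
Added example, not code from the article or from Rubrik. Snapshots are constructed
dicts keyed by distinguished name; a real export would come from an LDAP query,
Get-ADObject, or a backup catalog."""
import copy
from dataclasses import dataclass

# Assumed: attributes whose change must be reviewed before a restore is trusted.
SENSITIVE_ATTRS = {"member", "adminCount", "sIDHistory", "servicePrincipalName",
                   "userAccountControl", "msDS-AllowedToDelegateTo"}
# Assumed: groups whose membership changes are always high risk.
PRIVILEGED_GROUPS = {"CN=Domain Admins,CN=Users,DC=corp,DC=example",
                     "CN=Enterprise Admins,CN=Users,DC=corp,DC=example"}
DONT_REQ_PREAUTH = 0x400000   # userAccountControl bit; when set the account is AS-REP roastable


@dataclass
class Change:
    dn: str
    kind: str                 # "added", "removed" or "modified"
    attr: str = ""            # attribute name when kind == "modified"
    before: object = None
    after: object = None
    risk: str = "low"         # "low", "medium" or "high"


def _norm(value):
    """Compare multi-valued attributes as sets so reordering is not a change."""
    return frozenset(value) if isinstance(value, (list, tuple, set)) else value


def _attr_risk(dn, attr, before, after):
    if attr == "member" and dn in PRIVILEGED_GROUPS:
        added = set(after or []) - set(before or [])
        return "high" if added else "medium"          # removals still deserve a look
    if attr == "sIDHistory" and after:
        return "high"                                 # injected SID = hidden privilege
    if attr == "userAccountControl":
        turned_on = (after or 0) & DONT_REQ_PREAUTH
        was_off = not ((before or 0) & DONT_REQ_PREAUTH)
        return "high" if (turned_on and was_off) else "medium"
    return "medium" if attr in SENSITIVE_ATTRS else "low"


def _object_risk(obj):
    """Risk of a newly created object: privileged membership or SID history."""
    privileged = any(g in PRIVILEGED_GROUPS for g in obj.get("memberOf", []))
    return "high" if (privileged or obj.get("sIDHistory")) else "low"


def diff_snapshots(baseline, current):
    """Return every difference between two snapshots, each tagged with a risk level."""
    changes = []
    for dn in sorted(set(baseline) | set(current)):
        if dn not in baseline:
            changes.append(Change(dn, "added", risk=_object_risk(current[dn])))
        elif dn not in current:
            changes.append(Change(dn, "removed", risk="medium"))
        else:
            b, c = baseline[dn], current[dn]
            for attr in sorted(set(b) | set(c)):
                if _norm(b.get(attr)) != _norm(c.get(attr)):
                    changes.append(Change(dn, "modified", attr, b.get(attr), c.get(attr),
                                          _attr_risk(dn, attr, b.get(attr), c.get(attr))))
    return changes


def review_queue(changes):
    """Changes that must be inspected before the snapshot is used for recovery."""
    return [c for c in changes if c.risk in ("high", "medium")]


def risk_summary(changes):
    counts = {"high": 0, "medium": 0, "low": 0}
    for c in changes:
        counts[c.risk] += 1
    return counts


# Constructed sample data: the known-good snapshot, then the current (tampered) state.
DA = "CN=Domain Admins,CN=Users,DC=corp,DC=example"
ALICE = "CN=alice,OU=Staff,DC=corp,DC=example"
BOB = "CN=bob,OU=Staff,DC=corp,DC=example"
SVC = "CN=svc-backup,OU=Service,DC=corp,DC=example"
BASELINE = {
    DA: {"objectClass": "group", "member": [ALICE]},
    ALICE: {"objectClass": "user", "userAccountControl": 512, "adminCount": 1},
    BOB: {"objectClass": "user", "userAccountControl": 512, "description": "Help desk"},
    SVC: {"objectClass": "user", "userAccountControl": 66048,
          "servicePrincipalName": ["backup/bk01.corp.example"]},
}
CURRENT = copy.deepcopy(BASELINE)
CURRENT[DA]["member"].append(BOB)                         # bob added to Domain Admins
CURRENT[BOB]["userAccountControl"] |= DONT_REQ_PREAUTH    # bob made AS-REP roastable
CURRENT[BOB]["description"] = "Help desk (tier 1)"        # benign noise
CURRENT[SVC]["servicePrincipalName"].append("cifs/dc01.corp.example")
CURRENT["CN=helpdesk-tmp,OU=Staff,DC=corp,DC=example"] = {   # new account with SID history
    "objectClass": "user", "userAccountControl": 512,
    "sIDHistory": ["S-1-5-21-1111111111-2222222222-3333333333-512"]}

if __name__ == "__main__":
    for c in review_queue(diff_snapshots(BASELINE, CURRENT)):
        print(f"[{c.risk:6}] {c.kind:8} {c.dn} {c.attr} {c.before!r} -> {c.after!r}")
```

Run stand-alone, the script prints the four changes that need a human decision before restore and suppresses the benign description edit. The same diff, run between consecutive snapshots over time, is the "historical context" that lets a responder pick the last snapshot taken before the first malicious change rather than the last one taken.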

We’ve hit a tipping point. Identity is now the primary attack surface, the fastest pivot point, and the hardest blast radius to contain: the obvious kill switch, taking the identity provider offline, also locks out the responders and recovery tooling that depend on it, so it can cause more harm than good. Yet few organizations have a defined strategy for identity resilience: continuous visibility into directory changes, historical context against a known-good state, and orchestrated, tested recovery.

Boards and CISOs are starting to ask the right questions:

  • If our identity platform were compromised, how quickly could we recover?
  • Can we prove to regulators that our post-incident identity state is clean?
  • Are non-human identities, AI systems, and cloud entitlements included in our strategy?

The path forward is clear: identity resilience and recovery must form the foundation of cyber resilience. Identity underpins every digital process — from clinical operations to financial transactions and supply chain orchestration. Business continuity doesn’t begin when systems power on; it begins when trust in identity is restored.

Organizations are now realizing that identity resilience belongs alongside data protection, incident response, and cyber recovery as a core pillar of security. The adversaries have already made identity their priority. It’s time we do the same.


rubrik.com

Strategic Partners