Securing Identities in 2025

December 9, 2025

Why Identity and Access Management Is the New Perimeter for Ottawa Businesses

In 2025, identity has replaced the network as the primary attack surface. IBM's 2025 Cost of a Data Breach report states that credential-based attacks now account for 19% of all breaches and carry the highest average cost at $4.92 million globally and $6.24 million in Canada. For Ottawa organizations operating under PIPEDA, ITSG-33, GC CSE directives, or Protected-B handling requirements, weak identity controls trigger audit findings, contract disqualifications, and potential loss of authority to operate.

The perimeter dissolved years ago. Users authenticate from unmanaged devices over consumer ISPs, applications run in Microsoft Azure Government Community Cloud, AWS GovCloud equivalents, or Canadian-hosted private clouds, and service principals execute headless workloads in Kubernetes clusters. Traditional network firewalls and VPN concentrators can no longer enforce policy at the granularity required. Modern Identity and Access Management (IAM) has therefore become the new control plane.

The Modern Identity Fabric – Technical Architecture Overview

Contemporary IAM deployments are built as an identity fabric composed of multiple synchronized directories and policy engines:

  • Microsoft Entra ID (formerly Azure AD) as the cloud identity provider
  • On-premises Active Directory synchronized via Entra Connect with pass-through authentication, or federated via AD FS (AD FS 2019)
  • Third-party SaaS applications integrated via SCIM 2.0 provisioning and OIDC/SAML 2.0 federation
  • Non-human identities managed through HashiCorp Vault, CyberArk Conjur, or native cloud workload identity services (AWS IAM Roles for Service Accounts, GCP Workload Identity Federation, Azure Managed Identities)

The policy decision point is typically Entra ID Conditional Access combined with a Cloud Access Security Broker (Microsoft Defender for Cloud Apps or Zscaler Private Access) and a Privileged Access Management overlay (CyberArk, BeyondTrust, or Delinea Secret Server).

On every authentication request, the policy decision point answers the following questions in real time:

  • Identity assurance – Is the token issued by a trusted IdP with phishing-resistant MFA (FIDO2 WebAuthn or CBA)?
  • Device assurance – Does the device present a valid Intune or JAMF compliance attestation and TPM-bound key?
  • Risk signal – Does Microsoft Entra ID Protection or CrowdStrike Identity Protection flag impossible travel, anonymous IP, or credential stuffing indicators?
  • Contextual policy – Is the requested resource tagged Protected-B and the user lacking an active Government of Canada PKI certificate?

Explore Microsoft Entra ID Protection technical deep-dive

Phishing-Resistant Authentication Protocols and Implementations

Passwordless is now table stakes. Organizations achieving NIST AAL3 and IAL2 require one of the following authenticators:

  1. FIDO2 WebAuthn with hardware-bound keys (YubiKey 5 Series, Google Titan, Feitian ePass) using ES256 or RS256 signatures
  2. Platform passkeys synced via iCloud Keychain or Windows Hello for Business with device-bound private keys stored in the TPM 2.0
  3. Certificate-Based Authentication using S/MIME or client certificates issued from an enterprise PKI (Entrust Datacard, GlobalSign, or the Government of Canada Entrust PKI)

Configuration example for Entra ID Conditional Access requiring phishing-resistant MFA:

  • Require authentication strength → Phishing-resistant MFA
  • Exclude legacy protocols (POP3, IMAP, SMTP, ActiveSync)
  • Block all authentication attempts using NTLM or Kerberos with RC4 encryption
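As an added illustration (not configuration from the original post), the following Python audit checks an exported Conditional Access policy set for the two settings above: an enforced, all-users policy requiring the phishing-resistant authentication strength, and an enforced block on the legacy client app types. The sample export is constructed in the Microsoft Graph conditionalAccessPolicy shape; the built-in strength GUID is Microsoft's documented value but should be verified against your own tenant.

```python
"""Audit exported Entra ID Conditional Access policies for phishing-resistant
MFA enforcement and a legacy-authentication block. Sample data is constructed."""
import json

# Microsoft's built-in "Phishing-resistant MFA" authentication strength ID
# (assumption: verify the GUID in your tenant before relying on it).
PHISHING_RESISTANT_STRENGTH = "00000000-0000-0000-0000-000000000004"
# Graph clientAppTypes values that cover legacy protocols (POP3/IMAP/SMTP fall under "other").
LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}

# Constructed sample export: a correct MFA policy, plus a legacy-auth block
# left in report-only mode, which is a common real-world gap.
SAMPLE_EXPORT = json.dumps({"value": [
    {"displayName": "Require phishing-resistant MFA", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}, "clientAppTypes": ["all"]},
     "grantControls": {"authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH}}},
    {"displayName": "Block legacy auth", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"builtInControls": ["block"]}},
]})

def _enforced_for_all_users(policy):
    """Only an enabled policy scoped to all users counts; report-only does not."""
    users = (policy.get("conditions") or {}).get("users") or {}
    return policy.get("state") == "enabled" and "All" in (users.get("includeUsers") or [])

def requires_phishing_resistant(policies):
    """True if an enforced, all-users policy grants only the phishing-resistant strength."""
    for p in policies:
        strength = (p.get("grantControls") or {}).get("authenticationStrength") or {}
        if _enforced_for_all_users(p) and strength.get("id") == PHISHING_RESISTANT_STRENGTH:
            return True
    return False

def blocks_legacy_auth(policies):
    """True if an enforced, all-users policy blocks both legacy client app types."""
    for p in policies:
        controls = (p.get("grantControls") or {}).get("builtInControls") or []
        apps = set((p.get("conditions") or {}).get("clientAppTypes") or [])
        if _enforced_for_all_users(p) and "block" in controls and LEGACY_CLIENT_APPS <= apps:
            return True
    return False

def audit(export_json):
    """Return a pass/fail map for the two requirements over a Graph export."""
    policies = json.loads(export_json)["value"]
    return {"phishing_resistant_mfa": requires_phishing_resistant(policies),
            "legacy_auth_blocked": blocks_legacy_auth(policies)}

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT))  # legacy block is report-only, so that check fails
```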

Non-Human Identity Sprawl – The Hidden Attack Surface

Machine identities outnumber human identities 10:1 to 50:1 in mature environments. Common classes:

  • Workload identities – Kubernetes service accounts, GCP service accounts, Azure Managed Identities
  • Application-to-application – OAuth 2.0 client credentials flow, mTLS client certificates
  • DevOps secrets – CI/CD pipeline tokens, Terraform state access keys
  • Database service accounts – SQL logins with sysadmin fixed role

Best-of-breed controls in 2025:

  • Automatic discovery via Venafi, HashiCorp Vault, or CyberArk Discovery
  • Rotation every 7–30 days using just-in-time credential issuance
  • Binding to short-lived X.509 certificates (1–4 hour TTL) instead of long-lived secrets

Read Ping Identity Machine Identity Security Report 2025

Zero Standing Privilege Technical Implementation

Permanent Domain Admins, Enterprise Admins, or Azure Global Administrator roles are extinct in mature environments. Modern patterns:

Microsoft Tier Model + Entra ID PIM

  • Tier 0 – Privileged workstations only (PAW/SAW), no internet access, AppLocker + WDAC whitelisting
  • Just-in-time elevation via Privileged Identity Management with approval workflow and time-bound roles (max 8 hours)
  • Mandatory session recording via Microsoft Defender for Cloud Apps or BeyondTrust PRA

BeyondTrust Endpoint Privilege Management + Active Directory bridging

  • Local Administrator Password Solution (LAPS) replaced by on-demand local admin rights granted via policy
  • Application control to elevate only approved installers (MSIs signed by corporate certificate)

Browse BeyondTrust Privileged Access Management technical documentation

Ottawa and Government of Canada Compliance Mapping

Ottawa organizations must map IAM controls to multiple frameworks simultaneously:

ITSG-33 / GC CSE Baseline Controls

  • AC-2(7) – Account Management | Automated System Account Management
  • AC-6(8) – Least Privilege | Privileged Access by Non-Privileged Users (JIT)
  • IA-2(12) – Identity Proofing | Phishing-Resistant MFA for Privileged Users
  • IA-5(13) – Authenticator Management | FIDO2 or PKI for all privileged accounts

PIPEDA and PHIPA (for Ontario health-adjacent orgs) require demonstrable access controls and audit logging for personal information.

View Canadian Centre for Cyber Security ITSG-31 User Authentication Guidance

Identity Governance and Administration at Scale

Manual access reviews no longer scale. AI-augmented IGA platforms now perform:

  • Continuous micro-certifications (daily instead of quarterly)
  • Peer and manager-based access recommendations using behavioural analytics
  • Automatic revocation of entitlements when a user’s risk score exceeds threshold

SailPoint IdentityNow and Saviynt IGA both integrate natively with ServiceNow HR Service Delivery for birthright access and Okta Lifecycle Management workflows.

Discover SailPoint Identity Governance technical overview

Integrating IAM with XDR and SIEM

Identity is the first signal in the kill chain. Modern integrations:

  • Entra ID sign-in logs → Microsoft Sentinel with KQL fusion rules for impossible travel and AADConnect account compromise
  • CrowdStrike Identity Protection → Falcon XDR behavioural blocking of lateral movement
  • Okta System Log → Splunk or Elastic with pre-built threat hunting dashboards
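The impossible-travel rule mentioned above, written out in Python as an added example (not the page's or Microsoft's KQL). The sign-in events are constructed sample data carrying a few SigninLogs-style fields; the speed threshold is an assumption.

```python
"""Impossible-travel detection over sign-in events: flag consecutive sign-ins by
the same user whose implied ground speed exceeds what a flight could achieve.
Events and threshold are constructed assumptions, not production values."""
import math
from datetime import datetime

MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly airliner cruising speed

# Constructed sample: alice signs in from Ottawa, then Frankfurt 40 minutes later;
# bob signs in from Ottawa, then Toronto four hours later (plausible drive).
SAMPLE_SIGNINS = [
    {"time": "2025-12-09T13:00:00", "upn": "alice@example.ca", "ip": "203.0.113.10", "lat": 45.42, "lon": -75.69},
    {"time": "2025-12-09T13:40:00", "upn": "alice@example.ca", "ip": "198.51.100.7", "lat": 50.11, "lon": 8.68},
    {"time": "2025-12-09T14:00:00", "upn": "bob@example.ca", "ip": "203.0.113.11", "lat": 45.42, "lon": -75.69},
    {"time": "2025-12-09T18:00:00", "upn": "bob@example.ca", "ip": "203.0.113.12", "lat": 43.65, "lon": -79.38},
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))

def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (upn, from_ip, to_ip, implied_kmh) for each consecutive pair of
    sign-ins per user that exceeds max_kmh. Pairs from the same IP are skipped,
    and a non-zero distance in zero elapsed time is treated as infinite speed."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["time"]):
        by_user.setdefault(e["upn"], []).append(e)
    alerts = []
    for upn, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            if prev["ip"] == cur["ip"]:
                continue
            elapsed_h = (datetime.fromisoformat(cur["time"])
                         - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if elapsed_h == 0:
                speed = math.inf if km > 0 else 0.0
            else:
                speed = km / elapsed_h
            if speed > max_kmh:
                alerts.append((upn, prev["ip"], cur["ip"], round(speed)))
    return alerts

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_SIGNINS):
        print("impossible travel:", alert)
```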

Read the CrowdStrike Identity Protection integration guide

Vendor Selection Criteria for 2025

Technical evaluation matrix used by most Ottawa RFPs (must-have scoring, 100 points total):

  Requirement                                   | Must-Have Scoring
  Native FIDO2 + CBA support                    | 25
  SCIM 2.0 provisioning for 150+ SaaS apps      | 20
  Just-in-Time + Just-Enough PAM                | 20
  Canadian or GC-approved data residency        | 15
  Integration with GC PKI and Entrust CA        | 10
  Session recording and keystroke logging       | 10

Download Gartner Magic Quadrant for Access Management 2025

180-Day Technical Roadmap (Detailed)

Phase 1 (0–60 days)

  • Deploy Entra ID P2 + Identity Protection
  • Enable phishing-resistant MFA for all Tier 0 and Tier 1 accounts
  • Block legacy authentication tenant-wide

Phase 2 (61–120 days)

  • Roll out Privileged Identity Management with approval workflow
  • Implement Conditional Access device compliance (Intune)
  • Deploy CrowdStrike or BeyondTrust endpoint privilege management

Phase 3 (121–180 days)

  • Connect ServiceNow HR to SailPoint or Okta Workflows for automated lifecycle
  • Implement machine identity rotation via HashiCorp Vault or CyberArk
  • Integrate identity logs into Microsoft Sentinel with automated response playbooks

The Bottom Line

Identity is now the definitive control plane. Organizations that continue to treat IAM as a simple directory service will suffer credential-based breaches at an accelerating rate. Those that implement a complete identity fabric with phishing-resistant authentication, zero standing privilege, automated governance, and real-time risk signals will achieve measurable reductions in both breach probability and blast radius.

Bedrock IT delivers full-stack IAM modernization for Ottawa and federal contractors, including Microsoft Entra ID P2 deployments, Privileged Identity Management, CrowdStrike Identity Protection, and Canadian-hosted identity governance solutions.

Secure your identities before attackers do.

Contact us at 613-702-5505 or [email protected] for a detailed identity posture assessment and 30-day proof-of-concept.