drj logo

"*" indicates required fields

Name*
Zip Code*
Please enter a number from 0 to 100.
Strength indicator
I agree to the Terms of Service and Privacy Policy*
Yes, of course I want to receive emails from DRJ!
This field is for validation purposes and should be left unchanged.

Already have an account? Log in

drj logo

Welcome to DRJ

Already registered user? Please login here

Login Form

Register
Forgot password? Click here to reset

Create new account
(it's completely free). Subscribe

x
DRJ Fall 2025 Dallas Show
Skip to content
Disaster Recovery Journal
  • EN ESPAÑOL
  • SIGN IN
  • SUBSCRIBE
  • THE JOURNAL
    • Why Subscribe to DRJ
    • Digital Edition
    • Article Submission
    • DRJ Annual Resource Directories
    • Article Archives
    • Career Spotlight
  • EVENTS
    • DRJ Fall 2025
    • DRJ Spring 2026 Call for Papers
    • DRJ Scholarship
    • Other Industry Events
    • Schedule & Archive
    • Send Your Feedback
  • WEBINARS
    • Upcoming Webinars
    • On Demand
  • MENTOR PROGRAM
  • DRJ ACADEMY
    • DRJ Academy
    • Beginner’s Guide to BC
  • RESOURCES
    • New to Business Continuity?
    • White Papers
    • DR Rules and Regs
    • Planning Groups
    • Business Resilience Decoded
    • DRJ Glossary of Business Continuity Terms
    • Careers
  • ABOUT
    • Advertise with DRJ
    • DEI
    • Board and Committees
      • Executive Council Members
      • Editorial Advisory Board
      • Career Development Committee
      • Glossary Committee
      • Rules and Regulations Committee
  • Podcast

New IAM Research by Stack Identity Finds Machine Identities Dominate Shadow Access in the Cloud, Revealing Easy Attack Vector for Hackers

by Jon Seals | August 8, 2023 | | 0 comments

  • Identity and Access trend report data highlights different types of Shadow Access; provides best practices on how to reduce cloud breaches and data exfiltration 
  • Cloud native, enterprise environments showed only 4% of identities as human, while the remaining are non-human identities  
  • 76% of policies used in enterprise cloud environments include write permissions and 28% of policies have some level of permission management 

MENLO PARK, Calif. – Stack Identity, a Silicon Valley startup automating identity and access management (IAM) governance to identify and eliminate cloud data threat vectors, today announced it has released the industry’s first Shadow Access Impact Report. 

The data from Stack Identity pertaining to cloud identities and entitlements highlights the gaps through which organizations can suffer cloud breaches, intellectual property and sensitive data loss. Shadow Access, the invisible and unmonitored identity and access, increases the risk of breaches, malware, ransomware and data theft that current IAM tools are not built to mitigate. 

The industry is increasingly beginning to recognize Shadow Access as a growing threat to cybersecurity. Recently, Jim Reavis of the Cloud Security Alliance wrote, “There are several studies available that indicate cloud microservices and containers tend to have too many unpatched vulnerabilities and unused privileges attached to them…I believe that Shadow Access is something that we want to address by applying Zero Trust principles towards it…Zero Trust encourages us to define a protect surface, minimize access to it and monitor the system continuously.”

As seen with the prolific LastPass data breach, the report shows how Shadow Access and the current, fragmented IAM systems increase permissions to external threat actors. 

“Our first Shadow Access Impact Report shows the high percentage of non-human identities that are driven by the cloud automation flywheel of more clouds, 3rd party data access and more identities,” says Venkat Raghavan, founder and CEO at Stack Identity. “The impact of Shadow Access goes beyond the risk of data exfiltration and cloud breaches. The fragmented and static IAM systems today enable Shadow Access to remain undetected, and make cloud compliance and governance static, time-consuming and expensive.” 

Stack Identity’s findings are based on the analysis of 60 live cloud instances scattered across Cloud IAM, Cloud IDP, Infrastructure as Code, data stores, HR systems, ticketing systems, emails, spreadsheets and screenshots. For a guide of scale, just one of the cloud environments had thousands of cloud identities, 320 data assets, 400 AWS customer-defined policies and 10GB per day of CloudTrail volume.

Key takeaways from the report include: 

  • Only 4% of identities are human while the remaining are non-human identities (automatically generated by APIs, cloud workloads, data stores, microservices and other multi-cloud services)
  • 5% of identities in the cloud have admin permissions
  • 28% of policies in the cloud have some level of permission management
  • 75% of policies used in cloud environments include write permissions 

The report explains the 10 different types of Shadow Access that DevOps and SecOps teams need to be aware of and provides best practices on how to follow an attacker’s traceable cloud IAM footprints to reduce the risk of cloud data breaches and data exfiltration. 

“DevOps teams cannot keep up with the vast numbers of policy actions combined with 

sensitive data assets that multiply the volume of risk combinations,” says Dr. Prakash Shetty, director of product strategy, cloud security and operations at Stack Identity. “By detecting the IAM footprints created by Shadow Access exploits, DevOps and security teams have the visibility and analytical context needed to prioritize remediation of security risks to cloud identities, data and resources.“ 

“We all know that identities are a source of risk; this research report helps practitioners get visibility to access and entitlement patterns that are inherent in DevOps and CloudOps processes that in turn can lead to Shadow Access Risks and Threats,” said Dr. Heather Hinton, CISO at Pager Duty.

“The status quo of overly permissioned cloud accounts with long standing privileges and static entitlements creates an environment where Shadow Access thrives. The Shadow Access research report brings a data driven baseline to identify gaps in IAM governance and how best to rethink the governance process to effectively work in automated cloud native environments,” said Ken Foster, VP of IT Governance, Risk and Compliance at FLEETCOR.

To access the full findings from the Stack Identity Shadow Access Impact Report, register here: https://stackidentity.com/the-shadow-access-impact-report/.

To run a 60 minute assessment of Shadow Access vulnerabilities to find the IAM blindspots in your cloud environment, register here:  www.stackidentity.com/Shadow-Access-Risk-Assessment.

About Stack Identity

Founded in the heart of Silicon Valley, Stack Identity transforms cloud IAM operations to continuously detect, eliminate and govern unauthorized, unmonitored and invisible Shadow Access. Through its patent-pending algorithm Breach Prediction Index (BPI), applied with deep data and application context, Stack Identity reveals the 2% of toxic access combinations that impacts 90% of data assets and enables cloud security teams to quickly prioritize and automate remediation. Visit us at www.stackidentity.com, and follow us on LinkedIn.

Related Content

  1. Disaster Recovery Journal
    Identity Security is Our Best Defense Against Adversaries – Advice in Honor of Identity Management Day
  2. Disaster Recovery Journal
    Stack Identity Expands Identity Access Risk Management Platform with Launch of Identity Threat Detection Response Capabilities
  3. Disaster Recovery Journal
    Rezonate Announces Mid-Market Solution That Eliminates Identity Blind Spots and Reduces the Cloud Identity Attack Surface in Record Time

Recent Posts

Mark43 Expands UK Presence with New Manchester Office

July 17, 2025

Lansweeper Acquires Redjack, Strengthening its Position as the Global Leader in Technology Asset Intelligence

July 17, 2025

Microsoft Highlights Long-Time Partner Visus After it Helps Santa Barbara County Surveyor’s Office Digitize Slow-Moving Paper Processes

July 17, 2025

Zimperium Warns of Surge in Mobile Cyber Threats as Summer Travel Heats Up

July 17, 2025

Strata Identity Introduces Maverics Identity Orchestration for AI Agents to Secure, Control, and Observe Agentic Behaviors

July 17, 2025

Flexential’s 2024 ESG Report Details Advancements Across Data Center Efficiency, Talent Support, and Operational Oversight

July 16, 2025

Archives

  • July 2025 (40)
  • June 2025 (54)
  • May 2025 (59)
  • April 2025 (91)
  • March 2025 (57)
  • February 2025 (47)
  • January 2025 (73)
  • December 2024 (82)
  • November 2024 (41)
  • October 2024 (87)
  • September 2024 (61)
  • August 2024 (65)
  • July 2024 (48)
  • June 2024 (55)
  • May 2024 (70)
  • April 2024 (79)
  • March 2024 (65)
  • February 2024 (73)
  • January 2024 (66)
  • December 2023 (49)
  • November 2023 (80)
  • October 2023 (67)
  • September 2023 (53)
  • August 2023 (72)
  • July 2023 (45)
  • June 2023 (61)
  • May 2023 (50)
  • April 2023 (60)
  • March 2023 (69)
  • February 2023 (54)
  • January 2023 (71)
  • December 2022 (54)
  • November 2022 (59)
  • October 2022 (66)
  • September 2022 (72)
  • August 2022 (65)
  • July 2022 (66)
  • June 2022 (53)
  • May 2022 (55)
  • April 2022 (60)
  • March 2022 (65)
  • February 2022 (50)
  • January 2022 (46)
  • December 2021 (39)
  • November 2021 (38)
  • October 2021 (39)
  • September 2021 (50)
  • August 2021 (77)
  • July 2021 (63)
  • June 2021 (42)
  • May 2021 (43)
  • April 2021 (50)
  • March 2021 (60)
  • February 2021 (16)
  • January 2021 (554)
  • December 2020 (30)
  • November 2020 (35)
  • October 2020 (48)
  • September 2020 (57)
  • August 2020 (52)
  • July 2020 (40)
  • June 2020 (72)
  • May 2020 (46)
  • April 2020 (59)
  • March 2020 (46)
  • February 2020 (28)
  • January 2020 (36)
  • December 2019 (22)
  • November 2019 (11)
  • October 2019 (36)
  • September 2019 (44)
  • August 2019 (77)
  • July 2019 (117)
  • June 2019 (106)
  • May 2019 (49)
  • April 2019 (47)
  • March 2019 (24)
  • February 2019 (37)
  • January 2019 (12)
  • ARTICLES & NEWS

    • Business Continuity
    • Disaster Recovery
    • Crisis Management & Communications
    • Risk Management
    • Article Archives
    • Industry News

    THE JOURNAL

    • Digital Edition
    • Advertising & Media Kit
    • Submit an Article
    • Career Spotlight

    RESOURCES

    • White Papers
    • Rules & Regulations
    • FAQs
    • Glossary of Terms
    • Industry Groups
    • Business & Resource Directory
    • Business Resilience Decoded
    • Careers

    EVENTS

    • Fall 2025
    • Spring 2025

    WEBINARS

    • Watch Now
    • Upcoming

    CONTACT

    • Article Submission
    • Media Kit
    • Contact Us

    ABOUT DRJ

    Disaster Recovery Journal is the industry’s largest resource for business continuity, disaster recovery, crisis management, and risk management, reaching a global network of more than 138,000 professionals. Offering weekly webinars, the latest industry news, rules and regulations, podcasts, the industry’s only official mentoring program, a quarterly magazine, and two annual live conferences, DRJ is leading the way to keep professionals up-to-date and connected in an ever-changing world.

    LEARN MORE

    LINKEDIN AND TWITTER

    Disaster Recovery Journal is the leading publication/event covering business continuity/disaster recovery.

    Follow us for daily updates

    LinkedIn

    @drjournal

    Newsletter

    The Journal, right in your inbox.

    Be informed and stay connected by getting the latest in news, events, webinars and whitepapers on Business Continuity and Disaster Recovery.

    Subscribe Now
    Copyright 2025 Disaster Recovery Journal
    • Terms of Use
    • Privacy Policy

    Register to win a Free Pass to DRJ Fall 2025 | Building Resiliency Through Innovation

    Leave your details below for a chance to win a free pass to DRJ Fall 2025 | Building Resiliency Through Innovation. The winner will be announced on August 11. Join us for DRJ’s 73rd Conference!

    Enter Now