Cloud Identity Stores Become Breach Multipliers

Dec 22, 2025

Failure Pattern

Cloud identity stores control authorization for thousands of workloads. If one is compromised, an attacker gains immediate, broad access to every system that trusts it.


What We See in the Field

A compromised service principal or IAM role lets an attacker operate across many systems at once. Because the credential is genuine, the logs record the attacker's actions as authorized. The breach escalates quickly because the identity store is a central point of trust: every system that accepts its tokens is reachable with it.


Underlying Causes

Centralized trust that is never re-verified at the point of use
Overprivileged identities, so one compromised principal reaches far more than it needs
Blind token acceptance: a valid signature and an unexpired lifetime are treated as sufficient
Cloud metadata services that hand instance credentials to any process able to reach them
No binding of tokens to the workload identity that presents them


Trust-Native Network Resolution

DTL adds a second trust barrier: even a valid cloud identity token cannot establish a session unless it is paired with a trusted workload identity. A compromised identity store then no longer amplifies into access everywhere, because the tokens it issues are useless without the workload that is bound to them.
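One way to enforce that pairing, shown here as an added example written for this page rather than DTL's code or any vendor API: the verifier accepts a token only when the caller also proves possession of the workload key the token was bound to at issuance. The HMAC-signed token format, the `cnf` thumbprint claim, the nonce, the subject name and the issuer key are all assumptions of the example, modelled on the key-binding idea of RFC 7800 / RFC 8705 rather than on any particular cloud provider's token.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is a constructed token payload; "cnf" is the thumbprint of the bound workload key.
type Claims struct {
	Subject string `json:"sub"`
	Expiry  int64  `json:"exp"`
	Cnf     string `json:"cnf"`
}

// Thumbprint is the value the issuer writes into "cnf" for a workload public key.
func Thumbprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// IssueToken plays the identity store: HMAC over the claims with a stand-in IdP key. It never checks who will present the token.
func IssueToken(issuerKey []byte, c Claims) string {
	body, _ := json.Marshal(c) // a plain struct of strings and ints cannot fail to marshal
	payload := base64.RawURLEncoding.EncodeToString(body)
	mac := hmac.New(sha256.New, issuerKey)
	mac.Write([]byte(payload))
	return payload + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// Proof travels with the token: the workload's public key plus a signature over the verifier's fresh nonce and the token.
type Proof struct {
	Pub ed25519.PublicKey
	Sig []byte
}

func proofMessage(nonce []byte, token string) []byte {
	h := sha256.Sum256([]byte(token))
	return append(append([]byte{}, nonce...), h[:]...)
}

// SignProof is what a legitimate workload does with its own private key.
func SignProof(priv ed25519.PrivateKey, nonce []byte, token string) *Proof {
	return &Proof{Pub: priv.Public().(ed25519.PublicKey), Sig: ed25519.Sign(priv, proofMessage(nonce, token))}
}

// Authorize is the second barrier: a genuinely issued token is refused without proof of possession of its bound key.
func Authorize(issuerKey []byte, token string, nonce []byte, proof *Proof, now time.Time) (string, error) {
	parts := strings.SplitN(token, ".", 2)
	if len(parts) != 2 {
		return "", errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, issuerKey)
	mac.Write([]byte(parts[0]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return "", errors.New("issuer signature invalid")
	}
	var c Claims
	if body, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(body, &c) != nil {
		return "", errors.New("malformed claims")
	}
	if now.Unix() >= c.Expiry {
		return "", errors.New("token expired")
	}
	// Blind token acceptance stops here; a compromised identity store cannot satisfy the checks below on its own.
	if proof == nil {
		return "", errors.New("bearer-only presentation refused")
	}
	if Thumbprint(proof.Pub) != c.Cnf {
		return "", errors.New("token is bound to a different workload key")
	}
	if !ed25519.Verify(proof.Pub, proofMessage(nonce, token), proof.Sig) {
		return "", errors.New("proof of possession invalid for this nonce and token")
	}
	return c.Subject, nil
}

func main() {
	issuerKey := []byte("constructed-issuer-signing-key")
	wpub, wpriv, _ := ed25519.GenerateKey(nil) // legitimate workload's key (nil reader = crypto/rand)
	_, apriv, _ := ed25519.GenerateKey(nil)    // attacker's own key
	now := time.Now()
	tok := IssueToken(issuerKey, Claims{Subject: "payments-api", Expiry: now.Add(time.Hour).Unix(), Cnf: Thumbprint(wpub)})
	nonce := []byte("fresh-per-request-nonce") // a real verifier draws this at random
	for name, p := range map[string]*Proof{
		"legitimate workload":        SignProof(wpriv, nonce, tok),
		"stolen token, no proof":     nil,
		"stolen token, attacker key": SignProof(apriv, nonce, tok),
	} {
		sub, err := Authorize(issuerKey, tok, nonce, p, now)
		fmt.Printf("%-27s sub=%q err=%v\n", name, sub, err)
	}
}
```

Running it presents the same genuinely issued token three ways: the bound workload is admitted, the token alone is refused, and the token replayed with a different key is refused because the thumbprint in `cnf` no longer matches. The order of checks matters: the thumbprint comparison runs before `ed25519.Verify`, so a caller never reaches the signature check with a key the token was not bound to. The nonce in the signed message is what stops a captured proof from being reused; the binding is then only as strong as the protection of the workload's private key, which is why it should not sit on disk beside the token.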


Broken Trust Assumption

The attacks that exposed this failure pattern were not stealthy break-ins; they were trusted operations.

During incidents such as SolarWinds, Capital One, and Okta, malicious activity was carried out using valid identities and approved execution paths. Certificates were valid. Tokens were accepted. Sessions were authenticated. From the system’s point of view, nothing appeared wrong.

This is the risk of inferring trust from credentials, network location, or a prior authentication, none of which says anything about the workload that is presenting them now.