Security Engineering Report

6 Permanent Global Administrator Assignments Without PIM

Six independent paths to tenant-level control; each represents a persistent elevated attack surface.

SAML Role With AdministratorAccess and No Condition Keys

Any Entra SAML assertion bearer can assume full administrative access; no compensating control at role level.

Super Admin Accounts Accessible from Named Network Zone Without FIDO2

Super admin takeover via MFA fatigue or push interception attack from corporate network; high-value target for APT actors.

6 Service Account Keys Unrotated (>90 days); 3 Exposed in CI/CD

Long-lived SA keys in version control are a confirmed credential-theft risk; exfiltration window open for >30 days.

4 cluster-admin ClusterRoleBindings to Workload Service Accounts

Four independent service-account paths to full cluster control; any container compromise in these namespaces yields cluster-admin.

svc-entra-sync Has Domain Admins Membership; Password Age 289 Days

Entra Connect sync account with Domain Admin rights; any Entra tenant compromise propagates to on-prem AD with full admin privileges.

3 Accounts With adminCount=1 Outside Protected Groups (AdminSDHolder)

Accounts retain privileged AD object ACLs despite removal from admin groups; can modify account attributes and access protected resources.

4 Slack Workspace Admins Using Email/Password Auth Without Okta SSO Enforcement

Slack workspace admins with standalone credentials cannot be centrally deprovisioned via Okta; data export and workspace management exposed to credential theft.

Salesforce System Admin Profile: 9 Users, 3 Without Step-Up MFA

System Administrator compromise grants full Salesforce access including customer PII, pipeline data, and all integration credentials.

IT Annual Access Review: 89 Open Items Past SLA; 34 Auto-Approved

34 entitlements approved without genuine review; 89 items past SLA and likely to be auto-approved; campaign governance value critically undermined.

SailPoint Connector Accounts Over-Privileged on Target Systems

SailPoint connector compromise propagates Domain Admin and cluster-admin rights to all connected systems; IGA platform is a high-value lateral movement pivot.

23 Privileged Accounts With No Dual-Control Enforcement on Password Retrieval

Privileged credentials retrievable by a single operator without secondary approval; any compromised CyberArk user account yields uncontrolled privileged access to 23 production accounts.

Shared "VaultAdmin" Account — No Individual Accountability for CyberArk Admin Operations

CyberArk administrative actions cannot be attributed to an individual operator; shared admin credential is a single point of compromise for the entire PAM platform.

BeyondTrust Admin Credential Unchanged 380 Days; Used by 3 Named Administrators

BeyondTrust platform admin credential shared and not rotated for over a year; compromise of any of the 3 admin users yields unrestricted PAM platform access affecting all managed accounts.

OIDC Not Configured; 47 Deployment Workflows Use Long-Lived Cloud Credentials

Long-lived cloud credentials embedded in 47 workflows are accessible to all repository contributors; OIDC short-lived tokens would eliminate static credentials from CI/CD.

4 GitHub Organisation Owners Use Personal Accounts — Bypass Enterprise SSO

4 org owners operate outside enterprise SSO, SCIM, and Okta deprovisioning; any of these accounts becoming compromised yields GitHub org-owner access outside the identity lifecycle.

CA-FederatedSessions: No Step-Up for Okta Token

Okta session compromise propagates to Entra without additional authentication challenge.

156 Users Without Phishing-Resistant MFA Registration

Large cohort vulnerable to SIM-swap and MFA-fatigue attacks.

Service Principal Secret Expiry: 23 Secrets > 180 Days Old

Long-lived service principal secrets extend the window of undetected credential theft.

23 IAM Access Keys Not Rotated (>90 days)

Large population of static credentials increases probability of undetected exfiltration.

Cross-Account Trust From Shared-Services Account Lacks Condition Keys

Compromise of shared-services account propagates to all trusted accounts without per-account constraints.

S3 Bucket acme.bucket.customer-data Has Overly Permissive Bucket Policy

Root-level S3 access to customer PII bucket bypasses least-privilege controls; root account should not have direct bucket policy grants.

Inactive SAML Applications — 6 Apps With No Sign-In in >90 Days

Active SAML integrations with no recent usage represent unmaintained trust relationships that may be exploited if credentials are reused.

12 API Tokens Older Than 90 Days

Orphaned API tokens attached to deprovisioned user accounts create persistent API access vectors.

Okta Inline Hook Not Validated — Authentication Policy Bypass

Authentication policy hook not validating risk signals; hook returns allow regardless of risk context, defeating the risk-based authentication policy.

Project-Level IAM Bindings for 4 Service Accounts Exceed Intended Scope

IaC drift: 4 service accounts have accumulated project-level access beyond their provisioned least-privilege baseline.

BigQuery Finance Dataset Lacks Row-Level Security

All 47 data engineers can read all rows in the finance dataset; no row-level partitioning by data sensitivity or business unit.

Org Policy Constraint iam.disableServiceAccountKeyCreation Not Enforced

Users with SA Admin role can create arbitrary static keys; org-level constraint not enforced despite being in security baseline.

Pod Security Standards Not Enforced in 5 Namespaces

Privileged pod creation permitted in 5 namespaces; attacker can create hostPID or hostNetwork pods to escape to node level.

IRSA Role acme.role.k8s-data-access Has Broad S3 and DynamoDB Permissions

Three Kubernetes service accounts can read and write all S3 buckets and DynamoDB tables in the AWS account via IRSA.

Secrets Not Encrypted at Rest (etcd); Using Kubernetes Secrets Without KMS

All Kubernetes secrets (API keys, database passwords, TLS certs) accessible in plaintext to anyone with etcd or cluster-admin access.

47 Stale Computer Accounts With Active SPNs and Delegation Attributes

High volume of stale accounts with SPNs and delegation creates a persistent Kerberoasting and constrained delegation lateral movement surface.

Fine-Grained Password Policy Not Applied to 86 Service Accounts

Service accounts requiring 30-day rotation and complex passwords operate under the same lenient policy as standard user accounts.

23 Slack Guest Users With Sensitive Channel Access Inactive >90 Days

Inactive vendor guests retain access to sensitive channels including incident response; no offboarding triggered by inactivity.

Workday ISU Integration Credential Not Rotated in 18 Months

Long-lived credential with access to all Workday employee records; compromise enables enumeration of full HR dataset including personal data.

Emergency Access Provisioning Bypasses Approval for 23 High-Risk Entitlements

Emergency bypass used for routine high-risk provisioning; privileged access granted without manager or security approval.

67 SailPoint Role Assignments Not Reviewed in 12 Months; 12 Over-Privileged

Uncertified roles accumulate entitlements beyond design intent; 12 roles confirmed over-privileged by automated role mining analysis.

34 Accounts With Automatic Password Rotation Disabled; 12 Passwords Older Than 180 Days

Service accounts without rotation rely on manual management; static long-lived credentials increase the theft-to-detection window.

Privileged Session Manager Not Mandatory for 4 High-Privilege Safe Groups

Direct privileged sessions bypass CyberArk recording and isolation; credential abuse outside PSM is forensically undetectable.

Jump Clients Not Segregated by Network Zone; Production and Dev in Same Jump Group

An operator with dev-zone jump client access can reach production infrastructure jump clients within the same group without additional access controls or approval gates.

12 BeyondTrust Team Passwords Not Certified in 12 Months; 4 Reference Decommissioned Systems

Shared team passwords accumulate without access review; entries for decommissioned systems may still grant access if accounts on target systems remain active.

GitHub Actions Permissions Allow All Actions From Any Publisher

Any action from any publisher — including unverified or malicious ones — can execute in workflows; supply-chain attack vector via unvetted action publishers.

34 Repository Deploy Keys Older Than 180 Days; 8 With Write Access

Stale write-access deploy keys remain valid indefinitely; no lifecycle management removes them when underlying integrations are retired.

34 Inactive Guest Accounts (>90 days)

Stale external access increasing identity surface; low exploitability but fails audit requirements.

CloudTrail Not Enabled in 2 Subsidiary Accounts

API activity in subsidiary accounts is unlogged; detection and forensic capability blind spot.

Admin Role Assignments Lack Access Certification Review

Admin role assignments have not been attested; accumulation risk for stale privilege over time.

GCP Audit Logs Not Exported to SIEM for 3 Projects

Development and staging environment activity unforwarded to SIEM; lateral movement from non-prod to prod environment would not trigger SIEM alerts.

Container Images Not Scanned Before Deployment in 3 Pipelines

Vulnerable base images may be deployed without detection; unpinned images allow supply-chain substitution.

6 Inactive SAML Apps With No Sign-Ins in 90 Days Still Active in Okta

Unused SAML trusts extend federation surface unnecessarily; should be reviewed for decommissioning.

SailPoint Audit Log Retention: 30 Days (Compliance Requirement: 12 Months)

Provisioning audit trail unavailable beyond 30 days; forensic investigation outside retention window is impossible.