How the gap between on-premises Active Directory and the cloud became hybrid identity security's blind spot

Most organizations secure the cloud and on-premises AD, but not the gap between them. That's now hybrid identity security's biggest blind spot.

Published July 16, 2026
Hybrid Identity Security: The AD–Cloud Blind Spot

This is the third article in our Active Directory series. Read part one, the Future of Active Directory, and part two, Why Hybrid Identity Is the Long Game.

The gap between on-premises Active Directory (AD) and the cloud has turned into hybrid Active Directory security's most overlooked vulnerability. Organizations invest heavily in securing each environment, but the seam between them is hybrid identity. That's where attackers increasingly focus, and where most defenses fall short.

From perimeter to identity

One of the biggest shifts in cybersecurity over the last 20 years has been the evolution of cyberattacks, from targeting exposed resources to targeting weak and exposed identity systems as the first port of call. At some point, attackers realized that compromising identities through credential theft had become an easy shortcut to get behind network defenses undetected.

It didn't help that the shift coincided with a dramatic expansion in the number of identities available to target, an observation summed up by the maxim "identity is the new perimeter."

Why open a back door into a network through conventional hacking when you could simply log in with a stolen credential? Better still, because that account was legitimate, it bypassed layers of cybersecurity protection, from endpoints to firewalls.

And it wasn't simply the shift to identities, but where identities were being deployed. When networks were solely on-premises, a compromised user account might give attackers access to resources on that network. The arrival of cloud identities amplified the effect of identity compromise many times over.

A growing attack surface

Now the same compromise suddenly gives access to a whole menu of additional enterprise systems, including Microsoft 365, Salesforce, ServiceNow, AWS, and GitHub.

This shift happened incredibly quickly, although it has taken years for the implications to sink in. Enterprises have been struggling with this ever since. Suddenly, through exposed identities, the attack surface grew from a single network segment to, potentially, every system inside an organization, from Active Directory at one end to multiple cloud and SaaS platforms at the other.

But the biggest problem of all? It's that organizations today have partially migrated from a solely on-premises setup to one in which this network is tied to and synchronized with a cloud network.

The new hybrid topology has given attackers two bites at the cherry. Either environment can be targeted and compromised through the other.

Identity's growing complexity

CISOs don't have to look far for evidence that credentials lie at the heart of today's cybersecurity vulnerability. Verizon's 2026 Data Breach Investigations Report (DBIR), which analyzed 22,000 confirmed data breaches in 145 countries, found that 78% of incidents could be traced back to credential abuse in one way or another.

An important nuance is that the credential abuse recorded by the DBIR is not, as is sometimes assumed, simply about attackers stealing and abusing conventional user credentials. Non-human identities must also be considered. An illustration of this is "system intrusion," the largest DBIR category, which covers a wide range of compromise types traced to different entry paths.

But regardless of how attackers gain entry, once inside a network they invariably hunt for other types of credentials that make lateral movement possible:

  • Service accounts

  • Domain admin hashes

  • System tokens of various types

Every one of those is an identity that confers access and power over different systems.

This underlines how modern identity is unavoidably built on a complex fabric of interlocking credentials. This is the very expansion that made the growth of cloud technologies possible in the first place. You can never have fewer credentials, only more. The cloud is a fabric of different platforms and technologies, but identities are the glue that holds it all together.

The hybrid identity security battlefield

For enterprises, the vulnerability caused by credential explosion is unavoidable. The practical implication is that organizations must find a way to secure two environments rather than one: traditional on-premises datacenters built around Active Directory (AD) and the cloud platforms and applications connected to them.

Many organizations originally assumed that this hybrid state would be a temporary stage before they migrated fully to the cloud. Today, a more realistic assessment is that this will probably never happen in the way it was once envisioned. In practice, while risks exist on both sides, the on-premises network remains the biggest vulnerability — a product of the security era in which it was conceived. Despite this, the security tools needed to manage hybrid identity security risk remain frustratingly hard to find.

Organizations try to contain the threats by investing in layers of traditional endpoint control, firewalling, email filtering, and a plethora of cloud security systems and monitoring. They also increasingly deploy multi-factor authentication (MFA), single sign-on (SSO), data loss prevention (DLP), SIEM systems, API monitoring, and zero trust.

What this complex, often expensive, infrastructure doesn't always do is secure the weak seam where the on-premises and cloud environments meet.

Each is secured with strong controls, but without addressing the often difficult-to-spot gaps between them. Often these security gaps appear under complex conditions that are hard to predict, which can get in the way of security teams' ability to anticipate or monitor them.

Where the seam breaks

One of the biggest seam vulnerabilities is the Active Directory or Entra ID synchronization process, used to update identity data such as users, groups, and password hashes. This can run in either direction, on-premises to cloud or cloud to on-premises, depending on which side is used as the primary identity store, but the problem remains the same: attackers can hijack one environment through an identity weakness and leverage that to target the other.

Another example on the on-premises side is Active Directory Federation Services (AD FS), used to manage SSO. This can be targeted with "golden SAML" attacks, where attackers forge SAML tokens to gain access to cloud services such as Microsoft 365 by impersonating users or admins. And this is before considering the continuing vulnerability of legacy protocols such as NTLM and LDAP, built a generation before the cloud or MFA existed, and which still linger in some networks despite the known risks they pose.

Defending hybrid identity security

Securing a hybrid network is difficult, but it's not impossible. Logically, if identities are the weakness, the first job of defenders is to protect them. This is especially true for those managed through on-premises Active Directory.

The challenge with Active Directory is that its age means it lacks modern security controls. Overcoming this forces organizations to build additional security layers using third-party products. Unfortunately, there is a dearth of products that do this without adding complexity and expense, including from Microsoft itself.

Securing identity in real-world conditions

UserLock is designed to fill the many small but critical gaps that still make Active Directory security harder than it should be. It does this by adding missing access security layers at the point of logon: MFA, SSO, session and concurrent access controls, and contextual access. These are all features that Active Directory would include if it were being built today.

The underlying philosophy is that Active Directory itself isn't the problem. The missing security features needed to defend it are.

Most identity compromises start small before expanding into more threatening lateral movement:

  • a compromised workstation account

  • an insecure VPN or RDP connection

  • a privileged admin account

Secure them, and the organization shuts the vulnerable back door into the cloud.

Almost every organization still has a sizable on-premises network running Active Directory, either as the primary identity store, or synchronized to Entra ID or a third-party cloud platform. Defending it should never be the afterthought it too often has become. This is where vulnerability begins, and it is the first thing defenders should look to secure.

Over the last decade, organizations have stepped up their identity defenses, and yet criminal innovators show no signs of slowing down their development of new techniques.

They know what many defenders would rather not think about: no matter how much they spend on security, hybrid organizations are still only as secure as their weakest identity.

In the hybrid era, hybrid identity security is no longer just a matter of good practice. It has become the foundation on which every other security control depends.

XFacebookLinkedIn

Daniel Garcia Navarro

Engineering Director, IS Decisions

Daniel Garcia is Engineering Director at IS Decisions, where he leads the development of secure and scalable access management solutions. He holds a Master’s degree in Telecommunications Engineering and brings strong technical expertise to enterprise identity security.