Cyber Defense Matrix 2.0 · Asset Row · Users
Users
Identities, workforce, and access. The row that has quietly become the most important attack surface in modern environments.
Users is the original Cyber Defense Matrix row covering identities, the human workforce that uses them, and the non-human service identities that mediate access. In modern environments — with disappearing network perimeters and heavy SaaS adoption — Users has quietly become the most consequential row in the matrix. An attacker with valid credentials is already inside most modern defenses.
What the Users row covers
Users covers workforce identities (employees and contractors), customer identities if you operate consumer services, privileged identities (administrators, break-glass accounts), and non-human identities (service accounts, machine identities, API keys, workload identities in cloud environments). It also covers the awareness and training programs that shape how those identities behave.
The row does not cover the applications or data the identities access — those sit on their own rows. It does cover the authentication methods, authorization models, session lifecycles, and access logs that govern how identities interact with everything else.
The identity-provider-centric stack
Modern identity security is built around an IdP (Okta, Microsoft Entra ID, Ping, OneLogin, Duo) that handles authentication, federates SSO, enforces MFA, and acts as the system of record for workforce identities. Around the IdP sits a set of adjacent capabilities: PAM (CyberArk, Delinea, BeyondTrust, Teleport), identity governance (SailPoint, Saviynt), non-human identity management (Silverfort, Aembit, GitGuardian for secrets), and SaaS-identity governance (Obsidian, AppOmni, Veza).
Three specific shifts are reshaping the row: passwordless authentication (FIDO2, passkeys) is replacing password + MFA for human users; machine-identity growth now exceeds human-identity growth by an order of magnitude in cloud-native environments; and identity-threat-detection-and-response (ITDR) — Silverfort, BeyondTrust, Microsoft Defender for Identity — is emerging as a dedicated tool category for detecting identity-based attack patterns.
Coverage patterns and overlap on Users
The standard overlap pattern: an IdP that includes MFA and a legacy MFA product (Duo pre-acquisition, RSA SecurID, Symantec VIP) that was not retired when the IdP went live. Organizations often continue to operate both for 'backwards compatibility' that has no defined end date. The rationalization is almost always to consolidate on the IdP-native MFA and retire the legacy product.
The standard under-investment: non-human identities. Service accounts, API keys, workload identities, and CI/CD pipeline credentials accumulate faster than humans can track them and rotate them. Programs that have strong human-identity controls and weak machine-identity controls are common — and the breach data shows machine identities are used in a growing share of real incidents.
The 'You Already Own the Fix' pattern: Entra ID P1/P2 and Okta Workflows/Identity Governance are widely licensed and widely under-configured. Access reviews, lifecycle automation, and identity-based conditional-access policies are capabilities the program already owns but has not enabled.
Why Users detection is hard and necessary
Detecting identity-based attacks is structurally different from detecting endpoint or network attacks. An attacker using stolen valid credentials generates no malware signatures, no packet-level network anomalies, and no endpoint behavioral oddities. The signal, if it exists, is in access patterns: impossible travel, unusual resource access, session anomalies, and privilege escalation outside the user's normal pattern.
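As an added illustration of the access-pattern signal described above (not code from the page or from any of the products it names), here is a minimal impossible-travel check run over constructed sign-in events: for each user, consecutive sign-ins are compared and flagged when the implied ground speed exceeds a threshold. The events, coordinates and the 900 km/h threshold are assumptions for the example.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample sign-in events (not real telemetry): user, UTC timestamp, lat, lon.
SIGNINS = [
    ("alice", "2024-05-01T08:00:00Z", 51.5074, -0.1278),   # London
    ("alice", "2024-05-01T08:45:00Z", 40.7128, -74.0060),  # New York, 45 minutes later
    ("bob",   "2024-05-01T09:00:00Z", 48.8566, 2.3522),    # Paris
    ("bob",   "2024-05-01T20:00:00Z", 40.7128, -74.0060),  # New York, 11 hours later
]

MAX_SPEED_KMH = 900  # assumed threshold: roughly airliner cruising speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, from_ts, to_ts, speed_kmh) for consecutive sign-ins
    by the same user that imply travel faster than max_speed_kmh."""
    by_user = {}
    for user, ts, lat, lon in events:
        by_user.setdefault(user, []).append((parse_ts(ts), lat, lon, ts))
    alerts = []
    for user, evs in by_user.items():
        evs.sort()  # chronological order per user
        for (t1, la1, lo1, s1), (t2, la2, lo2, s2) in zip(evs, evs[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            dist = haversine_km(la1, lo1, la2, lo2)
            if hours <= 0:
                # Simultaneous sign-ins from two different places are impossible too.
                speed = float("inf") if dist > 0 else 0.0
            else:
                speed = dist / hours
            if speed > max_speed_kmh:
                alerts.append((user, s1, s2, round(speed)))
    return alerts
```

Run on the sample, only alice is flagged: London to New York in 45 minutes implies several thousand km/h, while bob's 11-hour gap is consistent with a flight.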
ITDR platforms and IdP-native analytics (Okta Workflows, Microsoft Defender for Identity, Abnormal Security for email-identity) are the tools built for this problem. The matrix cell DETECT × Users is where these live. For most programs it is the single highest-leverage detection investment available: the attack patterns are real, the tool category is mature, and most organizations have weak coverage today.
Frequently asked
Are customer (CIAM) identities on this row?
Yes, if you operate consumer-facing services. The tooling differs (CIAM platforms like Auth0/Okta Customer Identity, Microsoft Entra External ID, Curity, Transmit Security) but the matrix row is the same. Most B2B-only organizations don't have a meaningful CIAM column; most B2C organizations have it as a second, distinct identity surface.
Is privileged access the same as identity?
No. All privileged access is identity, but not all identity is privileged. Privileged access is a subset — administrative accounts, service accounts with production access, break-glass accounts — that needs stricter controls (session recording, just-in-time access, credential vaulting). PAM tools address that subset specifically.
Where does SCIM fit?
In PROTECT × Users, operationally. SCIM (System for Cross-domain Identity Management) is the protocol that automates user provisioning and deprovisioning across SaaS apps. It is infrastructure that makes identity lifecycle work at scale. An organization with a strong IdP and no SCIM integration to its SaaS estate has manual provisioning — a process that reliably fails on deprovisioning, leaving orphan accounts.
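To make the orphan-account failure mode concrete, here is an added example (not from the page or from any IdP vendor) that reconciles a constructed IdP directory export against a constructed SCIM 2.0 ListResponse from a SaaS app, reports accounts that are active in the app but absent or inactive in the IdP, and builds the SCIM PatchOp body that would deactivate one. The user lists and resource ids are assumptions for the example.

```python
import json

# Constructed IdP directory export (not from a real tenant): userName -> active flag.
IDP_USERS = {
    "alice@example.com": True,
    "bob@example.com": False,        # offboarded in the IdP
    "carol@example.com": True,
}

# Constructed SCIM 2.0 /Users listing from a SaaS app (ListResponse shape per RFC 7644).
SAAS_LIST_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 3,
    "Resources": [
        {"id": "u-1", "userName": "alice@example.com", "active": True},
        {"id": "u-2", "userName": "bob@example.com", "active": True},    # never deprovisioned
        {"id": "u-3", "userName": "Dave@example.com", "active": True},   # unknown to the IdP
    ],
})


def find_orphans(idp_users, saas_list_json):
    """Return SCIM resources that are active in the SaaS app but whose
    userName is absent from, or inactive in, the IdP directory."""
    resources = json.loads(saas_list_json)["Resources"]
    idp = {name.lower(): active for name, active in idp_users.items()}
    orphans = []
    for r in resources:
        if not r.get("active", True):
            continue  # already deactivated in the app
        if not idp.get(r["userName"].lower(), False):
            orphans.append(r)
    return orphans


def deactivate_patch(resource_id):
    """Return the request path and SCIM 2.0 PatchOp body that sets active=false
    on one user (RFC 7644 section 3.5.2); sending it is left to the caller."""
    body = {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [{"op": "replace", "value": {"active": False}}],
    }
    return f"/Users/{resource_id}", body


if __name__ == "__main__":
    for r in find_orphans(IDP_USERS, SAAS_LIST_RESPONSE):
        path, body = deactivate_patch(r["id"])
        print(r["userName"], "-> PATCH", path, json.dumps(body))
```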
Is security awareness training on Users?
Yes. Awareness training (KnowBe4, Proofpoint, Hoxhunt, Living Security) sits in PROTECT × Users. The dual placement is GV.AT (governance awareness) in the GOVERN column — the program-level oversight — paired with PROTECT × Users for the actual training delivered to workforce identities.