As identity attacks rise, the channel has a new managed services play
Rising identity attacks drive demand for IAM-focused managed security services
Identity Access Management (IAM) is a key building block to successful risk management at a time when ID theft is a key route for threat actors into company networks.
Since 2020, successful cyber breaches leveraging identity theft have become widespread, with recent examples such as the Visa, Marks & Spencer, Jaguar, and Harrods cases illustrating how even well-resourced companies are not immune to these types of attacks.
These breaches were linked to the Scattered Spider group, which has undergone a merger with another prolific cybercriminal group known as ShinyHunters. In just four months, the new group has successfully targeted and infiltrated multiple targets across the US and Europe, including the March 2026 breach of the European Commission, resulting in a 350GB data leak.
The anatomy of an identity attack
In these Identity attacks, Social Engineering is the primary initial vector, with cyber criminals leveraging Vishing and Phishing attack vectors to bypass SSO and multi-factor authentication (MFA) identity access controls. Attackers will often masquerade as internal IT, calling users on their work or personal phones to re-enroll or reset their IAM credentials, then send a modified account reset link to bypass non-phish-resistant MFA.
With credentials successfully hijacked, the attacker can then replay the MFA token to access SaaS resources and exfiltrate corporate data for the extortion phase.
The Social Engineering vector is popular as it offers an easy way to understand a company’s internal structure by leveraging social media. Employee names are usually linked to job titles, which reveal potential access privileges. Personal posts, interests, and commentary give insight into effective tactics for acquiring personal data through phishing, and, as corporate email addresses follow well-known conventions, they are easy to determine.
With identity being a pillar of cybersecurity but also a key attack vector, there are some key capabilities that IAM should deliver.
Rethinking IAM for a more complex threat landscape
Identity access management is not a one-size-fits-all solution. Customer environments and business objectives determine which identity controls will be the most effective.
Nevertheless, there are key capabilities an IAM solution should provide:
- Coverage based on thorough integration within the corporate environment ensures a ‘single source of truth’, allowing visibility over the whole network – including legacy systems.
- Correlation of login data used to identify potential anomalies. The more complex the environment, the more important this capability. Automated analysis can flag potential issues to be investigated manually as a second step, to uncover more details.
- Reporting that enables pertinent and concise alerts to be raised by the IAM solution and follow a clear escalation path to ensure key stakeholders have actionable intelligence for decision-making.
Out of these capabilities, it’s the correlation element that is most important for the early detection of potential breaches in IAM integrity.
To improve the chance of early detection, it’s more effective to focus on looking for anomalies within the environment. These could be related to the user identity behavior, such as “Impossible Travel”, the user identity “location” represented by changes in IP address, or the service identities in the environment spiking in activity during off-hours.
There are several strategies that organizations can adopt to identify anomalous sign-ins without disrupting user experience; these fall under the concept of Risk-Based Authentication (RBA). Organizations can implement User and Entity Behavior Analytics (UEBA), which creates a profile of user behavior and can trigger a biometric or MFA check if a user activity falls outside of the baseline of the usual profile.
Conditional Access is another option, triggering authentication when a user activity exceeds a defined risk score threshold. Integrating FIDO2 passkeys, either software-based or hardware tokens, with one of the above RBA methods will greatly improve the efficacy of RBA by eliminating 90% of the common “anomalous sign-in” flags generated by password guessing or phishing.
IAM as a managed service opportunity
With threats on the rise and limited in-house cybersecurity expertise, companies of all sizes increasingly rely on managed cybersecurity services to strengthen and maintain their security posture. The IT channel is in a privileged position to deliver tailored and effective solutions incorporating IAM as an essential element of corporate cyber-resilience. But what should a robust IAM managed service include?
A true managed identity service should include an MFA or Passkey (FIDO2) capability, allow for customized policy management, and be able to deliver identity services to both users and non-human systems. It should also be capable of risk analysis powered by machine learning and AI, and deliver workflow orchestration. The service should be continuously reviewed and updated to keep up with the fast-evolving threat landscape.
For partners building IAM-managed services, it is recommended that they first conduct housekeeping in their own environment. Supply chain compromise is one of the top concerns in 2026, and partners must be able to show that their own environments are secure.
Secondly, if you have access to multiple vendors, you should standardize your solution stack. Ideally, you would have two core identity platforms, with one likely to be Microsoft Entra ID.
Thirdly, you should develop a comprehensive onboarding blueprint. The success of the service will depend on a positive customer onboarding experience, minimizing any outages in the process to ensure business continuity.
Ultimately, identity is no longer just an administrative layer. It is central to how organizations defend their environments.
As attackers increasingly target credentials, access pathways, and identity stores, businesses need IAM strategies that combine visibility, detection, and strong authentication. For partners, the opportunity lies not simply in selling another security tool, but in helping customers build a more resilient and adaptive approach to identity-led risk.
-
Sam Altman pours cold water on AI 'jobs apocalypse' concernsNews OpenAI CEO Sam Altman “thought there would have been more impact” on white collar and entry-level jobs at this point
-
Everything you need to know about Euro-OfficeNews Euro-Office offers a sovereign European rival to Microsoft Office and Google Docs
-
MSPs and resellers positioned to drive shift to remediation-first exposure managementIndustry Insights MSPs drive shift to remediation-first exposure management beyond vulnerability tracking
-
Preparing for identity attacks: what steps do you need to take?Industry Insights User identities are at risk - can you help your customers keep up with security in their fragmented environments?
-
The sovereignty gap: why MSPs must rethink recovery in the SaaS eraIndustry Insights SaaS growth exposes sovereignty gap, forcing MSPs to rethink recovery
-
Monetizing the quantum shift: 11 PQC channel opportunitiesIndustry Insights Channel partners must lead clients through the post-quantum cryptography transition now.
-
AI and Data are reshaping the MSP landscape, but hackers are getting in on the hot AI actionNews AI is no longer just a buzzword; it's a hacker's dream and the channel's biggest opportunity
-
Why incident response has become a core responsibility for MSPsIndustry Insights MSPs must prioritise incident response as core capability amid rising cyber threats
-
SMB cybersecurity in 2026: From reactive defense to strategic partnershipIndustry Insights Strategic partners help UK SMBs navigate cyber regulations and bridge leadership gaps
-
How resellers can win with smarter Multi-Factor Authentication (MFA)Industry Insights Enhanced and phishing-resistant MFA prevents MFA bombing and fatigue
