Customer Identity (CIAM)

Access for end customers is the heart of your digital relationship. Here you must manage the balancing act between strong security and a smooth user experience (UX): every extra step in the login flow is felt by every customer, on every visit.

The Challenge

Unlike internal employees, customers cannot be forced onto managed devices or company-issued authenticators. A login process that is too cumbersome leads to abandoned registrations and transactions; one that is too weak leads to account takeovers and a lasting loss of trust.

Your Strategy

  • Intelligent Defense: Use adaptive MFA, bot detection, and CAPTCHAs to stop automated attacks at the edge, so that step-up challenges are shown only for logins that actually look risky.
  • Progressive Profiling: Ask for each piece of customer data only at the point where it is needed, instead of in a long registration form (privacy-first, and less friction).
  • Prevention: Check new and changed passwords against lists of known leaked passwords, so that credentials already in attackers' hands are never accepted, and account takeover is prevented before it starts.
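As an added example (not code from this page), the breached-password check from the Prevention point, implemented with the k-anonymity range protocol that the Pwned Passwords API uses and that the "Breached Password Detection" mitigation in the ATT&CK table refers to: only the first five hex characters of SHA-1(password) are sent, the server returns every suffix it knows with that prefix, and the comparison happens locally, so neither the password nor its full hash leaves your system. The range response below is a constructed sample (the suffix for "password" is its genuine SHA-1 suffix; the counts and the other suffixes are made up). The URL and the Add-Padding header are those of the public API; `fetch_range` needs network access and is not exercised offline; the fail-open behaviour on an API outage in `password_is_acceptable` is a design choice assumed for a customer-facing flow.

```python
"""Breached-password check via the k-anonymity range protocol (Pwned Passwords style)."""
from __future__ import annotations

import hashlib
from typing import Callable
from urllib.request import Request, urlopen

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for a range response. Real responses hold a few hundred
# "SUFFIX:COUNT" lines per 5-char prefix; here only the suffix of "password" is
# genuine, counts and other suffixes are invented. Count 0 is what the API's
# Add-Padding mode uses for padding lines, so a hit with count 0 is not a breach.
SAMPLE_RANGES: dict[str, str] = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\r\n"
        "2D5F5F9D0C5F4D7E2C7DA39A5F1B7C8E9A1:0\r\n"
    ),
}


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix (sent) and 35-char suffix (kept)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}; tolerates CRLF and blank lines."""
    table: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count or 0)
    return table


def fetch_range(prefix: str, timeout: float = 3.0) -> str:
    """Query the live API for one prefix (network access required; not used offline)."""
    req = Request(PWNED_RANGE_URL + prefix,
                  headers={"Add-Padding": "true", "User-Agent": "ciam-password-check-example"})
    with urlopen(req, timeout=timeout) as resp:  # URLError/timeout are subclasses of OSError
        return resp.read().decode("utf-8")


def offline_fetch(prefix: str) -> str:
    """Look the prefix up in the constructed sample instead of the network."""
    return SAMPLE_RANGES.get(prefix, "")


def failing_fetch(prefix: str) -> str:
    """Simulates an API outage, to exercise the fail-open path."""
    raise OSError("breach API unreachable")


def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """How often the password appears in the breach corpus; 0 means not found."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def password_is_acceptable(password: str,
                           fetch: Callable[[str], str] = fetch_range,
                           min_length: int = 8) -> tuple[bool, str]:
    """Policy decision at registration or password change."""
    if len(password) < min_length:
        return False, "too short"
    try:
        n = breach_count(password, fetch)
    except OSError:
        # Assumed design choice for a customer-facing flow: fail open on an API outage
        # (and log it) rather than blocking every sign-up; re-check at the next login.
        return True, "breach check unavailable; accepted without check"
    if n > 0:
        return False, f"found {n} times in known breaches; choose a different password"
    return True, "ok"
```

Run the check server-side on the plaintext password at registration, password change and, periodically, at login (the corpus grows after the password was set); never store or send the SHA-1 itself, it is only the lookup key for this protocol.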

STRIDE-LM Design Risks

S-CIAM-01 · Spoofing · CIAM Account Takeover
Mass takeover of customer accounts via credential stuffing: username/password pairs leaked from other services are replayed against the login endpoint.

T-01 · Tampering · Data Tampering
Unauthorized modification of shared data or configuration, e.g. profile or consent records.

R-01 · Repudiation · Audit Log Manipulation
Deleting or altering the traces of an action so that it can later be denied.

I-API-01 · Information Disclosure · Excessive Data Exposure
An API returns more data than the client needs (e.g. a full customer record where only a display name is required) and relies on the client to filter it.

D-CIAM-01 · Denial of Service · CIAM Registration Flooding
Blocking the service, or polluting the user store, through mass fake registrations.

E-01 · Elevation of Privilege · Privilege Escalation
Gaining privileges beyond what is intended, e.g. a customer acting with administrator rights.

L-01 · Lateral Movement · Lateral Movement
Accessing further internal systems after an initial login.

M-01 · Monitoring Gaps · Insufficient Logging
Missing or inadequate recording of security-relevant events (failed logins, password resets, MFA changes), so that attacks are not detected.

MITRE ATT&CK® Techniques

Each mitigation is listed as: control · protection tier (Baseline/Extended) · the page's Low/Medium/High rating · framework references (CIS Controls, NIST CSF, OWASP Top 10 / API Security Top 10).

Reconnaissance

T1590 Gather Victim Network Information
Collecting information about the target infrastructure (domains, IP ranges, exposed endpoints) before the attack.
Mitigated by:
  • Consent & Privacy Management · Baseline Protection · Medium · NIST: PR.PT-3
  • Progressive Profiling · Extended Protection · Medium · NIST: PR.PT-3
  • Data Loss Prevention (DLP) · Baseline Protection · Medium · CIS: 13.3, NIST: PR.DS-1
Initial Access

T1078 Valid Accounts
Logging in with stolen or leaked customer credentials; to the service the login looks legitimate.
Mitigated by:
  • Adaptive MFA (Risk-based) · Extended Protection · Low · CIS: 6.5, NIST: PR.AC-7
  • Breached Password Detection · Baseline Protection · Low · NIST: PR.AC-1, OWASP: A07:2021
  • Progressive Profiling · Extended Protection · Medium · NIST: PR.PT-3
  • FIDO2 Enforcement · Baseline Protection · Medium · CIS: 6.5, NIST: PR.AC-7, OWASP: A07:2021
  • Regular Access Reviews · Baseline Protection · Low · CIS: 6.6, NIST: PR.AC-1, OWASP: A01:2021
  • Centralized Secrets Vaulting · Extended Protection · Medium · CIS: 6.12, NIST: PR.DS-1
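Added example, not code from this page or from any CIAM product: a risk-based step-up decision of the kind the "Adaptive MFA (Risk-based)" mitigation refers to. A login from a known device in the usual place goes through on the password alone; a new device, an impossible-travel jump since the last login, an anonymizing proxy or a password known to be breached raises the score until a second factor is required or the attempt is refused. The geolocation, anonymizer flag and device cookie are assumed to be supplied by the login pipeline; the weights, thresholds and the 900 km/h travel limit are illustrative values, not a recommendation.

```python
"""Risk-based (adaptive) MFA decision: step up only when the login looks unusual."""
from __future__ import annotations

from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt
from typing import Optional

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class LoginContext:
    """Signals available at login time (assumed to be provided by the login pipeline)."""
    user: str
    ts: float                         # epoch seconds
    lat: float                        # from IP geolocation
    lon: float
    device_id: str                    # cookie bound to the device at the last successful MFA
    ip_is_anonymizer: bool = False    # Tor exit / known proxy, from IP reputation
    password_breached: bool = False   # result of the breached-password check


@dataclass
class UserHistory:
    known_devices: set[str] = field(default_factory=set)
    last_login: Optional[LoginContext] = None


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(prev: Optional[LoginContext], cur: LoginContext,
                      max_kmh: float = 900.0, same_area_km: float = 50.0) -> bool:
    """True if the user would have had to move faster than an airliner since the last login."""
    if prev is None:
        return False
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if dist < same_area_km:            # IP geolocation jitter inside one metro area
        return False
    hours = (cur.ts - prev.ts) / 3600.0
    if hours <= 0:
        return True
    return dist / hours > max_kmh


def risk_score(ctx: LoginContext, hist: UserHistory) -> tuple[int, list[str]]:
    """Additive score; weights are assumptions for this example."""
    score, reasons = 0, []
    if ctx.device_id not in hist.known_devices:
        score += 30
        reasons.append("new device")
    if impossible_travel(hist.last_login, ctx):
        score += 50
        reasons.append("impossible travel")
    if ctx.ip_is_anonymizer:
        score += 20
        reasons.append("anonymizing proxy")
    if ctx.password_breached:
        score += 40
        reasons.append("breached password")
    return score, reasons


def decide(ctx: LoginContext, hist: UserHistory) -> tuple[str, list[str]]:
    """allow: password is enough; step_up_mfa: require a second factor; deny: refuse and alert."""
    score, reasons = risk_score(ctx, hist)
    if score >= 80:
        return "deny", reasons
    if score >= 30:
        return "step_up_mfa", reasons
    return "allow", reasons


def record_success(ctx: LoginContext, hist: UserHistory, mfa_passed: bool) -> None:
    """After a successful login, bind the device only once it has passed MFA."""
    if mfa_passed:
        hist.known_devices.add(ctx.device_id)
    hist.last_login = ctx
```

Two details matter more than the exact weights: a device becomes "known" only after it has passed MFA, otherwise an attacker with the password trains the system on their own device, and the decision must be evaluated before the password result is revealed, so that the response timing does not leak which factor failed.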
T1566 Phishing
Delivering malicious content or a fake login page via e-mail, SMS or messaging to capture credentials and one-time codes. Of the two mitigations, only FIDO2 is phishing-resistant: SMS and app codes can be relayed through a proxy phishing page, whereas a WebAuthn assertion is bound to the genuine origin.
Mitigated by:
  • Adaptive MFA (Risk-based) · Extended Protection · Low · CIS: 6.5, NIST: PR.AC-7
  • FIDO2 Enforcement · Baseline Protection · Medium · CIS: 6.5, NIST: PR.AC-7, OWASP: A07:2021
Persistence

T1098 Account Manipulation
Changing an account to keep access after a takeover, e.g. adding a recovery e-mail or phone number, registering a new authenticator, or granting extra permissions. Changes to recovery options and MFA methods should require re-authentication and trigger an out-of-band notification to the customer.
Mitigated by:
  • Regular Access Reviews · Baseline Protection · Low · CIS: 6.6, NIST: PR.AC-1, OWASP: A01:2021
Credential Access

T1110 Brute Force
Systematic guessing of passwords or API keys: many passwords against one account, password spraying of a few common passwords across many accounts, or credential stuffing with leaked username/password pairs.
Mitigated by:
  • Adaptive MFA (Risk-based) · Extended Protection · Low · CIS: 6.5, NIST: PR.AC-7
  • Bot Management & Anti-Scraping · Extended Protection · Medium · CIS: 12.1, OWASP: A04:2021
  • CAPTCHA / Proof-of-Work · Baseline Protection · Low · CIS: 12.1, OWASP: A04:2021
  • Breached Password Detection · Baseline Protection · Low · NIST: PR.AC-1, OWASP: A07:2021
  • Progressive Profiling · Extended Protection · Medium · NIST: PR.PT-3
  • FIDO2 Enforcement · Baseline Protection · Medium · CIS: 6.5, NIST: PR.AC-7, OWASP: A07:2021
  • Rate Limiting & Throttling · Baseline Protection · Low · CIS: 12.1, OWASP: API4
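Added example (constructed data, not the page's code) for the detection side of "Rate Limiting & Throttling" against T1110 and the S-CIAM-01 credential-stuffing risk. A sliding-window counter keyed by account catches classic brute force; the same counter keyed by source IP, combined with the number of distinct accounts tried from that source, catches credential stuffing, which a per-account rule alone misses because each account sees only one attempt; a third instance keyed by IP over registration events covers D-CIAM-01 registration flooding (the same control the T1499 entry lists). The event stream and all thresholds are assumptions for this example.

```python
"""Sliding-window throttling and credential-stuffing detection over an auth event stream."""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class SlidingWindowLimiter:
    """Counts events per key inside a trailing time window."""
    limit: int
    window_s: float
    _events: dict[str, deque] = field(default_factory=lambda: defaultdict(deque))

    def hit(self, key: str, ts: float) -> bool:
        """Record an event at time ts; return True if the key is now over its limit."""
        q = self._events[key]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()
        return len(q) > self.limit


@dataclass(frozen=True)
class Policy:
    """Thresholds are assumptions for this example, not a recommendation."""
    account_fail_limit: int = 5          # failures per account before step-up (no hard lockout)
    ip_fail_limit: int = 20              # failures per source before throttling
    stuffing_min_distinct_users: int = 10
    registration_limit: int = 10
    login_window_s: float = 300.0
    registration_window_s: float = 600.0


def constructed_log(base: int = 1_700_000_000) -> list[dict]:
    """Constructed sample of auth events (not real data); one dict per event."""
    ev = []
    # Credential stuffing (S-CIAM-01): one failed attempt each against 25 accounts from one IP.
    for i in range(25):
        ev.append({"ts": base + i, "event": "login_failure", "ip": "203.0.113.7",
                   "user": f"user{i:02d}@example.com"})
    # Classic brute force: 8 failures against a single account within two minutes.
    for i in range(8):
        ev.append({"ts": base + 100 + 15 * i, "event": "login_failure",
                   "ip": "198.51.100.4", "user": "alice@example.com"})
    # Legitimate customer with two typos.
    for t, kind in ((300, "login_failure"), (320, "login_failure"), (340, "login_success")):
        ev.append({"ts": base + t, "event": kind, "ip": "192.0.2.10", "user": "bob@example.com"})
    # Registration flooding (D-CIAM-01): 15 sign-ups from one IP in 30 seconds.
    for i in range(15):
        ev.append({"ts": base + 400 + 2 * i, "event": "register", "ip": "203.0.113.9",
                   "user": f"new{i}@example.com"})
    return sorted(ev, key=lambda e: e["ts"])


def analyze(events: list[dict], policy: Policy = Policy()) -> dict[str, set[str]]:
    """Replay events in time order and return what to act on."""
    by_account = SlidingWindowLimiter(policy.account_fail_limit, policy.login_window_s)
    by_ip = SlidingWindowLimiter(policy.ip_fail_limit, policy.login_window_s)
    registrations = SlidingWindowLimiter(policy.registration_limit, policy.registration_window_s)
    users_per_ip: dict[str, set[str]] = defaultdict(set)
    findings: dict[str, set[str]] = {
        "step_up_account": set(),      # require MFA or a reset for this account
        "throttle_ip": set(),          # slow down or challenge this source
        "credential_stuffing": set(),  # throttled source that also spread over many accounts
        "registration_flood": set(),
    }
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "login_failure":
            users_per_ip[e["ip"]].add(e["user"])
            if by_account.hit(e["user"], e["ts"]):
                findings["step_up_account"].add(e["user"])
            if by_ip.hit(e["ip"], e["ts"]):
                findings["throttle_ip"].add(e["ip"])
                if len(users_per_ip[e["ip"]]) >= policy.stuffing_min_distinct_users:
                    findings["credential_stuffing"].add(e["ip"])
        elif e["event"] == "register":
            if registrations.hit(e["ip"], e["ts"]):
                findings["registration_flood"].add(e["ip"])
    return findings
```

The per-account finding is deliberately a step-up (force MFA or a reset), not a hard lockout: if five wrong passwords lock an account, an attacker has a denial-of-service lever against your own customers. Keying only on the IP is weak against stuffing spread over residential proxies, which is why the page pairs rate limiting with bot management; in production the IP counter is complemented by device or TLS fingerprinting, and the 25 accounts hit from one source are themselves candidates for a forced password check.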
T1539 Steal Web Session Cookie
Capturing an active session cookie, which bypasses the login and its MFA entirely for as long as the session stays valid; cookie lifetime and binding therefore matter as much as the login itself.
Mitigated by:
  • Adaptive MFA (Risk-based) · Extended Protection · Low · CIS: 6.5, NIST: PR.AC-7
  • FIDO2 Enforcement · Baseline Protection · Medium · CIS: 6.5, NIST: PR.AC-7, OWASP: A07:2021
  • Secure Cookie Attributes · Baseline Protection · Low · NIST: PR.DS-1, OWASP: A07:2021
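Added example for the "Secure Cookie Attributes" mitigation (written for this page, not taken from it): a parser for Set-Cookie header values, an audit that lists the weaknesses of a session cookie, and a builder that emits one which passes the audit (Secure, HttpOnly, SameSite, no Domain, and the __Host- prefix that stops a sibling subdomain from planting a cookie of the same name). The 30-day Max-Age ceiling is an assumed policy value.

```python
"""Audit and emit session-cookie attributes (mitigation for T1539)."""
from __future__ import annotations

from dataclasses import dataclass

THIRTY_DAYS = 30 * 24 * 3600   # assumed policy ceiling for a session cookie lifetime


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict[str, str | bool]   # attribute names lower-cased; flag attributes map to True


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value. Splits on ';' and on the first '=' of each pair,
    so base64 values that end in '=' survive."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str | bool] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return Cookie(name.strip(), value.strip(), attrs)


def audit_session_cookie(header: str) -> list[str]:
    """Return the weaknesses of a session cookie; an empty list means it passes."""
    c = parse_set_cookie(header)
    a = c.attrs
    findings: list[str] = []
    if "secure" not in a:
        findings.append("missing Secure: cookie is also sent over plaintext HTTP")
    if "httponly" not in a:
        findings.append("missing HttpOnly: readable by injected script")
    samesite = str(a.get("samesite", "")).lower()
    if samesite not in ("lax", "strict"):
        findings.append("SameSite should be Lax or Strict for a session cookie")
    if "domain" in a:
        findings.append("Domain set: cookie is shared with every subdomain")
    if c.name.startswith("__Host-"):
        # Browsers only accept a __Host- cookie with Secure, Path=/ and no Domain.
        if a.get("path") != "/":
            findings.append("__Host- prefix requires Path=/")
        if "domain" in a:
            findings.append("__Host- prefix forbids Domain")
    else:
        findings.append("no __Host- prefix: a subdomain could plant a cookie with the same name")
    max_age = a.get("max-age")
    if isinstance(max_age, str) and max_age.lstrip("-").isdigit() and int(max_age) > THIRTY_DAYS:
        findings.append("Max-Age longer than 30 days: a stolen cookie stays valid too long")
    return findings


def build_session_cookie(name: str, value: str, max_age: int | None = None,
                         same_site: str = "Lax") -> str:
    """Emit a hardened Set-Cookie header value that passes audit_session_cookie."""
    parts = [f"__Host-{name}={value}", "Path=/", "Secure", "HttpOnly", f"SameSite={same_site}"]
    if max_age is not None:
        parts.append(f"Max-Age={max_age}")
    return "; ".join(parts)
```

Run the audit against the real responses of your login, SSO callback and API hosts rather than against the framework's defaults: the attributes are set per host and per cookie, and a single legacy Domain=example.com cookie undoes the prefix protection on every subdomain.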
T1557 Adversary-in-the-Middle
Intercepting communication between two parties, e.g. a proxy placed between the customer and the login page.
Mitigated by:
  • Privileged Access Workstation (PAW) · Extended Protection · High · CIS: 6.4, NIST: PR.AC-3
    (applies to the administrators of the CIAM platform; customers cannot be placed on managed devices, see The Challenge above)
T1555 Credentials from Password Stores
Extracting saved passwords from web browsers or password managers on a compromised device.
Mitigated by:
  • Breached Password Detection · Baseline Protection · Low · NIST: PR.AC-1, OWASP: A07:2021
  • Centralized Secrets Vaulting · Extended Protection · Medium · CIS: 6.12, NIST: PR.DS-1
T1528 Steal Application Access Token
Theft of access or refresh tokens (e.g. OAuth tokens) to act as the customer without going through the login.
Mitigated by:
  • Centralized Secrets Vaulting · Extended Protection · Medium · CIS: 6.12, NIST: PR.DS-1
Exfiltration

T1567 Exfiltration Over Web Service
Data leakage via legitimate web interfaces.
Mitigated by:
  • Data Loss Prevention (DLP) · Baseline Protection · Medium · CIS: 13.3, NIST: PR.DS-1
Impact

T1499 Endpoint Denial of Service
Targeted overloading of API endpoints.
Mitigated by:
  • Bot Management & Anti-Scraping · Extended Protection · Medium · CIS: 12.1, OWASP: A04:2021
  • CAPTCHA / Proof-of-Work · Baseline Protection · Low · CIS: 12.1, OWASP: A04:2021
  • Rate Limiting & Throttling · Baseline Protection · Low · CIS: 12.1, OWASP: API4

Customer Identity (CIAM) | IT Security Checklist for SMEs · AYSOLI Security Hub