
8 Simple Steps MSPs Can Use to Harden Hybrid Identity Security

Published: 12/05/25

Written by: Nadine Rozell


As an MSP, you likely support clients who are split between cloud services and on-prem systems, and you need to make it all work securely. Many may have one foot in the cloud (using apps like Microsoft 365 or Salesforce) and one foot still tied to local servers. This type of hybrid setup means identity becomes the bridge between two very different environments.

This creates what’s known as hybrid identity, or making those two different systems agree on who you are. Hybrid identity connects your traditional, in-office login system (like Active Directory) with all your modern cloud apps. It’s supposed to give each user a single, secure identity to access everything.

The problem is that in practice, hybrid identity can introduce blind spots when cloud and on-prem systems don’t share consistent policies, logs, and security controls. Attackers love this confusion. They hunt for any crack or mismatch between your old and new login systems. They know that one stolen password for a simple cloud app could be the key they use to break into your company's most critical data.

It's no surprise that identity-based attacks are a huge problem. Year after year, Verizon's Data Breach Investigations Report (DBIR) continually shows that stolen credentials are a top way attackers get in. The good news is there are surefire ways to get a handle on a hybrid setup and protect your clients from a breach. Here are eight straightforward steps to help keep attackers out.

1. Develop and enforce clear security policies

A good security policy is your foundation. It's the "how-to" guide that outlines how your team manages and protects digital identities and data, both on-prem and in the cloud. Think of it as the rulebook for everyone to follow.

Your policies need to be written down and cover the essentials: who gets access, how accounts are managed, how data is protected, and what happens when something goes wrong. You also need to update these policies regularly to keep up with new threats and compliance rules.

| Policy Domain | Key Components | Update Frequency |
| --- | --- | --- |
| Access Management | Role-based permissions, least privilege, account lifecycle | Quarterly |
| Authentication | MFA requirements, password policies, session management | Semi-annually |
| Data Handling | Classification, encryption, retention, disposal | Annually |
| Incident Response | Detection procedures, escalation paths, recovery steps | Quarterly |
| Employee Conduct | Acceptable use, security awareness, reporting requirements | Annually |

Policy enforcement requires automated monitoring tools that can detect violations and alert administrators to potential security gaps. Your policy reviews should include lessons learned from security incidents, changes in business operations, and updates to regulatory requirements.

Key takeaway: A clear, updated security policy is the cornerstone of your hybrid identity protection.

2. Implement multi-factor authentication with phishing-resistant methods

If you were to do only one thing, do this. Multi-factor authentication (MFA) is one of the most effective ways to protect accounts. Microsoft security research shows it can block over 99% of credential-based attacks.

Multi‑factor authentication is a security process that requires users to present at least two forms of verification—such as a password and a physical token—before gaining access, making unauthorized entry significantly more difficult even when passwords are compromised.

But not all MFA is created equal. Attackers can still get around weaker forms like SMS or voice calls using SIM swapping and social engineering. We’ve also seen attackers use adversary-in-the-middle tools like Evilginx to steal session cookies and temporarily take over accounts even after MFA is used. Shifting clients toward phishing-resistant MFA wherever possible is critical. Options like FIDO2 hardware keys (like a YubiKey) or Windows Hello for Business provide the strongest protection. They use public-key cryptography instead of shared secrets, which dramatically reduces phishing and adversary-in-the-middle success rates.

| MFA Method | Security Level | User Experience | Hybrid Compatibility |
| --- | --- | --- | --- |
| FIDO2 Keys | Highest | Moderate | Excellent |
| Windows Hello | High | Excellent | Good |
| Authenticator Apps | Moderate | Good | Excellent |
| SMS/Voice | Low | Excellent | Good |

Organizations should prioritize FIDO2 and certificate‑based authentication for privileged accounts while implementing app‑based authentication for standard users. The key is eliminating SMS and voice‑based MFA, which remain vulnerable to SIM swapping and social engineering attacks.

Key takeaway: Deploy phishing‑resistant MFA (e.g., FIDO2, Windows Hello) to block the vast majority of credential‑based attacks.
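Here is an added Go example (not code from the Huntress post) of why the public-key design described above defeats the adversary-in-the-middle relay: the browser writes the origin it is actually on into the signed client data, so a relying party that checks origin and challenge rejects any assertion produced on another site, and a proxy cannot rewrite that field without breaking the signature. The function names, the reduced authenticator data (just the rpId hash) and the two-field client data are simplifications for the demo; a real browser additionally refuses to start the ceremony at all when the page origin does not match the rpId.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData keeps the two WebAuthn CollectedClientData fields that matter here;
// the browser fills in Origin with the page it is really on, and it gets signed.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the relying party receives. AuthData is simplified to the
// SHA-256 of the rpId; real authenticator data carries flags and counters too.
type assertion struct {
	AuthData, ClientDataJSON, Sig []byte
}

// signedMessage is what the authenticator signs: SHA-256(authData || SHA-256(clientDataJSON)).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return m[:]
}

// newCredential models registration: the private key never leaves the authenticator.
func newCredential() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// sign models browser plus authenticator producing an assertion for one challenge.
func sign(priv *ecdsa.PrivateKey, rpID, origin, challenge string) (assertion, error) {
	rpHash := sha256.Sum256([]byte(rpID))
	cd, err := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	if err != nil {
		return assertion{}, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpHash[:], cd))
	return assertion{AuthData: rpHash[:], ClientDataJSON: cd, Sig: sig}, err
}

// verify models the relying party. Challenge, origin, rpId hash and signature must
// all match; an assertion relayed through a proxy on another origin fails the origin check.
func verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != challenge {
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != origin {
		return fmt.Errorf("origin %q is not %q: assertion was produced on another site", cd.Origin, origin)
	}
	if rpHash := sha256.Sum256([]byte(rpID)); !bytes.Equal(a.AuthData, rpHash[:]) {
		return fmt.Errorf("rpId hash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(a.AuthData, a.ClientDataJSON), a.Sig) {
		return fmt.Errorf("signature does not verify under the registered public key")
	}
	return nil
}
```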


3. Centralize identity and access management across environments

Juggling identities across on-prem and cloud tools can be a recipe for disaster. You get "identity silos," which create security gaps and are a pain to manage. The fix is to centralize your Identity and Access Management (IAM). This means managing all user accounts and access rights from one place:

Centralized identity and access management is the practice of managing all user accounts and access rights from a single platform, spanning both cloud and on‑premises resources, to minimize security gaps and streamline operations. This helps eliminate identity silos.

For a hybrid identity setup, this usually means connecting your on-prem Active Directory to a cloud identity provider like Microsoft Entra ID. CISA guidance highlights that this unified approach shrinks your attack surface by getting rid of orphaned accounts and enforcing the same policies everywhere.

A centralized system is also the foundation for a Zero Trust security model. A Zero Trust approach means you "never trust, always verify" every access request, no matter where it's from.

Centralized IAM architecture:

On-Premises AD → Sync → Cloud Identity Provider → Applications
    ↓
Policy Engine → Access Decisions → Continuous Monitoring

To make centralized IAM work, you need automated provisioning and deprovisioning. That way, accounts are created, updated, and removed the same way in both cloud and on-prem systems. Consistency here closes gaps and stops orphaned accounts from slipping through.

Key takeaway: A unified IAM platform gets rid of identity silos and is your first step toward Zero Trust in a hybrid environment.

4. Continuously monitor hybrid identities and detect anomalies

You can't stop what you can't see. Continuous monitoring is critical for spotting threats early, cutting attacker dwell time, and stopping lateral movement across your hybrid setup. You need automated tools that watch for suspicious activity in real time.

This is where anomaly detection comes in. Anomaly detection is the automated identification of unusual patterns or behaviors that may indicate a security threat, such as unexpected logins, location mismatches, or activity at odd hours.

User and Entity Behavior Analytics (UEBA) systems are great for this. They learn what "normal" behavior looks like for each user and then flag activity that deviates from that baseline.

Common anomalies to watch for:

  • Failed logins from weird locations

  • Credential use after hours

  • Sudden changes to a user's privileges

  • Logins from two different countries at the same time

  • Users trying to access files they've never touched before

  • A privileged account being used from a regular workstation

Alerts are just noise until a human analyst investigates them. A 24/7 people-powered Security Operations Center (SOC) can investigate these alerts to find the real threats and stop attackers before they can do serious damage.

Key takeaway: UEBA-driven monitoring helps you spot any bizarre identity behavior before an attacker can pivot.
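As an added example that is not from the Huntress post, the Go code below applies four of the anomalies listed above (failed logins from an unusual country, after-hours credential use, a privileged account on a non-admin workstation, and two countries within a short window) to a constructed batch of sign-in events. The event schema, business-hours window, approved-workstation list and per-user country baseline are assumptions standing in for your identity provider's sign-in logs and your own baselines, and each Finding is a lead for an analyst, not an automatic block.

```go
package main

import "time"

// SignIn is one constructed identity-provider sign-in event (not a real log schema).
type SignIn struct {
	User, Country, Host string
	When                time.Time // assumed to be in the tenant's local time zone
	Success, Privileged bool
}

// Finding is one anomaly handed to a human analyst for triage, never an automatic block.
type Finding struct{ User, Rule, Detail string }

// Policy holds the baseline the rules compare against (constructed values).
type Policy struct {
	WorkStart, WorkEnd int                        // business hours, 24h clock, end exclusive
	PAWHosts           map[string]bool            // approved privileged-access workstations
	TravelWindow       time.Duration              // two countries inside this window = impossible travel
	KnownCountries     map[string]map[string]bool // per-user sign-in location baseline
}

// detect walks time-ordered events and applies four of the article's anomaly rules.
func detect(events []SignIn, p Policy) []Finding {
	var out []Finding
	last := map[string]SignIn{} // most recent successful sign-in per user
	for _, e := range events {
		add := func(rule, detail string) { out = append(out, Finding{e.User, rule, detail}) }
		if !e.Success {
			if !p.KnownCountries[e.User][e.Country] {
				add("failed-login-unusual-location", e.Country)
			}
			continue
		}
		if h := e.When.Hour(); h < p.WorkStart || h >= p.WorkEnd {
			add("after-hours-credential-use", e.When.Format("15:04"))
		}
		if e.Privileged && !p.PAWHosts[e.Host] {
			add("privileged-from-regular-workstation", e.Host)
		}
		if prev, ok := last[e.User]; ok && prev.Country != e.Country && e.When.Sub(prev.When) < p.TravelWindow {
			add("impossible-travel", prev.Country+" -> "+e.Country)
		}
		last[e.User] = e
	}
	return out
}

// sampleEvents is a constructed, time-ordered batch that trips each rule once.
func sampleEvents() []SignIn {
	t := func(s string) time.Time { v, _ := time.Parse("2006-01-02 15:04", s); return v }
	return []SignIn{
		{"alice", "US", "WS-ALICE", t("2025-12-01 09:05"), true, false},
		{"alice", "DE", "WS-ALICE", t("2025-12-01 09:40"), true, false},      // impossible travel
		{"bob", "US", "WS-BOB", t("2025-12-01 10:00"), true, false},
		{"bob", "RU", "WS-BOB", t("2025-12-01 10:02"), false, false},         // failed, unusual country
		{"admin-carol", "US", "WS-CAROL", t("2025-12-01 13:00"), true, true}, // privileged, not a PAW
		{"admin-carol", "US", "PAW-01", t("2025-12-01 23:30"), true, true},   // after hours
	}
}

// samplePolicy is the constructed baseline that goes with sampleEvents.
func samplePolicy() Policy {
	return Policy{WorkStart: 8, WorkEnd: 18, PAWHosts: map[string]bool{"PAW-01": true}, TravelWindow: 2 * time.Hour,
		KnownCountries: map[string]map[string]bool{"alice": {"US": true}, "bob": {"US": true}, "admin-carol": {"US": true}}}
}
```

Events must be fed to detect in time order; on the sample batch it returns four findings, one per rule.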

5. Integrate threat intelligence for proactive defense


Threat intelligence is the continuous collection, analysis, and sharing of information about current and emerging cyber threats, enabling organizations to detect, prepare for, and respond more effectively to attacks.

Simply put, it gives you a heads-up on what attackers are doing right now. Instead of just reacting, you can anticipate their moves and automate your defenses. Automated feeds can give you real-time updates on malicious IPs, domains, and attacker techniques. Dark web monitoring is also key. It can alert you if one of your client's credentials shows up for sale, letting you reset the password before that account gets used in an attack.

| Intelligence Type | Focus Area | Update Frequency | Integration Method |
| --- | --- | --- | --- |
| Strategic | Long-term threat trends | Monthly | Policy updates |
| Tactical | Specific attack methods | Weekly | Detection rules |
| Operational | Immediate threats | Real-time | Automated blocking |

Key takeaway: Real-time threat intel gives you the foresight to block hybrid identity attacks before they even launch.

6. Conduct regular vulnerability assessments and remediation

You need to find the holes in your hybrid identity setup before attackers do. A vulnerability assessment is just a systematic way to find, rank, and fix security weaknesses in your IT environment. You should run these scans at least quarterly, covering both your on-prem and cloud assets.

When assessing a hybrid setup, look for common issues like misconfigured identity providers, bad privilege inheritance from old systems, or weak policy enforcement.

Your assessment and fixing workflow should look like this:

  • Discovery: Map out all your identity systems.

  • Scanning: Use automated tools to find known vulnerabilities.

  • Analysis: Prioritize what to fix based on risk.

  • Remediation: Patch the holes and fix the configs.

  • Validation: Double-check that your fix actually worked.

  • Documentation: Write down what you did.

Key takeaway: Regular vulnerability scans keep your hybrid identity stack hardened against known flaws.

7. Create and test your incident response (IR) plan

When a breach happens, the worst thing you can do is panic. A strong incident response (IR) plan ensures your team can act fast and effectively, which cuts down on recovery time and business impact. Your IR plan needs to be a documented, step-by-step guide for finding, containing, and recovering from a security incident.

For hybrid identity, your incident response plan must cover challenges like account sync across platforms and how to handle a response in both on-prem and cloud systems at the same time. We’ve seen firsthand how a good plan makes all the difference. Check out our blog on incident response planning for more info on building one.

At a high level, critical incident response considerations include:

  • Preserve affected accounts rather than deleting them immediately, so forensic evidence is kept

  • Coordinate response actions across hybrid environments to prevent further compromise

  • Maintain clear communication channels with stakeholders during incident resolution

  • Document all response actions for post‑incident analysis and improvement

Lastly, a plan is just a piece of paper until you test it. Run regular tabletop exercises to practice your procedures, find gaps, and build that muscle memory before a real incident hits.

Testing incident response plans through simulated identity compromise scenarios helps teams develop muscle memory for critical procedures while identifying areas requiring additional training or process refinement.

Key takeaway: A practiced, hybrid-aware IR plan dramatically cuts attacker dwell time and the effort needed to recover.

8. Educate and train employees on identity security best practices

Security awareness training teaches employees how to recognize potential threats, follow organizational policies, and maintain best practices for protecting digital identities and sensitive information. Research shows that good, ongoing training on phishing, credential security, and how to report threats can make a huge difference in your security posture.

At the end of the day, your end users are the front line. Your training needs to keep up with the latest attacker tricks. Ditch the boring yearly slideshow. Use interactive formats like simulated phishing campaigns (with immediate feedback), hands-on MFA setup guides, and role-specific training to make the lessons stick. You're trying to turn your users from the biggest risk into an active part of your defense.

Training format options:

  • Online modules: Self‑paced learning with progress tracking

  • Phishing simulations: Real‑world practice with immediate feedback

  • Interactive seminars: Group discussions and scenario planning

  • Micro‑learning: Brief, frequent updates on emerging threats


A successful training program needs regular reinforcement through multiple channels, measurement of behavioral change via metrics like phishing click rates, and continuous updates reflecting the current threat landscape and organizational technology changes.

FAQ

The most effective steps include enforcing comprehensive security policies, implementing phishing‑resistant multi‑factor authentication, centralizing identity management, continuously monitoring for anomalies, integrating threat intelligence, conducting regular vulnerability assessments, having robust incident response plans, and giving ongoing user training.

MSPs should separate privileged accounts across on‑premises and cloud environments, enforce multi‑factor authentication with phishing‑resistant methods, avoid synchronizing highly privileged accounts between directories, use dedicated hardened workstations for administrative tasks, and implement just‑in‑time access controls that limit privilege duration.


Phishing‑resistant MFA methods like FIDO2 security keys and Windows Hello for Business offer the strongest security with acceptable user experience. Password hash synchronization combined with conditional access policies provides seamless Single Sign‑On (SSO) while maintaining security across hybrid environments.

Continuous monitoring detects unusual activities such as unexpected privilege changes, abnormal resource access patterns, and suspicious authentication behaviors early in the attack lifecycle, enabling rapid response that limits attackers' ability to establish persistence and move laterally within hybrid environments.

Regular employee training raises awareness of identity‑related risks like phishing campaigns, credential harvesting, and social engineering attacks. Well‑trained employees become active participants in organizational security by recognizing threats, following secure practices, and reporting suspicious activities promptly.


Conclusion

By following these eight steps—clear policies, phishing-resistant MFA, centralized IAM, continuous monitoring, threat intel, regular assessments, a tested IR plan, and ongoing training—you can harden hybrid identity security and protect both cloud and on‑premises assets.
