The hybrid infrastructure blindspot

Pillar 1 of 5    ·    7 min read     ·     Grounded in l hybrid identity architecture research — HYPR & Ciptor

See how this applies to your environment

Book a 30-minute briefing with Ciptor. We'll walk through what live-fire validation typically uncovers in environments like yours.

Book a briefing

The assumption

Securing modern SaaS and cloud environments covers the vast majority of our identity exposure.

Cloud-first security programmes have driven significant investment into securing Microsoft 365, Okta, Azure AD, and the SaaS applications that sit behind them. Conditional access policies, phishing-resistant MFA for cloud services, and SSO federation are deployed and working. The security team's attention and budget has followed the organisation's data — into the cloud. On-premises infrastructure — legacy ERP systems, manufacturing execution platforms, local Windows domain authentication, smart card readers on factory floors — is considered a secondary concern, scheduled for eventual modernisation.

Running cloud MFA alongside legacy on-premises systems?


Book a briefing. We'll map the specific cross-boundary attack paths in your hybrid environment and show you what a unified FIDO2/PIV deployment looks like operationally.

Book a briefing

The reality

Threat actors deliberately target the authentication seam between modern cloud SSO and legacy on-premises infrastructure — precisely because it is where enforcement is inconsistent and monitoring is sparse.


Hybrid infrastructure creates a category of attack that purely cloud or purely on-premises environments do not face: the cross-boundary credential path. A user authenticated via cloud SSO in the morning may also have an active on-premises Active Directory session, a Kerberos ticket cache on their workstation, and legacy application credentials stored in Windows Credential Manager. These are separate authentication contexts, governed by different policies, monitored by different tools — and frequently connected in ways that allow lateral movement from one to the other.

92%

Of enterprise employees still rely on usernames and passwords as their primary authentication method — the majority accessing legacy on-premises systems that are explicitly excluded from cloud MFA policies.Source: HYPR / S&P Global — State of Passwordless Identity Assurance 2026

 

The Golden Ticket and Silver Ticket attack techniques — both targeting the Kerberos authentication protocol that underpins Active Directory — remain among the most effective post-compromise lateral movement tools available precisely because on-premises Kerberos infrastructure is rarely included in cloud-era security hardening programmes. An attacker who compromises a single domain controller can forge authentication tickets for any user in the domain, granting access to every Kerberos-protected resource regardless of what cloud MFA policies are in place for those users' cloud accounts.

76%

Of organisations still use username and password as the dominant authentication method — with the majority of those password-authenticated sessions occurring against on-premises or legacy systems outside cloud MFA scope.Source: HYPR / S&P Global — State of Passwordless Identity Assurance 2026

"In every hybrid environment we test, we find at least one path from a cloud-authenticated user context to domain-level privilege via the on-premises boundary. Organisations have hardened the front door and left the connecting corridor unmonitored." — Syndis red team operations, 2025 assessment synthesis
The smart card and PIV layer compounds the complexity. Many organisations in regulated sectors — defence contractors, government agencies, financial institutions — use smart card authentication for physical access and certain privileged logical access workflows, while simultaneously running FIDO2 or SSO for cloud services. The coexistence of these two credential systems without a unified policy layer creates monitoring blind spots where neither system has complete visibility into the other's authentication events.

Pillar 1 — Adversary tactics


Vol. 1 The endpoint illusion

Vol. 2 The fallacy of network-delivered codes

Vol. 3 The helpdesk open door

Vol. 4 Sovereign hardware risk
Vol. 5 The hybrid infrastructure blindspot

The blueprint

Implement a unified authentication standard across cloud web apps, legacy operating systems, and physical access layers — using an integrated FIDO2 and PIV smart card ecosystem on a single hardware credential.

The solution is not to accelerate cloud migration until legacy systems disappear — that timeline is measured in years for most enterprises. The solution is to bring the legacy authentication layer under the same hardware-bound credential framework that governs cloud access, closing the seam by unifying the credential, not the infrastructure.

The hybrid hardware token: one credential, three access layers

Modern hardware security keys — specifically those supporting both FIDO2 and PIV (Personal Identity Verification) on a single device — are the practical tool for closing the hybrid blindspot. A single token carried by an employee can simultaneously serve as:

  • FIDO2 authenticator for cloud SSO, SaaS applications, and Microsoft 365 — providing phishing-resistant MFA that satisfies NIS2 Article 21 for cloud access.
  • PIV smart card for on-premises Windows domain authentication, legacy ERP login, and VPN access — replacing the password-based Kerberos authentication that Golden Ticket attacks target.
  • Physical access credential for door readers, secure areas, and facility access — closing the logical/physical access gap explored in Vol. 10 of this series.

 

When the same hardware token governs all three access layers, the authentication event becomes unified. Every access — cloud application, on-premises workstation, secure door — generates a verifiable, hardware-bound record in a single audit trail. The monitoring blindspot closes because there is no longer a separate system to monitor separately.

Addressing the legacy compatibility concern

The most common objection to hardware token deployment in hybrid environments is legacy system compatibility — the assumption that older applications cannot support FIDO2 or smart card authentication. This is partially true and frequently overstated.

Windows domain authentication via PIV smart card has been supported natively since Windows 7. The majority of enterprise on-premises applications that authenticate via Active Directory can be configured to accept PIV smart card credentials without application modification — because PIV authentication integrates at the domain level, not the application level. Applications that authenticate against Active Directory inherit smart card support from the domain configuration.

Genuinely legacy applications — those with hardcoded username/password fields that cannot be redirected through Active Directory — can be addressed through identity broker middleware that presents a smart card authentication interface to the application while handling credential translation internally. See Vol. 15 for the specific architecture for OT and highly constrained legacy environments.

The monitoring unification benefit
Beyond the security improvement, unified hardware credentials provide an operational benefit that security teams consistently undervalue in pre-deployment analysis: a single, complete authentication audit trail. When cloud and on-premises authentication events are generated by the same hardware credential and routed to the same SIEM, impossible-travel detection, anomalous access pattern alerts, and privilege escalation detection all become significantly more effective — because the system can correlate events that previously lived in separate logs with no shared identifier.

An employee who authenticates to cloud services from Stockholm at 09:00 and to an on-premises system from a different location at 09:15 generates an impossible-travel alert that no system could previously detect — because the cloud authentication was in Azure logs and the on-premises authentication was in Active Directory event logs, with no shared session identifier to correlate them. Unified hardware credentials solve this by design.

Sequencing the hybrid deployment


Step 1: Map all authentication systems in the environment — cloud, on-premises, physical — and identify the seam points where different authentication contexts intersect. This is the inventory that most organisations lack and most attackers already have.
Step 2: Deploy dual FIDO2/PIV hardware tokens to highest-privilege users first — domain administrators, system administrators, and users with access to both cloud and on-premises sensitive resources.
Step 3: Configure Active Directory to require smart card authentication for privileged accounts, removing password-based Kerberos as an option for those accounts. This directly addresses Golden Ticket attack viability.
Step 4: Extend unified credential deployment to the broader workforce, working from highest-risk user populations toward general users.

Up next — Pillar 2

Vol. 6 Risk assessment integration
Vol. 7 Continuous authentication vs. static sessions
Vol. 8 Boardroom accountability shift
Vol. 9 Real-time signal orchestration
Vol. 10 Convergence of physical and logical access

Sources & methodology

Hybrid identity data: HYPR / S&P Global 2026. Golden / Silver Ticket: MITRE ATT&CK T1558. Kerberos attack methodology: Microsoft DART incident response data 2024. PIV standard: NIST SP 800-73-4.

First in Pillar 2

Vol. 6 — Risk assessment integration

Annual compliance checklists tell you what your posture was. Continuous identity risk tracking tells you what it is right now.