The recent breach of Snowflake's cloud infrastructure, which compromised data from over 165 major organisations including Ticketmaster and Santander Bank, began with a single compromised credential. More concerning for national security professionals: the attack vector wasn't a sophisticated zero-day exploit, but credentials stolen from an employee's personal device through common malware. When personnel with security clearances control their own access credentials, they create systemic vulnerabilities that no amount of training or technology layering can fully mitigate.
The credential control paradox in defence organisations
Defence contractors, government agencies, and cleared facilities operate under a fundamental security contradiction. While physical access to sensitive areas requires strict organisational control—with badges issued, tracked, and revoked centrally—digital access credentials remain largely under individual user control. Personnel create their own passwords, manage their own authentication tokens, and store credentials on personal devices and browsers.
This approach violates basic security principles that govern every other aspect of classified environments. No cleared facility would allow personnel to manufacture their own security badges or choose their own access codes. Yet the digital equivalent happens thousands of times daily across the defence sector, creating attack surfaces that hostile actors actively exploit.
The problem extends beyond weak passwords. Even when organisations mandate complex password policies and multi-factor authentication, the fundamental vulnerability remains: users possess and control the very credentials that grant access to sensitive systems. This possession creates multiple exploitation vectors that sophisticated adversaries understand and target systematically.
The scale of the credential compromise problem
Current breach statistics reveal the magnitude of this vulnerability. According to Verizon's 2024 Data Breach Investigations Report, 68% of breaches involve a human element, with stolen credentials accounting for 31% of all data breaches—making them the second most common attack vector after social engineering. For government and defence contractors, these figures represent more than financial risk; they constitute potential national security compromises.
The Cybersecurity and Infrastructure Security Agency (CISA) reports that in 2023, credential-based attacks increased by 71% compared to the previous year. Their analysis of nation-state attacks shows that 89% began with compromised user credentials, often obtained through phishing campaigns specifically targeting cleared personnel.
More troubling is the persistence of these attacks. IBM's Cost of a Data Breach Report 2024 found that breaches involving stolen credentials took an average of 292 days to identify and contain—nearly ten months during which adversaries maintain unauthorised access to sensitive systems. For organisations handling classified information, this timeline represents an unacceptable window of potential intelligence compromise.
The human factor compounds these risks exponentially. Research from the SANS Institute indicates that 61% of security professionals reuse passwords across multiple systems, including personal accounts that lack enterprise-grade security controls. When these personal accounts are compromised—as occurred in the Snowflake breach—the exposure can cascade into organisational systems.
Why current security solutions fail to address the root cause
Modern security architectures typically layer multiple technologies: Identity and Access Management (IAM), Privileged Access Management (PAM), Single Sign-On (SSO), Multi-Factor Authentication (MFA), and Zero Trust frameworks. While these tools provide valuable security enhancements, they fail to address the fundamental vulnerability because they still rely on user-controlled credentials.
IAM systems excel at managing user identities and permissions but typically allow users to create and manage their own passwords. PAM solutions secure privileged accounts, but often do so through password vaults that users must access—creating another credential-dependent layer. SSO reduces the number of credentials users must remember but concentrates risk in master credentials that users still control.
MFA adds authentication factors but doesn't eliminate credential exposure. Sophisticated attacks increasingly target MFA systems through techniques like SIM swapping, social engineering, and malware that intercepts authentication tokens. The Lapsus$ group's attacks on Microsoft and other major organisations demonstrated how MFA can be bypassed when attackers gain access to user-controlled credentials and devices.
Zero Trust architectures represent a significant advancement in security thinking by assuming breach and continuously verifying trust. However, most implementations still rely on user-controlled credentials for initial authentication, creating a single point of failure that undermines the entire security model.
The structural solution: organisational credential control
The solution requires a fundamental architectural shift: organisations must control the entire credential lifecycle, from generation through distribution to revocation. Rather than allowing users to create or possess credentials, secure systems should generate credentials organisationally, distribute them through encrypted channels, and maintain complete control over their usage.
This approach treats digital credentials like physical security tokens in a classified facility. Users receive access through organisationally controlled mechanisms but never possess or control the underlying authentication materials. When access is required, the system authenticates users through credentials they cannot see, copy, or compromise.
MyCena's patented technology demonstrates how this principle works in practice. The platform generates unique, encrypted credentials for each user and system interaction, but users never possess or control these credentials directly. Access becomes truly unphishable because there are no user-controlled credentials to steal or compromise. The organisation maintains complete oversight of credential generation, distribution, and revocation, creating an audit trail that meets the most stringent compliance requirements.
This approach aligns with regulatory frameworks including NIST 800-53 controls for access management, DoD 8570 requirements for information assurance, and FedRAMP authorization standards. By removing user control over credentials, organisations can demonstrate compliance with principles-based security requirements rather than relying solely on checklist approaches.
Strategic implications for defence organisations
The shift from user-controlled to organisation-controlled credentials represents more than a technical change; it requires a fundamental reimagining of access management strategies. Defence organisations that implement credential control gain several strategic advantages: genuinely unphishable access, complete audit visibility, and simplified compliance demonstration.
For security professionals responsible for protecting classified information, the choice is increasingly clear. Continuing to allow cleared personnel to control their own credentials perpetuates a fundamental vulnerability that sophisticated adversaries understand and exploit. Organisational credential control provides a structural solution that addresses the root cause rather than merely adding layers of complexity.
The question facing defence leaders is not whether credential-based attacks will continue—they will intensify. The question is whether organisations will address the fundamental vulnerability or continue attempting to solve it through technological layering that leaves the core problem intact.