Why Authorization Sprawl Is the Next Big Security Blind Spot and How to Fix It
November 1, 2025 · Blog, What's New in Technology
Despite major investments in cybersecurity, organizations continue to face breaches. Most security mechanisms implemented guard against threats such as password theft. However, there is a growing concern with the unchecked expansion of user access, permissions, and tokens across apps, clouds, and systems.
This growing challenge is known as authorization sprawl, and it is becoming one of the most dangerous and least visible threats in modern enterprise security.
According to insights from the SANS keynote at the RSAC 2025 Conference, attackers are increasingly exploiting this sprawl to gain legitimate, persistent access that bypasses multifactor authentication (MFA), security information and event management (SIEM) alerts, and endpoint detection and response (EDR) visibility altogether.
What is Authorization Sprawl?
Authorization sprawl occurs when access permissions multiply uncontrollably across systems, users, and applications. Every time a team or department adds a new SaaS integration, service account, or API key, another layer of permission is introduced.
To make access to multiple applications easier, many users also have single sign-on (SSO), which lets them log in once and reach multiple applications securely. Because one SSO login grants access to several connected systems, it adds to the authorization sprawl problem.
Over time, all these factors create an ecosystem so complex that even security teams have a hard time tracing who can access what.
Unlike authentication, which verifies who someone is, authorization determines what one can do. When permissions expand without review, attackers take advantage of forgotten tokens, dormant accounts, or outdated roles to move freely inside systems.
Why Traditional Defenses Miss It
Most defenses focus on identity verification, such as MFA, conditional access, and endpoint protection. But once a user is authenticated, there is no monitoring. This is the blind spot that attackers exploit. Instead of breaking in, they log in using legitimate session tokens, application programming interface (API) keys, or open authorization (OAuth) grants.
The misuse of valid credentials or access tokens enables cloud-related breaches. These attacks bypass traditional detection tools because they appear to be normal activity by authorized users.
A recent incident involving Salesloft’s Drift application highlights how damaging authorization sprawl can be. Drift, an AI chatbot often integrated with Salesforce, was exploited after attackers gained access to Salesloft’s GitHub account and later its AWS environment. From there, they stole OAuth tokens and authentication credentials, exposing Salesforce data from potentially hundreds of organizations. This incident is an example of how interconnected SaaS systems and unchecked authorization links can create a cascading breach effect, where one weak point leads to multiple breaches across services.
The Business Impact of Authorization Sprawl
Aside from increasing technical risk, authorization sprawl erodes compliance, governance, and trust.
Regulatory Exposure – Frameworks like GDPR, SOC 2, and HIPAA require strict access control and auditability. Untracked permissions make demonstrating compliance nearly impossible.
Operational Risk – An overprivileged account can unintentionally leak data, delete configurations, or expose APIs.
False Sense of Security – Zero Trust frameworks often stop at identity verification. Failing to continuously validate authorization is equivalent to protecting the front door while leaving internal doors wide open.
How to Fix Authorization Sprawl
Luckily, solving this problem does not require removing existing security controls but rather extending visibility and discipline into authorization.
Conduct Regular Access Audits – Map users, roles, and permissions across your environment. Be sure to look for redundant privileges, dormant accounts, and orphaned API keys. Use tools that help visualize hidden paths and privilege escalation routes.
Implement Structured Access Control – Use frameworks like role-based access control (RBAC) or attribute-based access control (ABAC). Standardizing roles ensures fewer exceptions and easier auditing.
Automate Reviews and Revocations – Integrate identity and access management (IAM) with HR systems so access automatically changes when employees leave or change roles. This helps eliminate the temporary access that never gets removed.
Shorten Token Lifetimes and Rotate Credentials – Session tokens and personal access tokens (PATs) should have an expiration period, such as 30 to 90 days. Using automated key rotation policies will help prevent long-lived access tokens from becoming backdoors.
Enforce the Principle of Least Privilege – Grant users and systems only the minimum access needed.
Extend Zero Trust to Authorization – Verification shouldn’t end with login. Apply continuous authorization checks.
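The audit, HR reconciliation, and token-lifetime checks from the list above can be combined into one pass over an exported grant inventory. The following is an added example, not part of the original article: the inventory format, field names, sample records, and the 90-day dormancy threshold are assumptions, and the 90-day lifetime cap takes the upper end of the 30 to 90 day range mentioned above.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MAX_TOKEN_LIFETIME = timedelta(days=90)  # upper end of the 30-90 day range in the text
DORMANT_AFTER = timedelta(days=90)       # assumed dormancy threshold (not from the article)


@dataclass(frozen=True)
class Grant:
    grant_id: str
    kind: str                  # "user_role", "api_key", "pat" or "oauth_grant"
    owner: str                 # person or team accountable for the grant
    scope: str                 # what the grant allows
    issued: date
    expires: Optional[date]    # None means the credential never expires
    last_used: Optional[date]  # None means it has never been used


def audit(grants, active_staff, today):
    """Return {grant_id: [reason, ...]} for every grant that needs attention."""
    findings = {}
    first_holder = {}  # (owner, scope) -> first grant_id that conferred it
    for g in grants:
        reasons = []
        # HR reconciliation: the owner has left, so nobody is accountable.
        if g.owner not in active_staff:
            reasons.append("orphaned")
        # Dormant: never used, or unused for longer than the threshold.
        if g.last_used is None or today - g.last_used > DORMANT_AFTER:
            reasons.append("dormant")
        # Token hygiene applies to credentials, not to role assignments.
        if g.kind != "user_role":
            if g.expires is None:
                reasons.append("no_expiry")
            elif g.expires - g.issued > MAX_TOKEN_LIFETIME:
                reasons.append("lifetime_exceeded")
        # Redundant: the same owner already holds this scope via another grant.
        key = (g.owner, g.scope)
        if key in first_holder:
            reasons.append("redundant")
        else:
            first_holder[key] = g.grant_id
        if reasons:
            findings[g.grant_id] = reasons
    return findings


def to_revoke(findings):
    """Orphaned grants are revoked automatically; the rest go to human review."""
    return sorted(gid for gid, reasons in findings.items() if "orphaned" in reasons)


# Constructed sample data: "bob" has left the company, so he is not on the roster.
TODAY = date(2025, 11, 1)
ACTIVE_STAFF = {"alice", "carol"}
SAMPLE_GRANTS = [
    Grant("g1", "user_role", "alice", "crm:read",
          date(2025, 1, 10), None, date(2025, 10, 30)),
    Grant("g2", "api_key", "bob", "crm:export",
          date(2024, 3, 1), None, date(2025, 10, 28)),
    Grant("g3", "pat", "alice", "repo:write",
          date(2025, 9, 1), date(2025, 11, 30), date(2025, 10, 29)),
    Grant("g4", "oauth_grant", "carol", "files:read",
          date(2025, 2, 1), date(2026, 2, 1), date(2025, 4, 15)),
    Grant("g5", "user_role", "alice", "crm:read",
          date(2025, 6, 1), None, date(2025, 10, 30)),
]

if __name__ == "__main__":
    results = audit(SAMPLE_GRANTS, ACTIVE_STAFF, TODAY)
    for grant_id, reasons in results.items():
        print(grant_id, ", ".join(reasons))
    print("revoke now:", to_revoke(results))
```

The API key `g2` is still in active use even though its owner has left, which is the case an HR-linked revocation process is meant to catch.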
Conclusion
As cloud ecosystems, APIs, and integrations continue to multiply, authorization complexity will grow exponentially. Businesses that invest in mapping and controlling authorization sprawl will stay ahead of both attackers and regulators. In cybersecurity, visibility equals control, and this begins with knowing exactly who can do what.
Disclaimer
These articles are intended to provide general resources for the tax and accounting needs of small businesses and individuals. Service2Client LLC is the author, but is not engaged in rendering specific legal, accounting, financial or professional advice. Service2Client LLC makes no representation that the recommendations of Service2Client LLC will achieve any result. The NSAD has not reviewed any of the Service2Client LLC content. Readers are encouraged to contact a professional regarding the topics in these articles. The images linked to these articles are protected by copyright and should not be copied for any reason.
Get a Jump on Holiday Shopping: Key November Dates
November 1, 2025 · Blog, Tip of the Month
For some of us, last-minute holiday shopping is just what we do. That said, it’s probably never fun, and two things invariably seem to happen: The gifts you want aren’t available, and you end up paying too much. That’s why shopping in November to get the best savings on what you want just might be the right thing to do this year. Here are a few sales dates to put on your calendar.
Singles Day, November 11. Originally started in China as a humorous “anti-Valentine’s Day” event, it’s become one of the biggest shopping days of the year, surpassing Black Friday and Cyber Monday. To top it off, the date, 11/11, was chosen because it symbolizes, you guessed it, four ones – aka singles. On this day, you can find huge discounts at a lot of high-end clothing stores like Athleta, Nordstrom, Lululemon, Abercrombie & Fitch, Madewell, Neiman-Marcus, and J. Crew, to name a few.
Pre-Black Friday, November 20-27. Yes, there is such a thing, as if Black Friday isn’t enough in and of itself. Nevertheless, lots of retailers get in on this. This year, you’ll want to check out early access on holiday deals at Costco, Lowe’s, Best Buy, as well as Kohl’s, GameStop, and PetSmart. You can find other merchants who offer deep discounts here.
Black Friday, November 28. It’s probably the most famous shopping day of the year, where you’ll find huge price cuts across all categories. If you’re into tech stuff, head to Apple, AT&T Wireless, Dell, Google, HP, Lenovo, or Micro Center to start. The big box places to hit are Walmart, Target, and Sam’s Club. For home goods, you’ll find savings at Bed, Bath & Beyond, Ashley Furniture, and Crate & Barrel. If you want a comprehensive list, go to blackfriday.com. (See? There’s even a website dedicated to this day!) But get ready to scroll because there’s a lot there.
Small Business Saturday, November 29. Originally launched in 2010 by American Express, this day is all about shopping at your local stores. So hit your neighborhood shops, markets, coffee shops, and boutiques to support your friends and neighbors. If you don’t know where to start and don’t have a lot of time, just Google “small business Saturday sales near me” and you’ll be good to go.
Cyber Monday, December 1. To cap off all the November savings, you can’t forget this day. And yes, it’s not technically in November, but that’s OK. This date is great because you can let your fingers do the shopping. Online-only offers are king, so hunker down and start searching. Some places with the biggest deals are, again, (and not surprisingly) Amazon, Target, and Walmart – the big three. For more price-cutting goodness, go here.
Life gets busy around this time of year, but if you take a moment, get your list and hit a few of the aforementioned stores, you’ll be way ahead come the holidays. And that just might be the best gift of all.
Ideas for Small Business Succession Planning
October 1, 2025 · Blog, Financial Planning
It can be hard to build up your own business, but it can be harder to sell it for what it’s worth. In fact, only around three in 10 family-owned businesses survive for the next generation. Whether family-owned or in a partnership of non-family owners, business succession is no easy feat.
Succession Planning
It is very important to have a succession plan, even if the business is fairly new. That’s because it gives heirs a roadmap for what to do if the owner dies unexpectedly. The first step is to figure out who you want to run the business after you. If you want to pass it on to one or more family members, be sure to ask if they’d like to own it. Note that the family route may need to be considered a year or more before the transfer to ensure the successive owner has time to learn the ropes.
If you decide to sell the business to a third party, consider if you want to sell it outright or retain partial ownership and continue to get a share of the profits. Also, think about whether or not you want to participate in running the business once ownership changes hands.
Business Owner Partners
In the case of a shared business, a succession plan can help clarify the intent of both owners and provide a legal path of succession if one owner dies. In a worst-case scenario, instead of the surviving partner taking the reins to run the business on his own, he may end up having to run it alongside the deceased owner’s spouse, who might not possess the skills, experience, or proclivity for the business. Or maybe the surviving spouse decides not to sell the business but receive a share of the profits without doing any work.
Key Man Insurance
If the surviving owner would simply like to buy out the deceased owner’s interest in the business, there are certain financial strategies available in the event he doesn’t have the assets to do so. One vehicle is called key man insurance, which refers to policies paid for by the business to cover the death of the business owner. Death proceeds are specifically earmarked to keep the business operating upon the death of the owner.
Buy-Sell Agreement with Life Insurance
A succession plan that includes a Buy-Sell Agreement contract specifies what will happen to the business shares of the owner upon his death. In most cases, the surviving business partner will use the life insurance proceeds to buy the shares at a predetermined value, which ensures that the deceased’s family is adequately paid for his share of the business upon his death.
Family-Owned Business
In the case of a family-owned business, a family member who is active in the business may take out an insurance policy on the owner and use the proceeds to buy out the interests of the non-active family members after the owner dies.
Private Annuity
Another option is a private annuity, in which the owner sells his business to his children in exchange for a fixed annuity income, based on IRS interest rates, for the rest of the owner’s life and, if elected, that of his spouse. If the owner outlives his life expectancy, the children may end up paying him more than the business is worth. However, if the owner dies sooner, they may pay less than the business is worth.
Family Limited Partnership
With a family limited partnership, the business owner transfers some or all of his business to individual family members while he is alive. When the owner dies, the portion of the business that has been transferred is no longer considered a part of the owner’s estate and is therefore not subject to estate taxes.
Seller Financing
If the owner has trouble selling the business to a third party, including perhaps a valuable employee who would like to take over, consider a seller financing agreement. Instead of paying the owner a lump sum, the buyer pays him a fixed, regular payment over a set number of years. Future business revenue secures the note, and the current owner would be qualified to know how well business revenues might hold up under the new ownership. Some sellers set up a finance agreement for just five years or so, after which time the buyer is expected to qualify to refinance with a conventional loan. It’s also possible for the financier to sell the new owner’s note if he decides down the road to get out of the financing role. The good news is that, should the buyer default on the loan, the seller would still own the company.
Enhancing Homebuyer Protections, Wildfire Risks, 911 Response and Domestic Manufacturing
October 1, 2025 · Blog, Congress at Work
Homebuyers Privacy Protection Act (HR 2808) – Introduced by Rep. John Rose (R-TN) on April 10, the House passed this bill on June 23, and the Senate passed it on Aug. 2. Signed into law on Sept. 5, this bipartisan bill prohibits a consumer reporting agency from selling a mortgage applicant’s personal information to other lenders without their explicit consent. The legislation is designed to safeguard homebuyers’ personal financial information and eliminate the frequent bombardment of other lender marketing offers during the financing process underway with the applicant’s existing lender.
SUPPORT for Patients and Communities Reauthorization Act of 2025 (HR 2483) – This bill renews billions of dollars in federal funding for programs responsible for preventing overdoses and further strengthening treatment and recovery services. The renewal of funds to nationwide county programs is timely, given the current behavioral health and substance abuse disorder crises. The bill was introduced by Rep. Brett Guthrie (R-KY) on March 31, passed in the House on June 4 and in the Senate on Sept. 18; it currently awaits signature by the president.
TRAVEL Act of 2025 (HR 3400) – Also known as the Territorial Response and Access to Veterans’ Essential Lifecare Act, the purpose of this bill is to enable VA physicians and specialists to travel to hard-to-reach areas in U.S. territories for up to one year. The Act is designed to help fill critical gaps in VA medical services across the Pacific territories by compensating providers with travel bonuses. The legislation was introduced by Representative Kimberlyn King-Hinds (R-Northern Mariana Islands) on May 14. It passed in the House on Sept. 15 and currently lies with the Senate.
Fire Ready Nation Act of 2025 (S 306) – Introduced by Sen. Maria Cantwell (D-WA) on Jan. 29, this legislation would establish a fire weather program at the National Oceanic and Atmospheric Administration (NOAA). The new program would enable scientists to better predict wildfires, fire weather, and fire risk via forecasting, detection, and modeling, as well as respond quickly to prevent devastation to families, homes, and businesses due to wildfires. The legislation was passed in the Senate on Sept. 10 and is now under review in the House.
Enhancing First Response Act (S 725) – This bill was introduced on Feb. 25 by Sen. Amy Klobuchar (D-MN) and passed in the Senate on Sept. 10. The law would reclassify 911 dispatchers as public safety workers from their current role as office and administrative support in the federal Standard Occupational Classification system. In addition, the bill contains provisions to improve access to the 911 call system during major disasters and make the system more resilient against outages and disruptions. The fate of this bipartisan bill now rests in the House.
National Manufacturing Advisory Council Act (S 433) – This Act was introduced by Sen. Gary Peters (D-MI) on Feb. 5. It seeks to establish a working group of representatives from industry, labor, and academia to advise Congress on policies and programs to enhance domestic manufacturing despite the challenges of global competition, U.S. supply chain issues, and the current tariff solution. The bipartisan legislation was passed unanimously in the Senate on July 14 and is currently under review in the House.
Disclaimer
These articles are intended to provide general resources for the tax and accounting needs of small businesses and individuals. Service2Client LLC is the author, but is not engaged in rendering specific legal, accounting, financial or professional advice. Service2Client LLC makes no representation that the recommendations of Service2Client LLC will achieve any result. The NSAD has not reviewed any of the Service2Client LLC content. Readers are encouraged to contact a professional regarding the topics in these articles. The images linked to these articles are protected by copyright and should not be copied for any reason.
A Look at the Nonaccrual Experience Method
October 1, 2025 · Accounting News, Blog
When it comes to running a business, having outstanding invoices that turn into uncollectible receivables or simply bad debt is a fact of life. The Internal Revenue Service (IRS) has a safe harbor that permits businesses to reduce consideration of such bad debt from taxation if it qualifies. However, understanding how to determine if a business is eligible is essential to making the most of it when a business files its taxes.
Defining the Nonaccrual Experience Method (NAE)
When businesses perform a service, they expect to be paid. However, they sometimes have unpaid invoices that are uncollectible. One provision within the IRS’s Internal Revenue Code (IRC) is that of the nonaccrual experience method (NAE) and how it intersects with bad debts.
How It Works
Once a company sees bad debt in its system after customers fail to pay their invoices, it calculates the amounts it projects it won’t be able to collect. Projecting bad debt is accomplished by the company looking at previous experiences with its payees. It’s important to note that this accounting is used by businesses for only a portion of their projected uncollectable customer bad debt; businesses similarly project the remaining percentage they expect to collect from outstanding invoices in the future.
One important step for businesses to determine their eligibility for relief from the accrual segment of uncollectible revenue, per the U.S. Securities & Exchange Commission (SEC), is by determining their industry classification. Sample industries include legal professionals, engineers, performance art professionals, architects, and actuaries.
It’s important to note that if businesses don’t use this method, they may charge off such debts. Charge-offs are when a company writes the debt off its balance sheet and expenses the uncollectible funds on the income statement. Companies must also adhere to the following criteria to take advantage of the safe harbor:
The company must currently use the accrual method of accounting when recording revenues, and not the cash method to account for revenue.
The company, in a single year, within the past 36 months, has earned up to, but no more than $5 million in gross receipts.
IRS Guidance
Beginning in September 2011, the Internal Revenue Service permitted taxpayers to use the NAE method to determine applicability by applying a factor of 95 percent to their allowance for bad debts via their past 60 months of financial documents. This permits businesses to exclude qualifying uncollectible revenues from their taxable income, which is beneficial for lowering the amount of taxes owed. It is often easier for NAE-specific designated industries to qualify; however, only companies with the appropriate amount of historical information to substantiate are eligible.
Further Considerations and Conclusion
One example of this safe harbor includes having financial information that’s expertly tracked for the past 60 months via financial statements. If the company can’t substantiate it, they won’t be able to qualify. Similarly, eligible services provided or the resulting receivables that have interest and/or financial penalties attached are ineligible.
When it comes to navigating the IRS code, the NAE can provide another way for eligible companies to maximize filings and tax obligations.