The IT-Security-Pyramid: How to secure your company step by step

by Timm Lotter, Senior Presales Consultant, APIIDA AG

With digitization and the cloud age, companies are facing the challenge of protecting themselves against new attack surfaces. There is a lot to keep in mind to secure IT systems in the right way.

The basic steps can be explained with a pyramid where the layers build on each other. Thus, security holes can already be prevented during planning.

Why this makes sense is shown by the following example: a company has introduced a solution for Multi-Factor Authentication (MFA). This is a good way to secure the application logon. But what if the underlying identities are not managed correctly? What if an employee has been terminated, but his identity has not been deactivated? He can still sign in, and MFA will not help! In the picture below, we see that MFA is at the top of the pyramid. To prevent this vulnerability, correct identity management at the lowest level is necessary.

1st Layer: Identity Management

A company is made up of several IT systems, which are shown below the first layer. Examples are AD, LDAP directories, SAP and cloud services such as Office 365 and Salesforce. For an employee to log in, their digital identity must be known and they need authorization. This task is handled by the identity management of the 1st layer. There are different technologies for the technical integration of applications. Widely used for on-premise applications is the LDAP protocol, and for cloud services SCIM. But there are also systems that use proprietary protocols or have an internal user management, which require special connectors in the identity management solution.

Why is proper identity management important? An application can be totally secure without any vulnerabilities, but if an attacker gets an identity with sufficient rights under his control, he can cause significant damage.
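The leaver scenario from the introduction is exactly what a recurring reconciliation between the HR source and the managed directories catches. The following added example (not code from the article or from APIIDA) compares a constructed HR feed with a constructed account export, reports active accounts that have no active employee behind them, and builds the SCIM 2.0 PatchOp body (RFC 7644) that an identity management system would send to deactivate them. The HR feed, account list and the SCIM base URL are constructed sample data.

```python
"""Identity lifecycle reconciliation: find accounts that should have been
deactivated and build the SCIM 2.0 PATCH an IdM system would send.
Added example with constructed data; not part of the original article."""
import json
from dataclasses import dataclass

# Constructed HR feed: the authoritative source for who is still employed.
HR_FEED = [
    {"employee_id": "E100", "email": "alice@example.com", "status": "active"},
    {"employee_id": "E101", "email": "bob@example.com", "status": "terminated"},
    {"employee_id": "E102", "email": "carol@example.com", "status": "active"},
]

# Constructed account list as exported from a directory or a SCIM-managed cloud app.
DIRECTORY_ACCOUNTS = [
    {"id": "2819c223", "userName": "alice@example.com", "active": True},
    {"id": "7f1a9e0b", "userName": "bob@example.com", "active": True},        # leaver, still enabled
    {"id": "c4d5e6f7", "userName": "carol@example.com", "active": True},
    {"id": "0a1b2c3d", "userName": "svc-legacy@example.com", "active": True},  # no HR record at all
]


@dataclass(frozen=True)
class Finding:
    account_id: str
    user_name: str
    reason: str


def find_orphaned_access(hr_feed, accounts):
    """Return active accounts that have no active HR record behind them."""
    active_people = {e["email"].lower() for e in hr_feed if e["status"] == "active"}
    known_people = {e["email"].lower() for e in hr_feed}
    findings = []
    for acct in accounts:
        if not acct["active"]:
            continue  # already deactivated, nothing to do
        name = acct["userName"].lower()
        if name in active_people:
            continue  # account belongs to a current employee
        reason = "terminated in HR" if name in known_people else "no HR record"
        findings.append(Finding(acct["id"], acct["userName"], reason))
    return findings


def scim_deactivate_patch():
    """SCIM 2.0 PatchOp body (RFC 7644) that sets active=false on a User resource."""
    return {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }


def deprovision_requests(findings, base_url="https://idp.example.com/scim/v2"):
    """Build (method, url, body) tuples for each finding; base_url is a placeholder.
    Sending them (with proper authentication) is left to the caller."""
    return [
        ("PATCH", f"{base_url}/Users/{f.account_id}", json.dumps(scim_deactivate_patch()))
        for f in findings
    ]


if __name__ == "__main__":
    findings = find_orphaned_access(HR_FEED, DIRECTORY_ACCOUNTS)
    for f in findings:
        print(f"{f.user_name}: {f.reason}")
    for method, url, body in deprovision_requests(findings):
        print(method, url, body)
```

Run against the sample data, the check flags bob's account (terminated in HR) and the service account that has no HR record; the second case is the one that an HR-driven deprovisioning flow alone never sees, which is why the comparison is done in both directions.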

2nd Layer: Access Management (Web Access Management / Privileged Access Management)

After the identities are managed correctly, employees need to access the applications. To make this as easy as possible, the layer of access management has some advantages:

  • Single Sign-On (SSO): The employee only has to log in once and is automatically logged in to the other systems.
  • Securing web sessions: For more security, access management solutions provide mechanisms that prevent, for example, session stealing.
  • Integration: Applications sometimes offer only limited login options. With the introduction of access management, users can easily log in centrally.
  • MFA: Access management is the natural place to introduce MFA centrally across all applications.

Companies are usually using two different solutions:

  • Web Access Management: To secure access to web applications that are used with the browser. Standard protocols are SAML, OIDC and OAuth. For other applications, approaches with proxies or agents exist.
  • Privileged Access Management (PAM): To protect access to sensitive, administrative or privileged systems. This usually only affects a small group of employees. Typical usage scenarios are RDP for accessing Windows servers and SSH for accessing Linux systems. In addition to logging in, PAM solutions offer session recording and password rotation for shared accounts.
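The "securing web sessions" point above is usually implemented by the access management layer rather than by each application. The following added example (not code from the article or from any product) shows the server-side controls that make a stolen or pre-set session identifier much less useful: identifiers from a CSPRNG, rotation of the identifier at login, idle and absolute timeouts, and a cookie with the `__Host-` prefix, `Secure`, `HttpOnly` and `SameSite=Strict`. The timeout values and the injectable clock are assumptions for illustration.

```python
"""Server-side session handling with the controls a web access management
layer applies against session theft. Added example; not from the article."""
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # assumed: seconds of inactivity before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed: hard cap regardless of activity


class SessionStore:
    """In-memory store; a real deployment would use a shared, persistent backend."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested deterministically
        self._sessions = {}

    def create(self, user=None):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not guessable
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def authenticate(self, old_sid, user):
        """Rotate the identifier at login so a pre-login ID (session fixation) is useless."""
        self._sessions.pop(old_sid, None)
        return self.create(user)

    def get_user(self, sid):
        """Return the user bound to sid, or None if the session is unknown or expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            self._sessions.pop(sid, None)   # expired: drop it so it cannot be revived
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid):
        """Server-side invalidation; clearing the cookie alone is not enough."""
        self._sessions.pop(sid, None)


def session_cookie(sid):
    """Set-Cookie value: script cannot read it, HTTPS only, not sent cross-site.
    The __Host- prefix makes the browser enforce Secure, Path=/ and no Domain."""
    return f"__Host-SID={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    store = SessionStore()
    anonymous = store.create()
    sid = store.authenticate(anonymous, "alice")
    print(session_cookie(sid))
    print("old id still valid?", store.get_user(anonymous) is not None)
    print("user:", store.get_user(sid))
```

The rotation step is the one most often missing in home-grown login code: without it, an identifier obtained before authentication stays valid after it, and the timeouts bound how long any leaked identifier remains usable.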

3rd Layer: Multi-Factor Authentication (MFA)

Once the identities are properly managed and an interface to access the applications exists, it makes sense to introduce multi-factor authentication. An MFA solution is either offered by the access management of the second layer or is integrated with it. A standard protocol for the integration of VPNs is RADIUS. When selecting an MFA solution, support for a large number of second factors is recommended, to be prepared for all requirements. Adaptive authentication is advisable to improve the user experience, so that an additional factor only has to be provided when it makes sense.

For cloud services, however, it makes sense to implement an MFA solution as soon as possible. They can be used from anywhere and by anyone, including potential attackers!
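The adaptive authentication described above comes down to a policy that looks at the login context and decides whether the extra factor is worth asking for. The following added example (not code from the article or from any product) implements such a policy with constructed rules: cloud services always require a second factor because they are reachable from anywhere, privileged applications always do, and otherwise an unregistered device or a source address outside the corporate network triggers it unless the same registered device completed MFA recently. The network ranges, application names and re-authentication window are assumptions.

```python
"""Adaptive authentication policy: decide from the login context whether a
second factor is required. Added example with constructed rules; not the
article's or any product's policy engine."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed configuration; a real deployment reads these from policy.
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
CLOUD_SERVICES = {"office365", "salesforce"}          # reachable from the internet
PRIVILEGED_APPS = {"pam-gateway", "ad-admin-console"}  # never skip the second factor


@dataclass
class LoginContext:
    user: str
    application: str
    source_ip: str
    device_known: bool                          # device registered for this user
    mfa_passed_seconds_ago: Optional[int] = None  # last successful MFA on this device


@dataclass
class Decision:
    require_second_factor: bool
    reasons: List[str] = field(default_factory=list)


def is_corporate(ip):
    """True if the source address lies in one of the corporate ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def evaluate(ctx, reauth_window=12 * 3600):
    """Return a Decision with the reasons that drove it (useful for audit logs)."""
    reasons = []
    if ctx.application in CLOUD_SERVICES:
        reasons.append("cloud service reachable from the internet")
    if ctx.application in PRIVILEGED_APPS:
        reasons.append("privileged application")
    if not ctx.device_known:
        reasons.append("unregistered device")
    if not is_corporate(ctx.source_ip):
        reasons.append("source outside corporate network")

    if not reasons:
        return Decision(False, [])

    # A recent MFA on the same registered device satisfies every trigger except
    # privileged access, which is re-verified on every login.
    recently_verified = (
        ctx.device_known
        and ctx.mfa_passed_seconds_ago is not None
        and ctx.mfa_passed_seconds_ago < reauth_window
    )
    if recently_verified and ctx.application not in PRIVILEGED_APPS:
        return Decision(False, ["recent MFA on registered device"])
    return Decision(True, reasons)


if __name__ == "__main__":
    samples = [
        LoginContext("alice", "intranet-wiki", "10.1.2.3", device_known=True),
        LoginContext("bob", "salesforce", "10.1.2.3", device_known=True),
        LoginContext("bob", "salesforce", "10.1.2.3", device_known=True, mfa_passed_seconds_ago=600),
        LoginContext("carol", "pam-gateway", "10.1.2.3", device_known=True, mfa_passed_seconds_ago=600),
        LoginContext("dave", "intranet-wiki", "203.0.113.5", device_known=False),
    ]
    for ctx in samples:
        d = evaluate(ctx)
        print(f"{ctx.user:6} {ctx.application:17} MFA={d.require_second_factor} {d.reasons}")
```

Returning the reasons alongside the boolean is deliberate: the same output feeds the audit log, so a reviewer can later see why a login was or was not challenged, and the policy can be tuned on real data rather than on guesses.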


In summary, the security pyramid is an easy and clear way to explain and plan the steps for the introduction of IT security solutions. The basis is the correct management of the identities on which access management and multi-factor authentication are based.
