Why Authorization Sprawl Is the Next Big Security Blind Spot and How to Fix It

4 min read

Authorization Sprawl, What is Authorization SprawlDespite major investments in cybersecurity, organizations continue to face breaches. Most security mechanisms implemented guard against threats such as password theft. However, there is a growing concern with the unchecked expansion of user access, permissions, and tokens across apps, clouds, and systems.

This growing challenge is known as authorization sprawl, and it is becoming one of the most dangerous and least visible threats in modern enterprise security.

According to insights from the SANS keynote at the RSAC 2025 Conference, attackers are increasingly exploiting this sprawl to gain legitimate, persistent access that bypasses multifactor authentication (MFA), security information and event management (SIEM) alerts, and endpoint detection and response (EDR) visibility altogether.

What is Authorization Sprawl?

Authorization sprawl occurs when access permissions multiply uncontrollably across systems, users, and applications. Every time a team or department adds a new SaaS integration, service account, or API key, another layer of permission is introduced.

In an attempt to make access to multiple applications easy, users also have single sign-on (SSO), designed to help log in once and access multiple applications securely. Here, users are granted access to several connected systems through SSO, adding to the authorization sprawl problem.

Over time, all these factors create a complex ecosystem that even security teams have a hard time tracing who can access what.

Unlike authentication, which verifies who someone is, authorization determines what one can do. When permissions expand without review, attackers take advantage of forgotten tokens, dormant accounts, or outdated roles to move freely inside systems.

Why Traditional Defenses Miss It

Most defenses focus on identity verification, such as MFA, conditional access, and endpoint protection. But once a user is authenticated, there is no monitoring. This is the blind spot that attackers exploit. Instead of breaking in, they log in using legitimate session tokens, application programming interface (API) keys, or open authorization (OAuth) grants.

The misuse of valid credentials or access tokens enables cloud-related breaches. These attacks bypass traditional detection tools because they appear to be normal activity by authorized users.

A recent incident involving Salesloft’s Drift application highlights how damaging authorization sprawl can be. Drift, an AI chatbot often integrated with Salesforce, was exploited after attackers gained access to Salesloft’s GitHub account and later its AWS environment. From there, they stole OAuth tokens and authentication credentials, exposing Salesforce data from potentially hundreds of organizations. This incident is an example of how interconnected SaaS systems and unchecked authorization links can create a cascading breach effect, where one weak point leads to multiple breaches across services.

The Business Impact of Authorization Sprawl

Aside from increasing technical risk, authorization sprawl erodes compliance, governance, and trust.

  1. Regulatory Exposure – Frameworks like GDPR, SOC 2, and HIPAA require strict access control and auditability. Untracked permissions make demonstrating compliance nearly impossible.
  2. Operational Risk – An overprivileged account can unintentionally leak data, delete configurations, or expose APIs.
  3. False Sense of Security – Zero Trust frameworks often stop at identity verification. Failing to continuously validate authorization is equivalent to protecting the front door while leaving internal doors wide open.

How to Fix Authorization Sprawl

Luckily, solving this problem does not require removing existing security controls but rather extending visibility and discipline into authorization.

  1. Conduct Regular Access Audits – Map users, roles, and permissions across your environment. Be sure to look for redundant privileges, dormant accounts, and orphaned API keys. Use tools that help visualize hidden paths and privilege escalation routes.
  2. Implement Structured Access Control – Use frameworks like role-based access control (RBAC) or attribute-based access control (ABAC). Standardizing roles ensures fewer exceptions and easier auditing.
  3. Automate Reviews and Revocations – Integrate identity and access management (IAM) with HR systems so access automatically changes when employees leave or change roles. This helps eliminate the temporary access that never gets removed.
  4. Shorten Token Lifetimes and Rotate Credentials – Session tokens and personal access tokens (PATs) should have an expiration period, such as 30 to 90 days. Using automated key rotation policies will help prevent long-lived access tokens from becoming backdoors.
  5. Enforce the Principle of Least Privilege – Grant users and systems only the minimum access needed.
  6. Extend Zero Trust to Authorization – Verification shouldn’t end with login. Apply continuous authorization checks.

Conclusion

As cloud ecosystems, APIs, and integrations continue to multiply, authorization complexity will grow exponentially. Businesses that invest in mapping and controlling authorization sprawl will stay ahead of both attackers and regulators. In cybersecurity, visibility equals control, and this begins with knowing exactly who can do what.

Controversial Defense Funding Bill, Shoring Up ESOP Plans, and Leave Benefits for Public Health Personnel

3 min read

Shoring Up ESOP PlansNational Defense Authorization Act for Fiscal Year 2026 (S 2296) – Introduced by Sen. Roger Wicker (R-MS) on July 15, the Senate passed this legislation on Oct. 9. The bill is a carve-out of the 2026 budget bill intended to fund military appropriations for the 2025-2026 fiscal year. The bill was largely supported by Republicans but less so by Democrats, who are in favor of keeping the government closed until all of their budget concerns are addressed. In addition to establishing funding and policies for military and defense-related activities, the bill includes a roadmap for bomber modernization, a real-time database for contractor compliance oversight, and authorizing programs for nuclear weapons facilities. The legislation would authorize $32.1 billion over the President’s budget request, and the White House opposes provisions in the bill that thwart the President’s ability to control immigration and conduct foreign affairs, including submitting plans to Congress ahead of actions, dictating the terms of intelligence support to Ukraine, and enabling the Defense Department to bypass the Administration’s tariffs. The bill currently rests with the House, which asserts it will not return to regular session until the Senate passes the current controversial CR budget bill.

Employee Ownership Representation Act of 2025 (S 1728) – This bipartisan bill seeks to expand the membership of the Advisory Council on Employee Welfare and Pension Benefit Plans to include two representatives of employee ownership organizations. While the council presently includes 15 members from business, labor, and the public, the council has no expertise specific to Employee Stock Ownership Plans (ESOPs). The legislation was introduced by Sen. Bill Cassidy (R-LA) on May 13 and passed in the Senate on Oct. 9. It currently awaits consideration by the House.

Retire Through Ownership Act (S 2403) – The main purpose of this bill is to provide a clear definition for certain closely held stock that aligns valuations with IRS standards in an effort to mitigate valuation risk for ESOPs. It would also provide “safe harbor” for trustees relying on these guidelines. The Act was introduced by Sen. Roger Marshall (R-KS) on July 23. It passed in the Senate on Oct. 9 and currently lies with the House.

Uniformed Services Leave Parity Act (S 1440) – Introduced by Sen. Tammy Duckworth (D-IL) on April 10, this legislation would authorize leave benefits (parental leave, emergency leave) to Public Health Service (PHS) officers. The bill sponsors assert that the current lack of these important benefits is a challenge to recruiting and retaining PHS personnel, who should be on par with the same benefits offered to uniformed service members. The bill passed in the Senate on Oct. 9 and is up for review in the House.

Internal Revenue Service Math and Taxpayer Help Act (HR 998) – This bill was introduced on Feb. 5 by Rep. Randy Feenstra (R-IA). Among other provisions, it instructs the IRS to provide taxpayers with details of notices that relate to a math or clerical error. The bill passed in the House on March 31 and in the Senate on Oct. 20. It currently awaits the President’s signature to become law.

New Rules for Inherited Traditional IRA Distributions

3 min read

Inherited Traditional IRA DistributionsThe rules for IRAs inherited after 2020 changed when Congress passed the Secure Act in 2019. The new rules eliminated the opportunity for non-spousal beneficiaries to “stretch” inherited IRA earnings over their own lifetime. Up until this year, required minimum distributions (RMDs) and associated penalties were waived while the IRS clarified the new rules; but in 2025, they are in full force for most inherited IRA beneficiaries.

For clarity: Non-spouses who inherited IRA assets after 2020 MUST take RMDs starting this year.

RMD Rules For Non-Spouses

For Traditional IRAs inherited after 2020, the first thing a non-spousal beneficiary must do is transfer the inherited assets into an inherited IRA under his own name. Note that RMDs are then required only if the original owner had reached their RMD age before dying. Under this scenario, the beneficiary must take required minimum distributions going forward, including any RMD not taken in the year the original IRA owner died. Over the next nine years, the new inherited IRA owner must take annual RMDs based on his own life expectancy and deplete the account within 10 years of the decedent’s death.

However, if the original account owner was NOT required to take minimum distributions as of the time he passed, the inherited IRA beneficiary is NOT required to take them – unless he reaches RMD age during the 10-year holding period(starting at age 73, or age 75 effective 2033). Either way, he still must empty the account and pay the requisite tax bill within 10 years of the original account owner’s death.

In addition to paying taxes owed on RMDs, inherited account owners are subject to a 25 percent penalty on any amount shy of that year’s required distribution. Should you miss an RMD, you may be able to reduce the penalty to 10 percent if the correct distribution is taken within two years.

RMD Rules For Spouse Beneficiaries

A spousal beneficiary of the original IRA owner has more options than a non-spouse. For starters, she can retain the original account under her own name. Similar to the non-spouse beneficiary, if the decedent spouse HAD reached his RMD age, the surviving spouse must take required minimum distributions as well, including any RMD not taken in the year the original owner died. However, RMDs thereafter will be calculated based on the surviving spouse’s life expectancy, and there is no requirement to deplete the account within 10 years.

If the original IRA owner had?NOT?started taking RMDs, then the spouse does not have to take RMDs until she reaches the age required to do so. At that point, the RMDs will be based on her own life expectancy.

A spousal beneficiary also has the option to transfer the inherited assets into her own IRA. Under this scenario, her RMD schedule is based on her own age. This option allows her to delay taking RMDs until she reaches RMD age, regardless of the RMD status of the deceased spouse. This strategy provides the opportunity for the inherited assets to grow longer, tax-deferred.

For clarity: the 10-year rule for full distribution does not apply to spouses.

Note that the rules discussed herein do not apply to Traditional IRAs inherited by Trusts or “Eligible Designated Beneficiaries” (EDBs), which refer to chronically ill or disabled beneficiaries, beneficiaries who are younger than the deceased account owner by 10 years or less, or minor children of the account owner.

It’s best to work with a financial advisor or IRA account custodian to choose the option best suited to your circumstances – and ensure you adhere to the appropriate rules.

Initial Look at the New Tax Form Schedule 1-A: Four Key Deductions for 2025

3 min read

Tax Form Schedule 1-AThe IRS has released draft Schedule 1-A, introducing four new temporary deductions within the One Big Beautiful Bill Act. If you are wondering what the new form looks like and how the calculations work, read on as we explore each below.

Modified Adjusted Gross Income (MAGI)

It is important to note that all four deductions require calculating your MAGI first, which determines eligibility and phaseout amounts for each deduction.

The Four New Deductions and How the Calculations Work

These deductions are all referred to on the schedule by their colloquial names, for example: “No Tax on Tips,” “No Tax on Overtime” and “No Tax on Car Loan Interest.” The sole exception, however, is popularly referred to as the “No Tax on Social Security” provision, which is called the “Enhanced Deduction for Seniors” on the form.

1. Tips Deduction

  • Maximum: $25,000 annually
  • Eligibility: Must receive qualified tips in customarily tipped occupations
  • Phaseout: Begins at $150,000 MAGI ($300,000 joint filers)
  • Rate: $100 reduction per $1,000 over threshold
  • Requirements: Valid Social Security number; married couples must file jointly

2. Overtime Deduction

  • Maximum: $12,500 single ($25,000 joint filers)
  • Eligibility: Only the premium portion of overtime pay (the “half” of time-and-a-half)
  • Phaseout: Same as tips deduction – begins at $150,000 MAGI
  • Rate: $100 reduction per $1,000 over threshold

3. Car Interest Deduction

  • Maximum: $10,000 annually
  • Eligibility: Interest on loans for new vehicles under 14,000 pounds and assembled in the United States
  • Phaseout: Begins at $100,000 MAGI ($200,000 joint filers)
  • Rate: $200 reduction per $1,000 over threshold
  • Requirements: Must provide VIN; loan must originate after Dec. 31, 2024

4. Enhanced Deduction for Seniors

  • Amount: $6,000 fixed deduction
  • Eligibility: All taxpayers (replaces “No Tax on Social Security” promise)
  • Phaseout: Begins at $75,000 MAGI ($150,000 joint filers)
  • Rate: 6 percent reduction of excess income over threshold

Key Points to Remember

  • All deductions are available whether you itemize or take the standard deduction
  • All require valid Social Security numbers
  • Married couples must file jointly to claim these benefits
  • Income limits mean higher earners receive reduced or no benefits
  • These are deductions, not exclusions – income is still reportable for state/local taxes

Final Steps

After you have calculated everything applicable for the four possible deductions, you will enter the total on the new line 13b on Form 1040. The total amount of the deductions entered here is removed from your income prior to calculating your tax. Remember, these are deductions and not credits, so they only reduce your taxable income and are not a direct reduction in your tax due.

You can see an example of the new draft Form 1040 illustrating this below.

Screenshot of new Form 1040

Conclusion and Draft from Status – and IRS Warning

The above provides guidance to taxpayers and professionals on how both the deductions calculations work and flow through Form 1040. The IRS warns, however, that the forms and instructions currently released are in draft form at this point. Before any forms or instructions can be released in their final state, they need to be approved by the OMB. It is not unusual for draft releases of instructions and publications to have some changes before their final release, even if only minor.

 

How to Save Money with the Half Rule

3 min read

What is the Half Rule?What if you could lower your grocery bill without giving up the things you love, fight inflation, and have some money left at the end of the month? Sounds too good to be true? It’s not. It’s the Half Rule. This means cutting the amount of product you use in half and seeing what happens.

Truth is, most of us probably use too much of the things we love. Here are several reasons why:

  • Manufacturers often ask you to use more of the product than you need.
  • You’ve probably gotten used to using a certain amount of a product;
  • And finally, product inflation. Specifically, you might think that if you get pleasure out of something, you might need to use more of it. For instance, why get a tall vanilla latte when you can get a grande, right? But ask yourself: Is it really that much better?

To this end, here are some things you can easily use half of and never miss the other half:

  • Shampoo. Try using half the amount and adding more water, especially if it’s concentrated.
  • Laundry detergent. Try a half cup. A little goes a long way, especially if it’s a small load.
  • Dryer sheets. These are so easy to tear in half.
  • Cooking oil. Use an oil mister instead of pouring it into your pan or skillet.  
  • Restaurant meals. Eat half or a third and save the rest for another meal. Or better yet, split a meal with your partner, friend or work colleague. Bonus: you’ll also save calories.
  • Bagels. Just eat half! Save the other half for your next snack or breakfast.
  • Starbucks order. Try a tall. Or if you get a vente, try a grande. Give it a whirl. See what happens.
  • Glass stovetop cleaner. If you use less, you might have fewer streaks.
  • Tape. When you’re wrapping gifts, give string a try.

When you change a few things here and there, over time, you’ll really see the difference in your bank account. Also, imagine how nice it’ll feel not to have to buy these items so often. That’s a big change in spending.

The Half Rule is not for everything. While it works on so many things, there are some things you cannot to apply it to – like filling up your gas tank or cutting a prescription in half. Never do that.

Overall, it’s a good rule. And when you’re persistent over time, you’ll start to develop a habit – one that will help you see a difference quickly and save you money in the long run. It’s a ripple effect that might expand into other areas of your life. In sum, the Half Rule is so effective, you just might go all in – and stay there.

Sources

“The Half Rule” – A Frugal Hack I Live By