Category Failure Pattern | December 10, 2025

CybersecurityHQ | Weekly Category Failure Pattern

Welcome reader, here's this week's Category Failure Pattern.

Brought to you by:

Smallstep – Secures Wi-Fi, VPNs, ZTNA, SaaS and APIs with hardware-bound credentials powered by ACME Device Attestation

LockThreat – AI-powered GRC that replaces legacy tools and unifies compliance, risk, audit and vendor management in one platform

About CybersecurityHQ

CybersecurityHQ provides executive-grade intelligence read weekly inside the Fortune 100. Each briefing is designed to support CISO-level decision-making across identity, infrastructure, third-party risk, and strategic security architecture.

Full access to CybersecurityHQ’s deep-dive intelligence, weekly executive cyber briefings, premium research, and analytic tools — $299/year.
Enterprise and team licenses available.

Persistent Vendor Access – The Unmonitored Backdoor

The PowerSchool investigation reports released in November 2025 by Canadian privacy commissioners expose the most dangerous access model in enterprise security: persistent vendor connectivity with no device assurance, no session boundaries, and no upstream ownership. They describe a structural failure in how thousands of institutions outsourced access to their student information systems. A single contractor credential opened a support portal that provided "always-on" remote access into customer environments — access that relied on single-factor authentication and generated no meaningful alerts when used.

This is not a credential theft problem. It's a vendor access architecture problem. Maintenance and support functions have been delegated to third parties, who are granted persistent connectivity that bypasses the controls applied to internal identities. The assumption is simple and dangerous: if access is defined in a contract, it is trusted. That assumption created a maintenance tunnel through which an attacker moved freely across school environments without triggering detection.

The deeper issue is that vendor access rarely sits inside a security-controlled domain. Procurement negotiates the contract. IT operations grants the access. Support teams normalize standing connectivity because it reduces friction. Security inherits the blast radius but owns none of the upstream decision rights. This governance gap — not the compromised credential — is what made the PowerSchool breach inevitable. The risk wasn't introduced by the attacker. The operating model baked it in.

The pattern persists because persistent access solves a real operational pain: vendors want instant access to fix issues without waiting for someone to "open the door." But efficiency was optimized without equivalent investment in session control, device assurance, or just-in-time access. Vendor identities inherit the privileges of the systems they support while escaping the scrutiny, lifecycle management, and monitoring applied to employees. Once those identities are compromised, the blast radius is bounded only by the scope of the vendor's footprint.

Questions for your team this week:

  • For every vendor with remote access to production systems, do we require phishing-resistant MFA and, where feasible, device-bound or attested sessions?

  • Do we log, retain, and routinely review all vendor sessions into sensitive systems?

  • Do we enforce just-in-time, time-bound access windows instead of "always-on" connectivity?

Or are we still operating on the assumption that a contract equals trust?
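The three questions above are answerable from gateway logs, if the logs exist. As an added example (not code from the original briefing, from PowerSchool, or from any vendor product), the script below reviews a small set of vendor remote-access sessions against those controls: phishing-resistant MFA, device attestation, a just-in-time grant covering the session, and a maximum session length. The log format, field names, the `JIT_GRANTS` table and the sample session records are all constructed for illustration; map them onto whatever your remote-access gateway actually emits.

```python
"""Review vendor remote-access sessions against the three controls:
phishing-resistant MFA, attested devices, and just-in-time windows
instead of standing connectivity.

Added example, not code from the briefing or any vendor. Field names,
the grant table and the session records are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import json

# Authentication methods we accept as phishing-resistant (assumption:
# adjust to the methods your gateway actually labels).
PHISHING_RESISTANT = {"webauthn", "fido2", "piv"}

# Longest single session we tolerate before calling it "always-on".
MAX_SESSION = timedelta(hours=4)

# Just-in-time grants: (vendor, account) -> (window start, window end).
# Constructed sample data; in practice this comes from the ticketing or
# PAM system that approved the access.
JIT_GRANTS = {
    ("acme-sis", "support-bot"): (
        datetime(2025, 11, 3, 14, 0, tzinfo=timezone.utc),
        datetime(2025, 11, 3, 16, 0, tzinfo=timezone.utc),
    ),
}

# Constructed sample gateway log, one JSON object per line.
SAMPLE_LOG = """\
{"vendor":"acme-sis","account":"support-bot","start":"2025-11-03T14:05:00Z","end":"2025-11-03T15:10:00Z","auth":"webauthn","device_attested":true,"target":"sis-db-01"}
{"vendor":"acme-sis","account":"support-bot","start":"2025-11-03T22:40:00Z","end":"2025-11-04T09:15:00Z","auth":"password","device_attested":false,"target":"sis-db-01"}
{"vendor":"acme-sis","account":"support-bot","start":"2025-11-03T15:30:00Z","end":"2025-11-03T15:45:00Z","auth":"totp","device_attested":true,"target":"sis-app-02"}
{"vendor":"other-vendor","account":"maint","start":"2025-11-03T14:10:00Z","end":"2025-11-03T14:20:00Z","auth":"webauthn","device_attested":true,"target":"hvac-ctl"}
"""


@dataclass
class Finding:
    line: int      # 1-based line in the log
    account: str   # "vendor/account"
    reason: str    # short reason code, see review_sessions()


def _parse_ts(s):
    # Gateway emits RFC 3339 with a trailing Z; fromisoformat wants +00:00.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def review_sessions(log_text, grants=JIT_GRANTS, max_session=MAX_SESSION):
    """Return one Finding per control violation, in log order.

    Reason codes: weak_mfa, unattested_device, no_jit_grant,
    outside_window, over_max_duration.
    """
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        s = json.loads(line)
        acct = f'{s["vendor"]}/{s["account"]}'
        start, end = _parse_ts(s["start"]), _parse_ts(s["end"])

        # Control 1: phishing-resistant MFA. Passwords and OTP codes both
        # fail here; a TOTP code can still be relayed by a phishing proxy.
        if s.get("auth") not in PHISHING_RESISTANT:
            findings.append(Finding(n, acct, "weak_mfa"))

        # Control 1b: the session came from an attested (managed) device.
        if not s.get("device_attested"):
            findings.append(Finding(n, acct, "unattested_device"))

        # Control 3: a just-in-time grant must exist and cover the session.
        # No grant at all means the account has standing access.
        grant = grants.get((s["vendor"], s["account"]))
        if grant is None:
            findings.append(Finding(n, acct, "no_jit_grant"))
        elif start < grant[0] or end > grant[1]:
            findings.append(Finding(n, acct, "outside_window"))

        # Overnight sessions are the signature of an "always-on" tunnel.
        if end - start > max_session:
            findings.append(Finding(n, acct, "over_max_duration"))
    return findings


def summarize(findings):
    """Count violations per reason code, for the weekly review."""
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    found = review_sessions(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line}: {f.account}: {f.reason}")
    print(summarize(found))
```

On the constructed log the second session is the one the briefing describes: password-only, from an unattested device, outside any approved window, and held open overnight. Control 2 (retain and review) is the act of running something like this on a schedule; if the gateway cannot produce records with these fields, that absence is itself the finding.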

Author
Daniel Michan is the founder of CybersecurityHQ, a CISO-grade intelligence platform read weekly across the Fortune 100. He analyzes identity-centric risk, machine identity failures, SaaS integration breakdowns, and emerging AI-speed threats, producing executive briefings and deep-dive research used by enterprise security leaders for decision support.
