Why identity is the new perimeter – and how to defend it

The end of the traditional perimeter

The traditional perimeter, the demarcation point between an enterprise and the rest of the world, was well-defined.

CISOs and networking professionals could set up a firewall inside the enterprise's four walls. That firewall would serve as the logical wall between what is inside the organization and what is outside, effectively standing as the perimeter for defense. The networking team understood who was inside the perimeter, as those were local users.

Users outside the firewall were outside the perimeter and often identified with an IP address and, in some cases, a MAC address. Corporate users could get access from outside the firewall with a virtual private network (VPN) that provided tunneled access to the inside of the enterprise.

That traditional perimeter no longer exists and certainly hasn't for some time. All the resources that an organization requires are not within the company's four walls, and increasingly, neither are its users.

The modern organization uses a wide array of cloud software-as-a-service (SaaS)- based platforms to operate. Employees aren't always in the office, and they have multiple devices, including traditional laptops and smartphones. Workers now access corporate resources alongside cloud SaaS from diverse locations and user devices, often outside traditional network controls such as a firewall.

The old perimeter is gone. In its place, identity has emerged to enable users to gain access to resources. That could be a user identity, such as a username and password, or a device identity with an access token that provides authentication to a given service.

Why identity is now the core attack surface

With identity being in many cases the 'key' to enabling access, rather than location or an IP address, identity in the modern era has become the new security perimeter.

As the perimeter, identity is now the core attack surface for cyber attackers who are looking to exploit organizations and their data. It is the literal key to unlocking access. Several factors have contributed to creating this situation, including the following:

• Remote and hybrid work. In the post-COVID era, in particular, more employees are regularly working remotely.
• SaaS and cloud adoption. Many businesses rely on cloud SaaS, which depends on identity-based access. This introduces vulnerabilities, as attackers often target credentials to gain entry.
• Digital transformation. The overall process of digital transformation has led to a dramatic increase in the number of devices and different types of endpoints that are used by organizations and employees. That has led to a reliance on identity as the cornerstone for access.
• Complexity of federated identity. While identity is now the key to gaining access, there isn't just one key. Modern organizations often use multiple identity providers and federated access mechanisms, which makes it increasingly complex to manage. That complexity can be abused by attackers to gain access.

Data from multiple industry reports statistically details the growing trend of identity-related cyberattacks. According to the IBM X-Force 2025 Threat Intelligence Index, abusing valid accounts remained the preferred entry point into victim environments for cybercriminals in 2024, representing 30% of all incidents X-Force responded to. The 2025 Verizon Data Breach Investigations Report highlights stolen credentials as the primary initial access vector in 22% of breaches, underscoring their role in facilitating unauthorized access.

Why should enterprise boards care about identity security?

There are many good reasons why enterprise boards should care about identity security. Simply put, identity security is not merely a technical concern; it is a strategic business issue that can have a non-trivial impact on an organization and its operations across multiple dimensions.

• Regulatory compliance. Boards have a fiduciary responsibility to ensure regulatory compliance. Numerous industry regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX), California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR), have cybersecurity requirements. Non-compliance can lead to financial penalties.
• Financial risks from a breach. IBM's 2024 Cost of a Data Breach Report states that the average cost was $4.88 million globally, with identity and access management (IAM) reducing costs by an average of $180,000, emphasizing the financial stakes.
• Impacts on mergers and acquisitions and audits. Poor identity security posture can impact an organization's valuation during M&A, as buyers increasingly scrutinize cybersecurity capabilities as part of due diligence processes. Similarly, audit findings related to identity management can affect stakeholder confidence.
• Erosion of brand trust. Identity security is critical for overall security, and gaps that lead to a security incident could result in an erosion of brand trust and loyalty from end-users and customers.
• Third-party risk. Organizations are typically reliant on third parties as contractors and as part of the supply chain. If the identity of those users is compromised, it can introduce risk to the organization.
• Shadow IT. The risk from shadow IT is that it is an unknown that can potentially expose an organization. Identity can limit that risk, providing visibility.
• Non-human entities. Real human users aren't the only ones who need an identity. Many machines and increasingly AI agents access corporate resources, which is why nonhuman identity is getting board-level attention now.
• Executive risk. If a major breach occurs due to inadequate identity security, board members and executives can potentially face personal liability and/or reputational damage.

Executive priorities for defending the identity perimeter

Defending the identity perimeter is not about implementing a single product or service. It's about having an overall strategy that accounts for the real threats and provides actionable capabilities to reduce risk, while ensuring secure access to organizational resources.

To effectively defend the identity perimeter, it's critical to focus on the following key action items, which address the most critical vulnerabilities and attack vectors.

Invest in robust IAM and IGA

IAM and identity governance and administration (IGA) are foundational elements for defending and securing the identity perimeter. It is imperative that organizations evaluate, select and then implement both IAM and IGA.

Proper IAM deployment centralizes identity management, which enables organizations to set up and enforce unified polices across all modalities and workflows. IGA provides an overall view of identities and the actual access rights that each identity has been granted, enabling real time monitoring of access patterns and potential security violations

Implement privileged access management

Beyond standard IAM, organizations must implement privileged access management (PAM) to secure high-risk accounts with elevated permissions. PAM solutions provide additional controls for administrative accounts and sensitive system access.

Develop a comprehensive identity governance framework

Establish policies and procedures for managing identities with the IAM and IGA systems. This includes deprovisioning older, unused identities and regular auditing. Conduct automated access reviews to identify and rectify cases where users may have accumulated unnecessary or excessive permissions over time.

Understand the intersection of enterprise identity and cloud identity

A key area of weakness for many organizations is the fact that they have separate identities inside the organization that are different from the cloud. Some form of control that manages and unifies that identity, which can come from IAM and IGA, needs to be part of the overall strategy. Technologies such as single sign-on and federated identity management can help.

Embrace MFA

Multi-factor authentication (MFA) is critical to securing identities. Simply having a username and a single password isn't enough. Cyber attackers easily steal user credentials and passwords through various attacks, including data breaches and phishing. MFA provides another layer of authentication beyond a single password, making it more resilient.

Focus on employee awareness and training

It's important to train employees on best practices for managing their own identities. This can include awareness about phishing risks and education about why MFA is important.

Pay attention to non-human entities

IoT, agentic AI, servers and APIs are all part of the technology landscape, and none of them are human. Those technologies all must also have some form of identity that is actively managed and monitored through automated threat detection and response capabilities that can identify anomalous behavior patterns.

A C-suite roadmap to identity security

Just as a company's financial controls require coordinated oversight between the CFO, auditors, and board to prevent fraud and ensure compliance, identity security demands similar executive alignment to protect the organization's most valuable digital assets.

The following framework outlines the critical areas where CISOs, CIOs and board members must collaborate to ensure organizational protection and business continuity.

Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.