The network perimeter is dead. Identity is the new perimeter. This comprehensive guide covers why identity-first security matters, the five pillars of identity security, and a 90-day implementation roadmap.
Originally published on danieljamesglover.com
Why Network-Centric Security Failed
The traditional security model assumed a clear boundary between "inside" (trusted) and "outside" (untrusted). Three fundamental shifts have rendered this model obsolete:
1. The workforce went everywhere. Remote work and mobile devices mean users access corporate resources from networks you do not control.
2. Applications moved to the cloud. SaaS adoption means your critical business applications live outside your network.
3. Attackers learned to steal credentials. Verizon's DBIR has reported that over 80% of hacking-related breaches involve brute-forced, lost or stolen credentials. Why break through a firewall when you can phish a password?
The Core Concept: Identity First Security
Identity First Security shifts the focus from "Where are you coming from?" (network) to "Who are you and what are you allowed to do?" (identity).
If an attacker holds a valid credential, the firewall sees a legitimate user: the attacker is the user. The strategic implication is clear: investment should follow risk.
| Security Model | Trust Basis | Primary Control | Primary Weakness |
|---|---|---|---|
| Perimeter (Castle-and-Moat) | Network location | Firewall, VPN | Once inside, full access |
| Defence in Depth | Layered controls | Multiple barriers | Complexity, gaps between layers |
| Identity First | Verified identity | IAM, MFA, access governance | Credential theft, social engineering |
| Zero Trust (Evolved) | Nothing - continuous verification | Identity + device + context | Implementation complexity |
The Five Pillars of Identity Security
Pillar 1: Authentication - Proving Identity
Not all authentication is equal. The hierarchy matters:
- Password only - Very low security, no phishing resistance. Never for external access.
- Password + SMS OTP - Low security. The code is as phishable as the password, and SIM swapping makes it unreliable for high-value targets.
- Password + TOTP - Medium security. Still vulnerable to real-time (adversary-in-the-middle) phishing, where a proxy relays the code within its validity window.
- Password + FIDO2 security key - High security, phishing resistant because the credential is bound to the site's origin. Use for privileged accounts.
- Passkey (passwordless) - Very high security, excellent UX: a FIDO2 credential used without a password. Target for all new implementations; note that a synced passkey is only as safe as the platform account that syncs it.
The MFA Fatigue Problem
Attackers who already hold a password spam push-notification prompts until an exhausted user eventually approves one ("push bombing"). Microsoft reported a 100% increase in MFA fatigue attacks in 2024. Mitigations include number matching, limiting or suppressing prompts after repeated denials, showing location and application context in the prompt, anomaly detection, and moving privileged users to FIDO2, where there is no prompt to approve.
The Passwordless Future
Passkeys built on FIDO2/WebAuthn eliminate passwords entirely. The private key stays in the authenticator (for synced passkeys, in the platform's encrypted keychain); each sign-in signs a fresh server challenge, so an assertion cannot be replayed; and the signed data names the origin the browser actually saw, so a look-alike site cannot collect an assertion the real site will accept. Benefits: phishing immunity, better UX, reduced help desk costs, and compliance simplification.
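The origin and challenge binding described above, as an added example that is not the author's code or any WebAuthn library's API: a simulated authenticator and relying party written against the Go standard library. The RP domain example.com, the look-alike domain example-login.com and the cut-down authenticatorData layout (rpIdHash followed by a flags byte) are assumptions; a production relying party should use a maintained WebAuthn library and additionally check the signature counter, user-verification flag and attestation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Relying party (RP) settings; example.com is an assumed placeholder domain.
const rpID, rpOrigin = "example.com", "https://example.com"

// clientData mirrors WebAuthn's CollectedClientData. The browser, not the web
// page, fills in origin, and the authenticator's signature covers its hash.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator simulates a device-bound FIDO2 authenticator holding one P-256
// key scoped to rpID. The private key never leaves it.
type Authenticator struct{ key *ecdsa.PrivateKey }

// signedMessage is SHA-256(authenticatorData || SHA-256(clientDataJSON)), the
// value the authenticator signs and the RP verifies.
func signedMessage(authData, clientJSON []byte) []byte {
	cdHash := sha256.Sum256(clientJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Assert answers a challenge for the page at origin. A real browser refuses to
// invoke the authenticator when origin is outside rpID; that guard is omitted
// here so the RP-side rejection is visible.
func (a *Authenticator) Assert(origin string, challenge []byte) (clientJSON, authData, sig []byte) {
	clientJSON, _ = json.Marshal(clientData{"webauthn.get", base64.RawURLEncoding.EncodeToString(challenge), origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(rpHash[:], 0x01) // simplified authenticatorData = rpIdHash || flags (0x01 = user present)
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, signedMessage(authData, clientJSON))
	if err != nil {
		panic(err) // simulated hardware failure
	}
	return clientJSON, authData, sig
}

// VerifyAssertion performs the RP-side checks that make passkeys phishing- and
// replay-resistant: challenge freshness, origin binding, RP ID, signature.
func VerifyAssertion(pub *ecdsa.PublicKey, expectedChallenge, clientJSON, authData, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientJSON, &cd); err != nil || cd.Type != "webauthn.get" {
		return errors.New("malformed client data")
	}
	if cd.Challenge != base64.RawURLEncoding.EncodeToString(expectedChallenge) {
		return errors.New("challenge mismatch") // signed for another session: replay
	}
	if cd.Origin != rpOrigin { // an AitM proxy's assertion names the proxy's origin
		return fmt.Errorf("origin %q is not %q", cd.Origin, rpOrigin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(authData) < 33 || string(authData[:32]) != string(rpHash[:]) || authData[32]&0x01 == 0 {
		return errors.New("authenticator data is not for this RP, or user not present")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(authData, clientJSON), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// challenge mints the per-session random value the RP sends to the client.
func challenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Demo registers one credential and returns the outcomes of a genuine login,
// an adversary-in-the-middle login via the assumed look-alike domain, and a
// replay of the genuine assertion against a fresh challenge.
func Demo() (genuine, phished, replayed error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	auth, pub := &Authenticator{key: key}, &key.PublicKey // registration: RP keeps pub only
	c1 := challenge()
	cj, ad, sig := auth.Assert(rpOrigin, c1)
	genuine = VerifyAssertion(pub, c1, cj, ad, sig)
	c2 := challenge() // the proxy relays the real RP's challenge to the victim
	pj, pad, psig := auth.Assert("https://example-login.com", c2)
	phished = VerifyAssertion(pub, c2, pj, pad, psig)
	replayed = VerifyAssertion(pub, challenge(), cj, ad, sig)
	return genuine, phished, replayed
}

func main() {
	g, p, r := Demo()
	fmt.Printf("genuine: %v\nphished: %v\nreplayed: %v\n", g, p, r)
}
```

The phished attempt fails even though the victim pressed the real authenticator: the browser wrote the proxy's origin into the client data before the key signed it, and the relying party has no reason to accept an assertion for a domain it does not own. Compare this with TOTP, where the relayed six digits carry no information about where they were typed.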
Pillar 2: Authorisation - Controlling Access
The Principle of Least Privilege is simple to state and difficult to implement. Access accumulates over time, managers approve without understanding implications, and "just in case" access persists indefinitely.
Just-In-Time (JIT) access is the answer: grant elevated privileges only when needed, for a specific duration, with specific approval. When the task completes, access automatically revokes.
Pillar 3: Federation - Centralising Identity
SSO is not merely a convenience feature - it is a security control. It creates a single point for access control, logging, and auditing. When someone leaves, you disable one account and they lose access to everything, with one caveat: disabling the IdP account does not invalidate sessions and tokens the applications have already issued, so pair it with session revocation and automated deprovisioning in the downstream applications.
Pillar 4: Governance - Managing the Lifecycle
Identity Governance manages the full lifecycle: Joiner (right access from day one), Mover (access matches current role), Leaver (zero access within hours), and Non-human (clear ownership, regular rotation).
Pillar 5: Visibility - Detecting and Responding
Identity-based detection adds context the network layer cannot: impossible travel (two sign-ins whose distance and time gap imply a speed no traveller could reach), anomalous access patterns, authentication anomalies (new device, new network, changed MFA method), and privilege escalation detection.
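The impossible-travel check above, as an added example that is not the author's tooling or any SIEM's built-in rule: a Go program that orders each user's sign-ins by time and flags consecutive pairs whose implied speed exceeds a threshold. The sign-in events are constructed for the example (not real logs), IP geolocation is assumed to have happened upstream, and the 900 km/h and 50 km thresholds are assumptions to tune against your own data.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"time"
)

// SignIn is one IdP sign-in event after IP geolocation (assumed done upstream).
type SignIn struct {
	User     string
	Time     time.Time
	City     string
	Lat, Lon float64
}

// Alert describes one pair of sign-ins that no traveller could connect.
type Alert struct {
	User, From, To       string
	DistanceKm, SpeedKmh float64
}

// haversineKm is the great-circle distance between two coordinates.
func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	rad := func(d float64) float64 { return d * math.Pi / 180 }
	dLat, dLon := rad(lat2-lat1), rad(lon2-lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(rad(lat1))*math.Cos(rad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * 6371.0 * math.Asin(math.Sqrt(a))
}

// DetectImpossibleTravel orders each user's sign-ins by time and flags any
// consecutive pair whose implied speed exceeds maxKmh. Pairs closer than minKm
// are skipped so that IP-geolocation jitter inside one city does not alert.
func DetectImpossibleTravel(events []SignIn, maxKmh, minKm float64) []Alert {
	byUser := map[string][]SignIn{}
	for _, e := range events {
		byUser[e.User] = append(byUser[e.User], e)
	}
	users := make([]string, 0, len(byUser))
	for u := range byUser {
		users = append(users, u)
	}
	sort.Strings(users) // deterministic output order
	var alerts []Alert
	for _, u := range users {
		evs := byUser[u]
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		for i := 1; i < len(evs); i++ {
			prev, cur := evs[i-1], evs[i]
			km := haversineKm(prev.Lat, prev.Lon, cur.Lat, cur.Lon)
			if km < minKm {
				continue
			}
			// Same-second events would divide by zero; treat them as one second apart.
			hours := math.Max(cur.Time.Sub(prev.Time).Hours(), 1.0/3600)
			if speed := km / hours; speed > maxKmh {
				alerts = append(alerts, Alert{u, prev.City, cur.City, km, speed})
			}
		}
	}
	return alerts
}

// SampleEvents is constructed sample data, not real log output.
func SampleEvents() []SignIn {
	at := func(h, m int) time.Time { return time.Date(2025, 6, 5, h, m, 0, 0, time.UTC) }
	return []SignIn{
		{"alice", at(9, 0), "London", 51.5074, -0.1278},
		{"bob", at(9, 0), "London", 51.5074, -0.1278},
		{"carol", at(9, 0), "London", 51.5074, -0.1278},
		{"alice", at(10, 30), "Sydney", -33.8688, 151.2093}, // ~17,000 km in 90 minutes
		{"bob", at(12, 0), "Paris", 48.8566, 2.3522},        // ~340 km in 3 h: a train ride
		{"carol", at(9, 5), "London", 51.51, -0.12},         // geolocation jitter within London
	}
}

func main() {
	for _, a := range DetectImpossibleTravel(SampleEvents(), 900, 50) {
		fmt.Printf("%s: %s -> %s, %.0f km, implied %.0f km/h\n", a.User, a.From, a.To, a.DistanceKm, a.SpeedKmh)
	}
}
```

Only alice is flagged. In production the rule needs two refinements the example omits: exclude known VPN and cloud-proxy egress addresses before geolocating, since they legitimately move users across continents, and raise the confidence when the two sign-ins also differ in device or user agent.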
The Identity Security Maturity Model
| Level | Authentication | Authorisation | Governance | Visibility |
|---|---|---|---|---|
| 1 - Initial | Passwords only | No RBAC | Manual processes | No logging |
| 2 - Developing | MFA for some (SMS/TOTP) | Basic RBAC, some SSO | Onboarding automation | Basic IdP logging |
| 3 - Defined | MFA everywhere | Comprehensive RBAC, broad SSO | IGA platform, periodic certification | SIEM integration |
| 4 - Managed | Passwordless available | JIT access, least privilege | Continuous certification | Identity threat detection |
| 5 - Optimised | Passwordless default | Zero standing privilege | AI-driven governance | Full identity analytics |
Most organisations fall between levels 2 and 3. Reaching level 4 should be the target for 2026.
90-Day Implementation Roadmap
Phase 1 (Days 1-30): Foundation - Assessment, quick wins (MFA gaps, inactive accounts), architecture design, policy development, and critical controls for privileged accounts.
Phase 2 (Days 31-60): Capability Building - SSO expansion, access governance implementation, JIT access for privileged operations, and identity threat detection.
Phase 3 (Days 61-90): Maturity - Passwordless acceleration, governance optimisation, security operations integration, and transition to operational mode.
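The Phase 1 quick wins (MFA gaps, inactive accounts, privileged-account controls) as an added example, not the author's checklist or any IdP's export format: a Go program that reads a user export, applies the MFA hierarchy from Pillar 1, and lists the accounts each check turns up. The CSV below is constructed sample data with assumed column names; a real IdP export would be mapped to those four columns first, and the 90-day inactivity window is an assumption.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"strings"
	"time"
)

// SampleExport is a constructed user export, not data from a real IdP. Columns:
// user, privileged flag, registered MFA methods (semicolon separated, empty =
// password only) and last sign-in time in RFC 3339.
const SampleExport = `user,privileged,mfa_methods,last_sign_in
alice@example.com,true,fido2;totp,2025-06-01T08:00:00Z
bob@example.com,false,sms,2025-05-20T09:00:00Z
carol@example.com,true,totp,2025-06-02T10:00:00Z
dave@example.com,false,,2024-11-01T12:00:00Z
svc-backup@example.com,true,,2025-06-03T03:00:00Z
erin@example.com,false,passkey,2025-01-15T12:00:00Z
`

// methodRank orders methods by the hierarchy in Pillar 1; fido2 and passkey
// are the phishing-resistant tier. Unknown methods rank 0 (treated as absent).
var methodRank = map[string]int{"sms": 1, "totp": 2, "fido2": 3, "passkey": 3}

const phishingResistant = 3

type Account struct {
	User       string
	Privileged bool
	Methods    []string
	LastSignIn time.Time
}

// Findings groups the accounts each quick-win check turned up.
type Findings struct {
	NoMFA     []string // password only
	WeakMFA   []string // SMS is the best method registered
	PrivNotPR []string // privileged without a phishing-resistant method
	Inactive  []string // no sign-in within the inactivity window
}

func ParseExport(data string) ([]Account, error) {
	rows, err := csv.NewReader(strings.NewReader(data)).ReadAll()
	if err != nil {
		return nil, err
	}
	if len(rows) < 2 {
		return nil, fmt.Errorf("export has no data rows")
	}
	var accounts []Account
	for _, r := range rows[1:] { // skip header
		last, err := time.Parse(time.RFC3339, r[3])
		if err != nil {
			return nil, fmt.Errorf("%s: %w", r[0], err)
		}
		var methods []string
		if r[2] != "" {
			methods = strings.Split(r[2], ";")
		}
		accounts = append(accounts, Account{r[0], r[1] == "true", methods, last})
	}
	return accounts, nil
}

// strongest returns the rank of the best MFA method registered (0 = none).
func strongest(a Account) int {
	best := 0
	for _, m := range a.Methods {
		if methodRank[m] > best {
			best = methodRank[m]
		}
	}
	return best
}

// Assess runs the checks as of now. A privileged account can appear in
// PrivNotPR and in NoMFA or WeakMFA, so each list can be worked independently.
func Assess(accounts []Account, now time.Time, inactiveAfter time.Duration) Findings {
	var f Findings
	for _, a := range accounts {
		switch strongest(a) {
		case 0:
			f.NoMFA = append(f.NoMFA, a.User)
		case 1:
			f.WeakMFA = append(f.WeakMFA, a.User)
		}
		if a.Privileged && strongest(a) < phishingResistant {
			f.PrivNotPR = append(f.PrivNotPR, a.User)
		}
		if now.Sub(a.LastSignIn) > inactiveAfter {
			f.Inactive = append(f.Inactive, a.User)
		}
	}
	return f
}

func main() {
	accounts, err := ParseExport(SampleExport)
	if err != nil {
		panic(err)
	}
	f := Assess(accounts, time.Date(2025, 6, 5, 0, 0, 0, 0, time.UTC), 90*24*time.Hour)
	fmt.Printf("no MFA: %v\nSMS only: %v\nprivileged without phishing-resistant MFA: %v\ninactive >90d: %v\n",
		f.NoMFA, f.WeakMFA, f.PrivNotPR, f.Inactive)
}
```

Note the service account svc-backup: it is privileged, has no MFA, and signs in daily, so the inactivity check alone would never surface it. That is why the non-human identities from Pillar 4 need their own ownership and rotation review rather than being swept up in the human-account quick wins.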
Common Pitfalls
- MFA Theatre - Deploying MFA for compliance while allowing weak methods and bypasses
- Governance Without Teeth - Certifications that managers rubber-stamp with no consequences
- Ignoring Non-Human Identities - Service accounts and API keys proliferating unmanaged
- Tool Sprawl - Overlapping identity tools that don't integrate
- Forgetting User Experience - Security so burdensome that users find workarounds
Final Thoughts
The network perimeter protected a world that no longer exists. Identity First Security is the pragmatic response to how attacks actually work.
Start here:
- Enable MFA everywhere - immediately
- Phishing-resistant auth for privileged users - this quarter
- Access governance and certification - this half
- JIT access and identity threat detection - this year
- Move towards passwordless - progressively
Identity is not just part of security. Identity is security.
Read the full article with implementation checklists and detailed vendor landscape at danieljamesglover.com