
For a long time, cybersecurity was pretty straightforward: Guard the edges, and everything inside should be fine. Firewalls, DMZs, VPNs — these were the go-to tools. Back then, it worked. Apps lived in data centers, and everyone showed up at the office. But that world disappeared before most companies even noticed.
Remote work, cloud adoption and distributed applications slowly dissolved the network edge. And attackers took advantage of that gap long before defenders adapted. Verizon’s annual Data Breach Investigations Report repeatedly shows that a large portion — often over 80% — of modern breaches involve compromised credentials, not network flaws.
That number says a lot. It tells us the perimeter didn’t just shift — it collapsed around identity.
The old perimeter: Strong walls, weak assumptions
Traditional security assumed one thing: “If someone is inside the network, they can be trusted.”
That assumption worked when offices were closed environments and systems lived behind a single controlled gateway. But as Microsoft highlights in its Digital Defense Report, attackers have moved almost entirely toward identity-based attacks because stealing credentials offers far more access than exploiting firewalls.
In other words, attackers stopped trying to break in. They simply started logging in.
Cloud + remote work = No perimeter
Now, with remote work and the cloud, there’s no real perimeter left. People connect from home Wi-Fi, personal laptops, airports, coffee shops — you name it. At the same time, company data and workloads are scattered across AWS, Azure, Google Cloud and various SaaS platforms. The old rules just don’t fit anymore.
There is no single “inside” anymore. There is only identity — the user behind the request.
This is why modern security frameworks, including NIST’s Zero Trust Architecture guidelines (SP 800-207), emphasise identity as the primary control point rather than the network.
Identity is now the primary attack surface
Identity brings convenience, but it also brings complexity — and complexity attracts attackers.
- People reuse passwords.
- MFA fatigue attacks work far too often.
- Privileged accounts get over-granted.
- Contractors keep access long after their projects end.
- Service accounts multiply with no owner.
Okta’s recent State of Identity Security report points out that identity misuse has become one of the fastest-growing attack vectors in enterprises.
Identity is no longer just a log-in step. It’s now the attacker’s first target.
Zero trust made identity the first door to lock
Zero trust isn’t about paranoia. It’s about verification. “Never trust, always verify” only works if identity sits at the center of every access decision.
That’s why CISA’s zero trust maturity model outlines identity as the foundation on which all other zero trust pillars rest — including network segmentation, data security, device posture and automation.
A strong identity-based perimeter includes:
- MFA everywhere
- SSO to reduce password fatigue
- Role-based access controls
- Privileged Access Management
- Device trust tied to user identity
- Continuous monitoring of user behaviour
- Adaptive, risk-based access policies
This isn’t the future — this is what’s expected today.
Identity done right requires real discipline
When identity becomes the perimeter, it can’t be an afterthought. It needs to be treated like core infrastructure. That means:
- Identity has to be engineered, not patched together. Lifecycle processes must be streamlined — joiners, movers and leavers must be tightly controlled.
- Privilege needs to be what people earn, not what they start with. Excess access is still one of the top contributors to breaches.
- Authentication methods need to evolve yearly. Static MFA policies won’t survive dynamic threats.
- Monitoring must follow behavior, not networks. Suspicious activity often hides in user patterns, not traffic flows.
- Identity ownership must be shared across security, IT and the business. Identity doesn’t succeed unless everyone is accountable.
Gartner has been emphasising this shift for years, calling identity “the new security perimeter” in multiple research publications aimed at CISOs and enterprise architects.
Where we’re heading next
Identity is already at the centre of modern cybersecurity, but its role is only going to grow stronger. Over the next few years:
- Passwords will fade out in favour of passkeys and biometrics.
- Machine identities will become as critical as human identities.
- Access decisions will adapt in real time based on behaviour.
- Identity platforms will become the central nervous system of enterprise security.
- Zero Trust will mature from architecture diagrams into everyday practice.
Organizations that invest in strong identity foundations won’t just improve security — they’ll improve operations, compliance, resilience and trust. Because when identity is solid, everything else becomes clearer: who can access what, who is responsible for what and where risk actually lives.
The companies that struggle will be the ones trying to secure a world that no longer exists — a perimeter that disappeared years ago.
Identity isn’t just the new perimeter.
It’s the new beginning.
Everything starts here now.
This article is published as part of the Foundry Expert Contributor Network.
