Like, if you just buy the right firewall, add antivirus, maybe sprinkle in an email filter, you are basically covered. And then you watch another breach unfold and it is the same story again. The attacker did not brute force some impossible encryption. They logged in.
Not always with a password either. Sometimes with a stolen session token. Sometimes with a fake MFA prompt that someone approved because it looked normal. Sometimes with a compromised vendor account. But the common thread is boring and kind of annoying.
Identity is the new perimeter. And honestly, it has been for a while.
So this is the shift. Moving from password obsession to identity first security. Not as a buzzword. As a practical way to reduce risk in a world where everything is SaaS, everyone is remote at least some of the time, and your data is scattered across tools you did not even know marketing bought.
Let’s talk about why this approach works, what it actually means, and how to start without turning your company into an IT hostage situation.
The uncomfortable truth about passwords
Passwords are not “bad” in the abstract. They are just doing a job they were never designed to do at modern scale.
They are:
- Reused across personal and work accounts because people are human
- Phished constantly because it is cheap and effective
- Leaked in credential stuffing lists forever
- Stored in places they should not be stored
- Shared in a rush when someone needs access “for five minutes”
And even if your password policy is strict, the attacker does not care. They will go around it. They will steal a cookie. They will use OAuth abuse. They will social engineer a helpdesk reset. They will compromise a device and pull tokens. They will get in through an account that never got offboarded properly.
Passwords are one weak link in a chain. The bigger issue is the chain itself.
If someone gets a valid identity inside your environment, a lot of your controls suddenly become “optional”. Because the system assumes the logged-in user is legitimate. That assumption is where modern breaches live.
What “identity first” actually means (in plain English)
Identity first security means you stop treating login as a single event and start treating identity as the core security control that everything else hangs off.
It is a mindset shift:
- Who is this user, really?
- What are they allowed to do, right now, on this device, from this location?
- Should they still have access?
- What would “normal” behavior look like for them?
- If this account is compromised, how fast can we contain it?
You are basically moving from “protect the network” to “protect access”. Because access is what attackers want. Access to email. Access to cloud drives. Access to admin consoles. Access to payroll systems. Access to source code. Access to your customers.
And the ugly part is, once they have access, they can look a lot like you.
Identity is the only thing that touches everything
Think about your modern stack for a second.
- Email and calendar
- Chat
- CRM
- Accounting
- HR systems
- Cloud infrastructure
- Data warehouses
- Customer support platforms
- Dev tools
- Marketing automation
These tools might not share a network. They might not even share a vendor. But they all share one thing.
A login.
That is why identity first works so well as a strategy. It is the one control plane that naturally spans all the places your data lives.
When identity is weak, your security posture is basically a bunch of locked doors in a house where the keys are copied and floating around the internet.
The three big reasons identity first security wins
1. Attacks are increasingly “legitimate” logins
A lot of security programs still assume the attacker is outside the system trying to break in.
In reality, many attackers are already inside, or they get inside quickly, by:
- Phishing credentials and MFA codes
- Using MFA push fatigue, where users approve prompts until it stops
- Stealing refresh tokens or session cookies
- Compromising an email inbox and pivoting through password resets
- Abusing OAuth app permissions, which is a quiet nightmare when nobody reviews it
Once they are in, they do not need to scan ports like it is 2006. They click around. They search. They export. They create forwarding rules. They add themselves as an admin. They set persistence.
Identity first security is built for this reality. It assumes compromise is possible, and it focuses on limiting blast radius and catching weird behavior fast.
2. Remote work and SaaS killed the old perimeter
If your “perimeter” is the office network, then what happens when:
- The CFO logs in from a hotel WiFi
- The engineering team deploys from home
- Contractors need access for two weeks
- Your main systems are cloud based anyway
The perimeter becomes a concept. Not a control.
Identity first security fits the SaaS world because it follows the user, not the building.
3. It scales better than adding one more security tool
A lot of companies respond to risk by stacking tools. Another dashboard. Another agent. Another alert stream that nobody has time to tune.
Identity first security is different because the improvements compound.
When you tighten identity, you improve security across:
- Cloud apps
- Admin consoles
- Developer platforms
- Data access
- Third party access
One set of decisions. Many downstream effects.
The building blocks of identity first security
This is the part where people expect a huge overhaul. It does not have to be that. But you do need a few foundational pieces.
Strong authentication, but not just “add MFA and pray”
Yes, MFA helps. It is table stakes. But not all MFA is equal.
A few practical notes:
- Push based MFA is convenient, and also one of the most abused forms if users are not trained and if prompts are endless
- SMS MFA is better than nothing, but it is vulnerable to SIM swap and interception
- Phishing resistant MFA (like FIDO2 security keys or passkeys) is where you want to end up for high risk users and admins
If you do only one thing this quarter, protect privileged accounts with phishing resistant MFA. Your admin identities are the skeleton key.
Least privilege, because “everyone is an admin” is a real disease
Most environments grow messy over time. People get temporary access, then it stays. Teams change. Contractors come and go. The permissions never shrink.
Least privilege is simple in theory and painful in practice, but it is necessary.
You want to aim for:
- Role based access where possible
- No standing admin access for daily work
- Separate admin accounts if you must
- Just in time elevation for privileged tasks
The goal is not perfect. The goal is reducing the number of accounts that can cause catastrophe.
Conditional access, the quiet superpower
Conditional access is where identity first becomes genuinely powerful.
It means access is not only based on who you are, but also the context:
- Device compliance: is this a managed device with disk encryption and a screen lock?
- Location: is this login coming from a country your company does not operate in?
- Risk signals: impossible travel, weird IP reputation, atypical behavior
- App sensitivity: stricter rules for payroll than for a public wiki
The important thing is that conditional access lets you say yes, but with guardrails. Or no, automatically, without waiting for someone to notice.
Device trust matters more than people admit
If an attacker controls the device, they can often bypass “good” authentication with stolen tokens or by acting as the user after login.
Identity first security usually pairs with a device posture approach:
- Managed devices for employees where possible
- BYOD with limited access and extra controls
- Blocking access to sensitive apps from unknown devices
- Requiring updated OS versions and basic hardening
This is not about spying on employees. It is about reducing the chance that an unmanaged, infected laptop is the doorway to your company.
Continuous monitoring for identity behavior, not just network traffic
Traditional monitoring focuses on network events. Identity first monitoring cares about account behavior:
- Multiple failed logins followed by a success from a new location
- New OAuth app consent with broad permissions
- Creation of inbox forwarding rules
- Privilege escalation events
- Unusual data downloads, exports, or mailbox access patterns
This is where good alerting pays off. Not 300 alerts. The 10 that actually matter.
Lifecycle management: onboarding and offboarding that actually works
A weird number of breaches come down to accounts that should not exist anymore.
Identity first security takes user lifecycle seriously:
- Joiner: new employee gets the right access, not “everything in case they need it”
- Mover: role changes update access cleanly
- Leaver: access is removed immediately, across all systems, including third party tools
Automate it if you can. Even partial automation reduces human error, and human error is basically the default setting.
“But we already have MFA.” Why that is not enough
This is worth calling out because it is a common trap.
MFA reduces risk, but identity first security is bigger than MFA. It includes:
- Limiting what an authenticated user can do
- Making access conditional on device and context
- Detecting suspicious identity events quickly
- Hardening privileged access so one account does not end the game
- Reviewing and removing stale permissions
MFA is a lock. Identity first is the lock, the key management, the alarm system, and the rules about who is allowed in which room.
A simple way to start (without boiling the ocean)
If you are trying to roll this out and you want a path that does not destroy your week, here is a practical order that works for a lot of teams.
Step 1: Identify your crown jewels and your crown jewel identities
List the systems that would be catastrophic if compromised.
Then list the accounts that can administer them.
Start there. Not everywhere.
Step 2: Lock down privileged access
- Require phishing resistant MFA for admins
- Remove standing admin where possible
- Add just in time elevation or approval workflows
- Monitor admin actions
This single move often cuts your worst case breach scenario in half.
Step 3: Turn on conditional access for high risk patterns
- Block legacy authentication
- Require compliant devices for sensitive apps
- Challenge logins from risky locations
- Add step up auth when behavior is weird
Start with report only modes if you need to understand impact first. But do not stay there forever.
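Added example (not from the original post) of the context-based rules described under conditional access and in Step 3: a toy evaluator where each policy is a predicate over one sign-in, can be scoped to sensitive apps, and can run in report-only mode so you can see what it would have done before enforcing it. Policy names, signal fields, the MFA method labels and the sample sign-ins are assumptions, not any vendor's schema.

```python
from dataclasses import dataclass
from typing import Callable
SENSITIVE_APPS = frozenset({"payroll", "admin-console"})  # assumed: stricter rules than a public wiki
HOME_COUNTRIES = {"US", "CA"}                             # assumed: countries the company operates in
PHISHING_RESISTANT = {"fido2", "passkey"}

@dataclass
class Policy:
    name: str
    when: Callable[[dict], bool]   # context predicate over one sign-in event
    control: str                   # "block", "require_mfa" or "require_phishing_resistant"
    apps: frozenset = frozenset()  # empty = applies to every app
    report_only: bool = False      # log what would happen, enforce nothing

POLICIES = [
    Policy("block legacy auth", lambda s: s["legacy_auth"], "block"),
    Policy("sensitive apps need a managed device", lambda s: not s["device_managed"],
           "block", apps=SENSITIVE_APPS),
    Policy("challenge logins from unexpected countries",
           lambda s: s["country"] not in HOME_COUNTRIES, "require_mfa", report_only=True),
    Policy("step up to phishing resistant MFA on high risk",
           lambda s: s["risk"] == "high", "require_phishing_resistant"),
]

def evaluate(signin: dict, policies=POLICIES) -> dict:
    """Fold every matching policy into one decision: block beats challenge beats allow."""
    decision, enforced, would_apply = "allow", [], []
    for p in policies:
        if (p.apps and signin["app"] not in p.apps) or not p.when(signin):
            continue
        if p.report_only:            # measure impact before enforcing
            would_apply.append(p.name)
            continue
        enforced.append(p.name)
        if p.control == "block":
            decision = "block"
        elif decision == "allow":    # already challenged or blocked: nothing stronger to add
            unmet = (signin["mfa"] == "none" if p.control == "require_mfa"
                     else signin["mfa"] not in PHISHING_RESISTANT)
            decision = "challenge" if unmet else decision
    return {"decision": decision, "enforced": enforced, "report_only": would_apply}

# Constructed sign-ins: CFO on an unmanaged laptop, developer abroad, admin flagged high risk, legacy mail client
SAMPLES = {
    "cfo": {"app": "payroll", "device_managed": False, "country": "US", "risk": "low", "legacy_auth": False, "mfa": "push"},
    "dev": {"app": "git", "device_managed": True, "country": "DE", "risk": "low", "legacy_auth": False, "mfa": "push"},
    "admin": {"app": "admin-console", "device_managed": True, "country": "US", "risk": "high", "legacy_auth": False, "mfa": "push"},
    "mailbot": {"app": "mail", "device_managed": True, "country": "US", "risk": "low", "legacy_auth": True, "mfa": "none"},
}
```

Running `evaluate` over `SAMPLES` blocks the CFO and the legacy client, challenges the high-risk admin, and lets the developer through while recording that the country rule would have fired.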
Step 4: Fix offboarding and access sprawl
This is unglamorous and it matters.
- Remove old accounts
- Review third party access
- Audit shared mailboxes, service accounts, API tokens
- Set an access review cadence
If nobody owns access reviews, access never gets reviewed.
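Added example (not from the original post) for the lifecycle management section and Step 4: a small access review that reconciles an HR roster with per-app account exports and surfaces leavers who still have accounts, movers who kept old entitlements, orphan accounts with no HR owner, and access nobody has used in months. The roster, role entitlements, app exports and the 90-day threshold are all constructed for illustration.

```python
from datetime import date

TODAY = date(2024, 6, 1)   # fixed so the example is deterministic
STALE_DAYS = 90            # assumed review threshold for unused access

# assumed: the access each role is entitled to, per app (the "joiner" template)
ROLE_ENTITLEMENTS = {
    "engineer": {"git": "write", "cloud": "deploy"},
    "finance": {"payroll": "admin", "crm": "read"},
    "sales": {"crm": "write"},
}

HR = {   # constructed roster: employment status and current role
    "alice": ("active", "engineer"),
    "bob": ("active", "sales"),      # mover: came from finance, still holds payroll admin
    "carol": ("left", "finance"),    # leaver: should hold nothing anywhere
}

APP_ACCOUNTS = {  # constructed per-app exports: user -> (access level, last login)
    "git": {"alice": ("write", date(2024, 5, 30)), "ci-bot": ("write", date(2024, 5, 31))},
    "cloud": {"alice": ("deploy", date(2024, 1, 2))},
    "payroll": {"bob": ("admin", date(2024, 5, 1)), "carol": ("admin", date(2024, 4, 1))},
    "crm": {"bob": ("write", date(2024, 5, 28)), "dave": ("read", date(2023, 11, 1))},
}

def review(hr=HR, apps=APP_ACCOUNTS, entitlements=ROLE_ENTITLEMENTS, today=TODAY):
    """Return the findings an access review should act on, grouped by kind."""
    findings = {"leaver": [], "excess": [], "orphan": [], "stale": []}
    for app, accounts in apps.items():
        for user, (level, last_login) in accounts.items():
            if user not in hr:
                findings["orphan"].append((app, user))   # service account or unknown: needs a named owner
            else:
                status, role = hr[user]
                if status == "left":
                    findings["leaver"].append((app, user))   # offboarding missed this system
                elif entitlements.get(role, {}).get(app) != level:
                    findings["excess"].append((app, user, level))   # mover kept old access
            if (today - last_login).days > STALE_DAYS:
                findings["stale"].append((app, user))   # unused access is attack surface, not convenience
    return findings
```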
Step 5: Make identity monitoring actionable
Tune alerts around a small set of identity events that reliably indicate real risk. You want signal, not noise.
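Added example (not from the original post) for the identity monitoring section and Step 5: three of the detections listed above, run over a constructed audit trail: a burst of failed logins followed by a success from a country the user has never signed in from, OAuth consent that grants broad read scopes, and an inbox rule forwarding mail outside the company. Field names, scope names, the baseline and the sample events are assumptions, not any product's log schema.

```python
from collections import defaultdict

BROAD_SCOPES = {"mail.read_all", "files.read_all", "directory.read_all"}  # assumed scope names
INTERNAL_DOMAIN = "example.com"                                          # assumed company domain
BASELINE = {"alice": {"US"}, "bob": {"US"}}   # constructed: countries each user normally signs in from

EVENTS = [  # constructed audit trail, already in time order
    {"ts": 1, "type": "login", "user": "alice", "ok": False, "country": "US"},
    {"ts": 2, "type": "login", "user": "alice", "ok": False, "country": "US"},
    {"ts": 3, "type": "login", "user": "alice", "ok": False, "country": "US"},
    {"ts": 4, "type": "login", "user": "alice", "ok": True, "country": "RO"},
    {"ts": 5, "type": "oauth_consent", "user": "alice", "app": "Calendar Sync Pro", "scopes": ["mail.read_all", "offline"]},
    {"ts": 6, "type": "inbox_rule", "user": "alice", "action": "forward", "to": "archive@personal-mail.example"},
    {"ts": 7, "type": "login", "user": "bob", "ok": False, "country": "US"},
    {"ts": 8, "type": "login", "user": "bob", "ok": True, "country": "US"},
]

def detect(events, baseline=BASELINE, fail_threshold=3):
    """Return (ts, user, reason) for the few identity events worth paging someone about."""
    alerts = []
    fails = defaultdict(int)                            # consecutive failures per user
    known = {u: set(c) for u, c in baseline.items()}    # copy so the baseline can grow safely
    for e in events:
        u = e["user"]
        if e["type"] == "login":
            if not e["ok"]:
                fails[u] += 1
                continue
            seen = known.setdefault(u, set())
            # success right after a burst of failures, from somewhere this user has never signed in
            if fails[u] >= fail_threshold and e["country"] not in seen:
                alerts.append((e["ts"], u, f"{fails[u]} failures then success from {e['country']}"))
            fails[u] = 0
            seen.add(e["country"])
        elif e["type"] == "oauth_consent":
            broad = sorted(BROAD_SCOPES.intersection(e["scopes"]))
            if broad:   # a third party app just got wide read access; review it before it is abused
                alerts.append((e["ts"], u, f"consent to {e['app']} with broad scopes {broad}"))
        elif e["type"] == "inbox_rule" and e["action"] == "forward":
            if not e["to"].endswith("@" + INTERNAL_DOMAIN):   # classic post-compromise persistence
                alerts.append((e["ts"], u, f"external forwarding rule to {e['to']}"))
    return alerts
```

Bob's single failure followed by a normal login produces nothing; only alice's sequence pages anyone, which is the signal-over-noise point the post makes.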
What success looks like
Identity first security is working when:
- A stolen password alone does not get an attacker very far
- A suspicious login gets blocked or challenged automatically
- Compromised accounts have limited permissions and limited blast radius
- Offboarded users lose access everywhere quickly
- Admin actions are rare, intentional, and visible
- You can answer “who has access to this” without an archaeology project
It feels boring when it is done right. Boring is good.
Final thought
Passwords are not going away tomorrow. But treating passwords as the main line of defence is like putting your best lock on a door that nobody uses, while the windows are open.
Identity first security is about closing the windows. Then watching the windows. Then making sure only the right people can open them, at the right time, from the right device, for the right reasons.
Not perfect security. Just a much better default.
FAQs (Frequently Asked Questions)
Why is relying solely on passwords insufficient for modern security?
Passwords were never designed to handle security at today’s scale. They are often reused, phished, leaked, stored insecurely, and shared casually. Attackers bypass strict password policies through stolen cookies, OAuth abuse, social engineering, and compromised devices. Passwords represent just one weak link in a larger chain; once a valid identity is compromised, many security controls become ineffective because systems assume the user is legitimate.
What does ‘identity first’ security mean in practical terms?
‘Identity first’ security treats identity as the core security control rather than a single login event. It involves continuously verifying who the user really is, what they are allowed to do right now from their device and location, whether they should still have access, recognizing normal behavior patterns, and rapidly containing compromises. This approach shifts focus from protecting networks to protecting access across all systems.
How does identity first security address modern attack methods involving legitimate logins?
Modern attackers often gain access using legitimate credentials through phishing MFA codes, exploiting MFA push fatigue, stealing session tokens or refresh tokens, compromising email inboxes to reset passwords, or abusing OAuth app permissions. Identity first security assumes compromise is possible and emphasizes limiting damage by detecting unusual behavior quickly and minimizing the attacker’s ability to move laterally within systems.
Why has the traditional network perimeter become obsolete in today’s work environment?
With remote work becoming common and most systems hosted in SaaS platforms, the office network no longer defines a secure perimeter. Employees log in from various locations like hotel WiFi or home networks; contractors require temporary access; and cloud-based tools span multiple vendors. Identity first security follows the user instead of the building, making it suitable for this perimeter-less reality.
What makes identity first security more scalable than adding more security tools?
Instead of stacking additional tools that create more alerts and complexity without integration, identity first security improves overall protection by securing the central point of access—identity itself. Enhancing identity controls strengthens security across email, cloud apps, admin consoles, developer platforms, data access points, and third-party integrations with one set of policies that have widespread downstream benefits.
What foundational elements are necessary to implement identity first security effectively?
Strong authentication is essential but goes beyond just adding MFA indiscriminately. While MFA is table stakes, not all types offer equal protection: push-based MFA can be abused if users aren’t trained; SMS MFA is vulnerable to SIM swaps; phishing-resistant methods like FIDO2 security keys or passkeys provide higher assurance for high-risk users and admins. Implementing these carefully forms a solid foundation for identity first security.