You can’t glance anywhere at a security event these days without seeing the phrase ‘zero trust’. It’s a buzzword alright, but it’s a useful one. At its heart is a fundamental shift in security focus away from perimeter security.
Zero trust is already an old term, cropping up in industry parlance around 2010, but its principles extend further back than that to the Jericho Forum, a collection of senior cybersecurity executives.
Jericho members first coined the term ‘deperimeterisation’ around 2004. This acknowledged that a ‘ring of iron’ protective perimeter around the enterprise network was no longer enough. As contractors and other business partners got more access to the network, the distinction between ‘inside’ and ‘outside’ became increasingly artificial. Once a castle with a moat, the network had evolved into a city, with multiple gates and plenty of people flowing freely in and out.
Deperimeterisation and its successor zero trust shifted the focus to protecting individual assets inside the network. The best way to do that is to continually authenticate who is accessing those assets and what they are allowed to do with them. That meant treating identity as the new security boundary.
Those who don’t make that transition risk more breaches. The ISMS State of Information Security Report 2025 even puts a number on it: authentication breaches surged tenfold in the past year, from 2% to 20% of incidents. Verizon’s Data Breach Investigations Report confirms that credentials remain the top attack vector.
Why Credentials Have Become The Skeleton Key
Why did credentials become the skeleton key to enterprise systems? Part of it has to do with the evolution of the edge. It’s hard to even define the network edge today, with so much of it now spread around different regional data centres and cloud services. Hybrid work also played a part, accelerating the need for people to access the network remotely.
Another driver has been the infostealer economy, which has industrialised. This malware pilfered 2.1 billion credentials in 2024 alone, according to Google. Once an infostealer campaign grabs login credentials, they’re easy to sell on the dark web, and credential stuffing attackers can then use them to rattle digital doorknobs across the internet.
When they do score a hit and unlock yet another account, attackers can be sure that they’ll have plenty of time to exploit that hijacked account and get away. Breaches involving compromised credentials also take the longest to identify and contain, at 292 days on average, per IBM.
Non-Human Users Now Outnumber Human Ones
There’s another reason why identity has become increasingly important as a part of security: non-human identities. Back in the day, the main users of enterprise computing resources were people. Today, thanks to microservices, APIs, and a burgeoning generation of agentic AI services, non-human users outnumbered humans 144:1 in enterprises during 2025. That was up 56% from the previous year.
The growth of AI agents is especially relevant here because those services are becoming more autonomous. As they gain confidence in AI automation, organisations are more likely to give these agents more responsibility. The percentage of such services with privileged access will increase.
Identity Is Foundational
These trends are why compliance frameworks focus on identity. ISO 27001:2022 Annex A 5.15-5.18 codifies identity controls as part of a broader set of organisational measures covering access control, identity management, authentication information, and access rights.
Robust security control frameworks share a common thread: every identity must be unique, least privilege must be the norm, and every access must be auditable. MFA should be mandatory for privileged access.
These frameworks’ focus on identity is timely, as regulators are paying far more attention to this issue. ENISA describes MFA as a smart way to show that you’re complying with NIS 2. Companies should take heed, as this EU regulation carries penalties of up to €10 million or 2% of global annual turnover, whichever is higher, for essential entities that don’t comply.
Moving To An Identity-Focused Security Posture
So how can companies adopt an identity-based security posture that’s independent of amorphous perimeters?
There are concrete components underpinning zero trust. Strong identity and access management is one, which involves ensuring that every user, service, and machine is uniquely identified and continuously authenticated.
MFA is a clear way to get ahead of account hijacking, but it isn’t without its risks. MFA fatigue is real, adversary-in-the-middle phishing proxies can be used to intercept MFA sessions, and infostealers can steal session tokens. A replayed token bypasses some forms of MFA entirely, because the authentication has already happened. In 2024, Microsoft detected 147,000 token replay attacks, up 111% from the prior year.
Passwordless authentication using passkeys is another way to stop people falling victim to phishing attacks: the credential is bound to the site’s origin, so a lookalike phishing page cannot use it. It can also stop some of the behaviours that end-users find difficult to give up when trying to get the job done, such as sharing passwords for convenient access.
These changes might seem daunting undertakings for many organisations, especially those that have composed their IT infrastructure from multiple systems over time, through acquisitions, fragmented teams, and strategic technology changes. But they can make things easier by beginning with some key principles.
Implement ISO 27001 Annex A 5.15-5.18 controls as a baseline. These will guide you in the best-practice implementation of access policies, identity lifecycle management, and authentication standards. A framework like this will give you a solid grounding in governance through measures such as regular access reviews.
Inventory non-human identities with the same rigour applied to employees. Conduct a gap analysis and see what it would take to account comprehensively for all service accounts and their TLS certificates or API keys: who owns each one, when its credential expires or was last rotated, when it was last used, and whether it holds privileged access.
Ultimately, the goal is to accept that identity security is now a foundational part of security management. After all, you cannot protect what you cannot authenticate.