CCNet
Feb 13, 2026 • 3 min read
Identities are the new perimeter: From network fencing to zero trust
Management Summary
The era of network perimeters is over. Attacks start via email, browsers, remote access, identities, and services that never see your LAN. Those who still romanticize packet filters lose in speed and visibility. The way forward is unglamorous: Zero Trust as an operating principle ("verify instead of trust"), strong MFA, consistent Least Privilege, short-lived permissions (JIT-Access) and telemetry that ties anomalies to identity. Result: faster detection, less lateral movement, lower downtime costs.
Why the classic perimeter fails
Hybrid reality: SaaS, remote work, partner access – the “inside” effectively no longer exists.
Session theft instead of password guessing: modern phishing chains target tokens and cookies, not just passwords.
Machine accounts are exploding: service IDs, CI/CD tokens, IoT – often with permanent rights, rarely monitored.
Change velocity: new apps and integrations appear faster than firewall rules can keep up.
Conclusion: control must move to the identity – human and machine.
Zero Trust in five pillars
Identity – Who wants what? Humans, services, devices. Strong MFA, robust recovery processes, strict session policies (re-challenge, device binding).
Device – From what is access happening? Compliance status, patch level, risk signals. Non-compliant devices: restricted mode.
Network – Only transport layer and micro-segmentation; no implicit trust zones.
Workload/Application – Gate in front of every sensitive flow (AuthN/Z, rate limits, secrets hygiene).
Data – Classification, minimal permissions, context-dependent approvals, logging.
Principles: explicit verification, Least Privilege, assume compromise, telemetry-first.
90-day plan: from intention to lived control
Day 0–15 – Situation overview and tough decisions
Role mapping: admin, finance, developer, third-party accounts. What is business-critical?
Auth inventory: where is phishing-resistant MFA missing? Which legacy flows are still active (for example IMAP/POP, Basic/NTLM)?
Policy outline: access decisions will be based on identity plus device state plus context.
Day 16–45 – Hardening and shutdowns
MFA for all critical roles; disable legacy protocols; session re-challenge on risk.
Pilot JIT-Access: temporary admin rights with ticket or four-eyes approval; maximum duration in minutes or hours.
Secrets rotation: move service accounts to short-lived tokens; eliminate hard-coded passwords.
Day 46–75 – Automate and gain visibility
Encode access decisions into policies (policy engine): identity × device × location × sensitivity.
Identity-based anomaly detection: unusual travel, impossible logins, deviation from role profile leading to auto-containment (session kill, step-up authentication).
Test break-glass process: emergency accounts, logged usage, immediate rotation.
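The policy-engine step above (identity × device × location × sensitivity) and the JIT pilot from the previous phase can be shown together in one decision function. The following is an added example and not code from the original article or from any product: the data classes, the role and sensitivity labels, the 30-day patch threshold, the four-hour JIT cap and the sample scenario are all constructed assumptions for illustration.

```python
"""
Added example (not from the original article): a minimal policy engine that
decides access from identity x device x location x sensitivity, with
short-lived JIT grants instead of standing admin rights. All names,
thresholds and sample data are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Identity:
    name: str
    role: str                     # e.g. "developer", "admin"
    mfa: str                      # "none", "push", "fido2"
    jit_grants: dict = field(default_factory=dict)  # resource -> expiry (UTC)


@dataclass
class Device:
    compliant: bool               # result of the device compliance check
    patch_age_days: int           # days since last patch cycle


@dataclass
class Request:
    identity: Identity
    device: Device
    location: str                 # "corp", "home", "unknown"
    resource: str                 # "admin:..." marks privileged resources
    sensitivity: str              # "low", "medium", "high"
    now: datetime


PHISHING_RESISTANT = {"fido2"}    # push/OTP are not phishing-resistant
MAX_PATCH_AGE_DAYS = 30           # assumed compliance threshold
JIT_HARD_CAP_MINUTES = 240        # assumed upper bound for any JIT grant
DEMO_NOW = datetime(2026, 2, 13, 9, 0, tzinfo=timezone.utc)


def decide(req: Request) -> tuple[str, str]:
    """Return (decision, reason); decision is "allow", "step_up" or "deny"."""
    ident, dev = req.identity, req.device
    # 1. Device state: non-compliant devices only get low-sensitivity access.
    if (not dev.compliant or dev.patch_age_days > MAX_PATCH_AGE_DAYS) and req.sensitivity != "low":
        return "deny", "device not compliant: restricted mode"
    # 2. Identity strength: high sensitivity requires phishing-resistant MFA.
    if req.sensitivity == "high" and ident.mfa not in PHISHING_RESISTANT:
        return "deny", "phishing-resistant MFA required"
    # 3. Privileged resources need an unexpired JIT grant, never standing rights.
    if req.resource.startswith("admin:"):
        expiry = ident.jit_grants.get(req.resource)
        if expiry is None or expiry <= req.now:
            return "deny", "no active JIT grant"
    # 4. Context: unfamiliar location on medium/high sensitivity forces re-challenge.
    if req.location == "unknown" and req.sensitivity in ("medium", "high"):
        return "step_up", "unfamiliar location: re-authenticate"
    return "allow", "policy satisfied"


def grant_jit(ident: Identity, resource: str, ticket: str, approver: str,
              now: datetime, minutes: int = 60) -> datetime:
    """Issue a time-boxed grant; a ticket and a distinct approver (four-eyes) are required."""
    if not ticket or not approver or approver == ident.name:
        raise ValueError("JIT grant needs a ticket and an approver other than the requester")
    expiry = now + timedelta(minutes=min(minutes, JIT_HARD_CAP_MINUTES))
    ident.jit_grants[resource] = expiry
    return expiry


def run_demo() -> list[str]:
    """Constructed scenario: one admin, one privileged resource, five situations."""
    alice = Identity("alice", "admin", "fido2")
    laptop = Device(compliant=True, patch_age_days=3)
    stale = Device(compliant=False, patch_age_days=45)

    def req(dev: Device, loc: str, t: datetime) -> Request:
        return Request(alice, dev, loc, "admin:prod-db", "high", t)

    results = []
    results.append(decide(req(laptop, "corp", DEMO_NOW))[0])      # no grant yet -> deny
    grant_jit(alice, "admin:prod-db", "CHG-1042", "bob", DEMO_NOW, minutes=30)
    results.append(decide(req(laptop, "corp", DEMO_NOW))[0])      # active grant -> allow
    results.append(decide(req(laptop, "unknown", DEMO_NOW))[0])   # unknown location -> step_up
    results.append(decide(req(stale, "corp", DEMO_NOW))[0])       # non-compliant device -> deny
    results.append(decide(req(laptop, "corp", DEMO_NOW + timedelta(minutes=31)))[0])  # expired -> deny
    return results


if __name__ == "__main__":
    print(run_demo())   # ['deny', 'allow', 'step_up', 'deny', 'deny']
```

The order of the checks is the point: device state and factor strength are evaluated before the JIT grant is even looked at, so a valid grant on a non-compliant device still yields restricted mode, and the grant itself carries an expiry rather than a flag that someone has to remember to clear.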
Day 76–90 – Anchor and measure
Role cleanup (RBAC/ABAC): close orphaned accounts, reduce over-privileged groups.
Developer path: forbid secrets in code, enforce signatures, short-lived CI/CD tokens.
Quarterly steering: lock in targets (for example 100 % MFA for critical roles, 90 % JIT-Access for admin actions).
KPIs that truly drive decisions
MFA coverage (phishing-resistant): share of critical roles with strong factors.
JIT rate: share of privileged actions performed under a time-limited approval rather than standing rights.
Excess privilege rate: accounts with rights beyond their role profile.
Mean Time to Revoke: time from offboarding or role change to rights removal.
Session anomalies: detected, automatically contained, manually confirmed – depending on criticality.
Machine identities: share of short-lived tokens, rotation intervals, secrets findings per month.
Anti-patterns
"We have MFA" – but allowing push spamming and legacy fallbacks. Result: false security.
"Once admin, always admin" – permanent rights invite lateral movement. Least Privilege is not a poster, it is removal.
"Forgetting service accounts" – static passwords, never rotated, all-powerful. That is a silent backdoor.
"The network is secure enough" – until a browser tab with a stolen cookie becomes proof-of-admin.
"Backups = reassurance" – without identity hardening, attackers simply return after restore.
Practical checklist (immediately actionable)
Phishing-resistant MFA (passkeys/FIDO2) for admin, finance, HR, and developer roles.
Least Privilege: role reviews, removal of unnecessary rights, peer approvals.
JIT-Access: time limits, ticket binding, full logging, auto-revoke.
Machine accounts: mTLS, short-lived tokens, secrets scanning in CI, rotation within 30 days or less.
Session security: token binding to device or browser, re-challenge on risk, forced logout after anomalies.
Offboarding in hours, not days; automatic rights cascade down to sub-systems.
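The identity-based anomaly detection from the Day 46–75 phase (unusual travel, impossible logins, deviation from role profile) and the checklist item "forced logout after anomalies" both come down to the same loop: correlate each sign-in with the identity's previous one and its role profile, then map a finding to a containment action. The following is an added example, not code from the original article or any SIEM product; the sign-in events, coordinates, role profiles and the 900 km/h travel threshold are constructed assumptions.

```python
"""
Added example (not from the original article): identity-centred anomaly
detection over constructed sign-in events. Each finding carries a containment
action (session kill or step-up) that an automation hook could execute.
"""
import math
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class SignIn:
    user: str
    ts: datetime
    lat: float
    lon: float
    session_id: str
    app: str


# Constructed role profiles: which applications a role normally uses.
ROLE_APPS = {"finance": {"erp", "mail"}, "developer": {"git", "ci", "mail"}}
USER_ROLE = {"eva": "finance", "finn": "developer"}
MAX_SPEED_KMH = 900.0        # assumed: faster than an airliner is "impossible"
SAME_TIME_RADIUS_KM = 50.0   # assumed: tolerance for geo-IP noise at equal timestamps


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = math.radians(lat2 - lat1)
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def detect(events: list[SignIn]) -> list[dict]:
    """Walk sign-ins in time order; emit findings tied to the identity and session."""
    findings = []
    last: dict[str, SignIn] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        prev = last.get(ev.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.ts - prev.ts).total_seconds() / 3600
            impossible = km > SAME_TIME_RADIUS_KM if hours <= 0 else km / hours > MAX_SPEED_KMH
            if impossible:
                # A second live session from an unreachable place: kill it, not the user.
                findings.append({"user": ev.user, "type": "impossible_travel",
                                 "action": "kill_session", "session": ev.session_id,
                                 "detail": f"{km:.0f} km in {hours:.2f} h"})
        role = USER_ROLE.get(ev.user)
        if role is not None and ev.app not in ROLE_APPS[role]:
            # Outside the role profile: not necessarily hostile, so step-up rather than kill.
            findings.append({"user": ev.user, "type": "role_deviation",
                             "action": "step_up", "session": ev.session_id,
                             "detail": f"{ev.app} not in profile of role {role}"})
        last[ev.user] = ev
    return findings


def run_demo() -> list[dict]:
    """Constructed events: one impossible travel, one role deviation, one benign trip."""
    def t(h: int, m: int) -> datetime:
        return datetime(2026, 2, 13, h, m, tzinfo=timezone.utc)

    events = [
        SignIn("eva", t(8, 0), 47.37, 8.54, "s1", "erp"),       # Zurich
        SignIn("eva", t(8, 30), 1.35, 103.82, "s2", "erp"),     # Singapore, 30 min later
        SignIn("finn", t(9, 0), 52.52, 13.40, "s3", "git"),     # Berlin
        SignIn("finn", t(9, 40), 52.52, 13.40, "s4", "erp"),    # Berlin, app outside role
        SignIn("finn", t(12, 0), 48.14, 11.58, "s5", "git"),    # Munich by train: plausible
    ]
    return detect(events)


if __name__ == "__main__":
    for f in run_demo():
        print(f)
```

Two design choices matter here. The finding is keyed to the session, so containment can kill the anomalous session without locking out the person whose legitimate session is still running; and the two anomaly types map to different actions, since a role deviation is a reason to re-challenge, while travel that is physically impossible is a reason to terminate. In production the role profile would be learned from history rather than hard-coded, and the events would come from the identity provider's sign-in log.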
Conclusion: identity first – everything else after
Those who take IT security seriously build control around identities and their contexts. Zero Trust is not a project but an operating standard: strong MFA, strict Least Privilege, enforced JIT-Access, solid telemetry. This is less flashy than new tools – but it noticeably reduces risk, MTTR, and costs. Those who start today and consistently execute the 90-day steps achieve more impact within a few quarters than with any additional "best-of-breed" purchase.