Identity-Centric Security Strategies for Hybrid Workforces
Published 2026-03-19 10:52 | Source: securityboulevard.com

The shift to hybrid work has redrawn the cybersecurity perimeter. Roughly half of remote-capable employees now split their time between office and home, often across several devices. In this fluid environment the consensus is that identity, not the network, is the new perimeter. As one Identity Defined Security Alliance (IDSA) webinar put it, given the risks of remote work, “identity is no longer the new perimeter, but is now the only perimeter that matters.”

The reason is simple: more than 80% of breaches stem from stolen or hijacked credentials (the figures are cited below), so a single compromised identity can expose the entire environment. Identity-based security is therefore no longer optional. It is the foundation on which the rest of the network is built, and workforce identity security is its keystone. This article discusses the ways in which identity-centric security can be put into practice.

The Hybrid Reality: New Perimeter, New Threats 

Hybrid work has effectively drained the traditional network moat. Employees log in from the kitchen table, the corner coffee shop and personal devices, and they carry sensitive company data wherever they go. This has opened the door wide for attackers. IBM observes that attackers “are using identities to walk through the front door,” since credentials have become their primary entry point. Studies continue to show that around 80% of modern cyberattacks involve the exploitation of account credentials; one study states that in 2023, “84% of data breaches involved compromised credentials, costing organizations an average of $4.24 million each.”

Perimeter controls such as VPNs and firewalls do nothing to stop an attacker who holds legitimate credentials: to the gateway, the attacker looks exactly like the employee. This is the gap that ‘zero trust’ was conceived to close. As Microsoft describes it, zero trust means trusting no user or device by default: “We verify who the user is, and at the same time, we are keeping a constant eye on the security of our network, our data and our applications, no matter if they are in the office, working from home, or on the go.”

Every access attempt is verified, and never on the basis of where the user is connecting from. The decision rests on who the user is, the state of the device, and the risk signals present at that moment. In a hybrid environment, workforce identity security assumes that any login attempt could be an attack.

Core Principles of Identity-Centric Security 

An identity-centric approach flips the old model on its head: rather than protecting a network and trusting that only the right people get in, identity becomes the central point of control. The first step is a strong identity and access management (IAM) foundation: single sign-on (SSO) with modern federation (SAML, OAuth 2.0/OIDC) for authentication, directory synchronization (SCIM) for provisioning, and multi-factor or passwordless (FIDO2) authentication enforced through it. A compromised password alone is then not enough to get in, and phishing-resistant FIDO2 authenticators also defeat the real-time phishing of one-time codes.
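The federation step above is where most of the security-relevant checks live. The following is an added example, not code from the article or from any identity vendor, of the OIDC authorization-code flow as a relying party should implement it: PKCE, a per-session state and nonce, and full ID token validation (signature, alg, iss, aud, exp, nonce) before the identity is trusted. The issuer, client, secret and redirect URI are constructed; the token is HS256-signed with the client secret, which OIDC Core 10.1 permits (a production IdP would normally use RS256 with keys fetched from its JWKS endpoint); and the amr values treated as phishing-resistant are an assumption about the IdP. The in-process `idp_issue_id_token` stands in for the IdP so the exchange runs offline.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed relying-party and IdP settings; none of these are real endpoints.
ISSUER = "https://idp.example.com"
CLIENT_ID = "hybrid-workforce-app"
CLIENT_SECRET = "example-client-secret-do-not-use"   # HS256 key per OIDC Core 10.1 (example only)
REDIRECT_URI = "https://app.example.com/callback"
PHISHING_RESISTANT_AMR = {"hwk", "sc"}               # RFC 8176 amr values; which ones count is an assumption


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def start_login():
    """Build the authorization request with PKCE, state and nonce.
    The returned session dict must be stored server-side, bound to the browser session."""
    verifier = b64url(secrets.token_bytes(32))
    session = {
        "state": b64url(secrets.token_bytes(16)),   # binds the callback to this session (anti-CSRF)
        "nonce": b64url(secrets.token_bytes(16)),   # binds the ID token to this login (anti-replay)
        "code_verifier": verifier,                  # proves the code exchange is ours (PKCE)
    }
    params = {
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email", "state": session["state"], "nonce": session["nonce"],
        "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest()),
        "code_challenge_method": "S256",
    }
    return f"{ISSUER}/authorize?{urlencode(params)}", session


def handle_callback(callback_url: str, session: dict) -> str:
    """Verify state before touching the code; a mismatch means the response was not
    initiated by this session and must be dropped."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch")
    return query["code"][0]


def idp_issue_id_token(sub: str, nonce: str, amr, now: int) -> str:
    """Stand-in for the IdP token endpoint: mints an HS256-signed ID token (example only)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "sub": sub, "aud": CLIENT_ID, "iat": now, "exp": now + 300,
              "nonce": nonce, "amr": list(amr)}
    signing_input = f"{header}.{b64url(json.dumps(claims).encode())}"
    sig = hmac.new(CLIENT_SECRET.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def validate_id_token(token: str, session: dict, now: int, require_phishing_resistant=False) -> dict:
    """Check signature, alg, iss, aud, exp and nonce; optionally insist on a
    phishing-resistant authenticator via the amr claim. Returns the verified claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")       # never honour alg=none or a downgraded alg
    expected = hmac.new(CLIENT_SECRET.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if not (aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != session["nonce"]:
        raise ValueError("nonce mismatch (replayed token)")
    if require_phishing_resistant and not (set(claims.get("amr", [])) & PHISHING_RESISTANT_AMR):
        raise ValueError("authentication not phishing-resistant")
    return claims


if __name__ == "__main__":
    url, sess = start_login()
    code = handle_callback(f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={sess['state']}", sess)
    now = int(time.time())
    token = idp_issue_id_token("alice@example.com", sess["nonce"], ["pwd", "hwk"], now)
    print(validate_id_token(token, sess, now, require_phishing_resistant=True)["sub"])
```

The order of checks matters: signature and alg are verified before any claim is read, the nonce ties the token to the login that requested it, and the amr check is how an application can refuse a session that was established with a password and a phishable one-time code even though the IdP accepted it.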

Least privilege and governance are just as important. Each person should hold only the access their job requires. That calls for automating the joiner-mover-leaver (JML) process, so that access is granted and revoked as roles change, together with periodic access reviews. The IDSA identifies one of the weak links in the chain: breaches often result from identities fragmented across many isolated accounts and permissions, where an attacker needs only one weak point to reach the whole resource.

A strict identity security policy consolidates those fragmented identities under IAM and SSO, eliminating orphaned accounts and privilege creep. Another critical aspect is the security of non-human identities (service accounts, API keys, automation credentials). Attackers frequently abuse non-human identities for lateral movement; as one expert points out, a single compromised non-human identity can hand attackers the keys to the entire environment.

A firm should extend workforce identity security to every identity under its management: rotating service credentials, managing certificates (PKI), and holding automated processes and devices to the same vigilance as users, with monitoring and least privilege applied universally. The bottom line is that a robust identity security model means continuous verification of all users and devices, MFA, least privilege and the closing of identity gaps throughout the hybrid environment. That is the zero-trust approach: no one inside the corporate network is trusted by default; every principal must prove who it is and what it is authorized to do.

Practical Strategies and Best Practices 

Security professionals can strengthen workforce identity security with the following best practices:

  • Centralize and Simplify Logins: Implement IAM with SSO and federation for both cloud and on-prem apps. This greatly reduces password fatigue, simplifies policy enforcement and makes controls such as MFA easier to apply everywhere. One login through Okta or Microsoft Entra ID (Azure AD) with MFA can replace dozens of individual application logins, and centralization also simplifies deprovisioning and policy standardization. Just remember that the central SSO service is now a high-value target and must itself be hardened accordingly.
     
  • Enforce Multi-Factor and Adaptive Authentication: Require at least two factors for all users, with stricter requirements for administrators. Implement adaptive MFA, which requests an additional factor based on the riskiness of the login attempt. Phishing-resistant MFA, such as FIDO2 with hardware keys or platform biometrics, is especially strong; studies have shown that moving to passwordless or phishing-resistant MFA significantly reduces account takeover. Continuous authentication goes further, silently re-evaluating a session on behavioral signals and re-authenticating the user when the risk changes.
     
  • Implement Identity Governance: Put in place the tools and processes to manage the identity and access life cycle. Automate provisioning and deprovisioning (via SCIM or HR-driven workflows) so that access always matches the user’s current role, and disable inactive accounts on a schedule. The IDSA states, “account sprawl, or the lack of identity and access management, is a significant and growing risk to an organization.” Sprawl creates unknown risk that grows the longer it is left unaddressed; retiring unused accounts and consolidating duplicate identities addresses it. A privileged access management (PAM) solution can vault and manage administrator credentials and limit the window during which an administrator holds elevated rights.
     
  • Monitor and Respond to Identity Threats: Use identity threat detection and response (ITDR) products or processes to monitor identities for suspicious behavior: unusual login activity, brute-force (including password-spray) attempts, phishing and lateral movement between accounts. Attack path analysis shows how a breach of a low-privilege account could be escalated. IBM suggests combining monitoring with AI and automation to score identities for risk and contain attacks automatically, for example when credentials turn up on the dark web or a suspicious login is attempted.
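The continuous-verification rule from the zero-trust section (every attempt judged on who the user is, the device state and the risk present, never on location) and the adaptive MFA bullet above are the same mechanism seen from two sides. The following is an added example, not code from the article or from any product, of a small access-decision engine that applies them: entitlement is checked first (least privilege), then device posture, then an additive risk score that can escalate the required authentication strength or deny outright. The application policy, the risk weights and the set of methods treated as phishing-resistant are all constructed for the example; note that the request has no "on the corporate network" field at all.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed per-application policy: who is entitled (least privilege) and the minimum
# authentication strength. Nothing here keys on network location, by design.
APP_POLICY = {
    "crm": {"groups": {"sales", "admins"}, "min_auth": "mfa", "managed_device": False},
    "admin-console": {"groups": {"admins"}, "min_auth": "phishing-resistant", "managed_device": True},
}
PHISHING_RESISTANT = {"fido2", "passkey", "x509"}
SECOND_FACTORS = {"totp", "push", "sms"} | PHISHING_RESISTANT
RANK = {"single-factor": 0, "mfa": 1, "phishing-resistant": 2}


@dataclass
class AccessRequest:
    user: str
    groups: Set[str]
    app: str
    auth_methods: Set[str]       # methods completed so far, e.g. {"pwd", "totp"}
    device_managed: bool
    device_compliant: bool
    ip_reputation: str           # "clean" | "tor" | "known-bad"
    country: str
    last_country: Optional[str]
    hours_since_last_seen: float
    failed_logins_last_hour: int


def auth_strength(methods: Set[str]) -> str:
    if methods & PHISHING_RESISTANT:
        return "phishing-resistant"
    if "pwd" in methods and methods & SECOND_FACTORS:
        return "mfa"
    return "single-factor"


def risk_score(req: AccessRequest) -> Tuple[int, List[str]]:
    """Additive risk signals; the weights are illustrative, not taken from any product."""
    signals = [
        (req.ip_reputation == "known-bad", 60, "known-bad source IP"),
        (req.ip_reputation == "tor", 30, "anonymizing network"),
        (not req.device_managed, 25, "unmanaged device"),
        (req.device_managed and not req.device_compliant, 15, "device out of compliance"),
        (bool(req.last_country) and req.country != req.last_country and req.hours_since_last_seen < 12,
         30, "impossible travel"),
        (req.failed_logins_last_hour >= 5, 20, "recent failed logins"),
    ]
    hits = [(weight, why) for cond, weight, why in signals if cond]
    return sum(weight for weight, _ in hits), [why for _, why in hits]


def decide(req: AccessRequest) -> Tuple[str, List[str]]:
    """Return ("allow" | "step-up" | "deny", reasons). Every request is evaluated on identity,
    device state and risk; there is no field for "on the office LAN" to be trusted."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return "deny", ["unknown application"]
    if not (req.groups & policy["groups"]):
        return "deny", ["not entitled to application"]          # entitlement before anything else
    if policy["managed_device"] and not (req.device_managed and req.device_compliant):
        return "deny", ["application requires a compliant managed device"]
    score, reasons = risk_score(req)
    if score >= 70:
        return "deny", [f"risk {score} exceeds hard limit"] + reasons
    required = policy["min_auth"]
    if score >= 30 and RANK[required] < RANK["phishing-resistant"]:
        required = "phishing-resistant"                          # adaptive step-up on elevated risk
        reasons.append(f"risk {score}: stepping up")
    if RANK[auth_strength(req.auth_methods)] < RANK[required]:
        return "step-up", [f"require {required}"] + reasons
    return "allow", reasons


def sample_requests():
    """Constructed requests covering the normal case, risky travel, admin access and stolen credentials."""
    base = dict(groups={"sales"}, app="crm", auth_methods={"pwd", "totp"}, device_managed=True,
                device_compliant=True, ip_reputation="clean", country="US", last_country="US",
                hours_since_last_seen=5.0, failed_logins_last_hour=0)
    return {
        "alice_normal": AccessRequest(user="alice", **base),
        "alice_tor_travel": AccessRequest(user="alice", **{**base, "ip_reputation": "tor",
                                                          "country": "DE", "hours_since_last_seen": 2.0}),
        "bob_admin_otp": AccessRequest(user="bob", **{**base, "groups": {"admins"}, "app": "admin-console"}),
        "bob_admin_fido": AccessRequest(user="bob", **{**base, "groups": {"admins"}, "app": "admin-console",
                                                       "auth_methods": {"pwd", "fido2"}}),
        "stolen_password": AccessRequest(user="alice", **{**base, "auth_methods": {"pwd"}, "device_managed": False,
                                                           "device_compliant": False, "ip_reputation": "known-bad"}),
        "eve_not_entitled": AccessRequest(user="eve", **{**base, "groups": {"marketing"}}),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(f"{name:18} -> {decide(req)}")
```

Two design points are worth carrying into a real policy engine: entitlement is evaluated before risk, so an unentitled user is denied without leaking whether their credentials were right, and the step-up path returns which strength is required rather than a bare failure, which is what lets the IdP prompt for a FIDO2 touch instead of locking the user out.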
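The joiner-mover-leaver automation described under the core principles and again in the governance bullet above is, in practice, a reconciliation job: diff the HR system of record against the identity provider and emit the provisioning changes as SCIM 2.0 requests. The following is an added example of that job, not code from the article or from any IGA vendor. The role-to-group mapping, the HR roster and the IdP directory are constructed; group display names stand in for SCIM Group ids (a real implementation would look the id up first); and the dormant-account threshold of 90 days is an assumption. The example also catches the two conditions the article warns about, orphaned accounts with no owner in HR and long-inactive accounts, and disables them rather than leaving them for an attacker.

```python
from collections import Counter
from datetime import date

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed role model: the groups each department is entitled to, and nothing else.
ROLE_GROUPS = {
    "sales": {"crm-users"},
    "finance": {"erp-users", "payroll-readonly"},
    "it": {"admins-eligible"},
}

# Constructed HR roster (system of record) and IdP directory (SCIM-shaped). Not real data.
HR_ROSTER = [
    {"employee_id": "E100", "email": "alice@example.com", "dept": "sales", "status": "active"},
    {"employee_id": "E101", "email": "bob@example.com", "dept": "finance", "status": "active"},
    {"employee_id": "E102", "email": "carol@example.com", "dept": "it", "status": "active"},
    {"employee_id": "E103", "email": "dave@example.com", "dept": "sales", "status": "terminated"},
    {"employee_id": "E104", "email": "erin@example.com", "dept": "sales", "status": "active"},
]
IDP_USERS = [
    {"id": "u-1", "userName": "alice@example.com", "externalId": "E100", "active": True, "groups": ["crm-users"], "lastLogin": "2026-03-10"},
    {"id": "u-2", "userName": "bob@example.com", "externalId": "E101", "active": True, "groups": ["crm-users"], "lastLogin": "2026-03-01"},
    {"id": "u-3", "userName": "dave@example.com", "externalId": "E103", "active": True, "groups": ["crm-users"], "lastLogin": "2026-02-20"},
    {"id": "u-4", "userName": "erin@example.com", "externalId": "E104", "active": True, "groups": ["crm-users"], "lastLogin": "2025-11-01"},
    {"id": "u-5", "userName": "svc-legacy-sync", "externalId": None, "active": True, "groups": ["admins-eligible"], "lastLogin": "2026-03-18"},
    {"id": "u-6", "userName": "frank@example.com", "externalId": "E999", "active": True, "groups": [], "lastLogin": "2026-03-15"},
]


def scim_create_user(person):
    return {"method": "POST", "path": "/Users",
            "body": {"schemas": [SCIM_USER], "userName": person["email"],
                     "externalId": person["employee_id"], "active": True}}


def scim_deactivate(user_id):
    return {"method": "PATCH", "path": f"/Users/{user_id}",
            "body": {"schemas": [SCIM_PATCH],
                     "Operations": [{"op": "replace", "path": "active", "value": False}]}}


def scim_group_patch(group, op, user_id):
    """RFC 7644 3.5.2: membership is edited on the Group resource; the User's 'groups'
    attribute is read-only. Group display names stand in for Group ids here (assumption)."""
    if op == "add":
        operation = {"op": "add", "path": "members", "value": [{"value": user_id}]}
    else:
        operation = {"op": "remove", "path": f'members[value eq "{user_id}"]'}
    return {"method": "PATCH", "path": f"/Groups/{group}",
            "body": {"schemas": [SCIM_PATCH], "Operations": [operation]}}


def reconcile(hr, idp, today_iso, dormant_days=90):
    """Diff HR (source of truth) against the IdP and emit JML actions as SCIM requests."""
    today = date.fromisoformat(today_iso)
    actions = []
    by_ext = {u["externalId"]: u for u in idp if u.get("externalId")}
    hr_ids = {p["employee_id"] for p in hr}
    for p in hr:
        u = by_ext.get(p["employee_id"])
        desired = ROLE_GROUPS.get(p["dept"], set())
        if p["status"] != "active":                      # leaver: revoke the day HR says so
            if u and u["active"]:
                actions.append({"kind": "leaver", "user": p["email"], "requests": [scim_deactivate(u["id"])]})
            continue
        if u is None:                                    # joiner: create, then entitle by role only
            reqs = [scim_create_user(p)] + [scim_group_patch(g, "add", "{id-from-POST-response}") for g in sorted(desired)]
            actions.append({"kind": "joiner", "user": p["email"], "requests": reqs})
            continue
        current = set(u.get("groups", []))
        if current != desired:                           # mover: converge on the new role, drop the old
            reqs = [scim_group_patch(g, "add", u["id"]) for g in sorted(desired - current)]
            reqs += [scim_group_patch(g, "remove", u["id"]) for g in sorted(current - desired)]
            actions.append({"kind": "mover", "user": p["email"], "requests": reqs})
        last = date.fromisoformat(u["lastLogin"]) if u.get("lastLogin") else None
        if u["active"] and (last is None or (today - last).days > dormant_days):
            actions.append({"kind": "dormant", "user": p["email"], "requests": [scim_deactivate(u["id"])]})
    for u in idp:                                        # orphan: nobody in HR owns this account
        if u["active"] and u.get("externalId") not in hr_ids:
            actions.append({"kind": "orphan", "user": u["userName"], "requests": [scim_deactivate(u["id"])]})
    return actions


def summarize(actions):
    return dict(Counter(a["kind"] for a in actions))


if __name__ == "__main__":
    for a in reconcile(HR_ROSTER, IDP_USERS, "2026-03-19"):
        print(a["kind"], a["user"], [f'{r["method"]} {r["path"]}' for r in a["requests"]])
```

Running it on the constructed data produces one joiner (carol), one mover (bob loses crm-users and gains the finance groups, which is where privilege creep is stopped), one leaver (dave), one dormant account (erin) and two orphans (a legacy service account with no external id, and frank, whose employee id HR no longer knows). The mover case is the one most often done half-way in practice: granting the new role without removing the old one.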

Technology Enablers 

Technology tools are the foundation of a good identity security strategy. Here are some of the commonly used technology tools: 

  • Cloud Identity Providers: Microsoft Entra ID (formerly Azure AD), Okta, Ping Identity and Google Identity are some of the commonly used cloud-based IAM solutions, offering SSO, MFA and conditional access. Identity-as-a-service (IDaaS) solutions such as these support SAML, OAuth2 and OIDC for integration with thousands of SaaS applications. For instance, administrators can require device compliance for access to email and CRM applications. 
  • Zero Trust Network Access (ZTNA): ZTNA solutions, often delivered as part of a SASE platform, connect users to specific applications rather than to the whole network; access is decided by identity and device posture rather than network location. 
  • Privileged Access Management and Identity Governance & Administration (IGA): CyberArk, BeyondTrust, SailPoint and Saviynt are some of the PAM and IGA solutions commonly used for identity security. They help organizations discover all identities and enforce policies such as JML workflows, and they lock down superuser accounts with just-in-time elevation and session monitoring. 
  • Multi-Factor and Passwordless Technologies: MFA for the entire workforce is necessary. New passwordless technologies, such as FIDO2 tokens and platform biometrics, are less vulnerable to credential theft. Companies are increasingly using passkeys and identity wallets to improve security and user experience. 
  • Identity Analytics and Deception: Advanced identity analytics platforms use ML to model normal user behavior and flag deviations. Some companies also use deception: planted credentials or ‘honey accounts’ that no legitimate process should ever touch, so any use of them raises an alert that someone has found what they should not have. 
  • Cross-Domain Identity Solutions: Identity verification is not just about passwords. Some companies are using global eID and credential-issuing solutions such as Entrust or Thales that allow employees to present digital identity cards or mobile credentials in all situations, linking real-world identity to digital identity. 
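The ITDR bullet in the best-practices list and the analytics and deception bullet above both come down to detection logic run over authentication events. The following is an added example, not code from the article or from any ITDR product, of three such detections over a constructed JSON-lines authentication log: password spraying (one source, many accounts, failures in a short window), impossible travel (one user, two countries, too close in time) and a honey account (any touch of a decoy identity), rolled up into a per-identity risk score of the kind IBM describes using to prioritise containment. The log lines, the IP-prefix-to-country table, the decoy account name, the thresholds and the weights are all constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of authentication events (JSON lines); not real log data.
SAMPLE_LOG = """\
{"ts": "2026-03-19T08:00:00Z", "user": "alice", "src_ip": "203.0.113.10", "result": "success", "target": "vpn"}
{"ts": "2026-03-19T08:01:00Z", "user": "bob", "src_ip": "192.0.2.5", "result": "failure", "target": "m365"}
{"ts": "2026-03-19T08:01:20Z", "user": "carol", "src_ip": "192.0.2.5", "result": "failure", "target": "m365"}
{"ts": "2026-03-19T08:01:40Z", "user": "dave", "src_ip": "192.0.2.5", "result": "failure", "target": "m365"}
{"ts": "2026-03-19T08:02:00Z", "user": "erin", "src_ip": "192.0.2.5", "result": "failure", "target": "m365"}
{"ts": "2026-03-19T08:02:20Z", "user": "svc-backup-admin", "src_ip": "192.0.2.5", "result": "failure", "target": "m365"}
{"ts": "2026-03-19T08:02:40Z", "user": "frank", "src_ip": "192.0.2.5", "result": "failure", "target": "m365"}
{"ts": "2026-03-19T08:30:00Z", "user": "bob", "src_ip": "203.0.113.22", "result": "failure", "target": "vpn"}
{"ts": "2026-03-19T08:30:30Z", "user": "bob", "src_ip": "203.0.113.22", "result": "success", "target": "vpn"}
{"ts": "2026-03-19T08:40:00Z", "user": "alice", "src_ip": "198.51.100.7", "result": "success", "target": "m365"}
"""

HONEY_ACCOUNTS = {"svc-backup-admin"}   # decoy identity; no legitimate process ever authenticates as it
GEO = {"203.0.113.": "US", "198.51.100.": "DE", "192.0.2.": "RU"}   # constructed IP-prefix-to-country table
WEIGHTS = {"password_spray": 20, "impossible_travel": 50, "honey_account": 80}   # illustrative weights


def country(ip):
    return next((cc for prefix, cc in GEO.items() if ip.startswith(prefix)), "??")


def parse(log_text):
    events = []
    for line in log_text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, window_s=600, min_users=5):
    """One source failing against many distinct accounts in a short window. A single user
    mistyping a password from one IP (bob at 08:30) never trips this rule."""
    alerts = []
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["src_ip"]].append(e)
    for ip, fails in failures.items():
        for i, first in enumerate(fails):
            users = {f["user"] for f in fails[i:] if (f["ts"] - first["ts"]).total_seconds() <= window_s}
            if len(users) >= min_users:
                alerts.append({"rule": "password_spray", "src_ip": ip, "users": sorted(users)})
                break
    return alerts


def detect_impossible_travel(events, max_minutes=60):
    """Successful logins for one user from two countries closer in time than travel allows."""
    alerts, last_seen = [], {}
    for e in events:
        if e["result"] != "success":
            continue
        cc, prev = country(e["src_ip"]), last_seen.get(e["user"])
        if prev and prev[1] != cc and (e["ts"] - prev[0]).total_seconds() < max_minutes * 60:
            alerts.append({"rule": "impossible_travel", "user": e["user"], "from": prev[1], "to": cc})
        last_seen[e["user"]] = (e["ts"], cc)
    return alerts


def detect_honey_account(events):
    """Any authentication attempt against a decoy account is an alert, success or not."""
    return [{"rule": "honey_account", "user": e["user"], "src_ip": e["src_ip"]}
            for e in events if e["user"] in HONEY_ACCOUNTS]


def score_identities(alerts):
    """Roll alerts up per identity so containment (forced re-auth, session revocation,
    credential reset) can be prioritised by risk rather than by alert volume."""
    scores = defaultdict(int)
    for a in alerts:
        for user in a.get("users", [a.get("user")]):
            scores[user] += WEIGHTS[a["rule"]]
    return dict(scores)


def analyze(log_text):
    events = parse(log_text)
    alerts = detect_password_spray(events) + detect_impossible_travel(events) + detect_honey_account(events)
    return alerts, score_identities(alerts)


if __name__ == "__main__":
    found, risk = analyze(SAMPLE_LOG)
    for a in found:
        print(a)
    print(sorted(risk.items(), key=lambda kv: -kv[1]))
```

On the sample log the spray from 192.0.2.5 touches six accounts including the decoy, which is what makes the honey account valuable: it turns a noisy volumetric signal into a high-confidence one. Alice's two successful logins 40 minutes apart from the US and Germany are the classic post-compromise signal that no firewall rule would have seen, because both logins used valid credentials.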

A solid foundation of identity technologies enables the security team to adopt the identity-centric model. No single technology is the answer, however: the model also needs supporting policies, such as access reviews and incident response, and all stakeholders need to be trained on it. 

Identity as the New Security Perimeter in the Hybrid Era 

Identity is the lifeblood of security in the modern world. With hybrid work and cloud-based collaboration, an identity-centric approach is no longer a choice; it is a requirement. Organizations that put workforce identity at the center of their security gain both protection and agility. As one expert puts it, “The future of cybersecurity is identity-centric.” 

If you are holding on too tightly to outdated notions of security perimeters, you are doing yourself a great disservice. According to Security Boulevard, “The age of identity-centric security has arrived. Those who cling to perimeter-based security models will find themselves increasingly vulnerable in a world where identity is everything.” 

The benefits of an identity-centric approach are clear. Businesses that focus on identity verification and security are seeing a clear ROI in reduced fraud and fewer successful breaches. In a hybrid environment, identity security is no longer a technical nicety; it is a business requirement. Security professionals who think identity-first will not only keep their businesses safe from current threats but will also be ready for the threats that follow. 

Source: https://securityboulevard.com/2026/03/identity-centric-security-strategies-for-hybrid-workforces/