Identity-First Security Strategy for Modern IT

In the old days (circa 2015), security was like a castle. We built a big wall (the Firewall), dug a moat (the DMZ), and trusted everyone inside.

Today, the castle is gone. Your users are at home, in coffee shops, or on trains. Your servers are in AWS, Azure, and Google Cloud. Your applications are SaaS.

The network perimeter has not just eroded - it has evaporated. In this world, Identity is the new perimeter.

This article provides a comprehensive guide to identity-first security strategy - from understanding the threat landscape to implementing a mature identity programme that protects your organisation against modern attacks.

---

Why Network-Centric Security Failed

The traditional security model assumed a clear boundary between "inside" (trusted) and "outside" (untrusted). Firewalls, intrusion detection systems, and network segmentation were designed to defend that boundary.

Three fundamental shifts have rendered this model obsolete:

1. The workforce went everywhere. Remote work, hybrid arrangements, and mobile devices mean users access corporate resources from networks you do not control. The "inside" no longer exists in any meaningful sense.

2. Applications moved to the cloud. SaaS adoption means your critical business applications - CRM, HR, finance, collaboration - live outside your network. The data you are trying to protect is not inside your perimeter.

3. Attackers learned to steal credentials. Why break through a firewall when you can phish a password and walk through the front door? Over 80% of breaches now involve compromised credentials, according to Verizon's Data Breach Investigations Report.

As I explore in the Cyber Resilience series, modern security strategy must assume the network is already compromised and focus on what attackers actually target: identities.

The Core Concept: Identity First Security

Identity First Security shifts the focus from "Where are you coming from?" (network) to "Who are you and what are you allowed to do?" (identity).

If an attacker steals a valid credential, firewalls are useless. The attacker is the user. This is why the vast majority of modern breaches involve compromised identities, not smashed firewalls.

The strategic implication is clear: investment should follow risk. If identity compromise is your primary threat vector, identity protection should be your primary investment.

Identity First Security is not just a technical change - it is a philosophical shift in how organisations think about trust, access, and risk.

---

The Five Pillars of Identity Security

Building a robust identity security programme requires maturity across five interconnected domains. Weakness in any pillar creates vulnerabilities that attackers will exploit.

Pillar 1: Authentication - Proving Identity

Authentication answers the question: "Are you who you claim to be?" The strength of your authentication directly determines your exposure to credential-based attacks.

The Authentication Spectrum

Not all authentication is created equal. Understanding the hierarchy is essential for risk-based decisions:

Multi-Factor Authentication: Getting It Right

MFA is non-negotiable for any internet-facing system in 2026. But implementation details matter enormously.

The MFA fatigue problem. Attackers discovered that if they spam authentication requests, exhausted or distracted users will eventually approve one. Microsoft reported a 100% increase in MFA fatigue attacks in 2024. Mitigations include:

• Number matching (user must enter a code shown on the login screen)
• Location and risk context display
• Rate limiting on authentication attempts
• Anomaly detection on approval patterns

The SMS vulnerability. SIM swapping attacks - where attackers convince mobile carriers to transfer a phone number - render SMS-based MFA nearly useless against determined adversaries. High-value targets (executives, IT administrators, finance personnel) should never rely on SMS for authentication.

The enrolment challenge. MFA that users cannot set up is MFA that does not get deployed. Invest in clear onboarding processes, help desk training, and self-service recovery options. The goal is 100% coverage, not just 100% mandate.

The Passwordless Future

Passwords are fundamentally broken. Users choose weak passwords, reuse them across services, and fall for phishing attacks that steal them. The password itself is the problem.

Passkeys - built on FIDO2/WebAuthn standards - eliminate passwords entirely. They use public key cryptography tied to biometrics or device PINs. The private key never leaves the device, cannot be phished, and cannot be reused across services.

Benefits of passwordless:

• Phishing immunity. No credential to steal.
• Better user experience. No passwords to remember or type.
• Reduced help desk costs. Password resets are a significant IT burden.
• Compliance simplification. Stronger authentication with simpler user experience.

Passwordless implementation considerations:

• Platform support (Windows Hello, Apple Touch/Face ID, Android biometrics)
• Recovery mechanisms when devices are lost
• Backup authentication for shared devices
• Legacy application compatibility

The transition to passwordless is a multi-year journey for most organisations, but every new application should be passwordless by default.

Pillar 2: Authorisation - Controlling Access

Authentication proves identity. Authorisation determines what that identity can do. Poor authorisation leads to over-privileged users - the primary enabler of lateral movement and privilege escalation attacks.

The Principle of Least Privilege

Users should have the minimum access necessary to perform their job function - nothing more. This principle is simple to state and difficult to implement.

Why least privilege fails in practice:

• Access accumulates over time as roles change
• Managers approve requests without understanding implications
• "Just in case" access persists indefinitely
• System complexity obscures actual permissions
• No regular review or recertification process

Implementing effective least privilege:

1. Role-based access control (RBAC). Define standard roles aligned to job functions. Users receive role membership, not individual permissions.

2. Access certification. Regular (quarterly or semi-annual) reviews where managers certify that their team members still need their current access.

3. Access analytics. Monitor for unused permissions and automatically flag or revoke access that has not been exercised.

4. Segregation of duties. Ensure conflicting permissions (e.g., creating vendors and approving payments) cannot exist in the same identity.

Just-In-Time Access: Eliminating Standing Privilege

Why does your administrator have Domain Admin rights 24/7? They need elevated access for perhaps 10 minutes per day.

Just-In-Time (JIT) access grants elevated privileges only when needed, for a specific duration, with specific approval. When the task is complete (or the time expires), access automatically revokes.

JIT implementation approaches:

• Privileged Access Management (PAM) tools. Solutions like CyberArk, BeyondTrust, or Delinea provide JIT access with session recording and approval workflows.

• Cloud-native JIT. Azure AD Privileged Identity Management (PIM), AWS IAM Access Analyzer, and Google Cloud IAM Recommender offer native just-in-time capabilities.

• Service account governance. Non-human identities (service accounts, API keys) also benefit from JIT principles - rotate credentials frequently and limit scope.

Pillar 3: Federation - Centralising Identity

Single Sign-On (SSO) is not merely a convenience feature - it is a security control. It creates a single point for access control and a single point for logging and auditing.

The Security Benefits of Federation

Centralised enforcement. Security policies (MFA requirements, conditional access, session timeouts) apply consistently across all federated applications.

Simplified offboarding. When someone leaves, you disable one account, and they lose access to everything. No hunting through individual applications. No forgotten SaaS accounts providing lingering access.

Comprehensive visibility. All authentication events flow through your identity provider, creating complete audit trails. Shadow access - users with accounts you do not know about - becomes visible.

Reduced credential sprawl. Fewer passwords means fewer opportunities for password reuse, phishing, and credential stuffing attacks.

SSO Implementation Strategy

Phase 1: Core applications. Start with the applications everyone uses - email, collaboration, file storage. These create the muscle memory for SSO usage.

Phase 2: Business-critical systems. Extend to CRM, ERP, HR systems, and finance applications. These contain sensitive data and require strong access governance.

Phase 3: Long tail applications. Address the dozens or hundreds of departmental SaaS tools. This is where shadow IT becomes visible.

Phase 4: Legacy applications. Use identity-aware proxies or SAML/OIDC gateways to bring legacy systems into your identity fabric.

SSO does not mean SSO-only. Federation centralises authentication but should not weaken it. Federated applications should still require MFA through your identity provider, and high-sensitivity applications may require step-up authentication.

Pillar 4: Governance - Managing the Lifecycle

Identity Governance and Administration (IGA) manages the full lifecycle of identities - from onboarding through role changes to offboarding.

The Identity Lifecycle

Access Certification Programmes

Regular access reviews are essential but often implemented poorly. Managers rubber-stamp certifications without reviewing, creating compliance theatre rather than actual security.

Effective certification design:

• Risk-based scope. Focus reviews on sensitive applications and elevated privileges. Not every application needs quarterly certification.

• Meaningful information. Provide managers with context: What does this access allow? When was it last used? Who else has this access?

• Reasonable volume. If managers face hundreds of certifications, they will rubber-stamp. Keep certification campaigns manageable.

• Consequence for non-response. Access that is not certified should be automatically revoked, not carried forward.

• Continuous certification. Supplement periodic campaigns with continuous monitoring and triggered reviews when anomalies occur.

Pillar 5: Visibility - Detecting and Responding

Identity systems generate rich telemetry about user behaviour. This data is essential for detecting compromised accounts and insider threats.

Identity-Based Detection

Traditional security monitoring focuses on network traffic and endpoint behaviour. Identity-based detection adds crucial context:

Impossible travel. Authentication from London followed by authentication from Tokyo an hour later indicates credential compromise.

Anomalous access patterns. A marketing user suddenly accessing source code repositories suggests compromised credentials or insider threat.

Authentication anomalies. Spike in failed authentications, successful authentication from a new device or location, authentication at unusual times.

Privilege escalation. Unexpected changes to group membership or role assignments.

Security Information Integration

Identity telemetry should flow to your security operations:

• Forward authentication logs to your SIEM
• Integrate with SOAR for automated response
• Include identity context in threat hunting
• Correlate identity events with endpoint and network data

The goal is a unified view where identity is one dimension of your security monitoring, not a siloed system.

---

The Identity Security Maturity Model

Not every organisation starts from the same place. Understanding your current maturity helps prioritise investments and set realistic expectations.

Most organisations fall between levels 2 and 3. Reaching level 4 should be the target for 2026 - level 5 represents the leading edge of identity security practice.

---

Identity Security Assessment Checklist

Use this checklist to evaluate your current identity security posture:

Authentication Assessment

• MFA is mandatory for all external access (no exceptions)
• Phishing-resistant MFA (FIDO2/passkeys) available for all users
• Phishing-resistant MFA mandatory for privileged accounts
• MFA fatigue protections in place (number matching, rate limiting)
• SMS-based MFA eliminated for high-value accounts
• Passwordless authentication available and promoted
• Password policies enforce length over complexity
• Breached password detection enabled
• Self-service MFA recovery does not create bypass vulnerability
• Guest and contractor authentication follows same standards

Authorisation Assessment

• Role-based access control implemented for major systems
• Standard roles defined and documented
• No shared accounts for production access
• Privileged access requires approval and is time-limited
• Just-in-time access implemented for administrative privileges
• Service accounts have documented owners
• Service account credentials rotate regularly
• API keys and secrets managed centrally
• Segregation of duties enforced for sensitive functions
• Emergency access (break-glass) procedures documented and monitored

Federation Assessment

• SSO implemented for all supported applications
• SSO applications catalogue maintained
• Non-federated applications tracked and justified
• Conditional access policies enforce security requirements
• Session timeouts appropriate for sensitivity
• Federation trust relationships reviewed periodically
• External identity federation (B2B) follows security standards
• Consumer identity (B2C) segregated from corporate

Governance Assessment

• Automated provisioning for major systems
• Automated deprovisioning within 24 hours of termination
• Access certification conducted at least annually
• Access certification includes usage information
• Orphaned accounts identified and removed
• Role explosion controlled (not too many roles)
• Access request workflows exist with approval
• Segregation of duties violations prevented or detected
• Identity governance reporting available to stakeholders
• Compliance reporting automated

Visibility Assessment

• Authentication events logged centrally
• Authorisation events logged centrally
• Administrative actions logged and monitored
• Impossible travel detection enabled
• Anomalous access behaviour alerting configured
• Failed authentication monitoring and response
• Privilege escalation alerting enabled
• Identity events integrated with SIEM
• Incident response playbooks include identity scenarios
• Identity forensics capability exists

---

The Identity Tool Landscape

The identity security market includes many overlapping categories. Understanding the landscape helps with vendor selection and architecture decisions.

Platform consolidation trend. Major vendors are expanding across categories. Microsoft Entra now includes governance, PAM, and workload identity. Okta has expanded into governance and ITDR. This consolidation can simplify architecture but may mean accepting "good enough" capabilities versus best-of-breed.

Build versus buy considerations. For most organisations, buying is the right answer. Identity is a solved problem - the value is in implementation, not invention. Custom identity systems create technical debt and security risk.

---

Implementation Roadmap: 90 Days to Identity First Security

Transforming your identity security posture is a journey. This roadmap provides a practical path from assessment to operational maturity.

Phase 1: Foundation (Days 1-30)

The first month establishes understanding and addresses critical gaps.

Week 1: Assessment and Quick Wins

Objectives:

• Understand current identity security posture
• Identify and address critical vulnerabilities
• Establish executive sponsorship

Activities:

• Complete the Identity Security Assessment Checklist
• Identify systems without MFA and create remediation plan
• Audit privileged accounts and eliminate unnecessary standing privilege
• Review recent offboarding - confirm access actually revoked
• Brief leadership on findings and roadmap

Quick wins to implement:

• Enable MFA for any remaining gaps
• Disable or reset inactive accounts
• Implement emergency MFA bypass procedures
• Enable breach password detection

Deliverables:

• Assessment scorecard
• Critical gaps prioritised
• Executive sponsor confirmed

Week 2: Architecture and Vendor Strategy

Objectives:

• Define target identity architecture
• Evaluate vendor landscape
• Plan integration approach

Activities:

• Map current identity tools and capabilities
• Identify architectural gaps
• Evaluate vendor options for gaps
• Plan phased implementation approach
• Assess cloud identity posture (Azure AD, AWS IAM, GCP IAM)

Deliverables:

• Current state architecture diagram
• Target state architecture diagram
• Vendor shortlist with evaluation criteria

Week 3: Policy and Process Foundation

Objectives:

• Establish identity security policies
• Define governance processes
• Create operational procedures

Policy development:

• Authentication policy (MFA requirements, password standards)
• Authorisation policy (least privilege, approval requirements)
• Access certification policy (frequency, scope, consequences)
• Privileged access policy (JIT requirements, monitoring)
• Incident response procedures for identity compromise

Process establishment:

• Access request workflow
• Certification process
• Privileged access request process
• Offboarding checklist

Deliverables:

• Policy documents drafted
• Process workflows documented
• RACI matrix for identity operations

Week 4: Critical Controls Implementation

Objectives:

• Implement highest-priority controls
• Establish monitoring baseline
• Prepare for Phase 2

Implementation activities:

• Deploy phishing-resistant MFA for all privileged accounts
• Enable conditional access for high-risk scenarios
• Configure authentication logging and alerting
• Implement privileged session monitoring
• Establish access review process for privileged accounts

Deliverables:

• Privileged account MFA at 100%
• Monitoring baseline established
• Phase 2 plan approved

Phase 1 Checkpoint

Before proceeding, confirm:

• Assessment complete with prioritised gaps
• Executive sponsorship confirmed
• Target architecture defined
• Policies drafted and reviewed
• MFA gaps closed
• Privileged access controls enhanced
• Monitoring and alerting operational
• Phase 2 resourced and approved

Phase 2: Capability Building (Days 31-60)

The second month builds core identity capabilities.

Week 5: SSO Expansion

Objectives:

• Extend SSO coverage
• Eliminate password sprawl
• Improve visibility

Activities:

• Inventory all applications and current SSO status
• Prioritise applications for SSO integration
• Configure SSO for priority applications
• Establish process for new application SSO requirements
• Track and justify non-federated applications

Deliverables:

• Application inventory with SSO status
• SSO coverage increased by target percentage
• Non-federated application exceptions documented

Week 6: Access Governance Implementation

Objectives:

• Implement access certification
• Establish lifecycle automation
• Address access accumulation

Activities:

• Configure IGA platform (or manual process if no platform)
• Define certification campaigns and scope
• Launch initial certification for high-risk applications
• Implement automated provisioning for core systems
• Implement automated deprovisioning on termination

Deliverables:

• First certification campaign launched
• Automated provisioning operational
• Automated deprovisioning verified

Week 7: Privileged Access Programme

Objectives:

• Implement JIT access for privileged operations
• Establish privileged account governance
• Enable session monitoring

Activities:

• Identify all privileged access paths
• Configure JIT access for administrative accounts
• Implement session recording for privileged sessions
• Establish privileged access review process
• Deploy break-glass procedures with monitoring

Deliverables:

• JIT access operational for administrative accounts
• Session recording enabled
• Privileged access governance process active

Week 8: Identity Threat Detection

Objectives:

• Implement identity-based threat detection
• Integrate with security operations
• Establish response procedures

Activities:

• Configure identity threat detection (native or ITDR tool)
• Enable impossible travel detection
• Configure anomalous access alerting
• Integrate identity events with SIEM
• Develop identity incident response playbooks

Deliverables:

• Identity threat detection operational
• SIEM integration complete
• Playbooks documented and tested

Phase 2 Checkpoint

Before Phase 3, confirm:

• SSO coverage significantly expanded
• Access certification launched
• Automated provisioning and deprovisioning working
• JIT access implemented for privileged accounts
• Session monitoring active
• Identity threat detection operational
• SIEM integration complete
• Response playbooks documented

Phase 3: Maturity and Optimisation (Days 61-90)

The final month establishes sustainable operations and advances towards maturity.

Week 9: Passwordless Acceleration

Objectives:

• Expand passwordless adoption
• Reduce password dependency
• Improve user experience

Activities:

• Enable passkey registration for all users
• Launch passwordless pilot with willing departments
• Communicate benefits and provide user guidance
• Track adoption metrics
• Address enrollment friction

Deliverables:

• Passkey registration available organisation-wide
• Pilot departments using passwordless
• Adoption tracking in place

Week 10: Governance Optimisation

Objectives:

• Refine access governance based on experience
• Address certification feedback
• Expand automation

Activities:

• Review first certification cycle results
• Address manager feedback on process
• Implement access analytics for unused permissions
• Expand automated provisioning coverage
• Implement continuous certification triggers

Deliverables:

• Certification process refined
• Unused access identified and actioned
• Automation expanded

Week 11: Security Operations Integration

Objectives:

• Fully integrate identity into security operations
• Establish metrics and reporting
• Enable continuous improvement

Activities:

• Validate identity detection and response integration
• Establish identity security metrics dashboard
• Create executive reporting
• Conduct identity incident simulation
• Document lessons learned and improvement areas

Deliverables:

• Security operations fully integrated
• Metrics dashboard operational
• Executive reporting established

Week 12: Steady State and Future Planning

Objectives:

• Transition to operational mode
• Plan continued maturity improvement
• Establish ongoing governance

Activities:

• Complete operational handover
• Establish ongoing review cadence
• Plan Phase 4 initiatives (advanced capabilities)
• Document programme outcomes
• Brief leadership on progress and future roadmap

Deliverables:

• Operational handover complete
• Phase 4 roadmap drafted
• Programme outcomes documented

Phase 3 Checkpoint

At day 90, assess:

• Passwordless adoption growing
• Access governance operating smoothly
• Identity integrated into security operations
• Metrics demonstrating improvement
• Operational ownership clear
• Future roadmap defined
• Leadership briefed on outcomes

---

Integration with Zero Trust Architecture

Identity First Security is the foundation of Zero Trust Architecture. You cannot implement Zero Trust without robust identity capabilities.

The Zero Trust principle of "never trust, always verify" requires:

• Strong authentication. You must prove identity before any access decision.
• Continuous verification. Identity validation is not a one-time event but continuous throughout the session.
• Least privilege. Access is granted to specific resources, not network segments.
• Context awareness. Access decisions consider identity, device, location, and behaviour.

Organisations attempting Zero Trust without mature identity capabilities are building on sand. The identity programme described in this article creates the foundation that Zero Trust requires.

---

Common Pitfalls and How to Avoid Them

Pitfall 1: MFA Theatre

The problem: Deploying MFA for compliance checkboxes while allowing weak methods and bypass mechanisms that attackers easily defeat.

The solution: Treat MFA as a security control, not a compliance requirement. Measure actual security improvement (phishing-resistant methods, bypass elimination) rather than deployment percentage.

Pitfall 2: Governance Without Teeth

The problem: Access certification that managers rubber-stamp without reviewing. No consequences for unapproved access.

The solution: Make certification meaningful with context and consequences. Auto-revoke access that is not certified. Track manager engagement and address patterns of inattention.

Pitfall 3: Ignoring Non-Human Identities

The problem: Focus on user accounts while service accounts, API keys, and workload identities proliferate unmanaged.

The solution: Include non-human identities in your governance programme. Document owners, rotate credentials, apply least privilege. Non-human identities often have more access than any human.

Pitfall 4: Tool Sprawl

The problem: Deploying multiple overlapping identity tools that do not integrate, creating gaps and complexity.

The solution: Define a coherent identity architecture. Evaluate tools for integration capability. Consider platform consolidation where it makes sense.

Pitfall 5: Forgetting the User Experience

The problem: Security controls so burdensome that users find workarounds or productivity suffers.

The solution: Design for user experience from the start. Passwordless is more secure and easier. Contextual authentication adapts friction to risk. Security that users hate is security that fails.

---

Measuring Identity Security Effectiveness

Key Metrics

Executive Reporting

Different stakeholders need different views:

For the Board: Risk reduction metrics, compliance status, benchmark comparisons.

For the CISO: Operational effectiveness, threat detection performance, programme maturity.

For IT Leadership: Operational efficiency, user experience, integration status.

For Business Units: Access enablement, friction reduction, support responsiveness.

---

Final Thoughts

The network perimeter protected a world that no longer exists. Users everywhere, applications in the cloud, attackers targeting credentials - this is the reality of 2026.

Identity First Security is not a trend or a vendor pitch. It is the pragmatic response to how attacks actually work and how organisations actually operate.

The journey from perimeter-centric to identity-centric security takes time. But every step improves your security posture:

• Enable MFA everywhere - immediately
• Implement phishing-resistant authentication for privileged users - this quarter
• Establish access governance and certification - this half
• Deploy JIT access and identity threat detection - this year
• Move towards passwordless - progressively

The organisations that thrive in 2026 and beyond will be those that recognised early: Identity is not just part of security. Identity is security.

If you are still spending more on network security appliances than on Identity Governance and Administration, it might be time to rebalance. Securing the network is necessary but insufficient. Securing identity is existential.

---

Implementing Your Identity First Security Programme

Building a mature identity security programme requires strategic planning, technical expertise, and organisational change management. My IT management services help organisations assess their current posture, design target architectures, and implement identity programmes that reduce risk while improving user experience.

Get in touch to discuss how to strengthen your identity security posture.

---

Related reading: Zero Trust: It's Not a Product, It's a Strategy | Cyber Resilience 2026