Identity-First Security: Why Your Firewall Is No Longer the Perimeter
The perimeter dissolved. Identity is the new perimeter. The introduction for the IT lead who wants to know what the shift actually means for the next 90 days of work — five operational consequences and five concrete next steps.
The firewall stopped being the perimeter somewhere between the first hybrid-work mandate and the last AWS data-exfiltration incident. The new perimeter is identity. This article is the introduction for the IT lead who has heard the phrase "identity is the new perimeter" too many times and wants to know what it actually means for the next 90 days of work.
No deep technical detail. No vendor pitch. The conceptual shift, the consequences, and the five concrete next steps for a 200-seat company that has not yet made the move.
What "perimeter" used to mean
The 2010 security model had a clear shape. Trusted things were inside the corporate network — the office LAN, the data centre, the VPN. Untrusted things were outside. The firewall was the boundary that enforced the trust line. Authenticate once at the VPN; everything inside trusted you.
The model was always simplified. It worked anyway, mostly, because most employees were in the office and most applications ran on company hardware. The trust boundary had a physical shape that the security model could pretend was real.
Why the perimeter dissolved
Three trends, compounding:
- SaaS adoption. By 2022, the median SMB ran 80-120 SaaS applications. None of them sit inside your firewall. The firewall could not protect what was not behind it.
- Remote and hybrid work. By 2024, the office network was a partial sample of where employees actually worked. Coffee shops, kitchen tables, client offices, conferences — all "outside the perimeter" in the old model, all daily reality in the new one.
- Cloud-native infrastructure. Your production workloads run in AWS, Azure, GCP. Your data sits in S3 buckets and SharePoint sites. Your APIs are exposed to the internet by design. The "internal" of "internal network" no longer maps to "where the business runs".
The firewall did not become useless. It became insufficient. The implicit-trust model, in which inside-the-firewall meant trusted-by-default, produced too many security incidents to remain defensible.
What identity-first actually means
Identity-first security treats every access request as a fresh decision based on who, what device, where, at what time, doing what, with what risk signal. The decision is made continuously, not once at network entry.
The model has three concrete components:
- Identity as the foundation. Every request carries an authenticated identity. The identity has been verified through MFA. The strength of the verification matches the sensitivity of the request.
- Context as the decision input. Device compliance, sign-in risk score, location, time-of-day, behaviour anomaly, requested resource — all inputs to a real-time access decision.
- Continuous evaluation. A valid session does not stay valid forever. Material changes (password reset, compliance failure, anomalous behaviour) revoke the session within minutes.
This is not the same as "we have MFA". MFA at network entry is the old model with a stronger door. Identity-first means MFA at every meaningful access decision, with risk signals informing whether MFA is enough.
What "Zero Trust" has to do with it
Zero Trust is the formal architectural framework. NIST SP 800-207 is the canonical reference. The principles:
- Never trust, always verify
- Least-privilege access
- Assume breach
- Verify explicitly using all available signals
"Identity-first" is one operational expression of Zero Trust — the one that starts with identity as the strongest signal and builds outward. "Microsegmentation" is another expression. "ZTNA" (Zero Trust Network Access) is the implementation pattern that replaces traditional VPNs.
For most SMBs, "identity-first" is the entry door to Zero Trust. The other expressions follow naturally once the identity foundation is in place.
The five consequences for your operating model
Consequence 01: The VPN is a candidate for retirement
The corporate VPN was the most visible artefact of perimeter thinking. Once identity is the perimeter, the VPN's job (placing the user "inside" the trusted network) becomes redundant. Per-application access via Conditional Access + ZTNA produces equivalent or better security with less operational burden.
VPNs do not disappear overnight — legacy applications without SSO support keep VPN alive for years. But "every employee uses VPN every day" stops being the model.
Consequence 02: The firewall becomes one signal among many
Office firewalls and VPN concentrators do not become useless. They become one input into the access decision rather than the access decision itself. Coming from an unfamiliar IP is a higher-risk signal than coming from the office network. The decision is made by the identity platform; the firewall data informs it.
Consequence 03: Device matters as much as user
"Authenticated user on a compromised device" is a worse security position than "unknown user on a hardened device". The identity-first model treats device compliance as a first-class signal: Intune compliant + Defender for Endpoint healthy → high trust; jailbroken phone → low trust regardless of user.
This requires the device-management investment (MDM, EDR, compliance policies) to be in place. For most SMBs, device management is the second-biggest investment after identity itself.
Consequence 04: Audit moves from "who was on the network" to "who accessed what, when, why"
The old audit log was a network firewall log. The new audit log is the identity platform's sign-in log + the application's access log + the conditional-access evaluation log + the device compliance log. All four feed your SIEM.
This is more data but better data. Forensic analysis of "did Jane access the customer database last week" becomes a structured query, not a guess.
Consequence 05: Identity governance becomes a regular practice
If identity is the perimeter, the perimeter has to be governed. Periodic access reviews, role-based access control reviews, joiner-mover-leaver workflow validation, orphaned-account cleanup — all become recurring operational duties, not one-time projects.
The discipline is what makes the model survive. Without it, the identity foundation accumulates entropy and the security posture drifts.
The five next steps for the IT lead with 90 days
Concrete, prioritised, no abstraction:
Step 01: Inventory + retire weak authentication
The legacy auth protocols (POP3, IMAP4, SMTP basic, MAPI basic) are the largest hole in any M365 identity story. Disable legacy auth at the Conditional Access layer. Communicate the impact to users. Replace any clients that depend on legacy auth.
For Google Workspace estates: the equivalent is "Less Secure Apps" and IMAP / POP3 basic-auth access. Disable both.
Step 02: MFA everywhere, with phishing-resistance for admins
Two policies:
- MFA required for all users on all applications, period. No exceptions for legacy clients (which were eliminated in Step 01).
- Phishing-resistant MFA (FIDO2 / WebAuthn) required for admin roles, executive accounts, and any account with access to sensitive data.
Procure FIDO2 keys for the admin population (typical cost €30-€60 per key, one-time). Document the break-glass procedure.
Step 03: Conditional Access baseline policy stack
The minimum baseline:
- Block legacy authentication (from Step 01)
- Require MFA for all users
- Block sign-ins from outside a geofence allow-list (countries you operate in)
- Require compliant device for sensitive applications
- Sign-in risk High → block; Medium → require MFA
Roll out in report-only mode for 1-2 weeks. Watch the impact. Promote to enforced.
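The baseline stack above, together with the contextual, per-request decision described under "What identity-first actually means" and Consequence 03, as an added Python model (not code from the article or from any identity platform): it evaluates constructed sign-ins against the five policies and tallies what a report-only run would have done. Policy names, field names, the country allow-list and the sample sign-ins are this example's own assumptions.

```python
from collections import Counter
from dataclasses import dataclass
# Constructed values; names are this example's own, not Entra ID / Conditional Access schema.
ALLOWED_COUNTRIES = {"DE", "AT", "CH"}           # geofence allow-list (countries you operate in)
SENSITIVE_APPS = {"customer-db", "finance-erp"}  # applications that require a compliant device
LEGACY_CLIENTS = {"pop3", "imap4", "smtp-basic", "mapi-basic"}  # retired in Step 01
@dataclass
class SignIn:
    user: str
    app: str
    client: str             # "modern" or one of LEGACY_CLIENTS
    country: str
    device_compliant: bool
    risk: str = "none"      # sign-in risk: "none" | "low" | "medium" | "high"
    admin: bool = False

def evaluate(s: SignIn) -> tuple[str, list[str]]:
    """Apply the baseline stack to one sign-in; returns (decision, matched policies).
    A block from any policy wins over grant controls; an unsatisfiable grant (compliant device) denies."""
    blocks = []
    if s.client in LEGACY_CLIENTS:
        blocks.append("block-legacy-auth")
    if s.country not in ALLOWED_COUNTRIES:
        blocks.append("block-outside-geofence")
    if s.risk == "high":
        blocks.append("block-high-risk")
    if s.app in SENSITIVE_APPS and not s.device_compliant:
        blocks.append("require-compliant-device")
    if blocks:
        return "block", blocks
    matched = ["require-mfa-all-users"]
    if s.risk == "medium":
        matched.append("require-mfa-medium-risk")
    # Step 02: admin roles must satisfy MFA with a phishing-resistant method (FIDO2).
    return ("require-phishing-resistant-mfa" if s.admin else "require-mfa"), matched
def report_only(signins: list[SignIn]) -> Counter:
    """Report-only rollout: tally what each policy would have done; enforce nothing."""
    impact = Counter()
    for s in signins:
        decision, matched = evaluate(s)
        impact.update(matched + [f"decision:{decision}"])
    return impact
SAMPLE = [  # constructed sign-ins for a report-only run
    SignIn("jane", "customer-db", "modern", "DE", True),
    SignIn("jane", "mail", "imap4", "DE", True),
    SignIn("ops-admin", "azure-portal", "modern", "AT", True, admin=True),
    SignIn("bob", "customer-db", "modern", "DE", False, risk="medium"),
    SignIn("bob", "mail", "modern", "BR", True, risk="high"),
]
```

Running `report_only(SAMPLE)` is the "watch the impact" step: the tally shows which policies would bite and how often before anything is promoted to enforced.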
Step 04: Device compliance baseline
Define what "compliant" means. Typical baseline:
- Encryption at rest (BitLocker / FileVault) enforced
- OS patched within 30 days of release
- EDR running and healthy (Defender for Endpoint / CrowdStrike / SentinelOne)
- Local admin not the user's daily account
- Screen lock with appropriate timeout
Configure these in Intune (or Jamf / Kandji / Google Endpoint Management). Surface non-compliance to users with self-remediation guides where possible.
Step 05: Identity governance cadence
Start the operating discipline that keeps the model honest:
- Quarterly access review for privileged roles
- Quarterly access review for sensitive applications
- Monthly orphaned-account scan + cleanup
- Annual joiner-mover-leaver process audit
For Entra ID P2 estates, Access Reviews automates much of this. For other identity stacks, the workflow is manual but the cadence matters more than the tooling.
The licensing reality, briefly
You cannot do identity-first on free-tier identity. The minimum that makes the model viable:
| Platform | Minimum | Recommended |
|---|---|---|
| Microsoft 365 | E3 + Entra ID P1 | E5 (includes Entra P2, Defender, Purview) |
| Google Workspace | Business Plus | Enterprise Plus (Context-Aware Access, BeyondCorp) |
| Stand-alone identity | Okta or Auth0 Adaptive MFA | Okta Identity Engine + Workflow + ITP add-on |
For most regulated SMBs, E5 or Workspace Enterprise Plus is the right answer. The licensing cost is real, but it is smaller than the operational cost of running identity-first on a licence tier that is too thin for it.
What this is not
Honest scoping. Identity-first is not:
- A passwordless future where MFA disappears (passwordless is a refinement within identity-first, not a replacement for it)
- A reason to retire firewalls completely (they still defend the network perimeter against direct-internet attacks; they are just no longer the only line)
- An overnight transition (most 200-seat companies take 6-12 months to complete the foundational steps)
- A vendor decision (the vendors differ in implementation, not in the underlying model)
- A solution for endpoint security, application security, or data protection (it is the access-control layer that those other layers compose with)
The signs you are doing it right
Six concrete indicators a mature identity-first programme should produce within 12 months:
- Every user authentication carries MFA — no exceptions, no carve-outs
- Admin role usage is just-in-time, with approval workflow and audit trail
- Compromised credentials become a Conditional Access event within minutes, not hours
- Device compliance is enforced on every access to sensitive data
- Access reviews surface 5-15% reductions in standing access each quarter
- The team can articulate, in writing, what happens when an account is compromised — and the runbook is tested
The signs you are doing it wrong
Three patterns that look like identity-first but are not:
- MFA at VPN entry, then everything inside is trusted. This is the old model with a stronger gate. The post-VPN access does not check anything.
- Conditional Access policies in audit mode forever. Audit mode is for the 2-week ramp. After that, enforced or rolled back — never "we'll enforce it later".
- "We have Okta / Entra, we're done." The platform is the foundation, not the implementation. The conditional access policies, the device compliance, the access reviews, the operational discipline — those are the work.
The one paragraph version
The firewall stopped being the perimeter. Identity is now the perimeter. Identity-first security means every access request is a fresh decision based on who, what device, where, doing what, with what risk signal — evaluated continuously, not once at network entry. The five operational consequences are: VPN candidate for retirement, firewall becomes one signal among many, device matters as much as user, audit moves from network logs to per-access logs, identity governance becomes recurring discipline. The 90-day starter pack is five steps: retire legacy auth, MFA everywhere with phish-resistant for admins, Conditional Access baseline, device compliance, identity-governance cadence. The licensing investment is real (E5 / Workspace Enterprise Plus for most regulated SMBs). The model is not overnight — 6-12 months to mature.
If you want a scoped diagnostic — current-state assessment of your identity posture, the 90-day plan tailored to your stack — that is the engagement shape. The technical baseline is delivered under Microsoft 365 Defender + Microsoft 365 Management (M365 estates) or Google Workspace Management (Workspace estates). The deeper Conditional Access rollout is covered in our practitioner-level Conditional Access deep-dive.