How to Map Your Identity Perimeter in 30 Minutes

You don’t need a new IAM stack to understand your identity exposure. This 30-minute walkthrough shows how to map your real identity perimeter across SaaS, OAuth, and cloud access.

What “Identity Perimeter” Actually Means

Your identity perimeter is every way a human or system can access your data — not just users in your IdP.


It includes:

  • SaaS logins (SSO and non-SSO)

  • OAuth tokens and third-party integrations

  • Service accounts and API keys

  • External collaborators and contractors

  • Shadow cloud (AWS, Azure, GCP) accounts


If any of these exist outside visibility, your perimeter is already breached — even without an attacker.


This is why modern frameworks like the CISA Zero Trust Maturity Model treat identity as the primary control plane, not the network: https://www.cisa.gov/zero-trust-maturity-model


The 30-Minute Identity Perimeter Map

This exercise doesn’t require deploying new tools. It uses data you already have — and produces an actionable map you can refine later.

Goal: Identify who can access what, where, and how — across SaaS and cloud services.

Minute 0–5: Export Identity Sources

Start with your primary identity systems:

  • Google Workspace / Microsoft 365

  • Okta / Entra ID / other IdP


Export:

  • All active users

  • All groups and roles

  • All connected applications


You’re not auditing permissions yet — you’re identifying identity surfaces.


Minute 5–10: Enumerate OAuth & App Integrations

Next, export all third-party app connections and OAuth grants from your workspace or IdP.


Look specifically for:

  • Apps with file, inbox, calendar, or cloud access

  • AI assistants and automation tools

  • Apps connected by individual users (not IT)


CISA’s Secure Cloud Business Applications (SCuBA) guidance calls unmanaged OAuth permissions one of the most common sources of silent access: https://www.cisa.gov/secure-cloud-business-applications-scuba


These connections are identity — even though they don’t look like users.


Minute 10–15: Identify Non-SSO Accounts

Now compare your SaaS app list against your IdP integrations.

Flag any application that:

  • Allows local credentials

  • Has users not tied to your IdP

  • Was provisioned directly by a department


These accounts sit outside centralized enforcement — even if the app “supports SSO.”

According to Waldo Security’s 2025 SaaS & Cloud Discovery Report, fewer than 1% of SaaS accounts enforce MFA, largely because SSO coverage is incomplete: https://www.waldosecurity.com/2025-saas-and-cloud-discovery-report


Minute 15–20: Surface External & Shadow Identities

Next, identify identities that don’t belong to full-time employees:

  • Contractors

  • Agencies

  • Partners

  • Former employees with lingering access


Then check for Shadow CSP accounts:

  • AWS, Azure, or GCP tenants not registered in your cloud inventory

  • Cloud accounts without clear ownership


The report found 100% of organizations had at least one unauthorized cloud account — each representing a separate identity perimeter.


Minute 20–25: Classify Access Paths

Create a simple classification for each identity surface:

Identity Type   Access Method   Data Reach        Visibility
Employee        SSO + MFA       SaaS + Files      High
Contractor      Local login     CRM               Medium
OAuth App       Token           Drive + Mail      Low
Shadow CSP      API keys        Cloud resources   None

This immediately shows where trust is assumed instead of verified.


Minute 25–30: Draw the Perimeter

Finally, answer three questions:

  1. Which identities bypass SSO or MFA?

  2. Which access paths persist after offboarding?

  3. Which systems are invisible to security and compliance?


What you’re left with is your actual identity perimeter — not the one described in policy documents.
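As an added example (not code from this post or Waldo Security's product), the Python below runs the six steps above over small, constructed exports and answers the three perimeter questions. The record shapes for the IdP, SaaS, OAuth and cloud exports are assumptions shown inline; adapt the field names to whatever your admin consoles actually emit.

```python
"""Toy identity-perimeter mapper over constructed exports; not Waldo's tooling."""
from collections import defaultdict

# Constructed sample exports; real rows come from your IdP and SaaS admin consoles.
IDP_USERS = [  # status as reported by the IdP; mfa = an MFA factor is enforced
    {"email": "ana@example.com", "status": "active", "mfa": True},
    {"email": "bo@example.com", "status": "active", "mfa": False},
    {"email": "cy@example.com", "status": "deprovisioned", "mfa": True},
]
SAAS_ACCOUNTS = [  # per-app user lists; auth = how that account signs in
    {"app": "CRM", "email": "ana@example.com", "auth": "sso"},
    {"app": "CRM", "email": "dee@agency.example", "auth": "local"},
    {"app": "Wiki", "email": "cy@example.com", "auth": "local"},
    {"app": "Wiki", "email": "bo@example.com", "auth": "sso"},
]
OAUTH_GRANTS = [  # third-party grants from the workspace admin export
    {"app": "AI Notetaker", "email": "bo@example.com", "scopes": ["drive.readonly", "calendar"]},
    {"app": "Mail Sync", "email": "cy@example.com", "scopes": ["mail.read"]},
]
CLOUD_ACCOUNTS = [  # CSP tenants; in_inventory = present in the cloud inventory/CMDB
    {"provider": "aws", "account": "111111111111", "owner": "platform", "in_inventory": True},
    {"provider": "gcp", "account": "proj-marketing-7", "owner": None, "in_inventory": False},
]
DATA_SCOPES = {"drive", "mail", "calendar"}  # scope families that reach files/inboxes

def map_perimeter(idp, saas, grants, clouds):
    """Answer the three 'draw the perimeter' questions from the four exports."""
    known = {u["email"] for u in idp}
    active = {u["email"] for u in idp if u["status"] == "active"}
    no_mfa = {u["email"] for u in idp if u["status"] == "active" and not u["mfa"]}
    out = defaultdict(list)
    for a in saas:  # Minute 10-15: local logins and IdP users without MFA bypass central control
        if a["auth"] != "sso" or a["email"] in no_mfa:
            out["bypass_sso_mfa"].append(f'{a["app"]}:{a["email"]}')
        if a["email"] in known and a["email"] not in active:  # Q2: survives offboarding
            out["persist_after_offboarding"].append(f'{a["app"]}:{a["email"]}')
        if a["email"] not in known:  # Minute 15-20: external identity the IdP never saw
            out["external"].append(f'{a["app"]}:{a["email"]}')
    for g in grants:  # Minute 5-10: OAuth grants are identities too
        if any(s.split(".")[0] in DATA_SCOPES for s in g["scopes"]):
            out["data_reaching_oauth"].append(f'{g["app"]}:{g["email"]}')
        if g["email"] in known and g["email"] not in active:
            out["persist_after_offboarding"].append(f'{g["app"]}:{g["email"]}')
    for c in clouds:  # Q3: cloud tenants no inventory or owner can account for
        if not c["in_inventory"] or not c["owner"]:
            out["invisible"].append(f'{c["provider"]}:{c["account"]}')
    return dict(out)
```

Each output list is one row of the "Draw the Perimeter" answer sheet; anything under `persist_after_offboarding` or `invisible` is a gap no policy document would have shown you.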


This mapping directly supports requirements in the NIST Privacy Framework and ISO/IEC 27001 for accountability and traceability.


Why This Exercise Works

Most identity failures don’t come from missing tools. They come from missing visibility.


This 30-minute map:

  • Replaces assumptions with evidence

  • Exposes OAuth and shadow access

  • Creates a foundation for Zero Trust enforcement

  • Gives security, IAM, and GRC teams a shared reality


From Mapping to Continuous Control

Manual mapping works once. Modern SaaS environments change daily.


Waldo Security’s SaaS & Cloud Discovery Engine automates this process by:

  • Continuously discovering SaaS and cloud services

  • Mapping identities, tokens, and integrations

  • Classifying identity risk across compliance frameworks

  • Providing real-time evidence for audits and reviews


Discovery turns identity from a static diagram into a living control surface.


Conclusion: You Can’t Defend What You Haven’t Mapped

Identity is the new perimeter — but most organizations are still defending the outline they think they have.

Mapping your real identity perimeter doesn’t take months. It takes 30 focused minutes and the right questions.

Once you see the perimeter, you can finally secure it.

👉 See how other organizations are mapping and defending their real identity perimeter in the 2025 SaaS & Cloud Discovery Report.


About Waldo Security

Waldo Security helps organizations discover, classify, and secure every SaaS and cloud service in use — known or unknown. By illuminating unmanaged identities, Shadow IT, and OAuth risk, Waldo enables security and compliance teams to enforce identity-centric controls with confidence.
