
Identity Is the New Perimeter (And Most Companies Are Defending the Wrong One)


Firewalls didn’t disappear — they just stopped being the boundary. In a SaaS-first world, identity is the perimeter, and most organizations are still defending the wrong one.


The Perimeter Didn’t Vanish. It Moved.

For decades, security strategy revolved around a simple idea: keep attackers out of the network.


Firewalls, VPNs, and segmentation were built to protect a clearly defined edge. If traffic stayed inside the perimeter, it was trusted. If it came from outside, it was inspected.


That model worked — until work stopped happening on the network.


Today, employees log in from anywhere, vendors connect directly to SaaS platforms, and data lives in cloud services IT didn’t deploy. The network is no longer where trust is enforced.

Identity is.

Why Network Security No Longer Maps to Reality

Modern organizations don’t run on servers behind a firewall. They run on:

  • SaaS applications

  • OAuth integrations

  • APIs and service accounts

  • External collaborators and contractors

Each login, token, or delegated permission is now a decision point for trust.

Frameworks like the CISA Zero Trust Maturity Model, which makes Identity the first of its five pillars, recognize this shift explicitly: access decisions must be based on who or what is requesting access, not on where the request comes from.

Yet many security programs are still structured as if the network were the control plane.

The Identity Gap No One Sees

If identity is the new perimeter, visibility into identity is the new baseline. And this is where most organizations fall behind.


According to Waldo Security’s 2025 SaaS & Cloud Discovery Report:

  • 97% of SaaS applications are unknown to IT

  • Less than 1% of SaaS accounts enforce MFA

  • 100% of organizations have unauthorized AWS, Azure, or GCP accounts


That means most identity decisions — logins, OAuth grants, service connections — are happening outside governance.

The perimeter exists. It’s just not being monitored.


SSO Alone Is Not a Perimeter

Single Sign-On is often treated as the answer to identity sprawl. But SSO only governs what’s integrated — not what’s connected.

Many SaaS apps:

  • “Support” SSO but don’t enforce it

  • Allow local credentials alongside IdP logins

  • Issue OAuth access and refresh tokens that, once granted, are honored without any further SSO or MFA check


CISA’s Secure Cloud Business Applications (SCuBA) guidance warns that unmanaged OAuth permissions create persistent access paths that survive offboarding and evade traditional controls.


If identity is the perimeter, OAuth is the side door most teams forget to lock.


Compliance Already Assumes Identity Is Central

Modern compliance frameworks don’t ask, “Is your network secure?” They ask:

  • Can you prove who accessed data?

  • Can you trace identities across systems?

  • Can you revoke access consistently?

The NIST Privacy Framework and ISO/IEC 27001 both call for accountability and traceability, concepts that only work when identity is visible and governed across all systems, not just sanctioned ones.

You can’t demonstrate control over identities you don’t know exist.

What Defending the Right Perimeter Looks Like

Defending the identity perimeter requires a mindset shift:

From:

  • Network-first controls

  • Static access lists

  • Annual inventories

To:

  • Identity-first governance

  • Continuous verification

  • Real-time discovery

Practically, that means:

  • Discovering every SaaS app connected to your domain

  • Identifying identities that bypass SSO

  • Monitoring OAuth tokens and delegated access

  • Treating SaaS and cloud accounts as identity surfaces, not “tools”

This is the foundation of Zero Trust — not as a buzzword, but as an operational model.
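The SSO and OAuth gaps described above, and the practical steps just listed, come down to one reconciliation: line up what the IdP knows against what each app and the OAuth consent log report, and flag the identities that fall outside governance. The script below is an added example, not Waldo Security's code or the report's method. It runs over constructed exports embedded inline; the user names, app names, scope strings, and the shape of the three exports are assumptions, not any vendor's real format.

```python
"""Identity-perimeter reconciliation over three constructed exports.

Added example, not Waldo Security's code. It cross-references an IdP user
export, per-app SaaS account exports and an OAuth consent log to surface the
identities the article calls out: accounts that bypass SSO, local accounts
without MFA, identities the IdP has never seen, and OAuth grants that outlive
their owner or carry standing high-risk scopes. All records are made up.
"""
from collections import defaultdict

# Scopes that confer standing access beyond one interactive session.
# Hypothetical names modelled on common provider scope conventions.
HIGH_RISK_SCOPES = {"mail.send", "files.readwrite.all", "offline_access"}

# --- Constructed sample exports (assumed formats) ------------------------
IDP_USERS = {
    "alice@example.com": {"active": True, "mfa": True},
    "bob@example.com": {"active": False, "mfa": True},    # offboarded
    "carol@example.com": {"active": True, "mfa": False},
}

SAAS_ACCOUNTS = [  # as reported by each app's admin API
    {"app": "crm", "user": "alice@example.com", "auth": "sso"},
    {"app": "crm", "user": "carol@example.com", "auth": "password", "mfa": False},
    {"app": "wiki", "user": "bob@example.com", "auth": "password", "mfa": False},
    {"app": "wiki", "user": "dave@example.com", "auth": "password", "mfa": True},
]

OAUTH_GRANTS = [  # as reported by the provider's consent / token audit log
    {"user": "alice@example.com", "client": "calendar-sync",
     "scopes": ["calendar.read"]},
    {"user": "bob@example.com", "client": "mail-assistant",
     "scopes": ["mail.read", "mail.send"]},
    {"user": "carol@example.com", "client": "file-backup",
     "scopes": ["files.readwrite.all", "offline_access"]},
]


def reconcile(idp_users, saas_accounts, oauth_grants):
    """Return {finding_type: [finding, ...]} for the three exports.

    idp_users:     {email: {"active": bool, "mfa": bool}}
    saas_accounts: [{"app", "user", "auth" ("sso" | "password"), "mfa"}]
    oauth_grants:  [{"user", "client", "scopes"}]
    """
    findings = defaultdict(list)

    for acct in saas_accounts:
        app, user = acct["app"], acct["user"]
        if user not in idp_users:
            # The IdP has never seen this identity, so no IdP policy reaches it.
            findings["unknown_identity"].append((app, user))
        if acct["auth"] != "sso":
            # A local credential coexists with, or replaces, the IdP login:
            # "supports SSO" is not "enforces SSO".
            findings["sso_bypass"].append((app, user))
            if not acct.get("mfa", False):
                findings["local_no_mfa"].append((app, user))

    for grant in oauth_grants:
        user, client = grant["user"], grant["client"]
        owner = idp_users.get(user)
        if owner is None or not owner["active"]:
            # Disabling the IdP account does not reach a grant issued by the
            # SaaS provider's own authorization server; it keeps working
            # until it is revoked there.
            findings["orphaned_grant"].append((client, user))
        risky = sorted(set(grant["scopes"]) & HIGH_RISK_SCOPES)
        if risky:
            # SSO and MFA were evaluated once, at consent time. With a refresh
            # token (offline_access) the client renews access silently after.
            findings["risky_grant"].append((client, user, risky))

    return dict(findings)


if __name__ == "__main__":
    for kind, items in reconcile(IDP_USERS, SAAS_ACCOUNTS, OAUTH_GRANTS).items():
        print(f"{kind}:")
        for item in items:
            print("  ", *item)
```

On the sample data only alice, who signs in through SSO and holds a read-only grant, produces no finding; bob's mail grant is both orphaned and risky, which is the offboarding-survival case the SCuBA guidance warns about. Replace the three constants with real exports (IdP directory, per-app account lists, consent log) and the same loops become a continuous check rather than an annual inventory.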

Why Discovery Comes Before Enforcement

Many organizations try to “fix identity” by tightening policies. But enforcement without visibility only secures the small portion of the environment you already know about.

Discovery is what turns identity from an assumption into a control surface.

Waldo Security’s SaaS & Cloud Discovery Engine focuses on this prerequisite by:

  • Enumerating known and unknown SaaS applications

  • Mapping identities, OAuth connections, and unsanctioned cloud provider (Shadow CSP) accounts

  • Classifying identity risk across compliance frameworks

  • Providing continuous evidence for auditors and security teams

You can’t defend the perimeter if you haven’t mapped it.

Conclusion: Stop Defending the Past

Firewalls still matter. Networks still matter. But they are no longer where trust begins or ends.

Today:

Every login is a perimeter decision. Every token is a perimeter extension. Every unknown app is a blind spot in the perimeter.

Organizations that recognize this shift aren’t abandoning security — they’re modernizing it.

👉 See how other organizations are redefining visibility and defending the real perimeter in the 2025 SaaS & Cloud Discovery Report.

About Waldo Security

Waldo Security helps organizations discover, classify, and secure every SaaS and cloud service in use — known or unknown. By illuminating unmanaged identities, Shadow IT, and OAuth risk, Waldo enables CISOs and security leaders to enforce identity-centric security with confidence.
