“Identity is the new perimeter” Are you kidding me?
By Martin Snyder, Oct 15 (4 min read)

If identity were the perimeter, we wouldn’t keep getting burned by accounts, tokens, guests, and plug-ins nobody knows exist. IdPs protect the front door; modern SaaS has side doors everywhere. Waldo Security gives you the map of those doors—we discover every SaaS app, tenant, account, and OAuth grant in minutes, flag SSO/MFA bypasses, right-size risky scopes, and export audit-ready evidence. Start with Instant SaaS Discovery and keep proof tidy via the SaaS Compliance Overview.
The uncomfortable truth
Credentials still win. In Verizon’s 2025 DBIR, about 88% of Basic Web Application Attacks involved stolen creds—proof that “supports SSO” ≠ “enforces SSO everywhere.” (Verizon)
Your app count is wrong. Okta’s 2025 data shows the average company finally crossed 101 apps; BetterCloud still sees ~106 per org. If you’re modeling identities on 20–30 “core apps,” your math is fantasy. (Okta)
AI inflated the shadow. Netskope tracks hundreds of genAI apps in enterprise traffic and near-universal adoption. Identities now include browser plug-ins, side tenants, and OAuth clients you never approved. (Netskope)
Translation: the identity layer matters—but the SaaS layer is where identities multiply, persist, and leak.
Math check: why you’re off by 10–20×
Think “people = identities”? Try again.
Per-person app spread: 30–50 apps per knowledge worker are common; orgs average ~101–106 apps total. Even light usage creates multiple accounts per person across suites and micro-tools. (Okta)
Guests & contractors: External users don’t live in your HRIS. Many retain editor/admin rights long after projects end.
OAuth clients: Each “Sign in with …” can mint a new application identity with delegated scopes (often including offline_access, which yields refresh tokens), persisting access after a password reset. Microsoft explicitly tells admins to restrict user consent to verified publishers and low-impact permissions. (Microsoft Learn)
Tokens & keys: Personal access tokens (PATs) and SSH keys sit outside SSO unless explicitly tied back—GitHub requires separate SSO authorization for PAT/SSH. (GitHub Docs)
Shadow AI & extensions: Netskope sees 317+ distinct genAI apps across customers; many run under personal identities. That’s a lot of invisible “users.” (Netskope)
Add those up and the real count of identities with access is routinely 10–20× your headcount.
Why the “identity perimeter” keeps failing
Because it assumes everyone walks through the IdP.
SaaS doesn’t. It tolerates local passwords, grants durable tokens, and invites guests by email. A modern model must govern resources directly—what NIST’s Zero Trust describes as enforcing least privilege at the resource plane, not just at the login page. (CISA)
Because point-in-time isn’t protection.
CISA’s Cloud Security Technical Reference Architecture is blunt: start with inventory → least privilege → logging for SaaS specifically. Otherwise your SIEM only sees the slice you integrated. (CISA)
Because cost follows visibility.
IBM’s 2025 study ties lower breach cost (global avg $4.44M) to faster identification and containment—impossible if half your identities live off the books. (IBM)
Field guide: SaaS-layer controls that actually work
1) Enforce SSO where it counts (and measure coverage).
Alert on password logins to apps in your SSO catalog; close suite loopholes (guest exclusions, unmanaged tenants). DBIR’s numbers make this priority one. (Verizon)
2) Govern consent, not just login.
In Microsoft Entra, limit end-user consent to verified publishers and low-impact permissions; require admin approval for write/tenant-wide scopes. Review and revoke grants with offline_access and broad *.ReadWrite.All-style scopes. (Microsoft Learn)
3) Kill token persistence.
Inventory refresh tokens, PATs, and SSH keys; revoke idle tokens and re-authorize PAT/SSH via SSO where supported (e.g., GitHub). Automate this in offboarding. (GitHub Docs)
4) Control sharing & guests.
Default-deny public links in sensitive spaces; restrict external domains; time-box guest elevations and require an internal owner.
5) Make evidence continuous.
Stream SaaS audit logs; ship a monthly packet: SSO/MFA coverage, admin changes, OAuth diffs, offboarding timestamps, public-link exceptions. CISA’s TRA expects this; auditors and insurers do, too. (CISA)
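The five controls above, and the diagnostic questions that follow, come down to a handful of checks you can run over data you already have. The script below is an added example, not code from the post or from Waldo Security: it runs steps 1, 2, 3 and 5 over constructed sign-in events, OAuth consent grants and personal access tokens, flagging password logins to apps the SSO catalogue says are enforced, grants carrying offline_access or *.ReadWrite.All-style scopes, PATs that are idle or not re-authorized via SSO, and rolls the results into a monthly evidence summary. The record layout, field names, the 90-day idle threshold and the sample values are all assumptions for illustration.

```python
"""Added example (not from the original post or from Waldo Security): a minimal
SaaS-layer review over constructed sign-in events, OAuth grants and PATs.
Field names, thresholds and every record below are assumptions for illustration."""
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Apps the IdP catalogue says are SSO-enforced (constructed list).
SSO_CATALOG = {"github", "salesforce", "slack"}

# High-impact scope patterns named in the post: offline_access and *.ReadWrite.All-style.
RISKY_SCOPE_PATTERNS = ("offline_access", "*.ReadWrite.All")

NOW = datetime(2025, 10, 15, tzinfo=timezone.utc)  # fixed clock so results are stable
IDLE_DAYS = 90                                     # assumed idle threshold for tokens

# Constructed sign-in events; two users reach catalogued apps with a local password.
SIGNINS = [
    {"user": "ana@example.com",  "app": "github", "method": "saml"},
    {"user": "bo@example.com",   "app": "github", "method": "password"},
    {"user": "guest@partner.io", "app": "slack",  "method": "password"},
    {"user": "cy@example.com",   "app": "notion", "method": "password"},  # not in catalogue
]

# Constructed OAuth consent grants (delegated scopes per client).
GRANTS = [
    {"client": "Calendar Helper", "user": "ana@example.com",
     "scopes": ["User.Read", "Calendars.Read"]},
    {"client": "Mail Sync Pro", "user": "bo@example.com",
     "scopes": ["Mail.ReadWrite.All", "offline_access"]},
    {"client": "Files Exporter", "user": "cy@example.com",
     "scopes": ["Files.Read", "offline_access"]},
]

# Constructed personal access tokens with last-use time and SSO-authorization flag.
PATS = [
    {"owner": "ana@example.com", "id": "pat-1", "last_used": NOW - timedelta(days=3),   "sso_authorized": True},
    {"owner": "bo@example.com",  "id": "pat-2", "last_used": NOW - timedelta(days=200), "sso_authorized": False},
    {"owner": "dee@example.com", "id": "pat-3", "last_used": NOW - timedelta(days=10),  "sso_authorized": False},
]


def sso_bypasses(signins, catalog=SSO_CATALOG):
    """Step 1: password logins to apps that should only be reachable through SSO."""
    return [e for e in signins if e["app"] in catalog and e["method"] == "password"]


def sso_coverage(signins, catalog=SSO_CATALOG):
    """Step 1 metric: share of sign-ins to catalogued apps that actually used SSO."""
    in_scope = [e for e in signins if e["app"] in catalog]
    if not in_scope:
        return 1.0
    return sum(e["method"] != "password" for e in in_scope) / len(in_scope)


def risky_scopes(scopes, patterns=RISKY_SCOPE_PATTERNS):
    """Return the subset of scopes matching a high-impact pattern, sorted."""
    return sorted(s for s in scopes if any(fnmatchcase(s, p) for p in patterns))


def risky_grants(grants):
    """Step 2: consent grants that carry offline_access or broad *.ReadWrite.All scopes."""
    flagged = []
    for g in grants:
        hits = risky_scopes(g["scopes"])
        if hits:
            flagged.append({**g, "risky": hits})
    return flagged


def stale_or_unauthorized_pats(pats, now=NOW, idle_days=IDLE_DAYS):
    """Step 3: PATs idle beyond the threshold or never re-authorized through SSO."""
    cutoff = now - timedelta(days=idle_days)
    return [p for p in pats if p["last_used"] < cutoff or not p["sso_authorized"]]


def evidence_packet(signins=SIGNINS, grants=GRANTS, pats=PATS):
    """Step 5: one summary you could export each month as audit evidence."""
    return {
        "sso_coverage": round(sso_coverage(signins), 3),
        "sso_bypass_count": len(sso_bypasses(signins)),
        "risky_grant_count": len(risky_grants(grants)),
        "offline_access_grants": sum("offline_access" in g["scopes"] for g in grants),
        "pat_findings": len(stale_or_unauthorized_pats(pats)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(evidence_packet(), indent=2))
```

In practice the three input lists would be fed from IdP sign-in logs, the consent-grant export of your identity provider and the token listings of each SaaS tool; the checks themselves do not change, and the summary dict is what a monthly evidence packet would carry.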
With Waldo: we correlate identity + network + OAuth, flag SSO bypass, bulk-revoke risky grants, and package the proof in one click via the SaaS Compliance Overview.
Quick diagnostic: are you off by 10–20×?
Can you list all apps, tenants, and OAuth clients in use (including genAI and browser plug-ins)?
Do you know which apps enforce SSO vs. merely support it?
How many grants with offline_access exist right now?
Which PATs/SSH keys are still authorized? (Check GitHub’s SSO-authorization status.) (GitHub Docs)
How many external guests still have editor/admin roles?
If you can’t answer in minutes, your “perimeter” is wishful thinking.
The move: shift from identity-only to SaaS-layer reality
See it. Build a living inventory from IdP sign-ins, email/collab logs, DNS/proxy, browser extensions, and spend. (That’s the TRA playbook.) (CISA)
Shrink it. Enforce SSO/MFA by data sensitivity; lock down consent; revoke persistent tokens; fix public links and guest sprawl.
Prove it. Keep evidence rolling monthly—faster detection and containment = lower loss. (IBM)
Want the fast lane? Start by mapping reality with Instant SaaS Discovery. Then turn identity chaos into clean, exportable proof with the SaaS Compliance Overview.