
Why Identity-Centric Security Scales Better Than App-Centric Security

App-by-app security breaks at SaaS scale. Identity-centric security scales with the business — because it governs access, not tools.



The Scaling Problem No One Talks About

Most security programs still grow the same way they did ten years ago: one app at a time.

A new SaaS tool appears. Security reviews it. Controls are configured. Exceptions are documented.

Then it happens again. And again. And again.


This model collapses at modern SaaS scale — not because teams are lazy, but because the unit of control is wrong.


Why App-Centric Security Fails at Scale

App-centric security assumes:

  • You know which apps exist

  • You can evaluate them individually

  • They change slowly

  • Ownership is clear


None of that holds true anymore.


According to Waldo Security’s 2025 SaaS & Cloud Discovery Report:

  • 97% of SaaS applications are unknown to IT

  • 100% of organizations have unauthorized cloud accounts

  • Less than 1% of SaaS accounts enforce MFA


If most apps are unknown, app-by-app governance is mathematically impossible.


The issue isn’t effort. It’s architecture.


SaaS Broke the App Boundary

In modern environments:

  • Apps connect to other apps

  • Data flows across platforms

  • OAuth tokens act independently

  • APIs outlive the tools that created them


The idea that each app is a self-contained security boundary is obsolete.

Security decisions now happen between apps — at the identity layer.


Identity Is the Only Stable Control Plane

Applications come and go. Identities persist.


Employees change roles. Integrations remain.


Departments adopt tools independently. Access patterns repeat.


Identity-centric security works because it governs:

  • Who can access

  • How access is granted

  • What that access can reach

  • Whether it should still exist


This is why the CISA Zero Trust Maturity Model places identity at the center of security architecture — not as a feature, but as the foundation: https://www.cisa.gov/zero-trust-maturity-model


Scaling Security Means Governing Patterns, Not Products

Identity-centric security doesn’t ask:

“Is this app secure?”

It asks:

  • Does this identity enforce SSO and MFA?

  • Is access least-privileged?

  • Is delegated access visible?

  • Is access revocable everywhere?


Those questions scale because they apply regardless of which app is used.


The same identity rules can govern:

  • 10 apps or 1,000 apps

  • Known tools and shadow tools

  • Human users and non-human identities


OAuth Proves the Point

OAuth exposes the limits of app-centric thinking.


An OAuth token:

  • Is granted once

  • Applies across apps

  • Operates without re-authentication

  • Persists beyond app lifecycle


CISA’s Secure Cloud Business Applications (SCuBA) guidance warns that OAuth permissions create durable access paths that bypass traditional app-level controls: https://www.cisa.gov/secure-cloud-business-applications-scuba


You can’t secure OAuth by securing one app at a time. You secure it by governing identity and delegation.
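As an added example (not Waldo Security’s code or any product’s), here is the kind of identity-rule check the two preceding sections describe, run over a small constructed inventory: the same rules (SSO, MFA, active owner) are applied to every identity regardless of which apps it reaches, and OAuth grants are judged by the identity that consented, so a grant whose owner has left or whose app was decommissioned surfaces as durable access. All identity and app names are constructed.

```python
from dataclasses import dataclass, field

# Constructed sample inventory for illustration only; none of these names are real.
@dataclass
class Identity:
    name: str
    kind: str                 # "human" or "service" (non-human)
    active: bool              # still employed / still deployed
    sso: bool                 # authenticates through the central IdP
    mfa: bool
    apps: set[str] = field(default_factory=set)   # apps are attributes, not control points

@dataclass
class OAuthGrant:
    identity: str             # identity that consented once
    app: str                  # third-party app holding the token

IDENTITIES = [
    Identity("alice", "human", True, True, True, {"crm", "docs"}),
    Identity("bob", "human", False, True, True, {"docs"}),        # left the company
    Identity("ci-bot", "service", True, False, False, {"repo"}),  # local credential, no SSO
    Identity("carol", "human", True, True, False, {"crm"}),
]
GRANTS = [
    OAuthGrant("bob", "notes-ai"),       # consent outlives the person
    OAuthGrant("alice", "old-crm"),      # token outlives the app
    OAuthGrant("ci-bot", "deploy-hook"),
]
DECOMMISSIONED_APPS = {"old-crm"}

def evaluate(identities, grants, decommissioned):
    """Apply one set of identity rules to every identity and grant, whatever the app.
    Returns (identity, finding) pairs; an empty list means every rule held."""
    findings = []
    by_name = {i.name: i for i in identities}
    for i in identities:
        if not i.sso:
            findings.append((i.name, "bypasses SSO"))
        elif not i.mfa:
            findings.append((i.name, "no MFA"))
        if not i.active and i.apps:
            findings.append((i.name, f"inactive but still reaches {sorted(i.apps)}"))
    for g in grants:          # delegated access is checked by who granted it, not by app
        owner = by_name.get(g.identity)
        if owner is None or not owner.active:
            findings.append((g.identity, f"orphaned OAuth grant to {g.app}"))
        elif g.app in decommissioned:
            findings.append((g.identity, f"grant to decommissioned app {g.app}"))
    return findings
```

Adding a new app to the inventory changes no rule; only the data grows, which is the scaling property the text argues for.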


Compliance Already Favors Identity-Centric Models

Modern compliance frameworks don’t evaluate apps in isolation.

The NIST Privacy Framework and ISO/IEC 27001 require:

  • Traceability of access

  • Accountability across systems

  • Continuous validation


Those requirements align naturally with identity-centric security.


Trying to meet them with static app inventories creates gaps auditors will eventually find.


What Identity-Centric Security Looks Like in Practice

At scale, identity-centric programs focus on:

  • Continuous discovery of identities and integrations

  • Centralized enforcement (SSO, MFA, lifecycle)

  • Visibility into delegated and non-human access

  • Evidence generation for audits and Zero Trust initiatives


Apps become attributes, not control points.


This flips the model:

  • Apps adapt to identity rules

  • Identity rules don’t adapt to apps


Why Most Organizations Are Mid-Transition

Many teams are already identity-centric — without realizing it.

They:

  • Centralize authentication

  • Enforce MFA

  • Standardize access reviews


But they stop at known apps.

Without discovery, identity-centric security governs only part of the environment — and assumes the rest doesn’t exist.

That’s where scale breaks again.


How Waldo Security Enables Identity at Scale

Waldo Security’s SaaS & Cloud Discovery Engine supports identity-centric security by:

  • Discovering known and unknown SaaS apps

  • Surfacing identities that bypass SSO

  • Mapping OAuth and delegated access

  • Exposing Shadow CSP environments

  • Providing continuous visibility for compliance and Zero Trust programs


It doesn’t replace IAM. It makes IAM scalable.


Conclusion: Scale Comes From the Right Abstraction

App-centric security scales linearly. Identity-centric security scales exponentially.

One governs tools. The other governs access.

In a SaaS-first world, only one of those can keep up.

Security doesn’t fail because there are too many apps. It fails when identity isn’t treated as the control plane.

👉 See how organizations are scaling identity-centric security in the 2025 SaaS & Cloud Discovery Report.

About Waldo Security

Waldo Security helps organizations discover, classify, and secure every SaaS and cloud service in use — known or unknown. By illuminating unmanaged identities, OAuth risk, and Shadow IT, Waldo enables security teams to scale identity-centric controls with confidence.
