Is
identity really the new firewall?
In the beginning there were usernames and passwords. Today we have the
FIDO Alliance,
biometrics,
Passkeys, and
non-human IAM tools to protect the enterprise and hybrid-cloud networks.
So,
is identity truly the new perimeter, firewall or attack surface? Just ask breach victims
JP Morgan,
Change Healthcare,
Microsoft and so on. Each of these firms are connected by an identity-related attack.
The answer to my question, depending on the vendor you ask, may just be a resounding “yes”. As attackers slip deeper and more adeptly into the inner sanctum of the enterprise, the legacy approach to
Identity Access Management (IAM) that worked just a
short time ago needs a refresh. If we learned one thing about identity from last month’s
RSAC 2025, the only thing shifting faster than the identity of style-chameleon Lady Gaga’s is IAM.
Avoiding the Identity Crisis
Just as many now peer into their Ring camera app to see who is and was at the front door, companies are evolving at a breakneck pace beyond the ancient name and password. The table stakes have never been higher.
An identity-first stance is the obvious counter punch to years of breaches tied to compromised identities and abused permissions.
As traditional network perimeters disappear with the rise of remote work and cloud services, identity has become the new security boundary—defining who gets access, from where, and under what conditions. Instead of trusting devices or locations, modern security
frameworks like Zero Trust rely on verifying user identity as the foundation for access control and risk management.
Zeroing in on the fix
At
RSAC, IAM was the focal point for CISOs hungry to implement modern security standards and procedures. IAM is now the hill that these leaders are fighting for and dying on. Identity has reached boardroom-level imperatives and the forward-facing key to mitigating risk and data protection. But implementing an identity-first, Zero Trust, FIDO Alliance-backed or non-human identity security solution can’t be a CISO checkbox or a compliance officer’s checklist item.
New Challenges, New Tech
The other big trend at RSAC–as it has been
everywhere lately–was artificial intelligence (AI). The rapid and pervasive onslaught of AI is complicating and confounding IAM efforts, as fraudsters are utilizing AI tools to hack access. Case in point: Two out of five applications (40%) failed to distinguish
between human and machine-based activity, creating a major attribution challenge for security teams, according to SaaS vendor Vorlon.
So-called
authorization sprawl, a term coined by SANS Fellow Joshua Wright to describe the unchecked growth of user privileges across hybrid cloud and Security as a Service (SaaS) environments, creates another issue in providing IT security through identity verification. According to Wright’s SANS Institute colleague, Ed Skoudis, president of the SANS Technology Institute, “Complexity is outpacing human comprehension. AI may be the only way we keep up.”
And cyber-crooks are aware of that the cat-and-mouse battle IAM presents. According to the
IBM X-Force 2025 Threat Intelligence Index nearly one-third of intrusions last year were identity-based attacks. Three out of 10 exploits were tied to the misuse of valid credentials, according to the report. Last year was the second year in a row that using
real logins, tied with the exploitation of public-facing applications, was a major cybercrime access vector, IBM said.
Is Identity the New Firewall? Hell Yeah!
“This isn’t about EDR bypass or malware sophistication… This is about an attacker using a browser, as a logged-in user, to hopscotch through environments you thought were segmented,” Wright said.
Who we are, how we define ourselves, our identity in all its forms in our professional and personal lives, is not only essential to security, it is the root of
trust in our personal relationships with our banks and investment firms, our doctors and other healthcare providers, our employers, our social media contacts, and the like. When that identity becomes compromised, it is not simply a matter of security, but a matter of broken trust at the most basic human level.
At
SC Media, we recognize the importance of identity-based cybersecurity. This inaugural weekly column is a first of many to come to explore Identity in its many digital incarnations. Let this
New Identity column be a stake in the ground to make sense of the daily barrage of IAM news, tech, tools, companies and identity breaches.
What role does identity play in your cyber defenses? How are you implementing IAM? What are the biggest challenges IAM creates for you? What best practices for multi-factor authentication can you share? How does identity fit into SaaS platform? Drop me a line and let's start this dialogue together.
You can reach the real Pepper Hoffman at karen[.]pepper[.]hoffman(at)gmail.com.Bio: Pepper Hoffman has been covering business and technology issues, particularly cybersecurity and FinTech, for more than three decades as a writer and industry analyst. Look for her latest New Identity column on SC Media each week. And stay up on the latest in Identity with SC Media here. 
