TL;DR: Traditional perimeter security breaks down when attackers exploit identity, SaaS, and cloud trust relationships, as Unosecur argues in its analysis of identity-first Zero Trust. Continuous verification, least privilege, MFA, passwordless access, and ITDR shift control to the identity layer, where modern attacks actually operate.
NHIMG editorial — based on content published by Unosecur: "Why identity-first Zero Trust security trumps traditional perimeter: Lessons for managers"
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
Questions worth separating out
Q: How should security teams reduce blast radius in identity-first Zero Trust programmes?
A: They should focus on entitlement scope, not only authentication strength.
Q: Why do cloud and SaaS environments weaken perimeter-based security models?
A: Because the most sensitive actions happen inside provider-managed control planes after authentication, not at the network edge.
Q: What do security teams get wrong about MFA when adopting Zero Trust?
A: They often treat MFA as the finish line rather than one control in a wider governance model.
Practitioner guidance
- Map identities before redesigning controls: Inventory human users, privileged accounts, service accounts, API keys, and workload identities across SaaS and cloud platforms so you can see where trust is actually granted.
- Enforce MFA and passwordless for high-risk access: Start with administrative and remote users, then extend to sensitive applications where credential theft would create immediate lateral movement risk.
- Deploy adaptive access policies with identity telemetry: Use risk-based step-up checks for unfamiliar locations, anomalous device health, and abnormal token behaviour, then feed those signals into ITDR response.
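One way to turn the adaptive-policy guidance above into a concrete decision rule, as an added example (not code from Unosecur or NHIMG): a small Python scorer reads constructed identity telemetry (location, device posture, token reuse, requested scope), steps up MFA for human users, blocks workload identities that cannot answer a prompt, and emits an ITDR signal for every non-allow outcome. The identities, baselines, weights and thresholds are assumptions, not values from the article.

```python
from dataclasses import dataclass

# Constructed baselines: what each identity normally looks like (not real data).
BASELINES = {
    "alice":      {"human": True,  "countries": {"GB"}, "devices": {"lt-alice-01"}},
    "svc-backup": {"human": False, "countries": {"US"}, "devices": {"ci-runner-7"}},
}

@dataclass
class Event:
    identity: str
    country: str
    device: str
    device_healthy: bool      # posture result from the endpoint/MDM check
    token_ips: int            # distinct source IPs this token has been seen from
    privileged: bool          # admin/write scope requested

def score(ev: Event):
    """Accumulate a risk score and the signals behind it from identity telemetry."""
    base = BASELINES.get(ev.identity, {"human": True, "countries": set(), "devices": set()})
    risk, reasons = 0, []
    if ev.country not in base["countries"]:
        risk += 30; reasons.append("unfamiliar_location")
    if ev.device not in base["devices"]:
        risk += 20; reasons.append("unknown_device")
    if not ev.device_healthy:
        risk += 30; reasons.append("device_health")
    if ev.token_ips > 1:
        risk += 40; reasons.append("token_replay")  # one token, several source IPs
    if ev.privileged:
        risk += 10; reasons.append("privileged_scope")
    return risk, reasons

def decide(ev: Event) -> dict:
    """Map risk to an access decision; non-ALLOW outcomes carry an ITDR signal."""
    risk, reasons = score(ev)
    human = BASELINES.get(ev.identity, {"human": True})["human"]
    if risk >= 70:
        action = "DENY"
    elif risk >= 30:
        # A workload identity cannot answer an MFA prompt: block instead of step-up.
        action = "STEP_UP_MFA" if human else "DENY"
    else:
        action = "ALLOW"
    itdr = None if action == "ALLOW" else {"identity": ev.identity, "risk": risk, "signals": reasons}
    return {"action": action, "risk": risk, "reasons": reasons, "itdr_event": itdr}

# Constructed sample: a privileged request from an unfamiliar country triggers step-up.
print(decide(Event("alice", "RO", "lt-alice-01", True, 1, True))["action"])  # STEP_UP_MFA
```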
What's in the full article
Unosecur's full blog covers the operational detail this post intentionally leaves for the source:
- The article walks through the Commvault Metallic case in more detail, including how the SaaS compromise exposed application secrets and OAuth tokens.
- It explains the practical sequence for moving from perimeter assumptions to identity-first controls across cloud and SaaS estates.
- It expands the implementation advice for MFA, passwordless access, adaptive policies, entitlement review, and ITDR.
- It ties the model to Zero Trust metrics such as MFA coverage, privilege reduction, and response speed.
Read Unosecur's analysis of identity-first Zero Trust and perimeter limits:
Identity-first zero trust: are perimeter controls keeping up?