TL;DR: Remote work has pushed identity digital security from a login problem into a continuous trust problem, with the article highlighting Zero Trust, MFA, UBA, IAM, SSO, and SASE as the main response patterns, according to GlobalSign. The practical takeaway is that access, context, and user behaviour now have to be governed together rather than as separate controls.
NHIMG editorial — based on content published by GlobalSign: remote work and the evolution of digital identity security
By the numbers:
- 28% of all workdays were remote last year, according to WFH Research.
- 30% of respondents said they wanted to be fully remote, according to WFH Research.
Questions worth separating out
Q: How should security teams govern remote access when users are outside the office perimeter?
A: Security teams should govern remote access with identity, device, and session context instead of trusting location.
Q: Why does remote work increase identity risk for IAM programmes?
A: Remote work increases identity risk because users connect from more places, more devices, and more applications, which expands the number of trust decisions IAM must make.
Q: How can organisations know whether behavioural analytics is actually helping?
A: Behavioural analytics is working when it surfaces meaningful anomalies that correlate with risky access, not when it simply generates alerts.
Practitioner guidance
- Harden remote access policy at the identity layer Require MFA, device checks, and contextual access decisions for remote logins instead of relying on network location or VPN presence alone.
- Standardise SSO and IAM coverage across apps Bring collaboration, developer, and business applications under a single provisioning and deprovisioning model so remote users do not accumulate unmanaged access paths.
- Add behavioural review to access monitoring Use UBA to flag anomalous session behaviour after authentication, especially for contractors and high-value users working from unmanaged networks.
What's in the full article
GlobalSign's full article covers the operational detail this post intentionally leaves for the source:
- The article expands on practical remote-work identity patterns, including how MFA, SSO, and IAM are framed together for distributed teams.
- It discusses user behaviour analysis and SASE in a way that helps practitioners connect access policy with session-level monitoring.
- It touches on legal and compliance considerations such as GDPR and CCPA that shape remote identity governance decisions.
- It includes broader commentary on blockchain, quantum readiness, and future identity models that go beyond this post's governance focus.
👉 Read GlobalSign's analysis of remote work and digital identity security →
Remote work identity security: what IAM teams need to do now?
Explore further
Remote work has converted human identity into a continuously exposed control surface. The article is not really about remote work itself; it is about the collapse of office-based trust assumptions in IAM. When users authenticate from unmanaged locations, identity, device, and session context have to do the work that the network perimeter once did. Practitioners should treat remote access as an identity governance problem, not just an endpoint or VPN problem.
A few things that frame the scale:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: What is the difference between SSO and Zero Trust for remote identity security?
A: SSO simplifies how users authenticate across applications, while Zero Trust governs whether each access request should be allowed in the first place. SSO reduces password sprawl and user friction, but Zero Trust adds the continuous verification and contextual policy needed when users operate outside the corporate office.
👉 Read our full editorial: Remote work identity security is forcing stronger IAM controls