
The Fortress That Moves: Understanding the Shifting Identity Perimeter
Think of your organization's identity perimeter like a line of sandbags around a castle. In the old days, you'd pile them up once and feel secure—the castle walls were fixed, the moat was static. But in today's digital world, the ground itself is shifting. Every time a new employee joins, a contractor connects from a coffee shop, or a SaaS app is adopted without IT's knowledge, those sandbags move. The perimeter isn't a single wall anymore; it's a constantly evolving boundary that never stays where you left it. This article is your guide to understanding why that happens and, more importantly, what you can do about it. We'll skip the jargon and focus on real-world examples you can relate to.
Why the Old Model of 'Castle and Moat' Fails
The traditional security model assumed everything inside the corporate network was safe, and everything outside was dangerous. You built a strong firewall, managed your on-premises servers, and controlled access through VPNs. But today, users access resources from home, from airports, and from their phones. They use cloud apps like Slack, Salesforce, and Google Workspace that live outside your network. The castle walls have dissolved. Your identity perimeter now includes every identity—employee, partner, customer—and every device they use. It's no longer about where they are, but who they are and what they're doing.
The Sandbag Analogy: A Concrete Image
Imagine you're a small business owner with ten employees. You set up permissions for each person: who can access the financial system, who can edit the shared drive, who can log into the CRM. That's your sandbag perimeter. But then you hire someone new—you add a sandbag. An employee leaves—you remove one. You adopt a new project management tool—a whole new section of bags appears. A contractor needs temporary access—you shift a few bags. The perimeter is in constant flux. If you don't actively manage it, gaps appear. Someone might still have access after they leave, or a new hire might lack the permissions they need, causing frustration and security holes.
The core problem is that identity isn't a static asset. It's a dynamic, living system. Every change in your organization—hires, fires, role changes, new apps, new devices—ripples through your identity perimeter. And because most of these changes happen without fanfare, it's easy for the perimeter to drift out of alignment with your actual security needs. In this guide, we'll show you how to keep those sandbags in place, even as the ground moves beneath you.
The Invisible Architects: What Drives Identity Perimeter Drift
To manage a shifting perimeter, you first need to understand what's causing it to move. Think of these forces as invisible architects constantly redesigning your security landscape. Some are obvious, like employee turnover, but others are more subtle, like the silent adoption of a new cloud app by a single team. Let's explore the main drivers of identity perimeter drift, so you can spot them before they create gaps.
Shadow IT and SaaS Sprawl: The Unseen Expansion
One of the biggest culprits is shadow IT—when employees adopt software without IT's knowledge or approval. A marketing team might sign up for a social media scheduling tool, a sales rep might start using a personal file-sharing service, and a developer might spin up a test server in the cloud. Each of these creates a new identity: a user account on an external platform. Suddenly, your identity perimeter has expanded to include dozens or hundreds of external services, each with its own login, permissions, and security settings. You can't manage what you don't know about, so these new sandbags are often left unmonitored. The result? A fragmented perimeter with weak spots that attackers love to exploit. For example, an old account on a forgotten project management tool might still have access to sensitive data, even though the employee left months ago.
Identity Federation: When Boundaries Blur
Modern identity solutions like single sign-on (SSO) and federation (using a central identity provider like Okta or Azure AD) are meant to simplify access, but they can also blur the perimeter. When you federate with a partner organization or a third-party app, you're extending your trust boundary. If that partner's identity system is compromised, attackers can potentially access your resources through the trusted connection. Similarly, if you deactivate a user in your directory but forget to remove their access in a federated app, that user might still be able to log in. Federation adds complexity—the sandbags now include not just your own bags, but also those of your partners, vendors, and customers. Managing these relationships requires constant attention. A simple mistake, like not revoking a federated session after a partner contract ends, can leave a door open for months.
Device Diversity and Remote Work
The explosion of remote work has multiplied the number of devices accessing your resources. Employees use company laptops, personal phones, home desktops, and tablets—all of which need to be authenticated and authorized. Each device is a potential entry point into your identity perimeter. If an employee's personal phone is compromised, an attacker might steal their credentials and access corporate apps. The perimeter now extends to every device, everywhere. Without robust device management and continuous authentication, you're essentially adding sandbags made of paper. You need to know which devices are trusted, enforce policies like multi-factor authentication (MFA), and monitor for anomalous behavior. But even with these measures, the sheer number of devices makes the perimeter highly dynamic. A device that was safe yesterday might be compromised today, and your perimeter needs to adapt in real time.
These forces—shadow IT, federation, and device diversity—are not going away. They're the new normal. The key is to accept that your identity perimeter will always shift and build processes to track and respond to those shifts. In the next section, we'll dive into practical steps you can take to keep your sandbags aligned.
Building a Living Map: Continuous Discovery and Monitoring
If your identity perimeter is constantly shifting, you need a map that updates in real time. You can't rely on a static spreadsheet or an annual audit. Instead, you need continuous discovery and monitoring—a living map that shows you every identity, every access right, and every device connected to your organization. This section walks you through the practical steps to create and maintain that map, using tools and processes that even a small team can manage.
Step 1: Inventory Every Identity
Start by listing every identity that has access to your resources. This includes employees, contractors, partners, service accounts (automated accounts used by applications), and even customer accounts if you run a customer-facing platform. Use your identity provider (IdP) like Azure AD, Okta, or Google Workspace as a starting point, but don't stop there. You also need to discover accounts in other systems: your HR software (which creates employee identities), your payroll system, your cloud infrastructure (AWS, Azure, GCP), and all your SaaS apps. Tools like cloud access security brokers (CASBs) or identity governance and administration (IGA) platforms can help automate this discovery. For a small business, a manual audit every quarter might suffice, but as you grow, automation becomes essential. The goal is a single, authoritative list of every identity that can access your resources. Without this foundation, you're building your perimeter on quicksand.
Step 2: Map Access Rights Continuously
Once you have your identity inventory, you need to map what each identity can access. This is where the sandbags really start to shift. An employee's access might include: email, file shares, CRM, ERP, project management tools, and cloud servers. Each of these systems has its own permissions—some might be role-based, others might be individually assigned. The challenge is that access rights change frequently: a promotion grants new permissions, a project requires temporary access, a system migration alters configurations. To keep your map accurate, you need to regularly pull access data from each system and correlate it with your identity inventory. Many IGA tools can do this automatically, sending alerts when they detect unusual access changes. For example, if a marketing intern suddenly gains admin rights to the financial system, that should trigger an immediate investigation. Continuous mapping also helps you spot orphaned accounts—accounts that still exist but are no longer associated with an active employee or service. These are prime targets for attackers.
Step 3: Monitor for Anomalies and Changes
Discovery and mapping are only useful if you act on the information. You need to monitor for changes and anomalies in real time. This means setting up alerts for: new accounts created outside your standard provisioning process, privilege escalations (e.g., a user being added to an admin group), failed login attempts from unusual locations, and access to sensitive data outside business hours. Many identity security platforms offer user and entity behavior analytics (UEBA) that can detect these patterns. For a smaller team, you can start with basic logging and manual review, but as you scale, automated monitoring is a game-changer. The key is to create a feedback loop: every change to the identity perimeter should be logged, reviewed, and (if necessary) acted upon. Think of it like a security camera system for your sandbags—you need to know when someone moves a bag, even if it's a legitimate move.
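The three steps above, worked through as one reconciliation script. This is an added example, not code from the article or from any IdP or IGA vendor: it joins a constructed HR roster, IdP export, SaaS user lists and IdP audit log, and every record, field name and actor name (such as the assumed `hr-sync` provisioning connector) is an assumption made for the illustration.

```python
"""Added example (not from the article or any vendor): reconcile an HR roster,
an IdP export, per-app SaaS user lists and an IdP audit log to surface the
gaps Steps 1-3 describe. All records are constructed; field names are assumed."""

# Step 1 source of truth for people: constructed HR roster (name -> status).
HR_ROSTER = {"alice": "active", "bob": "terminated", "carol": "active"}

# Constructed IdP export: who can sign in and which groups they hold (Step 2).
IDP_ACCOUNTS = {
    "alice": {"type": "user", "enabled": True, "groups": {"finance-users"}},
    "bob": {"type": "user", "enabled": True, "groups": {"sales-users"}},  # left, never disabled
    "carol": {"type": "user", "enabled": True, "groups": {"marketing-users", "finance-admins"}},
    "tempuser": {"type": "user", "enabled": True, "groups": set()},  # created by hand, no HR record
    "svc-backup": {"type": "service", "enabled": True, "groups": {"db-admins"}, "owner": ""},
    "svc-ci": {"type": "service", "enabled": True, "groups": {"ci-runners"}, "owner": "alice"},
}

# Constructed user lists pulled from each SaaS app's admin console.
SAAS_ACCOUNTS = {
    "projecttool": {"alice", "bob", "dave"},  # "dave" exists only in this app
    "crm": {"carol"},
}

ADMIN_GROUPS = {"finance-admins", "db-admins"}
PROVISIONING_ACTORS = {"hr-sync"}  # assumed name of the automated HR-to-IdP connector

# Constructed IdP audit lines: "<iso-timestamp> <actor> <action> <target> <group>".
AUDIT_LOG = [
    "2024-05-01T09:12:00Z hr-sync user.create carol -",
    "2024-05-01T09:13:00Z hr-sync group.add carol marketing-users",
    "2024-05-02T14:30:00Z it-admin user.create tempuser -",
    "2024-05-03T22:47:00Z it-admin group.add carol finance-admins",
    "2024-05-04T08:05:00Z it-admin group.add svc-backup db-admins",
]


def find_orphaned(hr=HR_ROSTER, idp=IDP_ACCOUNTS):
    """Enabled human accounts whose HR record is terminated or missing."""
    return {u for u, a in idp.items()
            if a["type"] == "user" and a["enabled"] and hr.get(u) != "active"}


def find_shadow(idp=IDP_ACCOUNTS, saas=SAAS_ACCOUNTS):
    """App accounts with no IdP identity: created outside provisioning."""
    return {(app, u) for app, users in saas.items() for u in users if u not in idp}


def find_unowned_service(idp=IDP_ACCOUNTS):
    """Service accounts with nobody accountable for them."""
    return {u for u, a in idp.items() if a["type"] == "service" and not a.get("owner")}


def parse_audit(line):
    ts, actor, action, target, group = line.split()
    return {"ts": ts, "actor": actor, "action": action, "target": target, "group": group}


def find_escalations(log=AUDIT_LOG, admin_groups=ADMIN_GROUPS):
    """Audit events that add any account to an admin group (Step 3 alert)."""
    events = map(parse_audit, log)
    return [e for e in events if e["action"] == "group.add" and e["group"] in admin_groups]


def find_out_of_band_creates(log=AUDIT_LOG, actors=PROVISIONING_ACTORS):
    """Accounts created by something other than the provisioning connector."""
    events = map(parse_audit, log)
    return [e["target"] for e in events if e["action"] == "user.create" and e["actor"] not in actors]


def reconcile():
    """One pass over all sources; run it on a schedule to keep the map live."""
    return {
        "orphaned": find_orphaned(),
        "shadow": find_shadow(),
        "unowned_service": find_unowned_service(),
        "escalations": [(e["ts"], e["target"], e["group"]) for e in find_escalations()],
        "out_of_band_creates": find_out_of_band_creates(),
    }


if __name__ == "__main__":
    for finding, items in reconcile().items():
        print(f"{finding}: {items}")
```

Note that `tempuser` shows up twice, once as an out-of-band creation in the audit log and once as an orphan with no HR record, which is exactly the cross-check the feedback loop in Step 3 is meant to give you.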
Continuous discovery and monitoring turn your identity perimeter from a static liability into a dynamic, manageable asset. You'll catch issues before they become breaches, and you'll have the data you need to make informed decisions about access policies. In the next section, we'll look at tools and technologies that can help you scale these efforts.
Tools of the Trade: Choosing the Right Identity Security Stack
Managing a shifting identity perimeter requires more than good intentions—you need the right tools. But with hundreds of products on the market, it's easy to get overwhelmed. This section breaks down the key categories of identity security tools, what they do, and how to choose the right mix for your organization. We'll focus on practical considerations like budget, team size, and complexity, so you can make an informed decision without drowning in marketing hype.
Identity and Access Management (IAM) Platforms
At the core of your identity stack is an IAM platform, which handles user authentication, authorization, and lifecycle management. Popular options include Microsoft Entra ID (formerly Azure AD), Okta, Ping Identity, and Google Cloud Identity. These platforms provide single sign-on (SSO), multi-factor authentication (MFA), and user provisioning. For most organizations, this is the first tool you should invest in. When evaluating IAM platforms, consider: how well does it integrate with your existing apps and directories? Does it support the authentication protocols you need (SAML, OAuth, OpenID Connect)? Can it automate user provisioning and deprovisioning from your HR system? A good IAM platform acts as the central nervous system for your identity perimeter, making it easier to add, modify, and remove access across all your systems. For a small business, a simple Google Workspace or Microsoft 365 setup might suffice initially, but as you grow, a dedicated IAM platform becomes essential.
Identity Governance and Administration (IGA) Tools
While IAM handles day-to-day access, IGA tools focus on governance—ensuring that access rights align with policy and regulations. IGA solutions like SailPoint, Saviynt, and One Identity help you: automate access certification (reviewing who has access to what), enforce separation of duties, and detect policy violations. They also provide the continuous discovery and mapping capabilities we discussed earlier. IGA is particularly important for regulated industries like finance and healthcare, where you need to prove compliance with standards like SOX, HIPAA, or GDPR. For smaller organizations, the cost and complexity of a full IGA suite might be overkill, but you can still achieve some governance through manual processes and built-in features of your IAM platform. The key is to have a process for regularly reviewing access rights, especially for privileged accounts.
Privileged Access Management (PAM) Solutions
Privileged accounts—like admin accounts, service accounts, and root users—are the crown jewels of your identity perimeter. If an attacker compromises a privileged account, they can move laterally across your systems with impunity. PAM tools like CyberArk, BeyondTrust, and Delinea help you: vault credentials (store passwords securely), rotate passwords frequently, and monitor session activity. They also provide just-in-time (JIT) access, granting elevated privileges only when needed and for a limited time. For any organization with more than a handful of administrators, a PAM solution is a must-have. It directly addresses the risk of privileged account abuse, which is a common vector in major breaches. When selecting a PAM tool, consider: ease of use for administrators, integration with your existing IAM platform, and support for cloud environments (AWS, Azure, GCP).
Cloud Access Security Brokers (CASBs) and SaaS Security
As shadow IT and SaaS sprawl expand your perimeter, CASBs like Netskope, Zscaler, and McAfee MVISION help you discover and control cloud app usage. They sit between users and cloud apps, enforcing security policies like data loss prevention (DLP), threat protection, and access control. For example, a CASB can block access to a risky cloud app or prevent a user from downloading sensitive data to an unmanaged device. CASBs are especially valuable for organizations with a large fleet of SaaS apps. They provide visibility into the shadow IT that IAM platforms often miss. However, they can be complex to deploy and require ongoing tuning. For smaller teams, starting with a solid IAM platform and manual app discovery might be more practical, then adding a CASB as the SaaS portfolio grows.
Choosing the right tools depends on your specific needs, budget, and risk appetite. Start with the basics—IAM and MFA—then layer in IGA, PAM, and CASB as your perimeter expands. The goal is not to buy every tool, but to build a cohesive stack that gives you visibility and control over your shifting identity landscape.
Growing Pains: Scaling Identity Management as You Expand
What works for a 10-person startup breaks for a 100-person company, and what works for 100 people fails at 1,000. As your organization grows, the identity perimeter doesn't just get bigger—it gets exponentially more complex. New departments, new locations, new acquisitions, and new cloud services all add layers of complexity. This section explores the common scaling challenges and how to adapt your identity management practices to keep pace with growth, without sacrificing security or usability.
The Role of Automation in Scaling
Manual processes that worked for a small team—like onboarding users by hand or using a shared spreadsheet for access rights—become untenable as you scale. Automation is the key to managing a growing identity perimeter. Start by automating user provisioning and deprovisioning. Connect your HR system (like Workday or BambooHR) to your IAM platform, so that when a new hire is added to the HR system, their accounts are automatically created in all required apps. When an employee leaves, their access should be revoked across the board automatically. This eliminates the common problem of orphaned accounts. Next, automate access certification. Instead of manually reviewing every user's access once a year, use your IGA tool to send periodic review tasks to managers, with automated reminders and escalation. Automation reduces human error and frees up your IT team to focus on more strategic tasks. For example, one growing company I read about used automation to reduce their onboarding time from two days to two hours, while also eliminating a backlog of 500 unrevoked accounts that had accumulated over six months.
Managing Third-Party and Contractor Access
As you grow, you'll rely more on contractors, vendors, and partners. These external identities add a new dimension to your perimeter because they often need temporary access to specific resources. The challenge is managing their lifecycle: granting access when a project starts, modifying it as needs change, and revoking it when the engagement ends. Best practice is to create a separate identity provider or directory for external users, or use the built-in guest user features of platforms like Azure AD (B2B collaboration) or Okta. Define policies for temporary access: set expiration dates on accounts, require MFA for external users, and limit access to only the resources they need. Regularly audit external access to ensure no one still has access after their contract ends. A common pitfall is treating external users as permanent—they often get added to the same groups as employees, which can lead to over-privileged access. Instead, create specific groups for each project or vendor, and enforce time-bound access.
Adapting to Mergers and Acquisitions
If your company acquires another, you suddenly inherit a completely different identity perimeter with its own users, apps, and policies. This is one of the most challenging scenarios for identity management. The first step is to discover and inventory the acquired company's identities and access rights. Then, plan a gradual integration: align their identity provider with yours, migrate users to your IAM platform, and harmonize access policies. This process can take months and requires careful coordination to avoid disrupting business operations. A common mistake is to rush the integration, leaving gaps that attackers can exploit. For example, old accounts from the acquired company that were never migrated might still have access to resources, creating a persistent backdoor. Take a phased approach: start with critical systems, enforce consistent MFA and password policies, and continuously monitor for anomalies during the transition. Mergers and acquisitions are a high-risk period for identity security, so treat them with the attention they deserve.
Scaling identity management is about building repeatable processes and investing in automation early. The cost of fixing identity issues after a breach is far higher than the cost of proactive scaling. By anticipating growth and planning for it, you can keep your sandbags in order even as your organization expands.
When Sandbags Leak: Common Pitfalls and How to Avoid Them
Even with the best intentions, managing a shifting identity perimeter is fraught with pitfalls. Some are obvious, like ignoring orphaned accounts, but others are more subtle, like over-relying on a single tool or assuming your cloud provider handles security. This section highlights the most common mistakes we've seen—and how to avoid them. By learning from others' missteps, you can strengthen your own perimeter without having to experience the breach yourself.
Pitfall 1: Neglecting Service Accounts and Non-Human Identities
In many organizations, the focus is on user accounts—employees, contractors, and customers. But service accounts (automated accounts used by applications, scripts, and APIs) are often overlooked. These accounts can have powerful permissions, and because they're not associated with a person, they're rarely reviewed. A classic example is a service account with admin rights to a database that was created for a project and never decommissioned. Attackers who compromise a service account can often move laterally with ease. To avoid this pitfall, treat service accounts as first-class identities. Inventory them, assign them the minimum permissions necessary, rotate their credentials regularly, and monitor their activity. Use dedicated service account management features in your PAM solution to vault and rotate passwords automatically. Remember, a service account is just as dangerous as a compromised user account—sometimes more so.
Pitfall 2: Over-Privileged Users and 'Access Creep'
Over time, employees accumulate permissions. They switch roles, take on new responsibilities, and get added to groups—but rarely are old permissions removed. This phenomenon, known as access creep, means that many users have far more access than they need. A salesperson who was once a project manager might still have access to the project management system and its sensitive data, even though they no longer need it. Access creep is a major risk because it expands the attack surface. If a salesperson's account is compromised, the attacker can access not just the CRM, but also the project management system. The solution is regular access reviews—at least quarterly—where managers certify that their team members' access is still appropriate. Use your IGA tool to automate these reviews and flag users with excessive permissions. Additionally, implement the principle of least privilege: grant the minimum access needed for a user to do their job, and require approval for any privilege escalation.
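The access review described above, as an added example that is not part of the article or of any IGA product: it compares each user's entitlements with a least-privilege baseline for their current role, attributes the excess to the prior role that probably granted it, and applies the manager's keep/revoke decisions. The role names, entitlement names and user records are all constructed for the illustration.

```python
"""Added example (not from the article or any IGA product): flag access creep
by comparing each user's current entitlements with the baseline for their
current role, then apply a manager's certification decisions. Constructed data."""

# Constructed least-privilege baselines: what each role actually needs.
ROLE_BASELINE = {
    "project_manager": {"email", "pm-tool", "pm-tool-reports"},
    "sales": {"email", "crm"},
    "finance_analyst": {"email", "erp-readonly"},
}

# Constructed user records: current role, earlier roles, and what they hold now.
USERS = {
    "erin": {"role": "sales", "manager": "frank", "prior_roles": ["project_manager"],
             "entitlements": {"email", "crm", "pm-tool", "pm-tool-reports"}},
    "gus": {"role": "finance_analyst", "manager": "hana", "prior_roles": [],
            "entitlements": {"email", "erp-readonly", "erp-admin"}},
    "ivy": {"role": "sales", "manager": "frank", "prior_roles": [],
            "entitlements": {"email", "crm"}},
}


def excess_entitlements(user, baseline=ROLE_BASELINE):
    """Entitlements the current role does not justify, mapped to the prior role
    that most likely granted each one ('unknown' when no role explains it)."""
    allowed = baseline[user["role"]]
    origin = {}
    for ent in user["entitlements"] - allowed:
        origin[ent] = next((r for r in user["prior_roles"] if ent in baseline.get(r, set())),
                           "unknown")
    return origin


def build_review(users=USERS, baseline=ROLE_BASELINE):
    """Group flagged users by manager, the way a certification campaign assigns tasks."""
    review = {}
    for name, u in users.items():
        excess = excess_entitlements(u, baseline)
        if excess:
            review.setdefault(u["manager"], []).append({"user": name, "excess": excess})
    return review


def apply_decisions(user, decisions, baseline=ROLE_BASELINE):
    """Apply {entitlement: 'keep' | 'revoke'} to a user's flagged entitlements.
    Every flagged entitlement needs an explicit, valid decision; otherwise the
    certification is incomplete and nothing changes. Returns the new set."""
    flagged = set(excess_entitlements(user, baseline))
    missing = flagged - set(decisions)
    if missing:
        raise ValueError(f"undecided entitlements: {sorted(missing)}")
    bad = [e for e in flagged if decisions[e] not in ("keep", "revoke")]
    if bad:
        raise ValueError(f"invalid decision for: {sorted(bad)}")
    revoke = {e for e in flagged if decisions[e] == "revoke"}
    return user["entitlements"] - revoke


if __name__ == "__main__":
    for manager, items in build_review().items():
        print(manager, items)
    print(apply_decisions(USERS["erin"], {"pm-tool": "keep", "pm-tool-reports": "revoke"}))
```

An entitlement with origin `unknown` (here `erp-admin` on a finance analyst) is the case worth looking at first, since no role in the baseline ever justified it.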
Pitfall 3: Ignoring the Human Element
No tool can fully protect against a user who clicks a phishing link or uses a weak password. The human element is often the weakest link in the identity perimeter. Attackers know this, which is why phishing attacks remain one of the most common initial access vectors. To mitigate this, invest in security awareness training. Teach users how to recognize phishing emails, use strong passwords (or better yet, passkeys), and report suspicious activity. But don't stop at training—enforce MFA everywhere, and consider using phishing-resistant MFA methods like FIDO2 security keys or biometrics. Also, implement conditional access policies that block sign-ins from unusual locations or devices. For example, if a user based in New York suddenly tries to log in from a location known for cybercrime, the system should block the attempt and alert the user. Remember, technology alone can't prevent social engineering; you need a culture of security awareness.
By avoiding these common pitfalls, you can significantly reduce your risk of a breach. The key is to stay vigilant, review your practices regularly, and never assume that your perimeter is secure just because you've implemented some tools. The shifting sandbags require constant attention.
Quick Answers to Common Identity Perimeter Questions
Readers often have specific questions about how to apply these concepts in their own organizations. This section addresses the most common ones, providing clear, actionable answers. Whether you're just starting your identity journey or looking to refine an existing program, these FAQs will help you navigate the shifting landscape.
Q: How often should I review user access?
For most organizations, a quarterly review of user access is a good starting point. Critical systems (like financial or healthcare data) should be reviewed monthly. Use automated certification campaigns in your IGA tool to streamline this process. For smaller teams, a manual review every quarter can work, but as you grow, automation becomes essential. The key is to have a regular cadence—don't let access reviews slip, because that's when access creep and orphaned accounts accumulate.
Q: What's the most important single step I can take to improve identity security?
If you could only do one thing, enforce multi-factor authentication (MFA) on all accounts, especially privileged ones. MFA blocks the vast majority of credential-based attacks. According to many industry reports, MFA can prevent over 99% of account compromise attempts. It's not a silver bullet, but it's the highest-impact, lowest-cost measure you can take. Pair it with a strong password policy (or passwordless authentication) for even better protection.
Q: How do I handle identity security on a tight budget?
Start with free or low-cost tools. Most IAM platforms offer free tiers or basic versions (e.g., Azure AD Free, Google Workspace). Use built-in MFA and conditional access features. For monitoring, leverage the logging capabilities of your cloud providers (AWS CloudTrail, Azure Monitor) and set up basic alerts. For small businesses, a manual process of user inventory and quarterly access reviews using spreadsheets can work initially, but plan to invest in automation as you grow. Also, consider open-source tools like Keycloak for IAM or Wazuh for security monitoring. The most important thing is to have a process, not the most expensive tools.
Q: What should I do if I discover an orphaned account?
Immediately disable the account to prevent any unauthorized access. Then investigate why it was orphaned: did the user leave without being deprovisioned? Was it a service account that was forgotten? After investigating, either delete the account or, if it's needed for historical purposes, revoke all permissions and archive it. Update your deprovisioning process to prevent future orphaned accounts. For example, ensure that your HR system triggers automatic deprovisioning when an employee is terminated.
Q: How do I manage identities in a hybrid cloud environment?
Hybrid environments (on-premises plus multiple clouds) require a unified identity strategy. Use a central identity provider that supports both on-premises directories (like Active Directory) and cloud directories (like Azure AD). Implement consistent policies across all environments: enforce MFA, use conditional access, and monitor for anomalies. Tools like Azure Arc or AWS Identity Center can help you manage identities across hybrid infrastructure. The key is to avoid managing identities separately in each environment—that leads to fragmentation and gaps.
These answers cover the most frequent concerns we hear from readers. Remember, identity security is a journey, not a destination. Start with the basics, iterate, and continuously improve.
Keeping Your Sandbags in Place: A Call to Action
We've covered a lot of ground: from understanding why your identity perimeter is always shifting to building a living map, choosing the right tools, scaling with growth, avoiding common pitfalls, and answering your top questions. Now it's time to put this knowledge into action. The shifting sandbags of identity security can feel overwhelming, but you don't need to tackle everything at once. Start with a single, high-impact step, and build from there.
Your first priority should be to gain visibility. If you don't know what identities exist in your environment, you can't protect them. Run an inventory of all your users, service accounts, and devices. Use the free tools available in your current platforms to get started. Next, enforce MFA everywhere. This is the single most effective control you can implement. Finally, set up a regular cadence for access reviews—even if it's just a manual review every quarter. These three steps alone will dramatically improve your security posture.
Remember, the goal is not to build a static fortress—that's impossible. Instead, aim for a resilient, adaptive perimeter that you actively manage. Treat identity security as an ongoing process, not a one-time project. Invest in automation as you scale, educate your users, and stay informed about emerging threats and best practices. The landscape will continue to shift, but with the right mindset and tools, you can keep your sandbags in place.
Now, take the first step. Open your IAM dashboard, review your user list, and start the journey toward a more secure identity perimeter. Your future self—and your organization—will thank you.