The first time it really clicked for me was during an app-onboarding sprint: half the “users” weren’t employees. We had contractors, service accounts, APIs calling other APIs, and data living across SaaS and GCP. A network firewall didn’t help much there. What actually decided whether something was safe (or scary) was identity, who or what was asking for access, from where, on which device, with what level of proof.
That’s the core idea: in a cloud-and-SaaS world, identity is your perimeter. Here’s the playbook I use when I need to tighten it without slowing the business.
1) Start with impact, not org charts
Before tweaking policies, map identities → systems → data sensitivity → business impact. Keep it brutally simple:
- Who/what: workforce users, partners, service accounts, automations.
- What they touch: HR/finance, source code, customer data, internal tools
- Blast radius if compromised: high, medium, low.
- Required assurance per tier: phishing-resistant factor, device posture, step-up on risky actions.
Make this a one-pager everyone aligns on. It beats a 200-role catalog no one trusts.
2) Stronger MFA… that feels lighter
Security wins when it gets out of the way. Move beyond SMS codes. Favor passkeys/FIDO2 and platform biometrics for everyday flows, and adaptive authentication when risk rises (new device, odd geo, high-value export). The goal isn’t “more prompts”; it’s the right prompt at the right moment.
Pro tip: add transaction-level step-up for sensitive moves (payroll changes, bulk data exports). It’s invisible until it matters.
3) Kill standing privilege with JIT access
If attackers dream at night, they dream about always-on admin rights. Swap them for just-in-time (JIT), time-boxed access with an approval trail. Pair it with PAM for session recording on your crown jewels. You’ll still move fast, but your default state becomes no lingering power.
4) Treat machines like people (because they outnumber us)
Service accounts and automations quietly become your biggest identity population. Give them first-class treatment:
- Provision via your IdP/IGA (SCIM when available).
- Rotate secrets/keys automatically; ban shared creds.
- Track ownership and last use; decommission on owner change.
This closes a blind spot attackers happily exploit.
5) Automate the lifecycle: joiner → mover → leaver
Manual offboarding and role drift cause more risk than clever malware. Wire HR/MDM into your IdP so:
- Joiners get least-privileged access on day one.
- Movers receive delta access (adds and removes) automatically.
- Leavers lose access immediately across IdP, SaaS, VPN, and data layers.
If you run Okta Workflows or similar, this is low drama and high payoff. Quarterly access attestations for high-risk roles keep you audit-ready without chasing spreadsheets.
6) Use RBAC + ABAC together
Roles alone explode; attributes alone get messy. Combine them:
- RBAC defines the what (e.g., Marketing-Analyst).
- ABAC narrows the scope (region=GCC, brand=Retail, env=Prod).
Guardrail policy: no direct group grants without a ticketed reason. It keeps reviews sane.
7) Push policy to the edge (Zero Trust without the buzzwords)
Assume the network is hostile and focus on continuous evaluation: identity strength, device posture, context, and behavior. Enforce modern protocols (SAML/OIDC), close legacy auth, and micro-segment access at the application and action level. Your aim: even if someone wanders in, they can’t wander far.
8) Log like an auditor, alert like an analyst
When something goes wrong, you’ll need to answer who accessed what, when, how, and from where. Centralize IdP, PAM, and application logs with identity context. Useful detections:
- “Impossible travel” + high-value data export
- Mass permission grants after hours
- Repeated step-up failures on the same action
Keep evidence artifacts (policy versions, approvals, attestation results). Your future self will thank you during audits.
What this looked like in practice
On a recent identity modernization, we migrated apps to modern auth, automated joiner-mover-leaver with SCIM and workflows, and introduced JIT for admin roles. Two things happened quickly: (1) help-desk tickets fell because access was predictable, and (2) audit questions got easier because we had clean trails for “why this person had that access on that day.” None of this required exotic tech, just disciplined identity plumbing and a clear risk map.
A 90-day plan you can actually run
Days 1 to 30 – Baseline and quick wins
- Publish the risk map.
- Block legacy auth on top-10 apps; enable passkeys where easy.
- Turn on adaptive step-up for high-value actions.
Days 31 to 60 – Lifecycle + privilege
- Automate joiner/mover/leaver for your most used SaaS via SCIM/HR triggers.
- Pilot JIT admin on one critical platform and retire standing admin groups.
Days 61 to 90 – Scale and prove
- Expand SCIM coverage; add quarterly attestations for high-risk roles.
- Stream IdP/PAM logs to SIEM with identity context.
- Report four board-friendly metrics:
- % users on phishing-resistant MFA,
- % apps SCIM-managed,
- time to deprovision,
- JIT adoption for admin actions.
Common mistakes I’ve made (so you don’t)
- Shipping policy without change-management. Tell people what will change and why.
- Under-valuing movers. Promotions and transfers create silent privilege creep.
- Ignoring service accounts. If you don’t own them, no one does.
- Letting “temporary” access live forever. Time-box it by default.
The takeaway
Perimeters didn’t vanish; they moved to identity. If you raise assurance when risk rises, eliminate standing privilege, automate the lifecycle, and give machine identities real governance, you’ll lower incident risk while making life easier for your teams. That’s security people actually want to use.
