
Identity Is NOT the New Perimeter — Privileges Are

February 2025 / 6 min. read / Britive Team

Britive challenges the conventional narrative on identity security, arguing that privileges, not identities alone, define the modern security perimeter in cloud environments.

For years, the security industry has pushed the idea that identity is the new perimeter. 

It sounds good. It makes for great marketing. But it’s dangerously misleading in today’s cloud and threat landscape. 

Identity-based security became the industry focus as cloud footprints expanded, workforces became more mobile, and remote work grew. Without the network perimeter of traditional on-premises environments, it made sense to shift the focus to securing identities as the entry point into sensitive systems. 

Identity Gets You In, But Privileges Define the Damage 

A compromised identity isn’t the real problem — it’s what that identity can do once inside. 

No matter how many MFA layers, behavioral analytics, or AI-driven threat detections we implement, identities will get hacked. It’s not a matter of “if” but “when.” 

Phishing. Token theft. Credential stuffing. Attackers will find a way to breach identities. The real question is: 

What happens next? 

Two Breaches, Two Very Different Outcomes 

Scenario 1: An attacker steals a basic corporate email account. They read emails and maybe send a phishing attempt. The impact? Limited. 
 
Scenario 2: An attacker compromises an identity with standing admin rights or privileged database access. They take control of workloads, exfiltrate data, and move laterally. The impact? Catastrophic. 

Same attack method. The difference? Privileges. 

The Real Perimeter: Privileges Define the Blast Radius 

Think about it: privileges define the reach of an attacker. 

A compromised identity with no standing privileges hits a dead end: the attacker can't move laterally, escalate access, or execute privileged commands unless they can also get a just-in-time elevation approved, which is exactly where the remaining controls (approvers, short time windows, monitoring) apply. 

A compromised identity with persistent access unlocks everything in reach — expanding the attack surface instantly. 

And in a multi-cloud world, that means instant access to databases, production environments, Kubernetes clusters, and more. 

Identity isn’t the perimeter. Privileges are. 

The modern security approach must stop treating identity as the perimeter and start controlling privileges as the real security boundary. 

The Fix: Zero Standing Privileges (ZSP) 

Rather than only managing who has access, organizations need to manage when privileged access is granted and for how long. 

A security model designed for the cloud ensures: 

  • No standing privileges — No identity, human or non-human, holds persistent privileged access; it is provisioned Just-in-Time (JIT) and auto-revoked. 
  • Time-based, ephemeral access — Privileges expire automatically, so there are no inactive high-privilege accounts and no lingering credentials. A stolen credential or token carries no standing privilege to misuse or escalate once its window closes. 
  • Unified multi-cloud privilege enforcement — Consistent control across AWS, Azure, GCP, SaaS apps, and CI/CD pipelines. No lingering admin rights. Just tightly managed, ephemeral access everywhere it matters. 

Traditional PAM Still Leaves Gaps 

Traditional privileged access management (PAM) solutions rely on static credentials, password rotation, and vaulting to limit user access to privileged accounts. 

Even when checkout of a vaulted credential is granted just-in-time, this still leaves gaps: the privileged account itself continues to exist with all its permissions attached, so the credential remains a standing target between rotations. 

With a dynamic, ephemeral permissioning model, a compromised identity carries no high-level privileges outside an approved window, so there is little for an attacker to exploit. 

How to Start Implementing Zero Standing Privileges (ZSP) 

While identity and security teams must shift away from protecting identities alone, eliminating standing privileges across all accounts takes time.  

Security teams don’t need to overhaul everything overnight. 

A “Crawl, Walk, Run” approach allows for incremental progress toward zero standing privileges by: 

  1. Identifying High-Risk Privileges: Discover and audit all cloud entitlements and associated permissions (human and non-human alike).  
  2. Revoking Unnecessary Standing Permissions: Remove persistent entitlements that are not needed for day-to-day work, starting with admin-level rights on production systems. 
  3. Enforcing Just-in-Time Access: Implement temporary, approval-based access workflows for privileged tasks. 
  4. Automating Privilege Expiration: Revoke elevated access automatically after a set time window to prevent abuse and exploitation. 
  5. Continuous Monitoring & Adjustment: Track privilege escalation attempts and access patterns to keep fine-tuning policies. 

Instead of tackling everything at once, start where the risk is highest — secure critical entitlements and permissions first, then work to scale ZSP across your cloud environments. 
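The following Python program is an added example, not Britive's code or product: it models the five steps above as a small zero-standing-privilege grant store and reuses it to measure the blast radius of the two breach scenarios from earlier in the article. The identities (alice, bob, carol), privileges, resources and timestamps are constructed for illustration, and the approval rule (no self-approval, TTL capped at a configured maximum) is a design choice of this example rather than anything the article prescribes.

```python
"""Added example (not Britive's code): a minimal zero-standing-privilege (ZSP)
grant store that walks the crawl/walk/run steps and measures the blast radius
of the two breach scenarios. All identities, privileges, resources and
timestamps are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Grant:
    identity: str                   # human or non-human identity
    privilege: str                  # e.g. "rds:admin"
    resource: str                   # e.g. "prod-db"
    expires_at: Optional[datetime]  # None means a standing privilege


class PrivilegeStore:
    """The grant list is the only source of truth for what an identity can do."""

    def __init__(self, max_ttl: timedelta = timedelta(hours=1)):
        self.max_ttl = max_ttl
        self.grants: list[Grant] = []
        self.audit: list[dict] = []

    # Step 1, discovery: a standing grant is simply one with no expiry.
    def standing_grants(self) -> list[Grant]:
        return [g for g in self.grants if g.expires_at is None]

    # Step 2, revocation: drop standing grants except an explicit low-risk baseline.
    def revoke_standing(self, baseline: frozenset = frozenset()) -> list[Grant]:
        revoked = [g for g in self.standing_grants()
                   if (g.privilege, g.resource) not in baseline]
        self.grants = [g for g in self.grants if g not in revoked]
        return revoked

    # Steps 3 and 4, JIT elevation: an approver other than the requester, bounded TTL.
    def grant_jit(self, identity: str, privilege: str, resource: str,
                  ttl: timedelta, now: datetime, approved_by: str) -> Grant:
        if approved_by == identity:
            raise PermissionError("self-approval is not allowed")
        if ttl <= timedelta(0) or ttl > self.max_ttl:
            raise ValueError(f"ttl must be within (0, {self.max_ttl}]")
        grant = Grant(identity, privilege, resource, now + ttl)
        self.grants.append(grant)
        self.audit.append({"event": "grant", "grant": grant, "approved_by": approved_by})
        return grant

    # Expiry is enforced at evaluation time, so nothing lingers if a cleanup job fails.
    def effective(self, identity: str, now: datetime) -> set:
        return {(g.privilege, g.resource) for g in self.grants
                if g.identity == identity
                and (g.expires_at is None or now < g.expires_at)}

    # Step 5, monitoring: every decision is logged for review and policy tuning.
    def authorize(self, identity: str, privilege: str, resource: str, now: datetime) -> bool:
        allowed = (privilege, resource) in self.effective(identity, now)
        self.audit.append({"event": "authz", "identity": identity, "privilege": privilege,
                           "resource": resource, "at": now, "allowed": allowed})
        return allowed

    # Blast radius: the resources a compromised identity can reach right now.
    def blast_radius(self, identity: str, now: datetime) -> set:
        return {resource for _, resource in self.effective(identity, now)}


def demo() -> dict:
    """Scenario 1 (mailbox user) and scenario 2 (DBA) before and after ZSP."""
    t0 = datetime(2025, 2, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    store = PrivilegeStore(max_ttl=timedelta(minutes=30))
    store.grants = [  # constructed entitlements
        Grant("alice", "mail:read", "mailbox/alice", None),
        Grant("bob", "mail:read", "mailbox/bob", None),
        Grant("bob", "rds:admin", "prod-db", None),       # standing admin rights
        Grant("bob", "eks:admin", "prod-cluster", None),  # standing admin rights
    ]
    before = {"alice": store.blast_radius("alice", t0), "bob": store.blast_radius("bob", t0)}
    # Crawl: keep only each user's own mailbox as standing access, revoke the rest.
    baseline = frozenset({("mail:read", "mailbox/alice"), ("mail:read", "mailbox/bob")})
    revoked = store.revoke_standing(baseline)
    after_revoke = store.blast_radius("bob", t0)
    # Walk: bob gets 15 minutes of prod-db admin, approved by someone else.
    store.grant_jit("bob", "rds:admin", "prod-db", timedelta(minutes=15), t0, approved_by="carol")
    try:  # a request bob approves himself must be refused
        store.grant_jit("bob", "eks:admin", "prod-cluster", timedelta(minutes=15), t0, approved_by="bob")
        self_approval_blocked = False
    except PermissionError:
        self_approval_blocked = True
    # Run: a token stolen from bob is replayed inside the window and after it closes.
    return {
        "before": before,
        "revoked": len(revoked),
        "after_revoke": after_revoke,
        "self_approval_blocked": self_approval_blocked,
        "during_window": store.authorize("bob", "rds:admin", "prod-db", t0 + timedelta(minutes=5)),
        "after_window": store.authorize("bob", "rds:admin", "prod-db", t0 + timedelta(minutes=16)),
        "cluster_reachable": store.authorize("bob", "eks:admin", "prod-cluster", t0 + timedelta(minutes=5)),
        "audit_events": len(store.audit),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows bob's blast radius shrinking from three resources to his own mailbox once standing grants are revoked, a replayed token succeeding only inside the 15-minute window, and the cluster staying unreachable because that privilege was never re-granted. The point worth carrying into a real system is that expiry is checked at authorization time from the grant itself, not by a separate revocation job that can fail or lag.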

Perimeter Thinking Needs to Evolve 

The next time someone says identity is the new perimeter, ask them: 

What happens when that identity is compromised? 

If a security strategy doesn’t eliminate standing privileges and enforce the principle of least privilege, it’s securing yesterday’s world, not today’s threats. 

Build Security Where It Matters: At the Privilege Layer 

Britive has redefined cloud security by putting privileges, not identity, at the center of your security program strategy. 

Because it’s not about who you are (identity)—it’s what you can do (privilege) that defines the impact of a breach. 

Let’s build security where it matters: at the privilege layer.

Chat with one of our cloud security experts for a demo, or to learn more about how Britive can secure access in your environment.