Apr 1, 2026

Security that follows identity

Infrastructure Series
| Part
4

Reading time:

7 min

Access controls in a spreadsheet aren’t access controls. On building security architecture that travels with the user.

Author

Dimitri Phalen is the marketing lead at ISM who prefers plain language over big claims. For years, he’s worked behind the scenes, translating messy, complex IT problems into something teams can actually use. If something sounds like it was written by someone with not enough coffee, who’s been sitting too close to the delivery team for too long, that’s probably his fault.

Most security programs still talk like the internet is polite.

As if the bad stuff arrives in neat little packets that say “malware” on the label, like a suspicious box left on the front porch. In reality, a lot of today’s incidents start with someone logging in, looking normal and doing one tiny thing they shouldn’t, then another, then another, until suddenly you’re in a room full of people saying “how did they even get that far?”

Here’s the annoying truth: the perimeter is not gone, but it’s not the point anymore. Identity is the point.

If you’re still making most access decisions after traffic has already moved, you’re playing defence on rough ice with dull skates. You might stay upright, but you’re eventually going to lose the goal.

The problem nobody wants to admit

Most environments can’t answer these cleanly, without a scavenger hunt:

  • who is this, really?
  • what device are they on?
  • should they be allowed to do this right now?
  • if it goes sideways, will we see it quickly enough to matter?

When those answers are fuzzy, security becomes a game of “spot the weird thing in a sea of normal.” The human brain is not built for that. It’s built for spotting bears, not analysing ten thousand authentication events before lunch.

Also, Gary is going to click something. Not because Gary is reckless, but because Gary is human and the phishing email looked like a payroll update. Gary has a mortgage, and his mind on a project. Plan accordingly.

Why the old model keeps letting you down

Classic controls still matter. Firewalls still matter. Endpoint still matters. Logging still matters.

But the failure mode we keep seeing looks like this:

1) an attacker gets valid credentials, or a session, or a token
2) they move fast, because they can
3) defenders move slower, because the environment needs translation before action

Unit 42’s 2026 global incident response report puts the median time to exfiltration at about two days. [source] The fastest quarter of incidents hit exfiltration in just 72 minutes. That’s a 4x acceleration in a single year. Two days is not a lot of time for a committee-based response model, and 72 minutes is not a lot of time for anything.

The same report found identity weaknesses played a material role in nearly 90% of investigations, with 65% of initial access being identity-driven: stolen credentials, MFA bypass, IAM misconfigurations. This is why identity-driven security matters. Not as a slogan, as an operating constraint: speed is part of the threat model now, you need your break-away.

Identity as the enforcer, not the guest list

Identity should be the enforcer with a chip on his shoulder, not the clipboard in the back office.

That means access decisions happen before traffic moves, not after something looks suspicious. Microsoft Entra ID does most of this. If you’re on Okta, Ping or Duo, the principle is the same. It also means identity is not just “username and password,” it’s context: device health and posture, location and risk signals, privilege level and intent, what the user normally does, and what the user is doing right now.

If that sounds like work, it is. The alternative is treating every login as equally trustworthy until proven otherwise, right up until it ruins your quarter. This is also where SASE and SSE platforms earn their keep. Fortinet, Palo Alto, Cisco, pick your flavour, the goal is consistent policy and evidence, not which logo gets the credit. And yes, this is how you stop replaying the same mess every time Gary clicks something.

What actually helps, in real environments

Make identity the control plane

If identity is bolted on, you end up with security rules that can’t keep up with how people actually work. Build your access model around identity signals and enforce it consistently across apps, data and infrastructure.

Stop letting “exceptions” become permanent architecture

Exceptions are not evil. They’re just dangerous when they never expire. Most environments have at least one access exception that exists because Gary needed it once, then nobody wanted to own removing it. Make exceptions time-bound by default.

Reduce the noise before it hits humans

If every alert looks urgent, nothing is. The goal is fewer high-confidence signals and faster action, not a larger dashboard collection. Microsoft’s Defender XDR includes automatic attack disruption, designed to contain attacks in progress and buy time for security teams. [source] That’s the right direction of travel: reduce blast radius quickly, then let humans do the judgement work.

Tie response to operational reality

Response fails when it relies on people remembering steps under pressure. Runbooks should be executable and consistent, not tribal knowledge handed down like a family recipe.

The Canadian angle that actually matters

Canada’s security reality has a few extra layers: residency expectations, regulatory obligations and the practical need to keep accountability local when something goes sideways.

Kyndryl has built a Security Operations Centre in Barrie, Ontario, built on Microsoft Azure, integrating with tools like Microsoft Sentinel and using Microsoft Defender for advanced threat protection. [source] That matters because it is concrete, not theoretical: a real capability, in Canada, designed to turn identity and device signals into action, not another weekly report.

The point is not “look, a building.” The point is operational:

  • the teams are operating in the same regulatory environment you are
  • escalation and response are easier when you’re not crossing time zones and handoffs
  • data residency requirements are not a footnote, they’re part of the design

ISM’s role in this story is delivery and architecture. The global scale and tooling matter when the estate is big and messy, but the day-to-day implementation still lives or dies on local execution, stable technical ownership and people who can work through your actual constraints without turning it into a three-week workshop series.

What to fix first

Catalogue what you have Map identities, privileges, access paths and the systems where enforcement actually happens.

Build privacy into daily work Security operations generate data. Make sure those artefacts have residency and access controls.

Operationalise governance Turn access policy into enforcement, evidence and review cycles.

Secure the data itself Identity-based access is table stakes, but data needs its own controls too: classification, encryption and monitoring.

Security fails in boring ways. Not movie-hacker ways. It fails because an exception became permanent, an access path never got revisited, and nobody wants to be the person who breaks Gary’s “critical” workflow.

If you want to tighten this without turning your business into a locked basement, talk to ISM. We design identity-driven access and security edge architectures that actually work in messy environments, then operate them with Canadian teams who stick around. The tooling can be Fortinet SASE, Cisco security edge services, Cloudflare Zero Trust or Palo Alto Prisma patterns, but the real value is the operating model: fewer blind spots, fewer “we’ll fix it later” moments, more evidence when the questions start.

Want to understand how we work?

Every conversation starts with your environment. Not our product list.

Get in touch
ArrowArrow

It's not about the technology, or the processes. It's about your clients, your users, and the hard won trust you've built. Every team here keeps that at heart.

Mobile CTA