The Disappearing Perimeter

There was a time when companies thought of security in terms of walls and gates. Offices were locked. Firewalls guarded the edges. Access was largely about whether you stepped through the right door or plugged into the trusted network. Devices, too, were typically corporate-issued machines, connected to the office LAN or VPN. Everything “outside” was viewed with suspicion; everything “inside” was assumed to be under control.

That world was comfortable. It was simple. It had boundaries.

Over the past few years, though, that world has changed—radically and forever. SaaS applications now live in every major cloud. Remote and hybrid work aren’t temporary adaptations; they are entrenched norms. Employees log in from home, coffee shops, on trains. Devices are personal, mobile, unmanaged. And vendors, contractors, partners all connect directly to core business systems on a regular basis. There is no neat border anymore.

The shift to a borderless enterprise didn’t happen overnight—it crept in through decisions made under pressure. When remote work first surged, many organizations relied on VPNs and perimeter firewalls as lifelines. They presumed that if someone connected through “our network,” they were safer. But VPNs extend the perimeter outward rather than replace it. Once inside that perimeter, users often gained broad access, sometimes far more than they needed.

Organizations are waking up to how brittle this approach has become. According to a 2025 Zero Trust report by Tailscale, only 29% of companies say their primary model for granting access is identity-based. Many still mix identity and network location, and some still rely heavily on IP-based access. ¹

Another survey (Aviatrix, 2025) shows that while more than 30% of enterprises are exploring Zero Trust API models, only a small fraction—about 8%—are actually putting in place Zero Trust architectures for inter-cloud traffic.  These statistics highlight that while people talk about Zero Trust and removing perimeters, many infrastructures still depend on what we used to call “inside.” That inside is becoming porous.

Remote work was the hammer that broke the old frame. Before the pandemic, many companies had foreshadowed flexible workplaces. But once lockdowns forced full remote setups, everything changed: policies, tools, priorities. Security teams who had deferred investments in remote access, device management, or identity-first security woke up to urgent gaps.

Reports indicate that organizations adopting identity-centered security saw better resilience, but only when identity was treated as a core pillar—meaning that remote access, personal devices, cloud apps all required verification.²  Without that shift, employees working from non-corporate networks became attack vectors; unmanaged devices became conduits for malware, misconfigured apps, or credential theft. The perimeter crumbled quietly.

Because the real perimeter now is identity. Who you are, where you are, what device you’re using, what the risk context is—all that matters now more than “inside vs. outside.”

Putting identity first means altering many of our assumptions. It means that access policy no longer depends on the network zone, but rather on the confidence in the identity, the device posture, the app being accessed, potentially even the behavior of the user in recent history.

Identity-centric access demands continuous verification. That means requiring strong authentication (MFA), requiring device compliance, inspecting session behavior, and enforcing least privilege. It is not enough to check once. The organization must verify often—ideally, at every sensitive step.

Zero Trust architecture, when properly implemented, supports this identity-first model. It removes reliance on network location and shifts towards a posture in which access policies are based on identity plus contextual signals. Many organizations are trying to get there—and some are still stuck halfway.

Transitioning to a perimeterless identity-based model is hard. Old applications might not support modern authentication methods. Some role and attribute data will be inconsistent or incomplete. Legacy VPNs, firewalls, and network appliances may still be entrenched in operations.

There’s also resistance within the organization. Security teams often speak of trust-based models as risky. App owners and business leadership may see more friction. Budget constraints and staffing limitations slow down progress.

Then there’s the fact that visibility is harder in a hybrid and multi-cloud environment. When apps move to SaaS providers, and devices are personal or unmanaged, tracking and controlling access become more complex. Log collection, device posture checks, and continuous monitoring all gain prominence—but those require tooling, investment, and discipline.

An organization that’s winning this shift looks fundamentally different in how it handles access and identity.

They do not grant access simply because someone is connected from what used to be “inside.” Instead, they make identity and device verification part of every access decision. They log and review sessions in real time. They enforce policy that ties access to specific conditions—such as device health, user behavior, and risk signals—not just network location.

They have minimized reliance on VPNs and IP-based access, replacing them with Zero Trust Network Access (ZTNA) or applied proxying. They employ strong identity hygiene—standardizing roles, ensuring accurate attribute data (department, title, location), and cleaning up stale accounts.

They also build tools and policies that can adapt. When an app wants to move from internal hosting to cloud, they plan for how access will remain secure throughout. When employees shift between roles or locations, identity data adapts. When threats or attack vectors evolve, policies evolve too.

The firewall wall made us feel secure. The VPN gave us comfort. But the real boundary—the real point of control—is identity. It lives in every login, every device check, every access decision.

Holding onto old models of inside vs. outside may make some stakeholders feel safe—but it won’t stop breaches. Identity can’t wait. It must become the lens through which every access request, every application deployment, and every device connection is evaluated.

Your organization’s identity program isn’t just a compliance checkbox. It’s now the most critical barrier in your security architecture—because everything else has become borderless.

Trust used to rely on infrastructure. Now, infrastructure must support trust.