The office perimeter has expanded. Why identity is the control plane.
With organisations embracing modern ways of working through hybrid working and BYOD, the office boundary has expanded, and zero trust has emerged as the solution to that extended boundary.
Karimah - Cyber Security & IAM Consultant
Why has identity become the new control plane? Historically, employees attended the office Monday to Friday and had no reason to take their work devices away from it other than occasional business travel, which helped contain the attack surface to the office. The office location served as an anchoring point, with controlled access to the building, turnstiles to keep undesirables out, and office networks. Things have changed. In a modern landscape of work from home and globally distributed teams, office location is no longer a reliable basis for granting access to organisational network resources. Identity is the alternative: it validates access to an organisation's resources, and multi-factor authentication gives us confidence that the right access is being granted to the right requester, wherever in the world they may be. In this article we evaluate the efficacy of the alternative control planes: the network perimeter, endpoints and applications.
Key Takeaways
Zero Trust is a non-negotiable for ensuring that the network is protected from advanced persistent threats
Mobile device management is a must for hybrid workforces that allow bring your own device (BYOD)
Token-based authentication, namely single sign-on, not only provides productivity gains but prevents password-recycling related attacks
Key definitions
Zero Trust - assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). (NIST, 2020)
Control plane vs data plane - the control plane is where the network is designed and the parameters for its functionality are set, while the data plane is where data moves between devices. (IBM)
Authentication vs Authorisation - authentication is the process of verifying who a user is, while authorization is the process of verifying what they have access to. (Auth0)
Network perimeter (legacy model) - the network perimeter is the boundary between an organization's secured internal network and the Internet — or any other uncontrolled external network. (Cloudflare)
Endpoints - any device that connects to a computer network, such as desktop computers, smartphones, tablets, laptops and IoT devices. (Cloudflare)
Device Trust Signals - data points collected from a device that indicate its posture, compliance and integrity, supporting context-aware decision making for access requests. (Hexnode)
Applications - An app is a self-contained software package that allows users to perform specific tasks on a mobile or desktop device. (Spiceworks)
Least Privilege - users, systems, and processes should operate with the absolute minimum access rights, permissions, and privileges necessary to perform their specific tasks. (NIST)
Just in Time - an access control approach that grants time-limited, task-specific privileged permissions to a human or non-human identity only when needed, and revokes those privileges immediately after the work is done. (Palo Alto)
Why the network perimeter is an outdated control plane
The modern network perimeter is no longer restricted to business locations. The ONS reported that in Q1 of 2025 28% of working adults worked hybrid. This means that the traditional ‘castle and moat’ security model, where implicit trust was granted based on physical or network location, is no longer robust enough. With the workforce's location varying, it quickly becomes impractical or cumbersome to use location as a control plane for securing organisational resources. Using and accessing company resources outside the controlled perimeter of a physical work location also introduces significant risks such as unauthorised device access and theft. Movement away from the formal office environment removes preventive physical security controls such as turnstiles with ID badge entry and security personnel, and these controls cannot reasonably be extended into the home working environment. In a threat landscape containing advanced persistent threats (APTs), attackers who opt to establish a long-term presence within the network (Crowdstrike), implicitly trusting any identity (human or non-human) inside the network introduces significant risk. Once an APT has penetrated the network perimeter it can achieve lateral movement (MITRE ATT&CK - TA0008), so the network perimeter cannot be the control plane. In contrast, in a Zero Trust model where identity is the control plane and least privilege is in place, attempts to access unauthorised network resources send signals of unusual access.
Device compromise becomes P1 for hackers
Using trusted devices as the control plane is unsuitable in a threat landscape where susceptibility to phishing keeps growing. In 2025, the Cyber Security Breaches Survey reported that 43% of UK businesses had experienced a cyber breach in the last 12 months (GOV UK). In a hybrid organisation where trust is inherited from a device, an attacker could focus on compromising devices through phishing (MITRE ATT&CK - T1660) to hijack a device and appear compliant while carrying out malicious activities. Phishing remains a significant threat to organisations, growing in both sophistication and frequency, because the human factor remains the most difficult to defend. Spear phishing, a highly personalised scam that deceives people into divulging sensitive data or clicking links, remains a very effective way of compromising devices. Researchers analysed 50 billion emails and determined that spear phishing accounted for less than 0.1% of emails but represented 66% of successful breaches (IBM). Zero Trust does not directly prevent the compromise of devices; however, through conditional access, device compliance and device health signalling, it enables the flagging and enforcement of policies intended to protect the network from ‘risky’ behaviour.
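The two sections above describe the same mechanism from two angles: a policy decision point that checks the identity's entitlements (least privilege, including time-limited just-in-time grants as defined earlier) and the device's trust signals on every request, and that treats a denied request as a detection signal rather than just a closed door. The following Python is an added illustration of that decision flow, not code from the article or from any MDM or identity vendor; the signal names (managed, compliant, os_patched), the resource names and the requests are all constructed for the example.

```python
"""Zero-trust policy decision point (PDP) combining identity, device posture and
least privilege. Constructed illustration, not code from the article or any vendor.

Every request carries the requesting identity, the device's trust signals and the
target resource. The PDP returns ALLOW, STEP_UP (re-prompt for MFA) or DENY, and
records a detection signal for each denial: under least privilege, an attempt to
reach a resource the identity was never granted is itself the anomaly.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Sequence

ALLOW, STEP_UP, DENY = "ALLOW", "STEP_UP", "DENY"


@dataclass(frozen=True)
class DeviceSignals:
    """Posture fed back from the MDM; field names are constructed for this example."""
    managed: bool      # enrolled in mobile device management
    compliant: bool    # meets the compliance baseline (encryption, screen lock, ...)
    os_patched: bool   # operating system within the patch SLA


@dataclass(frozen=True)
class Entitlement:
    resource: str
    expires_at: Optional[datetime] = None  # None = standing access; a datetime = JIT grant


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    sensitivity: str   # "standard" or "privileged"
    mfa_satisfied: bool
    device: DeviceSignals
    at: datetime


def is_entitled(entitlements: Dict[str, Sequence[Entitlement]], req: AccessRequest) -> bool:
    """True if the user holds a non-expired entitlement for the requested resource."""
    for e in entitlements.get(req.user, ()):
        if e.resource == req.resource and (e.expires_at is None or req.at < e.expires_at):
            return True
    return False


def decide(req: AccessRequest, entitlements: Dict[str, Sequence[Entitlement]],
           signals: List[str]) -> str:
    """Evaluate one request; append a signal line for every denial."""
    # 1. Least privilege first: no entitlement (or an expired JIT grant) is a hard deny.
    if not is_entitled(entitlements, req):
        signals.append(f"{req.at.isoformat()} {req.user} denied {req.resource}: no entitlement")
        return DENY
    # 2. Device posture: trust is not inherited from the device, it is checked each time.
    if not (req.device.managed and req.device.compliant):
        signals.append(f"{req.at.isoformat()} {req.user} denied {req.resource}: device non-compliant")
        return DENY
    # 3. Step-up: privileged resources and unpatched devices require fresh MFA.
    if (req.sensitivity == "privileged" or not req.device.os_patched) and not req.mfa_satisfied:
        return STEP_UP
    return ALLOW


def run_demo():
    """Run constructed requests through the PDP; returns (decisions, signals)."""
    now = datetime(2026, 2, 22, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    good = DeviceSignals(managed=True, compliant=True, os_patched=True)
    stale = DeviceSignals(managed=True, compliant=True, os_patched=False)
    byod_unenrolled = DeviceSignals(managed=False, compliant=False, os_patched=True)
    entitlements = {
        "alice": [Entitlement("finance-ledger"),
                  Entitlement("prod-admin", expires_at=now + timedelta(hours=1))],  # JIT
        "bob": [Entitlement("ticketing")],
    }
    cases = {
        "alice_ledger": AccessRequest("alice", "finance-ledger", "standard", True, good, now),
        "alice_admin_no_mfa": AccessRequest("alice", "prod-admin", "privileged", False, good, now),
        "alice_admin_jit_expired": AccessRequest("alice", "prod-admin", "privileged", True, good,
                                                 now + timedelta(hours=2)),
        "bob_ledger_unentitled": AccessRequest("bob", "finance-ledger", "standard", True, good, now),
        "bob_ticketing_byod": AccessRequest("bob", "ticketing", "standard", True, byod_unenrolled, now),
        "bob_ticketing_stale": AccessRequest("bob", "ticketing", "standard", False, stale, now),
    }
    signals: List[str] = []
    decisions = {name: decide(req, entitlements, signals) for name, req in cases.items()}
    return decisions, signals


if __name__ == "__main__":
    decisions, signals = run_demo()
    for name, outcome in decisions.items():
        print(f"{name:26} {outcome}")
    print("\nsignals for the SOC:")
    print("\n".join(signals))
```

The ordering of the checks is the design point: entitlement is evaluated before posture so that a compliant, well-patched device never buys access the identity does not hold, and the JIT grant expires by itself with no revocation step. The signal list is what a hybrid organisation feeds to its monitoring in place of the physical controls it lost when staff left the office.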
How many passwords are too many?
Users need access to multiple applications during the working day. An average organisation has tools for identity such as Active Directory, email, finance, IT ticketing and file storage, plus at least one more for industry-specific use such as a GRC tool, timesheeting or customer support. This technology stack requires a separate password per platform. As security professionals we discourage password recycling (MITRE ATT&CK - T1003) but accept that requiring unique passwords across multiple applications adds friction to productivity. Managing passwords per application introduces the risk of inconsistent security across apps and potential time lags in implementing joiners-movers-leavers (JML) changes, while password reuse exposes the organisation to credential stuffing if an attacker replays breached credentials against other applications. In comparison, using identity as the control plane with token-based authentication, for example single sign-on across multiple applications, centralises access control and access governance.
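To make the centralisation point concrete, here is an added Python sketch of token-based single sign-on; it is not the article's code and not any identity product's implementation. One identity provider (IdP) authenticates the user once and issues a short-lived signed token naming the application it is for; each application verifies the IdP's signature, audience and expiry and never sees a password, so there is nothing to recycle across apps, and a JML leaver event at the IdP cuts access to every application at once. The token format is a constructed compact JSON body plus HMAC-SHA256 over a key shared between IdP and applications; production systems would use asymmetric keys and a standard OIDC or SAML library instead.

```python
"""Centralised token-based SSO in place of per-application passwords.

Constructed example, not the article's code. The IdP issues a token of the form
base64url(claims_json) '.' base64url(HMAC-SHA256(key, body)) with sub / aud / iat / exp
claims; each relying application verifies signature, audience and expiry locally.
"""
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class IdentityProvider:
    """Single place where identities are authenticated and tokens are minted."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._active = set()  # identities that have been provisioned and not yet removed

    def provision(self, user: str) -> None:          # JML joiner
        self._active.add(user)

    def deprovision(self, user: str) -> None:        # JML leaver: one change, all apps
        self._active.discard(user)

    def issue(self, user: str, audience: str, now: int, ttl: int = 300) -> str:
        if user not in self._active:
            raise PermissionError(f"{user} is not an active identity")
        claims = {"sub": user, "aud": audience, "iat": now, "exp": now + ttl}
        body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64url(sig)}"


def verify(token: str, key: bytes, expected_audience: str, now: int):
    """Return the claims if the token is authentic, unexpired and meant for this app, else None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        return None  # tampered, or not signed by our IdP
    claims = json.loads(_unb64url(body))
    if claims.get("aud") != expected_audience or now >= claims.get("exp", 0):
        return None  # token for a different application, or expired
    return claims


def run_demo() -> dict:
    """Exercise the happy path and the failure modes; returns a dict of booleans."""
    key = b"constructed-demo-key-not-for-production"
    idp = IdentityProvider(key)
    idp.provision("alice")
    t0 = 1_700_000_000  # constructed epoch time
    results = {}
    tok = idp.issue("alice", "finance", t0)
    results["finance_accepts"] = verify(tok, key, "finance", t0 + 60) is not None
    results["ticketing_rejects_wrong_aud"] = verify(tok, key, "ticketing", t0 + 60) is None
    results["expired_rejected"] = verify(tok, key, "finance", t0 + 600) is None
    # Re-use the genuine signature over a forged body that extends the expiry.
    _, sig = tok.split(".")
    forged_claims = {"sub": "alice", "aud": "finance", "iat": t0, "exp": t0 + 10**6}
    forged = _b64url(json.dumps(forged_claims, separators=(",", ":")).encode()) + "." + sig
    results["tampered_rejected"] = verify(forged, key, "finance", t0 + 60) is None
    # Leaver: deprovisioning at the IdP stops token issuance for every application.
    idp.deprovision("alice")
    try:
        idp.issue("alice", "finance", t0 + 120)
        results["leaver_blocked_everywhere"] = False
    except PermissionError:
        results["leaver_blocked_everywhere"] = True
    return results


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check:30} {'ok' if ok else 'FAIL'}")
```

Note what the applications do not hold: no password database per app, so there is no per-app password policy to drift and nothing to stuff with breached credentials, and the leaver is handled once at the IdP rather than application by application.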
Exceptions / limitations
Identity as the control plane answers modern organisational needs, but it still requires robust identity and access management (IAM) practices as defence-in-depth: multi-factor authentication, least privilege, role-based access control, privileged access management and joiner-mover-leaver automation. An organisation remains vulnerable to identity-based attacks if it fails to review the access it has granted on a regular basis and to apply conditional access for detecting ‘risky’ behaviour.
In a modern organisation with a hybrid workforce, identity, both human and non-human, has emerged as the most reliable control plane for guarding an organisation’s resources.
Have you built your identity and access management maturity roadmap?
References
https://www.ibm.com/think/topics/control-plane-vs-data-plane
https://auth0.com/docs/get-started/identity-fundamentals/authentication-and-authorization
https://www.cloudflare.com/en-gb/learning/access-management/what-is-the-network-perimeter/
https://www.cloudflare.com/en-gb/learning/security/glossary/what-is-endpoint/
LAST UPDATED
22 February 2026