Author: Malhar Vora, Principal Security Engineer and People & Engineering Leader – Group Cyber Security at ANZ Bank https://medium.com/@malhar.vora

We all talk about identity as “the new perimeter,” but that statement misses a critical truth.

You can’t secure identity if you don’t understand the data behind it.

Today, identity isn’t just a login or a directory entry; rather, it is a constantly changing dataset of who has access to what, when, from where, and why.

And that dataset is scattered across IAM, IGA, PAM, SaaS, secrets vaults, DevOps pipelines, cloud providers, and endpoint agents.

Most organizations don’t have a breach problem.

They have a visibility problem.

Identity Data Is Messy And That’s Why It’s Valuable

Every digital identity creates fragments of data. Identity artifacts include:

  • Credentials (Examples: Passwords, tokens, SSH keys, API Keys)
  • Metadata (Examples: Role, department, group, owner)
  • Entitlements (Examples: AWS policy, AD group, Salesforce roles)
  • Behaviour (Examples: Login location, device, time, commands executed)
  • Lifecycle State (Examples: Joiner, Mover, Leaver, Orphaned)

Without this data, identity governance becomes guesswork.

With it, identity becomes security’s strongest decision engine.

Identity Data Should Be Treated Like Threat Intelligence

Just like we prioritize logs from firewalls and endpoints, identity data must be treated as a first-class security feed.

Why? Because identity threats are often silent.

  • A dormant admin account
  • An API key with wildcard permissions
  • A privileged SaaS role nobody remembers assigning
  • A contractor who left six months ago but still has access

These don’t trigger alerts in EDRs, firewalls, or SIEM searches.

They exist in identity metadata, not network telemetry.

Identity risk lives in access combinations, not single events.

What Happens When Identity Data Is Unified

When organizations unify identity data across IGA, PAM, SSO, and cloud, three transformative outcomes emerge:

1. Continuous Access Review

Not yearly. Not quarterly. In real time.

2. Risk-Adaptive Controls

Authentication and authorization change dynamically based on:

  • Behaviour anomalies
  • Device risk
  • Privilege level

3. Lifecycle Automation That Actually Works

No more orphaned accounts, stale roles, or guesswork privilege assignments.

The Architecture

Identity Data Lake

Forward-looking organisations are building Identity Data Lakes: scalable stores of normalised identity metadata.

Sources feeding the lake:

  • Identity Directory Platforms
  • IGA platforms
  • PAM platforms
  • Cloud entitlements / IAM Roles
  • Secrets stores
  • SaaS role exports

This is not just logging.

The value is in normalisation, correlation, and continuous analytics.
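As an added example (not code from the original post), the following Python sketch shows the normalise-then-correlate step that turns separate exports into one record per identity, and then flags the silent risks listed earlier: a dormant privileged account, a leaver who still holds access, and a non-human identity with a wildcard permission. The HR, Active Directory and AWS IAM export formats, field names and the 90-day dormancy threshold are assumptions; all records are constructed sample data.

```python
from datetime import date

# Constructed sample exports (not real data). Each source uses its own field
# names and identifier column, which is exactly why normalisation is needed.
TODAY = date(2024, 6, 1)
HR_FEED = [  # lifecycle state from the HR / IGA platform
    {"id": "asmith", "state": "active"},
    {"id": "jdoe", "state": "leaver", "left": "2023-11-15"},
]
AD_EXPORT = [  # directory groups plus last logon timestamp
    {"sam": "asmith", "groups": ["Domain Admins"], "lastLogon": "2023-10-01"},
    {"sam": "jdoe", "groups": ["Finance-RW"], "lastLogon": "2024-05-30"},
]
AWS_IAM = [  # IAM users with policy actions and last access-key use
    {"user": "svc-deploy", "actions": ["s3:*"], "type": "service", "last_used": "2024-05-29"},
]

def normalise(hr, ad, aws):
    """Fold every source into one record per identity (the 'data lake' schema)."""
    ids = {}
    def rec(i):
        return ids.setdefault(i, {"id": i, "state": "unknown", "human": True,
                                  "entitlements": [], "last_seen": None})
    for h in hr:
        rec(h["id"])["state"] = h["state"]
    for a in ad:
        r = rec(a["sam"])
        r["entitlements"] += [f"ad:{g}" for g in a["groups"]]
        r["last_seen"] = date.fromisoformat(a["lastLogon"])
    for u in aws:
        r = rec(u["user"])
        r["human"] = u["type"] != "service"
        r["entitlements"] += [f"aws:{act}" for act in u["actions"]]
        r["last_seen"] = date.fromisoformat(u["last_used"])
    return ids

PRIVILEGED = {"ad:Domain Admins"}  # assumed list of high-privilege entitlements

def findings(ids, today=TODAY, dormant_days=90):
    """Risk lives in combinations: privilege x dormancy, leaver x access, non-human x wildcard."""
    out = []
    for r in ids.values():
        priv = bool(PRIVILEGED & set(r["entitlements"]))
        dormant = r["last_seen"] is not None and (today - r["last_seen"]).days > dormant_days
        if priv and dormant:
            out.append((r["id"], "dormant privileged account"))
        if r["state"] == "leaver" and r["entitlements"]:
            out.append((r["id"], "leaver still holds access"))
        if not r["human"] and any(e.endswith("*") for e in r["entitlements"]):
            out.append((r["id"], "non-human identity with wildcard permission"))
    return out
```

None of the three findings is visible in any single source; each only appears once the HR state, directory membership and cloud entitlements sit in one record.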

Identity as a Security Asset: Practical Next Steps

Here’s how organisations can start treating identity data strategically:

  • Inventory identity sources, including non-human ones
  • Normalise entitlements across systems
  • Prioritise visibility before control
  • Feed identity intelligence into SOC and SIEM
  • Automate lifecycle with risk scoring

Identity isn’t just a login anymore.

It’s the most context-rich security signal in your organisation.

Final Thought

If identity is the new perimeter, then identity data is the perimeter defence strategy.

Organisations that treat identity data as an asset will detect breaches faster, design controls smarter, and eliminate privilege risk before it ever becomes an incident.

Identity isn’t just how users access systems.

Identity is how security understands risk.