Secure Access: 3 Critical Lessons for the Identity-First Perimeter

Why Secure Access Keeps Coming Back Into Focus

It’s no secret that organisations in general have been moving away from traditional methods of securing their network traffic. This of course is nothing new, and the technologies around it have been here for a while now. Even the relatively new term SASE was coined back in 2019. So why does this seem to keep surfacing as a hot topic? I believe it’s because even though most professionals know it’s an option, it’s not always the most straightforward thing to implement.

We’ve seen an ever increasing number of attacks on organisations, but the focus has pivoted to  impersonating or breaching individuals to bypass the traditional perimeter. Recent 2025 and early 2026 high-profile breaches – such as Scattered Spider attacks on UK retailers and vishing campaigns targeting SSO credentials – have all been tied to one person being targeted, compromised via social engineering and then used to gain access into wider networks. We’ve seen this extend into supply chain attacks as well, proving that the threat extends beyond your own networks.

Redefining Your Guardrails Through Identity

As we’ve explored previously in our blog, ‘What is Identity in Cyber Security? It’s Not Who You Say You Are’ modern security isn’t just about checking a username. The breaches of the last 12 months have taught us three critical lessons:

1. 2FA is no longer a silver bullet: Attackers are now socially engineering the authentication process itself (AI-generated voice/video) or using ‘MFA fatigue’ to bypass traditional prompts. In 2025, vishing attacks surged by over 440% due to AI deepfakes, proving that human judgment is being outpaced by technology.
2. Context is King: A stolen password is useless if your system can see the request is coming from an unmanaged device in a geographic location you never visit.
3. Validation must be continuous: Authentication shouldn’t just happen at the start of a session. As per the latest NCSC Zero Trust guidelines (reviewed Jan 2026), we should continue to validate user and device properties throughout the session to prevent lateral movement.

So even though the reasoning has changed somewhat, the impact of deploying something in the secure access space can make huge differences to your security posture. Many organisations may be using a secure access product to help solve connectivity issues and not realising the potential security at their fingertips. Others might be looking at implementing without knowing the extra power they gain by doing so.

3 Critical Lessons for an Identity‑First Perimeter

Making the User Experience Better with Identity

It is also worth noting that this isn’t just about putting up more barriers. In fact, a well-implemented Secure Access strategy often removes the friction that traditional VPNs create. By using identity as the key, your team gets a seamless, “always-on” experience where they can access what they need, from where they are, without the constant “re-authentication” dance. 

It’s that rare win-win: making your organisation harder to hack, but easier to work in.

The Identity-First Advantage

By additional security, I am of course referring to the identity-based security abilities you can leverage over any existing security rules you may be using. When you move to securing based on a user’s identity, and perform validation checks to confirm that identity, you move away from a world of “implicit trust” and into a world where trust alone is enough. 

The breaches we have seen lately have shown that 2FA is no longer enough to stop determined attackers, so leverage the capability to confirm someone is who they say they are and are in the location you expect them to be on. This applies both geographically and from a machine identification point of view. This can shut down these types of attacks immediately; you might have stolen my credentials but do you have my digital fingerprint as well?

If you already have a Secure Access product in place, are you taking full advantage of the features it can provide? If you are still relying on traditional site-to-site VPNs or remote access gateways, how much more flexibility and security could you actually overlay onto those connections?

Ready to Modernise Your Access?

I think if you are using these products already, or are thinking about it, it’s certainly worth giving SEP2 a call to see if you could be doing more to protect your identity perimeter in 2026.

Discover our approach: Visit our Wingman Secure Access page to see how we help organisations transition to identity-centric security.

Ready for a deeper dive? Contact us today to book a discovery call with one of our engineers and see how we can strengthen your identity perimeter.