All writing
CybersecurityIdentitySSOMFA

Identity is the new perimeter

SSO, MFA, and password management are the foundation everything else rests on. Why identity is now the front line of security for growing firms.

Drew Jonsen · Founder, Jonsen LLC April 23, 2026 7 min read

There used to be a wall. Your systems lived in the office, behind a firewall, and security meant guarding the edge of the building. That wall is gone. Your team works from home, from phones, from coffee shops; your platforms live in a dozen different clouds. The thing that now decides who gets in isn't a location. It's an identity — a login.

Which means your security is only as strong as how your people sign in. And for most growing firms, that's the weakest part of the whole operation.

How identity actually fails

It rarely fails in a dramatic, movie-style breach. It fails in small, ordinary ways.

Here's one we see constantly: a team shares a single login for an important account — the "owner's" credentials — and everyone uses it. It feels efficient. Then one day the platform notices the same account signing in from several people and places at once, flags it as suspicious activity, and locks the account. Now nobody can get in, work stops, and the team spends a day filing appeals to restore access. The fix everyone arrives at, after the fact, is the thing that should have been true from the start: everyone should have their own login.

Shared logins, reused passwords, accounts that outlive the employee, admin rights handed out "just to be safe" — none of these look like security incidents until they are. They're the cracks attackers and bad luck both walk through.

The four things that actually matter

You don't need a sprawling security program to fix this. You need four foundations, done well.

1. Single sign-on (SSO)

Give people one strong, managed identity that unlocks the apps they're allowed to use. SSO means fewer passwords to steal, one place to grant access when someone joins, and — critically — one place to cut access when someone leaves. Tools like Microsoft Entra make this the front door for the whole firm.

2. Multi-factor authentication (MFA)

A password alone is a single point of failure. MFA adds a second factor so a stolen password isn't enough on its own. It's the highest-return security control most firms can turn on, and it belongs on every account that touches client data — no exceptions for "the busy partner."

3. Password management at scale

People reuse passwords because remembering dozens of strong ones is impossible. A managed password manager removes the excuse — unique, strong credentials everywhere, shared securely when sharing is truly necessary, and revocable in one click. Moving a firm off ad-hoc password habits and onto a managed vault is unglamorous and enormously protective.

4. Identity lifecycle: provisioning and deprovisioning

The riskiest account in most firms belongs to someone who left months ago. Access should be granted cleanly when someone is hired, scoped to what their role actually needs, and removed the day they depart. When SSO is the front door, this becomes a switch instead of a scavenger hunt across twenty different platforms.

Least privilege, by default

Once identity is the perimeter, the next question is simple: does this person need this access?

Most don't need most of what they have. Giving everyone broad rights "to avoid friction" is how a single compromised login becomes a firm-wide problem. The healthier default is least privilege — people get exactly what their role requires, and elevated access is the exception, granted deliberately and reviewed. It's not about distrust. It's about making sure one mistake stays small.

Don't forget the device

A login is only as trustworthy as the device it comes from. Identity and device management are two halves of the same control.

Mobile Device Management — Microsoft Intune and the like — lets you set baseline policy across the laptops and phones your team uses: encryption on, screen lock enabled, the ability to wipe a lost device, and a way to keep work data off personal devices that were never meant to hold it. For a hybrid team, this is what keeps "work from anywhere" from meaning "client data anywhere."

This is the foundation, not a side project

It's tempting to treat SSO, MFA, and password hygiene as IT housekeeping — something to get to after the "real" work. That's backwards. Identity is the layer every other system now sits on. Get it right and the rest of your security has something solid to stand on. Get it wrong and the best tools in the world are protecting a door that's propped open.

The good news: none of this requires grinding the firm to a halt. Done pragmatically, identity security is mostly invisible to your team — one login, one extra tap, and a lot less risk. That's the goal. Protect the firm without slowing it down.

What does "identity is the new perimeter" mean?

With teams working remotely and systems living in the cloud, there's no physical network edge to defend anymore. Access is now decided by who's logging in, so the login — the identity — has become the real security boundary.

What's the single most important identity control to start with?

Multi-factor authentication on every account that touches client data. It's the highest-return control and stops a stolen password from being enough on its own. Single sign-on and a managed password manager come right behind it.

Why are shared logins a problem?

They remove accountability, can't be protected by individual MFA cleanly, often trigger platform security locks, and can't be revoked for one person without disrupting everyone. Individual logins tied to SSO are safer and easier to manage.

DJ
Drew JonsenFounder, Jonsen LLC

Drew leads Jonsen LLC — a Denver technology practice guiding law firms and growing businesses through AI, cybersecurity, and systems that compound over time.