Identity management

Identity security in a changing IT landscape

Richard Landman

Richard Landman, Marketing & Portfolio Director, Nomios Netherlands


For a long time, identity was the neglected part of IT security. User accounts, groups and permissions were necessary to keep systems running, but rarely the subject of strategic security decisions. For many organisations, identity began and ended with Microsoft Active Directory: a central directory primarily designed for authentication inside the corporate network. Security was largely incidental, not an explicit design objective.

This has only changed fundamentally in recent years. Cloud, SaaS and mobile working have shifted identity from an administrative foundation to a primary security control. Access to applications and data is no longer determined by network boundaries, but by who the user is, the context in which they operate and the risk associated with that access. In this context, identity has matured into a fully-fledged cybersecurity domain.

From Active Directory to Entra ID

Microsoft Entra ID reflects this evolution. Where Active Directory was focused on on-premises environments, Entra ID now offers capabilities such as Conditional Access, multi-factor authentication (MFA) and identity threat detection. Compared to the directory model of the past, this represents a clear step forward.

At the same time, we see in practice that many organisations run into limitations. Not because Entra ID is technically weak, but because it is primarily designed around the Microsoft ecosystem. For organisations that are largely standardised on Microsoft, this may be sufficient. For larger enterprises with multiple clouds, legacy applications, OT environments and diverse compliance requirements, the reality is far more complex.

The limits of a single identity platform

In such environments, a single identity platform is rarely enough. Identity governance, lifecycle management, privileged access and auditing across multiple technology stacks require a broader and more specialised approach. Entra ID often remains an important component, but not the central control layer for the entire landscape.

As a result, we see growing demand for dedicated identity solutions that operate independently of any single vendor ecosystem. Platforms such as Okta, One Identity, SailPoint and CyberArk each fulfil a specific role within the identity domain. They are explicitly designed for heterogeneous environments and better match the scale and complexity of large organisations.

With the acquisition of Intragen, Nomios has significantly strengthened its portfolio and expertise in this area. Identity security requires more than technology alone; it demands continuous management, integration and policy enforcement. Increasingly, identity is therefore consumed as a managed service. In addition, we are developing our own on-prem identity solution in Finland, aimed at organisations with specific requirements around sovereignty, regulation or operational control.

Identity and SASE converging

In parallel, integration between identity platforms and SASE solutions from vendors such as Palo Alto Networks, Zscaler, Fortinet and HPE is becoming deeper and more mature. Where network security was traditionally based on location and IP addresses, enforcement is shifting towards user identity and contextual signals.

Identity and the edge are converging. Identity determines who is granted access, under which conditions and with what risk profile, regardless of network or location. In a mature Zero Trust architecture, identity is no longer just one building block among many, but the engine that drives policy and enforcement. Without mature identity security, Zero Trust remains a theoretical model.

Implications for organisations

The relevant question is not whether Entra ID still plays a role — it clearly does — but whether it is sufficient as the sole identity solution. For a growing number of organisations, the answer is no. Identity security requires deliberate architectural choices, specialised tooling and continuous operational management.

The integration of Intragen into Nomios reflects this reality. Identity is no longer a supporting function, but a strategic security domain. Organisations that recognise this are building a foundation that is resilient not only to today’s complexity, but also to the continued shift towards Zero Trust and SASE-driven architectures.
