A companion blog to The China Hack and the New Front Line: Why Identity is the Only Perimeter Left
The recent 60 Minutes segment The China Hack showed how a small town’s water supply became a target...not through some high-end zero-day exploit, but through the most basic vector imaginable: stolen credentials.
It was a clear reminder that identity is now the front door to every system we depend on, from enterprise SaaS to municipal infrastructure. If attackers can “become” you, they can bypass every other defense you’ve built.
At Ory, we think about this every day. Our mission is to make identity infrastructure secure, scalable, and sovereign so that organizations of any size can operate safely in a world where identity is the new perimeter.
Here are ten practical steps that every organization (from startups to city utilities) should take to build true identity resilience.
The 10 Practical Steps
- Treat Identity as Critical Infrastructure
Identity is not an IT afterthought, it’s part of your security fabric. Just as you protect your data center or water plant, you must protect the system that decides who gets in. Ory’s open, distributed architecture ensures your identity system itself never becomes a single point of failure.
- Enforce Strong, Adaptive Authentication
Static passwords are relics of another era. Adopt multi-factor authentication across every account; and go further by adapting authentication to context. With Ory, you can implement risk-based authentication that steps up verification when behavior looks unusual.
- Apply Least Privilege Everywhere
Every identity, human or machine, should have the minimum access necessary, for the shortest time needed. Rotate credentials, shorten token lifetimes, and use automation to prevent privilege creep. Ory’s policy-driven access management makes this easy to enforce across users, APIs, and services.
- Secure Machine and Service Identities
Attackers increasingly pivot through non-human identities; APIs, IoT devices, and background services. Treat these with the same rigor as user accounts. Ory allows you to centrally manage and authenticate these entities, limiting lateral movement inside your environment.
- Monitor and Verify Continuously
Authentication shouldn’t be a one-time event. Implement continuous verification and behavioral monitoring. Watch for legitimate credentials being used in illegitimate ways. Ory integrates with observability and SIEM platforms, so you can track and respond to identity anomalies in real time.
- Adopt Zero-Trust Principles
Never trust, always verify, even inside your own network. Micro-segment systems, enforce per-request authorization, and assume breach as your design baseline. Ory’s infrastructure was built for this: policy-based, context-aware, and globally consistent.
- Protect Administrative Interfaces
Your control plane is a crown jewel. Separate admin credentials, restrict console access, and monitor all privileged actions. Ory provides granular role-based access control and audit logs, so you always know who did what, and when.
- Design for Regional and Regulatory Resilience
Data sovereignty isn’t optional... It's foundational. Ensure identity data can be pinned to specific regions and aligned with GDPR, CCPA, or NIS2 mandates. Ory’s multi-region model lets you deploy identity services where you need them, while maintaining full compliance and control.
- Maintain Strong Identity Hygiene
Old accounts are open doors. Automate on-boarding and off-boarding. Regularly rotate credentials and API keys. Ory’s open standards make it simple to integrate with HR, CI/CD, and provisioning systems for continuous identity hygiene.
- Build a Culture of Awareness
Technology only goes so far, people are still the first line of defense. Educate teams about phishing, credential misuse, and the importance of identity safety. Run drills. Practice incident response. Make “identity security” part of the organizational DNA.
Bottom Line
Identity resilience isn’t just about preventing hacks; it’s about ensuring continuity, trust, and safety across everything we build and rely on. As The China Hack reminded us, adversaries are patient and pragmatic. They go where the defenses are weakest.
At Ory, we’re building the infrastructure that makes identity strength a default, not a differentiator. Because when identity is secure, everything built on top of it; from SaaS platforms to city water systems, stays safe, sovereign, and running.
Next Steps
