For years, corporate security was imagined as a castle: a sturdy wall, a well-guarded moat, and a single point of entry. As long as the equipment, the data, and the people stayed inside the office, that model was enough. But when, within a matter of weeks, employees began connecting from the dining room table, over home networks and shared devices, the wall simply ceased to exist. The perimeter became blurred, and with it, much of the certainty on which your organization's defense rested.
In brief: The traditional network perimeter no longer defines what needs protecting, because work is done outside it. The attack surface grew with home devices, overloaded VPNs, and more sophisticated phishing campaigns. The answer is not to build higher walls, but to move security's center of gravity from the network toward identity and continuous monitoring.
The classic security model starts from a premise that is untenable today: that everything inside the corporate network is trustworthy and everything outside is suspicious. That assumption worked when the perimeter firewall coincided with the company's physical walls. With remote work, most legitimate traffic originates precisely outside that edge, while an attacker, once they obtain valid credentials, automatically lands on the "trusted" side.
The underlying problem is conceptual. When network location stops being a reliable indicator of trust, continuing to base controls on the IP address or the network segment is like guarding a door no one uses anymore. The most relevant risks today are:
Each new connection point is a new potential door. By distributing employees, the organization multiplies the places where an attacker can try to get in, and reduces its ability to monitor them all with the same depth. Three fronts concentrate most of this expansion.
The corporate laptop that once lived behind several layers of defense now shares a router with game consoles, smart TVs, and third-party devices. If the machine is not well managed, with an encrypted disk, up-to-date antivirus, and a hardened configuration, it becomes the weakest link in the entire chain.
The VPN was the fast, reasonable answer for extending the corporate network into homes. But used as the sole defense it has important limits: it concentrates all traffic at one point, grants broad access once the connection is established, and, if credentials are compromised, it opens the entire network. The VPN protects the tunnel, not necessarily what travels through it nor who is at the other end.
Away from the office, without the ability to turn and ask a colleague whether an email is legitimate, people are more vulnerable to deception. Phishing campaigns have become more targeted, imitating internal communications, requests from management, or notices from everyday services. The goal is almost always the same: steal credentials to get in as a legitimate user.
If the network no longer defines the boundary of trust, what does? The answer gaining ground is clear: identity. When you can no longer trust the place someone connects from, what matters is to rigorously verify who they are, with what device, and which resource they are trying to access, every time.
This approach, a precursor to what the industry is beginning to call Zero Trust, boils down to a simple principle: never trust by default, always verify. In practice, it means building security around identity with measures such as:
Adopting this model does not require replacing all your infrastructure overnight. It is a shift in priorities: putting identity at the center and advancing in layers, starting with the most critical access. You can explore how to approach it in a structured way in our cybersecurity practice.
Verifying identity at the moment of access is necessary, but not sufficient. A legitimate credential can be used by the wrong person, and a trusted device can be compromised after connecting. That is why the second pillar of this new approach is visibility: knowing, at all times, what is happening.
Continuous monitoring seeks to detect the anomalous before it becomes an incident. For an organization with distributed teams, this means paying attention to signals such as:
Sustaining this vigilance around the clock is hard to achieve with isolated efforts. This is where a Security Operations Center adds value, by combining technology, processes, and analysts dedicated to detecting and responding continuously. If your organization does not yet have that capability, it is worth learning how a modern SOC operates.
The transition to identity-centered security is a journey, not a switch. These initial steps offer tangible progress without paralyzing the operation:
Is the VPN useless now? It still serves a purpose, but it should not be your only defense. The VPN encrypts traffic, which is valuable, but it does not continuously verify who is at the other end nor limit access once the connection is established. It is best complemented with strong authentication and least-privilege controls.
What exactly is the Zero Trust approach? It is a security model that eliminates implicit trust based on network location. Its principle is "never trust, always verify": every access request is validated according to identity, device, and context, no matter where it originates.
Can a mid-sized company adopt this model? Yes. It does not require replacing all the infrastructure at once. You advance in layers, prioritizing the most critical access and data. Measures such as MFA and privilege review offer a high return on a reasonable investment.
Why do I need monitoring if I already verify identity? Because the initial verification does not guarantee that nothing changes afterward. A legitimate session can be hijacked or a device compromised after connecting. Continuous monitoring detects those anomalous behaviors in time.
The blurred perimeter is not a passing problem: it is the new reality of work. The organizations that thrive will be those that stop defending a nonexistent wall and start protecting what truly matters, the identities, the data, and the ability to see what is happening. At SUMāTO we support LATAM companies through that transition, with a pragmatic, staged approach. If you would like to assess where your organization stands today and where to begin, let's talk.