First, it was the firewall that shielded the perimeter of our networks from outside intrusion. Firewalls are still a necessary tool in any cybersecurity system, but as more data access came from beyond the internal network, the perimeter shifted to endpoints.

With cloud computing, mobile devices, the Internet of Things (IoT) and the like, much of our information is stored and accessed far away from the original network perimeter. Protecting that data became cybersecurity’s battle cry, and endpoints became the new perimeter.

Now, there is yet another shift. Thanks to digital transformation, identity is the new perimeter.

Identity Is the New Perimeter: Turning Focus

The idea of identity as the new perimeter (and how to secure it) was a primary talking point at Identiverse 2018 earlier this summer. The running theme was that the industry has reached an intersection of people, devices and applications that requires security based on identity.

The world’s digital ecosystem is in a constant state of evolution, said Andre Durand, CEO and founder of security company Ping Identity, in his keynote address. Security professionals rely on identity to meet the challenges of this environment. Durand said identity will be the catalyst of the digital transformation across all industry verticals.

It makes sense: The digital transformation is pushing security professionals to rethink their internal technologies and strategies. As more is accomplished through digital means, they have to develop new ways to identify and verify users — human or machine. Digital identity becomes the doorman, determining access to data and network infrastructure.

Hence, identity is the new perimeter — or, at least, the newest layer of the perimeter.

Accelerate digital growth by establishing digital identity trust

Network Access and Blurred Boundaries

The ability to authenticate identities was easier back when everyone in a single organization shared the same infrastructure. Now, of course, boundaries are more blurred and fluid than ever as devices with network access have multiplied and technologies intersect in the digital atmosphere, Durand said.

This perimeter fluidity is one of the forces shaping identity and identity security. Security professionals can’t put things into neat little piles and expect easy verification of each pile. Multifactor authentication (MFA) is necessary today for identity proofing — and forget passwords as one of those layers. Protecting the identity perimeter requires more sophisticated authentication tools and biometrics integration.

Strong authentication factors help build a circle of trusted identities, but the perimeter needs layers of trust. Think of it this way: Phone calls are one way people attempt to infiltrate personal perimeters. Calls that come from anonymous or unknown numbers are often filtered to voicemail to verify their legitimacy. Calls recognized to be high risk — like a repeated spam phone number — get blocked or reported. But the calls that come from a known identity, such as a number from your contact list, get a positive response.

Digital identity is similar. We must be able to verify trust in the identity before we allow it into our access perimeter.

Building Trust Is Harder Than It Seems

On the surface, the trust level seems obvious. Your IT team should be able to validate known identities and their levels of access. Your security team should be able to spot higher risk identities trying to penetrate.

The problem is threat actors are very good at tricking us into handing over our digital identities.

It’s become much cheaper for malicious actors to practice their trade than it was even a few years ago, which is one reason why security incidents are more frequent today. They are also much smarter about technology and human behavior. They don’t need to use sophisticated attacks to outmaneuver us. Instead, they know that each person is a port into the network and have figured out — often through social engineering and phishing emails — how to breach our identities. From there they can access endpoints and networks using verified authentications.

Your system trusts the identity because it is known — even if you’re not the one using it.

All successful exploits were facilitated by a failure in core identity controls, Richard Bird, client director at Optiv, told the audience at Identiverse 2018. It’s a people problem, but it’s treated like a tech problem.

“Identity-centric security is the only way to win in a world where every information security organization is already out-manned, out-gunned and outmaneuvered by the enemy,” Bird said. “Only re-establishing the core principle of identity as security in your organization will give you a fighting chance.”

If identity is the new perimeter, security must be built in. This could be through identity and access management (IAM) or with privileged account management (PAM) — approaches that give you a first layer of control. You can’t depend on a circle of trust if you don’t have that perimeter strongly guarded.

Everything in security eventually comes back to identity, according to Bird. Defending the identity perimeter must be the first layer in your security system because if you can protect identity, you have a better shot at protecting the endpoints and network.

More from Fraud Protection

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

How Security Teams Combat Disinformation and Misinformation

“A lie can travel halfway around the world while the truth is still putting on its shoes.” That popular quote is often attributed to Mark Twain. But since we're talking about misinformation and disinformation, you’ll be unsurprised to learn Twain never said that at all. In fact, no one knows who first strung those words together, but the idea that truth spreads slowly while lies spread quickly is at least several hundred years old. The “Twain” quote also serves to…

A View Into Web(View) Attacks in Android

James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware in Android uses overlay techniques to steal victims’ credentials. In 2022, IBM Security Trusteer researchers discovered a new trend in financial mobile malware that targets…

New DOJ Team Focuses on Ransomware and Cryptocurrency Crime

While no security officer would rely on this alone, it’s good to know the U.S. Department of Justice is increasing efforts to fight cyber crime. According to a recent address in Munich by Deputy Attorney General Lisa Monaco, new efforts will focus on ransomware and cryptocurrency incidents. This makes sense since the X-Force Threat Intelligence Index 2022 named ransomware as the top attack type in 2021. What exactly is the DOJ doing to improve policing of cryptocurrency and other cyber…