Light Dark
August 10, 2018 By Sue Poremba 3 min read
Identity & Access
Fraud Protection

First, it was the firewall that shielded the perimeter of our networks from outside intrusion. Firewalls are still a necessary tool in any cybersecurity system, but as more data access came from beyond the internal network, the perimeter shifted to endpoints.

With cloud computing, mobile devices, the Internet of Things (IoT) and the like, much of our information is stored and accessed far away from the original network perimeter. Protecting that data became cybersecurity’s battle cry, and endpoints became the new perimeter.

Now, there is yet another shift. Thanks to digital transformation, identity is the new perimeter.

Identity Is the New Perimeter: Turning Focus

The idea of identity as the new perimeter (and how to secure it) was a primary talking point at Identiverse 2018 earlier this summer. The running theme was that the industry has reached an intersection of people, devices and applications that requires security based on identity.

The world’s digital ecosystem is in a constant state of evolution, said Andre Durand, CEO and founder of security company Ping Identity, in his keynote address. Security professionals rely on identity to meet the challenges of this environment. Durand said identity will be the catalyst of the digital transformation across all industry verticals.

It makes sense: The digital transformation is pushing security professionals to rethink their internal technologies and strategies. As more is accomplished through digital means, they have to develop new ways to identify and verify users — human or machine. Digital identity becomes the doorman, determining access to data and network infrastructure.

Hence, identity is the new perimeter — or, at least, the newest layer of the perimeter.

Accelerate digital growth by establishing digital identity trust

Network Access and Blurred Boundaries

The ability to authenticate identities was easier back when everyone in a single organization shared the same infrastructure. Now, of course, boundaries are more blurred and fluid than ever as devices with network access have multiplied and technologies intersect in the digital atmosphere, Durand said.

This perimeter fluidity is one of the forces shaping identity and identity security. Security professionals can’t put things into neat little piles and expect easy verification of each pile. Multifactor authentication (MFA) is necessary today for identity proofing — and forget passwords as one of those layers. Protecting the identity perimeter requires more sophisticated authentication tools and biometrics integration.

Strong authentication factors help build a circle of trusted identities, but the perimeter needs layers of trust. Think of it this way: Phone calls are one way people attempt to infiltrate personal perimeters. Calls that come from anonymous or unknown numbers are often filtered to voicemail to verify their legitimacy. Calls recognized to be high risk — like a repeated spam phone number — get blocked or reported. But the calls that come from a known identity, such as a number from your contact list, get a positive response.

Digital identity is similar. We must be able to verify trust in the identity before we allow it into our access perimeter.

Building Trust Is Harder Than It Seems

On the surface, the trust level seems obvious. Your IT team should be able to validate known identities and their levels of access. Your security team should be able to spot higher risk identities trying to penetrate.

The problem is threat actors are very good at tricking us into handing over our digital identities.

It’s become much cheaper for malicious actors to practice their trade than it was even a few years ago, which is one reason why security incidents are more frequent today. They are also much smarter about technology and human behavior. They don’t need to use sophisticated attacks to outmaneuver us. Instead, they know that each person is a port into the network and have figured out — often through social engineering and phishing emails — how to breach our identities. From there they can access endpoints and networks using verified authentications.

Your system trusts the identity because it is known — even if you’re not the one using it.

All successful exploits were facilitated by a failure in core identity controls, Richard Bird, client director at Optiv, told the audience at Identiverse 2018. It’s a people problem, but it’s treated like a tech problem.

“Identity-centric security is the only way to win in a world where every information security organization is already out-manned, out-gunned and outmaneuvered by the enemy,” Bird said. “Only re-establishing the core principle of identity as security in your organization will give you a fighting chance.”

If identity is the new perimeter, security must be built in. This could be through identity and access management (IAM) or with privileged account management (PAM) — approaches that give you a first layer of control. You can’t depend on a circle of trust if you don’t have that perimeter strongly guarded.

Everything in security eventually comes back to identity, according to Bird. Defending the identity perimeter must be the first layer in your security system because if you can protect identity, you have a better shot at protecting the endpoints and network.

 |  |  |  | 
Sue Poremba

More from Identity & Access
April 23, 2024

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

April 16, 2024

Obtaining security clearance: Hurdles and requirements

3 min read - As security moves closer to the top of the operational priority list for private and public organizations, needing to obtain a security clearance for jobs is more commonplace. Security clearance is a prerequisite for a wide range of roles, especially those related to national security and defense.Obtaining that clearance, however, is far from simple. The process often involves scrutinizing one’s background, financial history and even personal character. Let’s briefly explore some of the hurdles, expectations and requirements of obtaining a…

March 5, 2024

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature