Identity Is the New Perimeter — But Where’s Its Firewall?
First, it was the firewall that shielded the perimeter of our networks from outside intrusion. Firewalls are still a necessary tool in any cybersecurity system, but as more data access came from beyond the internal network, the perimeter shifted to endpoints.
With cloud computing, mobile devices, the Internet of Things (IoT) and the like, much of our information is stored and accessed far away from the original network perimeter. Protecting that data became cybersecurity’s battle cry, and endpoints became the new perimeter.
Now, there is yet another shift. Thanks to digital transformation, identity is the new perimeter.
Identity Is the New Perimeter: Turning Focus
The idea of identity as the new perimeter (and how to secure it) was a primary talking point at Identiverse 2018 earlier this summer. The running theme was that the industry has reached an intersection of people, devices and applications that requires security based on identity.
The world’s digital ecosystem is in a constant state of evolution, said Andre Durand, CEO and founder of security company Ping Identity, in his keynote address. Security professionals rely on identity to meet the challenges of this environment. Durand said identity will be the catalyst of the digital transformation across all industry verticals.
It makes sense: The digital transformation is pushing security professionals to rethink their internal technologies and strategies. As more is accomplished through digital means, they have to develop new ways to identify and verify users — human or machine. Digital identity becomes the doorman, determining access to data and network infrastructure.
Hence, identity is the new perimeter — or, at least, the newest layer of the perimeter.
Network Access and Blurred Boundaries
The ability to authenticate identities was easier back when everyone in a single organization shared the same infrastructure. Now, of course, boundaries are more blurred and fluid than ever as devices with network access have multiplied and technologies intersect in the digital atmosphere, Durand said.
This perimeter fluidity is one of the forces shaping identity and identity security. Security professionals can’t put things into neat little piles and expect easy verification of each pile. Multifactor authentication (MFA) is necessary today for identity proofing — and a password should not count as one of those layers. Protecting the identity perimeter requires more sophisticated authentication tools and biometrics integration.
Strong authentication factors help build a circle of trusted identities, but the perimeter needs layers of trust. Think of it this way: Phone calls are one way people attempt to infiltrate personal perimeters. Calls that come from anonymous or unknown numbers are often filtered to voicemail to verify their legitimacy. Calls recognized to be high risk — like a repeated spam phone number — get blocked or reported. But the calls that come from a known identity, such as a number from your contact list, get a positive response.
Digital identity is similar. We must be able to verify trust in the identity before we allow it into our access perimeter.
Building Trust Is Harder Than It Seems
On the surface, the trust level seems obvious. Your IT team should be able to validate known identities and their levels of access. Your security team should be able to spot higher-risk identities trying to penetrate.
The problem is threat actors are very good at tricking us into handing over our digital identities.
It’s become much cheaper for malicious actors to practice their trade than it was even a few years ago, which is one reason why security incidents are more frequent today. They are also much smarter about technology and human behavior. They don’t need to use sophisticated attacks to outmaneuver us. Instead, they know that each person is a port into the network and have figured out — often through social engineering and phishing emails — how to breach our identities. From there they can access endpoints and networks using verified authentications.
Your system trusts the identity because it is known — even if you’re not the one using it.
All successful exploits were facilitated by a failure in core identity controls, Richard Bird, client director at Optiv, told the audience at Identiverse 2018. It’s a people problem, but it’s treated like a tech problem.
“Identity-centric security is the only way to win in a world where every information security organization is already out-manned, out-gunned and outmaneuvered by the enemy,” Bird said. “Only re-establishing the core principle of identity as security in your organization will give you a fighting chance.”
If identity is the new perimeter, security must be built in. This could be through identity and access management (IAM) or with privileged account management (PAM) — approaches that give you a first layer of control. You can’t depend on a circle of trust if you don’t have that perimeter strongly guarded.
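The layered trust model described above (block known-bad sources, challenge what cannot yet be trusted, admit only known identities carrying strong factors, and guard privileged resources with an extra layer of control in the spirit of IAM/PAM) can be written down as an explicit access decision. The following is an added illustration, not code from the article or from any of the vendors it quotes. The directory structure, the `AccessRequest` fields, the factor names and every user, device and IP address in it are constructed for the example; a real IAM or PAM product would supply these signals from its own stores.

```python
"""Identity-centric access decisions: an added worked example, not from the article.

Mirrors the phone-call analogy: a known high-risk source is blocked outright,
an unverified caller is held for verification (step-up), and a known identity
on a trusted device with a strong factor is let through. Privileged resources
get the extra PAM-style layer: a phishing-resistant factor and a registered device.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # challenge for an additional, stronger factor
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    factors: frozenset      # factors already satisfied, e.g. {"password", "fido2"}
    device_id: str
    source_ip: str
    resource: str


@dataclass
class IdentityDirectory:
    """Hypothetical stand-in for the IAM/PAM data an access decision consumes."""
    trusted_devices: dict       # user -> set of registered device ids
    privileged_resources: set   # resources that require the extra PAM-style layer
    blocked_sources: set        # IPs with a known-bad reputation (the "spam number")
    revoked_users: set          # identities that must never be trusted again


STRONG_FACTORS = {"totp", "push", "fido2"}
PHISHING_RESISTANT = {"fido2"}


def evaluate(req: AccessRequest, directory: IdentityDirectory) -> tuple:
    """Return (Decision, reason). Checks run from highest risk to lowest."""
    # 1. Known high-risk: block, the way a reported spam number gets blocked.
    if req.source_ip in directory.blocked_sources:
        return Decision.DENY, "source address has a known-bad reputation"
    if req.user in directory.revoked_users:
        return Decision.DENY, "identity has been revoked"
    # 2. Nobody we know: there is no identity to step up, so refuse.
    if req.user not in directory.trusted_devices:
        return Decision.DENY, "identity is not in the directory"
    # 3. A password alone is not a trust layer; hold the request for a strong factor.
    if not (req.factors & STRONG_FACTORS):
        return Decision.STEP_UP, "password alone is not a trust layer; require a strong factor"
    registered = req.device_id in directory.trusted_devices[req.user]
    # 4. Privileged resource: the extra layer of control (PAM-style).
    if req.resource in directory.privileged_resources:
        if not (req.factors & PHISHING_RESISTANT):
            return Decision.STEP_UP, "privileged access requires a phishing-resistant factor"
        if not registered:
            return Decision.DENY, "privileged access from an unregistered device"
        return Decision.ALLOW, "privileged access: known identity, registered device, fido2"
    # 5. Ordinary resource from an unrecognised device: verify before trusting (voicemail).
    if not registered:
        return Decision.STEP_UP, "unrecognised device; verify before extending trust"
    return Decision.ALLOW, "known identity on a trusted device with a strong factor"


# Constructed sample directory (documentation IP ranges, made-up users and devices).
DIRECTORY = IdentityDirectory(
    trusted_devices={"alice": {"laptop-a1"}, "bob": {"phone-b7"}},
    privileged_resources={"domain-admin-console"},
    blocked_sources={"198.51.100.9"},
    revoked_users={"mallory"},
)


def demo() -> list:
    """Run a handful of constructed requests through the policy."""
    requests = [
        AccessRequest("alice", frozenset({"password", "fido2"}), "laptop-a1", "203.0.113.5", "wiki"),
        AccessRequest("alice", frozenset({"password"}), "laptop-a1", "203.0.113.5", "wiki"),
        AccessRequest("bob", frozenset({"password", "totp"}), "kiosk-9", "203.0.113.6", "wiki"),
        AccessRequest("bob", frozenset({"password", "totp"}), "phone-b7", "203.0.113.6", "domain-admin-console"),
        AccessRequest("alice", frozenset({"password", "fido2"}), "laptop-a1", "198.51.100.9", "wiki"),
        AccessRequest("mallory", frozenset({"password", "fido2"}), "laptop-m1", "203.0.113.7", "wiki"),
    ]
    return [evaluate(r, DIRECTORY) for r in requests]


if __name__ == "__main__":
    for decision, reason in demo():
        print(f"{decision.value:8s} {reason}")
```

The ordering matters: reputation and revocation checks come before anything the requester controls, so a stolen but otherwise valid credential set from a blocked source never reaches the "known identity" branch. That is the point the article makes about a system trusting an identity because it is known even when someone else is using it; the device and factor layers are what make "known" mean more than "has the password".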
Everything in security eventually comes back to identity, according to Bird. Defending the identity perimeter must be the first layer in your security system because if you can protect identity, you have a better shot at protecting the endpoints and network.