First, it was the firewall that shielded the perimeter of our networks from outside intrusion. Firewalls are still a necessary tool in any cybersecurity system, but as more data access came from beyond the internal network, the perimeter shifted to endpoints.

With cloud computing, mobile devices, the Internet of Things (IoT) and the like, much of our information is stored and accessed far away from the original network perimeter. Protecting that data became cybersecurity’s battle cry, and endpoints became the new perimeter.

Now, there is yet another shift. Thanks to digital transformation, identity is the new perimeter.

Identity Is the New Perimeter: Turning Focus

The idea of identity as the new perimeter (and how to secure it) was a primary talking point at Identiverse 2018 earlier this summer. The running theme was that the industry has reached an intersection of people, devices and applications that requires security based on identity.

The world’s digital ecosystem is in a constant state of evolution, said Andre Durand, CEO and founder of security company Ping Identity, in his keynote address. Security professionals rely on identity to meet the challenges of this environment. Durand said identity will be the catalyst of the digital transformation across all industry verticals.

It makes sense: The digital transformation is pushing security professionals to rethink their internal technologies and strategies. As more is accomplished through digital means, they have to develop new ways to identify and verify users — human or machine. Digital identity becomes the doorman, determining access to data and network infrastructure.

Hence, identity is the new perimeter — or, at least, the newest layer of the perimeter.

Accelerate digital growth by establishing digital identity trust

Network Access and Blurred Boundaries

The ability to authenticate identities was easier back when everyone in a single organization shared the same infrastructure. Now, of course, boundaries are more blurred and fluid than ever as devices with network access have multiplied and technologies intersect in the digital atmosphere, Durand said.

This perimeter fluidity is one of the forces shaping identity and identity security. Security professionals can’t put things into neat little piles and expect easy verification of each pile. Multifactor authentication (MFA) is necessary today for identity proofing — and forget passwords as one of those layers. Protecting the identity perimeter requires more sophisticated authentication tools and biometrics integration.

Strong authentication factors help build a circle of trusted identities, but the perimeter needs layers of trust. Think of it this way: Phone calls are one way people attempt to infiltrate personal perimeters. Calls that come from anonymous or unknown numbers are often filtered to voicemail to verify their legitimacy. Calls recognized to be high risk — like a repeated spam phone number — get blocked or reported. But the calls that come from a known identity, such as a number from your contact list, get a positive response.

Digital identity is similar. We must be able to verify trust in the identity before we allow it into our access perimeter.

Building Trust Is Harder Than It Seems

On the surface, the trust level seems obvious. Your IT team should be able to validate known identities and their levels of access. Your security team should be able to spot higher risk identities trying to penetrate.

The problem is threat actors are very good at tricking us into handing over our digital identities.

It’s become much cheaper for malicious actors to practice their trade than it was even a few years ago, which is one reason why security incidents are more frequent today. They are also much smarter about technology and human behavior. They don’t need to use sophisticated attacks to outmaneuver us. Instead, they know that each person is a port into the network and have figured out — often through social engineering and phishing emails — how to breach our identities. From there they can access endpoints and networks using verified authentications.

Your system trusts the identity because it is known — even if you’re not the one using it.

All successful exploits were facilitated by a failure in core identity controls, Richard Bird, client director at Optiv, told the audience at Identiverse 2018. It’s a people problem, but it’s treated like a tech problem.

“Identity-centric security is the only way to win in a world where every information security organization is already out-manned, out-gunned and outmaneuvered by the enemy,” Bird said. “Only re-establishing the core principle of identity as security in your organization will give you a fighting chance.”

If identity is the new perimeter, security must be built in. This could be through identity and access management (IAM) or with privileged account management (PAM) — approaches that give you a first layer of control. You can’t depend on a circle of trust if you don’t have that perimeter strongly guarded.

Everything in security eventually comes back to identity, according to Bird. Defending the identity perimeter must be the first layer in your security system because if you can protect identity, you have a better shot at protecting the endpoints and network.

More from Fraud Protection

New DOJ Team Focuses on Ransomware and Cryptocurrency Crime

While no security officer would rely on this alone, it’s good to know the U.S. Department of Justice is increasing efforts to fight cyber crime. According to a recent address in Munich by Deputy Attorney General Lisa Monaco, new efforts will focus on ransomware and cryptocurrency incidents. This makes sense since the X-Force Threat Intelligence Index 2022 named ransomware as the top attack type in 2021. What exactly is the DOJ doing to improve policing of cryptocurrency and other cyber…

What Are the Biggest Phishing Trends Today?

According to the 2022 X-Force Threat Intelligence Index, phishing was the most common way that cyber criminals got inside an organization. Typically, they do so to launch a much larger attack such as ransomware. The Index also found that phishing was used in 41% of the attacks that X-Force remediated in 2021. That's a 33% increase from 2021. One of the biggest reasons threat actors are increasing phishing attacks is that all it takes is one employee to make a…

Top Security Concerns When Accepting Crypto Payment

From Microsoft to AT&T to Home Depot, more companies are accepting cryptocurrency as a way to pay for products and services. This makes perfect sense as crypto coins are a viable revenue source. Perhaps the time is ripe for businesses to learn how to receive, process and convert crypto payments into fiat currency. Still, many questions remain. How can you safely enable customers to pay with Bitcoin or other digital currency? What are the security risks that come with cryptocurrency? Let’s…

NFT Security Risks: Old Scams and New Tricks

The non-fungible token (NFT) boom has also led to some serious security incidents. For example, the number of suspicious-looking domain registrations with names of NFT stores increased nearly 300% in March 2021. To participate in an NFT marketplace, you must have an active cryptocurrency wallet. This exposes NFT holders to new risks as attackers can find ways into your crypto wallet through your marketplace account. As we’ll see, threat actors have even infiltrated NFT marketplace OpenSea’s Discord server posing as…