Share this
How Identity Became the New Perimeter
by Shivan Mandalam on Aug 12, 2020 7:00:00 AM
How enterprise security has changed — and where it’s headed
Not long ago, enterprise security architecture was modeled like a castle, complete with walls and a moat. Enterprises hosted their corporate applications in the data center, and users accessed them from “inside” the corporate network with company-managed devices, within the physical confines of the corporate campus. Identity and access were managed at the network level, using network constructs and network access control within the organization. Life was simple and good.
However, the industry changed, and that fairy tale architecture vanished.
The advent of digital transformation, driven by trends such as mobile, social, cloud, and IoT, has created unprecedented opportunities for enterprises, but also significant challenges with regard to managing identity and access. On one hand, enterprises are stuck with islands of identity, as security teams adopt numerous IAM policy management tools to cope with heterogeneous environments. On the other, traditional ways of managing policy through VLANS, ACLS, firewalls, VRFs, VPNs, and more, no longer provide the level of security that they once did — leaving enterprises vulnerable to attack.
The problem is that the traditional way of managing access relies on excessive trust — placing users within the castle walls. This leaves enterprises continually at risk for unwanted intrusion and lateral movement within their networks. Indeed, with this excessive trust, it is easy to spread malicious activity from a single compromised system to an entire network, thereby compromising an organization’s confidential or regulated data.
Today, enterprises need a new security model — one where the perimeter isn’t defined by physical location. They need robust security, where every access request is rigorously authenticated and authorized with sound policy and inspected for anomalies before access is granted. They need a model that adapts to the complexities of the modern environment, such as cloud and mobility, and protects people, devices, applications, and data wherever they are located. They need identity-based access management.
What do we mean by identity-based access?
Enterprises need to shift from traditional, IP address-based access to user identity-based authentication and authorization. Here, identity refers to any asset that can connect to the enterprise: users, devices, applications, and data. Crucially, such a model must always include strong authentication and authorization mechanisms to ensure that any identity is compliant with access policy, before access is granted. This is a “never trust, always verify” approach to security.
We can elaborate on the definition of asset further:
- Users — User identity includes the identity of the user and their group memberships. Typically, user identity in enterprises is managed in Active Directory (AD). However, is it possible to leverage other user stores, as well.
- Devices — Device identity refers to the device fingerprint of both managed and unmanaged devices. It is crucial for security teams to verify both whether the device is in the domain and whether it is compliant with organizational access policies.
- Applications — Application identity refers to either a traditional three-tier application or a distributed or cloud-based application. To define effective per-application policy, it is important to recognize the varying levels of business criticality that applications may have.
- Data — Data is the single most important asset for an enterprise to protect. For creating data policy, it is important to identify not only the criticality of data, but also the context of assets attempting to access it, such as risk, location, and the time of day of access.
What should next-generation identity and access solutions look like?
To secure the enterprise perimeter in a hyper-connected world, organizations need next-generation solutions that provide a number of key capabilities:
- Identity-based: Identity and access management based on asset identities, including user, device, application, and sensitive data identities.
- Unified Policy: Enterprises need unified policy that is cloud-managed and dynamically distributed for “just-in-time” access.
- Cloud-centric Management: To enable rapid scalability, the management console should be delivered as a cloud-based service, even if enforcement points are distributed locally at the edge.
- PIN Independent: To enable ubiquitous, domain-agnostic policy, policy enforcement points must be deployed locally at the campus, branch, data center, cloud, multi-cloud, remote, and other places-in-the-network (PIN).
- CARTA compliant: Asset behavior should be continuously monitored for risk and compliance and policies must be continuously iterated through AI.
- Standards-based: Both access protection and attack prevention mechanisms must deliver standards-based protection.
The traditional castle-walls-and-moat architecture worked well in another era — but it no longer provides the level of security that enterprises need. To thrive in a world transformed by cloud, mobility, and connected devices, enterprises need to embrace the next-generation of security solutions and make identity the new perimeter.
Share this
- Blog (30)
- Cybersecurity (13)
- Zero Trust (12)
- Enterprise Security (10)
- Identity (5)
- Elisity (4)
- Enterprise Architecture Security (4)
- Network Security (4)
- Remote Access (4)
- microsegmentation (3)
- Black Hat (2)
- Identity and Access Management (2)
- blogs (2)
- Adaptive Trust (1)
- MITRE (1)
- News (1)
- Software Supply Chain Security (1)
- case study (1)
- cyber resilience (1)
- December 2024 (4)
- November 2024 (5)
- October 2024 (7)
- September 2024 (5)
- August 2024 (3)
- July 2024 (4)
- June 2024 (2)
- April 2024 (3)
- March 2024 (2)
- February 2024 (1)
- January 2024 (3)
- December 2023 (1)
- November 2023 (1)
- October 2023 (2)
- September 2023 (3)
- June 2023 (1)
- May 2023 (3)
- April 2023 (1)
- March 2023 (6)
- February 2023 (4)
- January 2023 (3)
- December 2022 (8)
- November 2022 (3)
- October 2022 (1)
- July 2022 (1)
- May 2022 (1)
- February 2022 (1)
- November 2021 (1)
- August 2021 (1)
- May 2021 (2)
- April 2021 (2)
- March 2021 (3)
- February 2021 (1)
- November 2020 (2)
- October 2020 (1)
- September 2020 (1)
- August 2020 (3)
No Comments Yet
Let us know what you think