How enterprise security has changed — and where it’s headed
Not long ago, enterprise security architecture was modeled like a castle, complete with walls and a moat. Enterprises hosted their corporate applications in the data center, and users accessed them from “inside” the corporate network with company-managed devices, within the physical confines of the corporate campus. Identity and access were managed at the network level, using network constructs and network access control within the organization. Life was simple and good.
However, the industry changed, and that fairy tale architecture vanished.
The advent of digital transformation, driven by trends such as mobile, social, cloud, and IoT, has created unprecedented opportunities for enterprises, but also significant challenges with regard to managing identity and access. On one hand, enterprises are stuck with islands of identity, as security teams adopt numerous IAM policy management tools to cope with heterogeneous environments. On the other, traditional ways of managing policy through VLANs, ACLs, firewalls, VRFs, VPNs, and more, no longer provide the level of security that they once did — leaving enterprises vulnerable to attack.
The problem is that the traditional way of managing access relies on excessive trust — placing users within the castle walls. This leaves enterprises continually at risk for unwanted intrusion and lateral movement within their networks. Indeed, with this excessive trust, it is easy to spread malicious activity from a single compromised system to an entire network, thereby compromising an organization’s confidential or regulated data.
Today, enterprises need a new security model — one where the perimeter isn’t defined by physical location. They need robust security, where every access request is rigorously authenticated and authorized with sound policy and inspected for anomalies before access is granted. They need a model that adapts to the complexities of the modern environment, such as cloud and mobility, and protects people, devices, applications, and data wherever they are located. They need identity-based access management.
What do we mean by identity-based access?
Enterprises need to shift from traditional, IP address-based access to user identity-based authentication and authorization. Here, identity refers to any asset that can connect to the enterprise: users, devices, applications, and data. Crucially, such a model must always include strong authentication and authorization mechanisms to ensure that any identity is compliant with access policy, before access is granted. This is a “never trust, always verify” approach to security.
We can elaborate on the definition of asset further:
Users — User identity includes the identity of the user and their group memberships. Typically, user identity in enterprises is managed in Active Directory (AD). However, it is possible to leverage other user stores as well.
Devices — Device identity refers to the device fingerprint of both managed and unmanaged devices. It is crucial for security teams to verify both whether the device is in the domain and whether it is compliant with organizational access policies.
Applications — Application identity refers to either a traditional three-tier application or a distributed or cloud-based application. To define effective per-application policy, it is important to recognize the varying levels of business criticality that applications may have.
Data — Data is the single most important asset for an enterprise to protect. For creating data policy, it is important to identify not only the criticality of data, but also the context of assets attempting to access it, such as risk, location, and the time of day of access.
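To make the asset model above concrete, here is an added example (not code from the original article or from any vendor product) of a per-request policy evaluator that checks user group membership, device posture, application criticality, data classification and request context before granting access, and denies anything it cannot classify. The groups, data classes, applications and thresholds are constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample policy (hypothetical values, not from any product).
# Which groups may touch each data class; unknown classes are denied.
DATA_CLASS_GROUPS = {
    "public": {"employees", "finance", "contractors"},
    "internal": {"employees", "finance"},
    "regulated": {"finance"},
}
APP_CRITICALITY = {"wiki": "low", "payroll": "high"}
MAX_RISK = {"low": 80, "high": 40}   # risk score ceiling per app criticality
BUSINESS_HOURS = range(7, 20)        # 07:00-19:59 local time


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset            # group memberships from the user store
    device_managed: bool         # device is in the domain / enrolled
    device_compliant: bool       # device passes posture checks
    app: str
    data_class: str
    risk_score: int              # 0 (clean) .. 100 (actively hostile)
    location: str                # "campus" or "remote"
    hour: int                    # local hour of day, 0-23


def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; anything unknown is denied."""
    allowed_groups = DATA_CLASS_GROUPS.get(req.data_class)
    criticality = APP_CRITICALITY.get(req.app)
    if allowed_groups is None or criticality is None:
        return False, "unknown application or data class"
    # User identity: group membership must grant the requested data class.
    if not req.user or not (req.groups & allowed_groups):
        return False, "user not entitled to data class"
    # Device identity: regulated data and high-criticality apps need a managed, compliant device.
    if (req.data_class == "regulated" or criticality == "high") and not (
        req.device_managed and req.device_compliant
    ):
        return False, "device not managed/compliant"
    # Context: the tolerated risk score tightens with application criticality.
    if req.risk_score > MAX_RISK[criticality]:
        return False, "risk score too high"
    # Context: high-criticality apps may be reached remotely only during business hours.
    if criticality == "high" and req.location != "campus" and req.hour not in BUSINESS_HOURS:
        return False, "remote access outside business hours"
    return True, "all checks passed"
```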
What should next-generation identity and access solutions look like?
To secure the enterprise perimeter in a hyper-connected world, organizations need next-generation solutions that provide a number of key capabilities:
Identity-based: Identity and access management based on asset identities, including user, device, application, and sensitive data identities.
Unified Policy: Enterprises need unified policy that is cloud-managed and dynamically distributed for “just-in-time” access.
Cloud-centric Management: To enable rapid scalability, the management console should be delivered as a cloud-based service, even if enforcement points are distributed locally at the edge.
PIN Independent: To enable ubiquitous, domain-agnostic policy, policy enforcement points must be deployed locally at the campus, branch, data center, cloud, multi-cloud, remote, and other places-in-the-network (PIN).
CARTA compliant: In line with Gartner's Continuous Adaptive Risk and Trust Assessment (CARTA), asset behavior should be continuously monitored for risk and compliance, and policies must be continuously iterated through AI.
Standards-based: Both access protection and attack prevention mechanisms must deliver standards-based protection.
The traditional castle-walls-and-moat architecture worked well in another era — but it no longer provides the level of security that enterprises need. To thrive in a world transformed by cloud, mobility, and connected devices, enterprises need to embrace the next generation of security solutions and make identity the new perimeter.