Is Identity The New Perimeter?

Published: 22/11/2024   Category: security




Network controls can't scale with cloud and mobile, so CISOs are using IAM as the new lever for security control around corporate access.



As the collective strain of BYOD and ad-hoc, cloud-delivered IT dissolves the last vestiges of the network-based zone defense mentality in infosec, CIOs and CISOs are still on the hunt for a new security lever. The network tools they once counted on for perimeter defense are not enough to control users. Once users step outside the bounds of those perimeters to use countless SaaS tools that make up what many call enterprises' shadow IT, the firewall holds no water. And so security leaders are turning to identity and access management (IAM) to define a new perimeter around corporate access.
"The whole notion of identity as a new perimeter stems out of the fact that CIOs and CISOs were kind of blindsided by the way their networks have expanded," says John Hawley, senior director of business strategy for security at CA Technologies. "It used to be that because everything was behind the firewall, they could architect IAM with LDAP authentication and NTLM. But now they've got the business line going out and driving so much via SaaS."
For example, Hawley relates the story of one CISO at a pharmaceutical company his firm engaged with who found that in various corners of the organization, line-of-business managers were tapping into 61 different SaaS applications.
"And you know what? Not one of those business line managers who used those came to the security team or the enterprise architects and said, 'Hey, we're thinking about doing this,'" he says. "It was always, 'This is done, can we get SSO?' or, 'We're having a problem here.'"
The idea of identity taking over where firewalls left off isn't necessarily a new one, says Nishant Kashik, chief architect of Identropy.
"Identity is not the new perimeter anymore. Identity is the perimeter, plain and simple," Kashik says, pointing to the Jericho Forum's 2007 deperimeterization of the enterprise declaration as a crystallization of discussion that happened years ago. "Since then, the explosion of cloud computing, SaaS, and mobile computing has completely destroyed the old, fortress-style model of security that was based on network security, firewalls, and VPNs. Users are accessing their applications from anywhere, at any time, with a myriad of devices."
Regardless of who calls first dibs on the idea of IAM as the perimeter, the fundamental principle still stands. IT leaders want easier ways to make sure former employees and unauthorized users can't access corporate data on SaaS services after they leave the organization. And they are seeking ways to redesign IAM architectures such that they can support the business in fluidly making and breaking relationships with SaaS providers, in allowing access to any devices, while maintaining access control through some form of a centralized identity service, Hawley says.
"So even if they have 60 SaaS applications sitting out there, nobody can go to those applications directly," he says. "That way, we know who's going there, we can do multifactor authentication if that's what we think is appropriate for that app, and when they leave the organization, we can know for sure that they can't get into any of those SaaS applications that lead outside of our traditional boundaries."
A recent survey of security leaders in the CISO Executive Network showed that IAM stands as one of the highest priorities on CISOs' minds today, second only to BYOD security. A huge component of the IAM focus revolves around this idea of identity as perimeter, says Bill Sieglein, founder of the CISO Executive Network.
"We are in what I call the next generation of identity and access management," he says.
This is hardly any enterprise CISO's first rodeo when it comes to wide-scale identity initiatives. Many within the industry put a lot of effort in the past five to 10 years to get their arms around federation and single sign-on deployments for internal network systems. Even enterprises that did bring those projects to successful fruition are now finding, though, that the cloud and mobile wildcards require going back to the drawing board. Sieglein relates a thought one of his CISO members told him.
"In the old days in the closed network, when you had people coming to the office, in effect, one-factor authentication was almost two-factor because you were sitting at a terminal that was a known entity," he says. "That's completely gone. Users are logging in from every conceivable location. There are so many factors and contextual things we have to consider when we authenticate a user."
The difficulty is helping management understand the factors of the new risks to convince them to fund a new round of IAM retrofits, he says. That's not the only sale CISOs need to make, either.
There are all those users who go outside the system to get services for shadow IT. CISOs haven't figured out a way to convince users to come back into the fold, Sieglein says.
The ultimate goal for CIOs and CISOs is to offer technologies that make it easier on the end user, essentially luring them with the ability to still log into SaaS -- to still use multiple devices while simplifying the log-in process. Rather than memorizing a whole bunch of account information, single sign-on gives them less to worry about. Same thing with password synchronization and automated password resets.
"So there's a lure on that hook to get them to come through you," he says. "And, of course, our ulterior motive is better control. We have no control when they're outside that fold."
Of course, there are many slips twixt the cup and the lip, and no more so than in the field of IAM -- an IT niche haunted by enough ghosts of failed deployments past to scare people away from federation or SSO. The trick is to learn from those ghosts -- namely, that it will take a phased strategy to bring every identity aspect into the fold.
"They can't do it all at once, and I think that's one part of the process that everybody has learned over the past seven to 10 years of trying to do this," Hawley says. "They have to start small. What they're trying to do is just get that infrastructure in place -- and then try to get ahead of it, so as new [services or devices] come in, they're able to drop it in going forward."
Standards like SAML and OAuth should play a big part in gradually building the infrastructure out. As enterprises seek to scale up SSO and federation across cloud infrastructure, they're leaning on SaaS providers to get with the standards program to support their identity efforts. Hawley says the only way these enterprises can scale with a fragmented data center is to push those standards.
"A lot of the more mature organizations that I work with, they're able to go to the SaaS vendors the business says are important to them and say, 'We're going to do federated authentication. Either you leverage those standards, or we're not doing business together,'" Hawley says.
Also tightly woven into IAM success is how the organization deals with data governance, Sieglein says.
"These companies are going to have to figure out where their sensitive data is. So identify your critical data, find out who the owners are, and then start working out roles -- who can access what," he says. "It becomes an opportunity for a clean slate to build data governance and better roles management. But that can be a lengthy process."