People are the new perimeter and identity is at the very core of maintaining a secure, trusted environment.
New technologies and trends, including the mobile workforce, BYOD, IoT, digital transformation, and the consumerisation of IT, are shifting identity and access management to the very core of digital organisations – the IT environment is becoming increasingly distributed.
So says Adeshni Rohit, business unit manager for Cisco at Axiz, adding that as the IT environment becomes more distributed, all these technologies, while delivering significant benefits and value, are ultimately widening the attack surface and greatly increasing enterprise risk. “What is crucial, is that the way we secure today’s businesses under the digital age has changed. Perimeter security, which acts as layers around our valuable assets is ineffective. We are trying to protect our data, and need to start building that protection around our IP and other information assets.”
Moreover, she says today’s data centres are becoming fragmented, no longer constrained by the comfortable security perimeter of firewalls and VPNs we so carefully constructed over the last decade. “Protecting today’s cloud-based, mobile enterprise requires a whole new approach. Although it is impossible to control the whole security stack for every cloud application, it is possible to employ tools and new identity standards to fill the gaps left by the disappearance of the traditional perimeter as we once knew it.”
IAM that was once about defining and managing the roles and access privileges of individual users across the company network, and under which circumstances in which users are granted or denied access privileges, has changed, explains Rohit. “It now goes far beyond a tool used to manage user identities and access, is it used to uniquely profile users, track their needs and behaviours, and drive security and efficiency.”
Traditional security architectures were designed with two groups in mind, trusted individuals, who need to be able to access everything inside the business, and untrusted ones, who are kept at arms length.
There was a time, she says, when the tech department threw money at the latest and greatest defensive tools that formed a barrier between the two types of users, and emphasised securing the network perimeter, usually with firewalls. And this worked for while, the barrier kept potential threats at bay, and attackers out. But it also caused problems, because should the barrier fail, or a bad actor find a chink in its armour and gain a foothold on the company network, they would effectively have carte blanche over anything and everything on the organisations systems.
According to Rohit, another problem was the increased adoption of mobile and cloud technologies, that sees work being conducted more and more outside the safety of the company network.
“This effectively breaks down the barrier between the two types of user, and the network perimeter becomes increasingly difficult to enforce. Employees, contractors, partners and suppliers, all access company data from beyond the traditional perimeter. In today’s cloud and mobile world, more individuals access more and more resources and data from a wide range of devices. And it only takes one attacker to wreak havoc within the company network, which means that businesses can no longer assume trust across any part of the IT environment, that throws away the idea of a trusted internal network and versus an untrusted external network.”
Identity is the common denominator, she adds, and the new security perimeter. “It is the only hope of securely connecting a vast ecosystem of users, devices and locations. And this is where zero trust comes in. Zero Trust is a security framework, developed by Forrester Research analyst Jon Kindervag in 2009. With zero trust, organisations cannot automatically trust anything inside or outside their perimeters. They need to verify anything and everything that is trying to connect to its systems, before it grants any access at all.”
Zero trust security rids security teams of the notion that organisations should have a “trusted” internal network and an “untrusted” external network. Technologies such as IoT, mobile and cloud mean that a network perimeter-centric view of security no longer works. What is needed now, is the ability to securely enable access for all users, including staff, third-party partners, contractors, suppliers and suchlike, irrespective of where they are located, or which device and network they are using.
In this way, zero trust model makes sense. “In today’s security landscape, it’s not about the network any more, it’s about the people who access your systems, and the access controls for those people. This is where identity comes in, and making identity the foundation of zero trust. ‘Never trust, always verify’, is the key principle here. In this way, on the right people have the right level of access, to the right resources, in the right context, at the right time. And all this access is assessed on an ongoing basis, without impacting on the user at all,” says Rohit.
However, she says choosing the right IAM solution is critical. “Beginning a zero trust journey by employing a mixture of on-premises and cloud applications that are not well integrated, means the IT department will be burdened with the task of managing disparate identities across a number of systems, as well as the numerous applications and services used that IT awareness. The user is encumbered with having to remember multiple, and therefore most likely weak passwords, and a lack of visibility and ownership over these fragmented identities leaves IT and security teams with massive gaps for threat actors to slither through.