Identity is the new perimeter

Cloud adoption, mobility and the consumerization of IT present the opportunity to transform the way enterprise employees, partners and customers do business. But as we move to leverage these new capabilities, we realize that the IT environment is quickly becoming more distributed.

The enterprise data center has become more of a virtual concept and is highly fragmented, quickly oozing around the comfortable security perimeter of firewalls and VPNs we so carefully constructed over the last decade. Protecting the cloud-based, mobile enterprise requires a new approach. While we cannot control the whole security stack for every SaaS application, we can leverage new identity standards to fill the gaps left by the disappearance of the traditional perimeter as we know it. Identity is the common denominator. Identity is the new security perimeter for the fragmented IT data center.

How We Got Here

It started with users outside the network. More employees are working remotely and new organizations are being added through mergers and acquisitions. In many organizations, partners and even customers must be connected to application platforms as well to accelerate business interactions. But the diversity of the user is not the only dynamic. The end-user footprint is rapidly expanding as well. According to Forrester Research, 52 percent of all information workers use three or more devices for work. Forrester also states that "in 2016, 350 million employees will use smartphones and 200 million of them will bring their own." The idea of controlling each device to create a network security perimeter is no longer a viable approach.


On the application side, cloud service models are fragmenting the data center. Many new applications are running on private clouds hosted externally or even on public cloud services such as Amazon EC2. Of course, the cloud service model adopted most frequently is SaaS. IDC reports that "by 2015, about 24 percent of all new business software purchases will be of service-enabled software."

In fact, many of the SaaS purchases are undertaken by business owners, completely bypassing IT and security organizations and creating new instances of the enterprise IT environment. This is known as Shadow IT.

Previously, the Shadow IT movement was about a business owner buying a server, getting an IP address and installing a stealth application. But today's Shadow IT problem presents a far greater threat to the security of an organization through the "Shadow Identities" that employees create with cloud-based user accounts. Every Shadow Identity creates a back door to the enterprise. In most cases, employees will use the same account name and password for cloud services or external applications as they do in the enterprise or for their personal accounts. In that situation, if the SaaS provider's credential database or any personal account is compromised, the attacker can come right through the enterprise front door and take whatever they want. You don't want to be pulled into that conversation with your CEO.

The bottom line is that as the data center fragments, IT will often not have control over the network security perimeter, the device or the application security stack. Instead, the role of the corporate security officer is evolving to be the connector of business services. The security challenge is more about connecting the right people to the right business service, which cannot be done if every business service manages its own authentication and identity management. Security professionals need a way to pull identity and access management out of each cloud or business service and keep it within their control. A centralized identity management and authentication service that controls access to every business service, regardless of location or end-user device, will provide the ability to secure every door into the fragmented IT environment. Confirming the identity of each user and securely transmitting that information to each app becomes the new perimeter control.

Making it Work

In the past, creating this model has been challenging, given that each application required its own user list and credentials. However, recent advances and growing adoption around standards such as SAML, OpenID Connect and OAuth for authentication and SCIM for user administration are making it possible to centralize authentication and pass a token to each application.

Given that the central identity service becomes the main access door for every application, initial authentication of the user is critical. Risk-based modeling that adjusts the authentication mode based on context such as the device, time of day, location, recent history and/or transaction value is required. These technologies are evolving such that much of this activity can be done transparently, keeping customers happy and ensuring business users don't work around corporate controls.
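As an added illustration of the risk-based, context-driven authentication described above (example code written for this page, not the author's or CA Technologies' own), the policy below scores a login context and decides whether the user proceeds transparently, is stepped up to a second factor, or is blocked. The context fields, weights, thresholds, home countries and business hours are all assumptions.

```python
"""Risk-based step-up authentication policy (illustrative; weights and
thresholds are assumptions, not a vendor's production model)."""
from dataclasses import dataclass
from datetime import datetime
from enum import Enum


class AuthMode(Enum):
    PASSWORD = "password"   # low risk: transparent single sign-on
    MFA = "mfa"             # medium risk: step up to a second factor
    DENY = "deny"           # high risk: block the attempt and alert the SOC


@dataclass
class LoginContext:
    known_device: bool        # device previously enrolled for this user
    country: str              # country of the source IP (assumed geolocation)
    login_time: datetime      # local time of the attempt
    recent_failures: int      # failed attempts for this account in the last hour
    transaction_value: float  # monetary value of the action being authorized


HOME_COUNTRIES = {"US", "GB"}   # assumption: where the workforce normally works
BUSINESS_HOURS = range(7, 20)   # assumption: 07:00-19:59 is normal activity


def risk_score(ctx: LoginContext) -> int:
    """Additive score: each unusual context signal raises the risk."""
    score = 0
    if not ctx.known_device:
        score += 30
    if ctx.country not in HOME_COUNTRIES:
        score += 25
    if ctx.login_time.hour not in BUSINESS_HOURS:
        score += 10
    score += min(ctx.recent_failures, 5) * 10   # capped so one signal cannot dominate
    if ctx.transaction_value >= 10000:
        score += 25
    elif ctx.transaction_value >= 1000:
        score += 10
    return score


def required_auth(ctx: LoginContext) -> AuthMode:
    """Map the score to the authentication mode the identity service enforces."""
    score = risk_score(ctx)
    if score >= 80:
        return AuthMode.DENY
    if score >= 30:
        return AuthMode.MFA
    return AuthMode.PASSWORD
```

A real deployment would feed the same decision point from device posture, geo-velocity and user-history data, and would log each score so that step-ups and denials can be audited centrally.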

The security team gains obvious benefits from this architecture. They now have a control point to grant and remove access to any application across the fragmented data center. What is new here is that the business will be supportive as well. The business owners buying their own SaaS applications will gladly cooperate to get single sign-on provided by the identity service. The CIO will welcome the reduction in support costs related to accessing such distributed applications. And everyone involved in compliance will support the identity service to gain the simplicity in reporting provided by a single access point to all applications. IT can even gain some extra kudos from the business owners by leveraging centralized reporting to identify SaaS application licenses that are not being fully used.

For most enterprises, implementation of the new identity perimeter architecture should start with the SaaS applications. For IT, it's important to collaborate with the business owners to identify what new projects they are pursuing, as many are likely to be fulfilled by SaaS applications. Next, get ahead of the game by researching the SaaS providers in that application area. Find providers that focus on enterprise-grade security and support (or are at least planning to support) standards like SAML and SCIM. Finally, publish a catalog of those SaaS applications so your business owners have several to choose from. Capturing these projects at the outset and directing them through the new identity service will make securing the fragmented IT data center much simpler.

Concluding Thoughts

Whether you decide to build the identity service on-premises or buy it from an IAM-as-a-Service provider, keep in mind that this discussion is about more than just architecture. The value now lies in securely connecting users to distributed business services, using identity as the new perimeter. But it's about even more than that. It's also about how the role of enterprise security must evolve to that of a business enabler. Once seen in that light, the security function will move from the back office to the boardroom.

John Hawley is Senior Director of Security Strategy at CA Technologies.
