I’ve recently heard the phrase “identity is the new perimeter” as it relates to information security. That said, I’ve also heard the same about endpoints, artificial intelligence, email, you name it. If I didn’t have experience in identity management and understand the importance it has in an environment, I might have just blown off that statement along with the rest as another vendor ploy to get my business. Because I have been dealing with identities for quite a few years in several roles, it got me thinking.
One thing data breaches have in common is that some form of identity-based information is compromised (whether it is used initially to gain access or is the identity data involved in the loss or attack). Also, when responding to security incidents, you are looking not only for the root cause, but also for the identity of the attacker. Identity management is certainly important.
Perimeter security has been known as the baseline of protection to ensure no one can get in. It’s thought of as the “hard candy shell” of a network that should be very difficult to break through. The problem many of us face today is that nothing is 100%, meaning that even if you have a strong perimeter, it can still be compromised. Once it is, attackers can traverse your internal network looking for additional vulnerabilities open to exploitation. Many times (upwards of 80% of the time), it’s based on compromised credentials – directly involving the identity of an individual.
Assuming most organizations have strong perimeter security in place, should we be focusing on the identity? Absolutely! But more importantly, a strong security program with a broad focus is required to ensure your risk is reduced.
I do want to touch on the topic of automation. Manual processes work, but mistakes inevitably occur. As new people are hired, it’s a time-saver to have a basic identity provisioned for them so they can be productive on day one. As people leave the company, removing their access is critical not only from a compliance standpoint: now that we have connectivity to so many externally hosted cloud applications, the risk increases exponentially!
There are technologies that make this an easier task to tackle. For instance, one of our partners, Okta, offers a great product suite dedicated just to managing identities in today’s world. Its fully integrated API stack allows for very easy integration with existing architectures, so it can provide ROI very quickly.
Technology and automation can help, but, as with any good practice, you must first understand the problem you are trying to solve. The adage of people, process, and technology must be considered – but please establish the process and support methods prior to throwing technology at the issue. Whether or not you agree that identity is the new perimeter, plan accordingly, and you can ensure your identities are protected.