Is Identity The New Perimeter?Network controls can't scale with cloud and mobile, so CISOs are using IAM as the new lever for security control around corporate access
As the collective strain of BYOD and ad-hoc, cloud-delivered IT dissolves the last vestiges the network-based zone defense mentality in infosec, CIOs and CISOs are still on the hunt for a new security lever. The network tools they once counted on for perimeter defense are not enough to control users. Once users step outside the bounds of those perimeters to use countless SaaS tools that make up what many call enterprise's "shadow IT," the firewall holds no water. And so security leaders are turning to identity and access management (IAM) to define a new perimeter around corporate access.
"The whole notion of identity as a new perimeter stems out of the fact that CIOs and CISOs were kind of blindsided by the way their networks have expanded," says John Hawley, senior director of business strategy for security at CA Technologies. "It used to be that because everything was behind the firewall, they could architect IAM with LDAP authentication and NTLM. But now they've got the business line going out and driving so much via SaaS."
For example, Hawley relates the story of one CISO at a pharmaceutical company his firm engaged with who found that in various corners of the organization, line-of-business managers were tapping into 61 different SaaS applications.
"And you know what? Not one of those business line managers who used those came to the security team or the enterprise architects and said, 'Hey, we're thinking about doing this,'" he says. "It was always, 'This is done, can we get SSO?' or, We're having a problem here.'"
The idea of identity taking over where firewalls left off isn't necessarily a new one, says Nishant Kashik, chief architect of Identropy.
"Identity is not the new perimeter anymore. Identity is the perimeter, plain and simple," Kashik says, pointing to the Jericho Forum's 2007 "deperimiterization of the enterprise" declaration as a crystallization of discussion that happened years ago. "Since then, the explosion of cloud computing, SaaS, and mobile computing has completely destroyed the old, fortress-style model of security that was based on network security, firewalls, and VPNs. Users are accessing their applications from anywhere, at any time, with a myriad of devices."
Regardless of who calls first dibs on the idea of IAM as the perimeter, the fundamental principle still stands. IT leaders want easier ways to make sure former employees and unauthorized users can't access corporate data on SaaS services after they leave the organization. And they are seeking ways to redesign IAM architectures such that they can support the business in fluidly making and breaking relationships with SaaS providers, in allowing access to any devices, while maintaining access control through some form of a centralized identity service, Hawley says.
"So even if they have 60 SaaS applications sitting out there, nobody can go to those applications directly," he says. "That way, we know who's going there, we can do multifactor authentication if that's what we think is appropriate for that app, and when they leave the organization, we can know for sure that they can't get into any of those SaaS applications that lead outside of our traditional boundaries."
[Can you see the error of your IAM ways? See 7 Costly IAM Mistakes.]
A recent survey of security leaders in the CISO Executive Network showed that IAM stands as one of the highest priorities on CISOs' minds today, second only to BYOD security. A huge component of the IAM focus revolves on this idea of identity as perimeter, says Bill Sieglein, founder of the CISO Executive Network.
"We are in what I call the next generation of identity and access management," he says.
This is hardly any enterprise CISO's first rodeo when it comes to wide-scale identity initiatives. Many within the industry put a lot of effort in the past five to 10 years to get their arms around federation and single sign-on deployments for internal network systems. Even enterprises that did bring those projects to successful fruition are now finding, though, that the cloud and mobile wildcards require going back to the drawing board. He relates a thought one of his CISO members told him.
"In the old days in the closed network, when you had people coming to the office, in effect, one-factor authentication was almost two-factor because you were sitting at a terminal that was a known entity," he says. "That's completely gone. Users are logging in from every conceivable location. There are so many factors and contextual things we have to consider when we authenticate a user."
The difficulty is helping management understand the factors of the new risks to convince them to fund a new round of IAM retrofits, he says. That's not the only sale CISOs need to make, either.
"There are all those users who go outside the system to get services for shadow IT. CISOs haven't figured out a way to convince users to come back into the fold," Sieglein says.
The ultimate goal for CIOs and CISOs is to offer technologies that make it easier on the end user, essentially luring them with the ability to still log into SaaS -- to still use multiple devices while simplifying the log-in process. Rather than memorizing a whole bunch of account information, single sign-on gives them less to worry about. Same thing with password synchronization and automated password resets.
"So there's a lure on that hook to get them to come through you," he says. "And, of course, our ulterior motive is better control. We have no control when they're outside that fold."
Of course, there are many slips twixt the cup and the lip, and no more so than in the field of IAM -- an IT niche haunted by enough ghosts of failed deployments past to scare people away from federation or SSO. The trick is to learn from those ghosts -- namely, that it will take a phased strategy to bring every identity aspect into the fold.
"They can't do it all at once, and I think that's one part of the process that everybody has learned over the past seven to 10 years of trying to do this," Hawley says. "They have to start small. What they're trying to do is just get that infrastructure in place -- and then try to get ahead of it, so as new [services or devices] come in, they're able to drop it in going forward."
Standards like SAML and OAuth should play a big part in gradually building the infrastructure out. As enterprises seek to scale up SSO and federation across cloud infrastructure, they're leaning on SaaS providers to get with the standards program to support their identity efforts. He says the only way these enterprises can scale with a fragmented data center is to push those standards.
"A lot of the more mature organizations that I work with, they're able to go to the SaaS vendors the business says are important to them and say, 'We're going to do federated authentication. Either you leverage those standards, or we're not doing business together,'" Hawley says.
Also tightly woven into IAM success is how the organization deals with data governance, Seiglein says.
"These companies are going to have to figure out where their sensitive data is. So identify your critical data, find out who the owners are, and then start working out roles -- who can access what," he says. "It becomes an opportunity for a clean slate to build data governance and better roles management. But that can be a lengthy process."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.