2/8/2013 01:04 AM

Is Identity The New Perimeter?

Network controls can't scale with cloud and mobile, so CISOs are using IAM as the new lever for security control around corporate access

As the collective strain of BYOD and ad-hoc, cloud-delivered IT dissolves the last vestiges of the network-based zone-defense mentality in infosec, CIOs and CISOs are still on the hunt for a new security lever. The network tools they once counted on for perimeter defense are not enough to control users. Once users step outside those perimeters to use the countless SaaS tools that make up what many call the enterprise's "shadow IT," the firewall holds no water. And so security leaders are turning to identity and access management (IAM) to define a new perimeter around corporate access.

"The whole notion of identity as a new perimeter stems out of the fact that CIOs and CISOs were kind of blindsided by the way their networks have expanded," says John Hawley, senior director of business strategy for security at CA Technologies. "It used to be that because everything was behind the firewall, they could architect IAM with LDAP authentication and NTLM. But now they've got the business line going out and driving so much via SaaS."

For example, Hawley relates the story of one CISO at a pharmaceutical company his firm engaged with who found that in various corners of the organization, line-of-business managers were tapping into 61 different SaaS applications.

"And you know what? Not one of those business line managers who used those came to the security team or the enterprise architects and said, 'Hey, we're thinking about doing this,'" he says. "It was always, 'This is done, can we get SSO?' or, 'We're having a problem here.'"

The idea of identity taking over where firewalls left off isn't necessarily a new one, says Nishant Kaushik, chief architect of Identropy.

"Identity is not the new perimeter anymore. Identity is the perimeter, plain and simple," Kaushik says, pointing to the Jericho Forum's 2007 "deperimeterization of the enterprise" declaration as a crystallization of discussion that happened years ago. "Since then, the explosion of cloud computing, SaaS, and mobile computing has completely destroyed the old, fortress-style model of security that was based on network security, firewalls, and VPNs. Users are accessing their applications from anywhere, at any time, with a myriad of devices."

Regardless of who calls first dibs on the idea of IAM as the perimeter, the fundamental principle still stands. IT leaders want easier ways to make sure former employees and unauthorized users can't access corporate data on SaaS services after they leave the organization. And they are seeking ways to redesign IAM architectures so that they can support the business in fluidly making and breaking relationships with SaaS providers and in allowing access from any device, while maintaining access control through some form of centralized identity service, Hawley says.

"So even if they have 60 SaaS applications sitting out there, nobody can go to those applications directly," he says. "That way, we know who's going there, we can do multifactor authentication if that's what we think is appropriate for that app, and when they leave the organization, we can know for sure that they can't get into any of those SaaS applications that lead outside of our traditional boundaries."


A recent survey of security leaders in the CISO Executive Network showed that IAM stands as one of the highest priorities on CISOs' minds today, second only to BYOD security. A huge component of the IAM focus revolves around this idea of identity as perimeter, says Bill Sieglein, founder of the CISO Executive Network.

"We are in what I call the next generation of identity and access management," he says.

This is hardly any enterprise CISO's first rodeo when it comes to wide-scale identity initiatives. Many in the industry have spent the past five to 10 years getting their arms around federation and single sign-on deployments for internal network systems. Even enterprises that brought those projects to successful fruition are now finding, though, that the cloud and mobile wildcards send them back to the drawing board. Sieglein relates a thought one of his CISO members shared with him.

"In the old days in the closed network, when you had people coming to the office, in effect, one-factor authentication was almost two-factor because you were sitting at a terminal that was a known entity," he says. "That's completely gone. Users are logging in from every conceivable location. There are so many factors and contextual things we have to consider when we authenticate a user."

The difficulty is helping management understand the factors behind the new risks well enough to convince them to fund a new round of IAM retrofits, he says. That's not the only sale CISOs need to make, either.

"There are all those users who go outside the system to get services for shadow IT. CISOs haven't figured out a way to convince users to come back into the fold," Sieglein says.

The ultimate goal for CIOs and CISOs is to offer technologies that make life easier for the end user, essentially luring them back with the ability to keep logging into SaaS and keep using multiple devices while simplifying the log-in process. Rather than memorizing a whole bunch of account information, users get single sign-on and have less to worry about. The same goes for password synchronization and automated password resets.

"So there's a lure on that hook to get them to come through you," he says. "And, of course, our ulterior motive is better control. We have no control when they're outside that fold."

Of course, there are many slips twixt the cup and the lip, and no more so than in the field of IAM -- an IT niche haunted by enough ghosts of failed deployments past to scare people away from federation or SSO. The trick is to learn from those ghosts -- namely, that it will take a phased strategy to bring every identity aspect into the fold.

"They can't do it all at once, and I think that's one part of the process that everybody has learned over the past seven to 10 years of trying to do this," Hawley says. "They have to start small. What they're trying to do is just get that infrastructure in place -- and then try to get ahead of it, so as new [services or devices] come in, they're able to drop it in going forward."

Standards like SAML and OAuth should play a big part in gradually building the infrastructure out. As enterprises seek to scale up SSO and federation across cloud infrastructure, they're leaning on SaaS providers to get with the standards program to support their identity efforts. He says the only way these enterprises can scale with a fragmented data center is to push those standards.

"A lot of the more mature organizations that I work with, they're able to go to the SaaS vendors the business says are important to them and say, 'We're going to do federated authentication. Either you leverage those standards, or we're not doing business together,'" Hawley says.
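As an added example (not code from the article, nor from CA Technologies, Identropy or any other vendor quoted here), the following Python models the architecture Hawley describes: a central identity service that every SaaS app trusts, so per-app MFA, group-based access and leaver deprovisioning are enforced in one place, together with the federated authentication built on standards such as SAML that he refers to above. The class and function names are assumptions, and the HMAC-signed token is a simplified stand-in for a SAML assertion or OIDC ID token, not either standard's actual format.

```python
"""Toy model of identity as the perimeter.

Constructed example: a central identity provider (IdP) is the only way into
every SaaS app, so MFA policy, group-based authorization and deprovisioning
are enforced once.  The HMAC-signed token stands in for a SAML assertion or
OIDC ID token; real federations use those standards' XML/JWT signatures.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional


class IdentityProvider:
    def __init__(self, signing_key: bytes) -> None:
        self._key = signing_key
        self.users = {}   # username -> {"active": bool, "groups": set}
        self.apps = {}    # app_id -> {"mfa_required": bool, "allowed_groups": set}

    def add_user(self, username: str, groups: set) -> None:
        self.users[username] = {"active": True, "groups": set(groups)}

    def register_app(self, app_id: str, mfa_required: bool, allowed_groups: set) -> None:
        # An empty allowed_groups set means any active user may use the app.
        self.apps[app_id] = {"mfa_required": mfa_required, "allowed_groups": set(allowed_groups)}

    def deprovision(self, username: str) -> None:
        # One switch closes every federated app: no further assertions are issued.
        self.users[username]["active"] = False

    def authenticate(self, username: str, password_ok: bool, mfa_ok: bool,
                     app_id: str, now: int) -> Optional[str]:
        """Return a signed assertion for app_id, or None if policy denies it."""
        user = self.users.get(username)
        app = self.apps.get(app_id)
        if user is None or app is None or not user["active"] or not password_ok:
            return None
        if app["mfa_required"] and not mfa_ok:
            return None  # per-app step-up, decided centrally
        if app["allowed_groups"] and not (user["groups"] & app["allowed_groups"]):
            return None  # role/group-based access, also decided centrally
        claims = {"sub": username, "aud": app_id, "iat": now, "exp": now + 300}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"


class SaaSApp:
    """Service provider that keeps no passwords; it only trusts the IdP's key."""

    def __init__(self, app_id: str, idp_key: bytes) -> None:
        self.app_id = app_id
        self._idp_key = idp_key

    def accept(self, token: Optional[str], now: int) -> Optional[str]:
        """Return the authenticated username, or None if the assertion is rejected."""
        if token is None or "." not in token:
            return None
        body, sig = token.rsplit(".", 1)
        expected = hmac.new(self._idp_key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None  # forged or tampered assertion
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims.get("aud") != self.app_id:
            return None  # minted for another app; blocks cross-app replay
        if now >= claims.get("exp", 0):
            return None  # stale assertion
        return claims["sub"]


def demo() -> dict:
    key = b"constructed-demo-signing-key"   # exchanged via metadata in a real federation
    idp = IdentityProvider(key)
    idp.add_user("alice", groups={"finance"})
    idp.register_app("crm", mfa_required=False, allowed_groups=set())
    idp.register_app("payroll", mfa_required=True, allowed_groups={"finance"})
    crm, payroll = SaaSApp("crm", key), SaaSApp("payroll", key)
    now = 1_700_000_000
    results = {}
    crm_token = idp.authenticate("alice", True, False, "crm", now)
    results["crm_password_only"] = crm.accept(crm_token, now)
    results["payroll_without_mfa"] = idp.authenticate("alice", True, False, "payroll", now)
    pay_token = idp.authenticate("alice", True, True, "payroll", now)
    results["payroll_with_mfa"] = payroll.accept(pay_token, now)
    results["crm_token_replayed_at_payroll"] = payroll.accept(crm_token, now)
    results["expired_token"] = crm.accept(crm_token, now + 301)
    flipped = "0" if crm_token[-1] != "0" else "1"
    results["tampered_token"] = crm.accept(crm_token[:-1] + flipped, now)
    idp.deprovision("alice")   # alice leaves the company
    results["crm_after_leaving"] = idp.authenticate("alice", True, True, "crm", now)
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:32} -> {outcome}")
```

Run it directly to see each check's outcome. The two checks worth noting are the audience check in `SaaSApp.accept`, which stops an assertion minted for one app from being presented to another, and `deprovision`, which closes every federated app with a single change; a SaaS app holding its own local password for the user, the shadow-IT case the article describes, would be untouched by that switch.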

Also tightly woven into IAM success is how the organization deals with data governance, Sieglein says.

"These companies are going to have to figure out where their sensitive data is. So identify your critical data, find out who the owners are, and then start working out roles -- who can access what," he says. "It becomes an opportunity for a clean slate to build data governance and better roles management. But that can be a lengthy process."
