2020 saw a hugely accelerated evolution in the cybersecurity landscape. The pandemic pushed workforces remote and caused companies to move up plans for digital transformation, cloud services, and a plethora of remote access technologies. Meanwhile, the traditional operating models are not and will not be completely replaced in most organizations, and organizations have been left with a huge range of perimeters — from the endpoint to secure access service edge (SASE), from system-level role-based access control to virtual private networks, creating huge operational complexity. This is compounded by a technical staff that was probably already stretched, and a workforce that is operating under a new paradigm.
Despite this fragmentation of vendors, platforms, and security models, it remains vital that data and applications continue to be appropriately protected. Complexity is the enemy of security, so it's vital that we simplify administering systems to avoid complexity leading to misconfiguration leading to exposures. The controls must be as transparent as possible to the end user — security as an enabler of access, not a frustration to be avoided or circumvented.
We have a parallel for this challenge, at least. As networks grew, it became infeasible to manage routing on every single device via static routing — it was both overly complex and very inflexible. Users needed to be able to access resources easily and without interference; admins needed not to be making constant updates. The RIPv1 routing protocol was standardized in 1988 and BGP in 1989, and these protocols allowed for consistent packet handling across multiple devices and vendors with less-manual intervention. They provided a consistent control plane across all these disparate routing platforms.
Our security infrastructures now consist of disparate, possibly layered, controls. These controls are from multiple vendors, in multiple places, with multiple implementations, and are applying different types of protection. It's vanishingly rare that a single pane of glass can manage even a subset of the controls that are needed to enforce the security policy. To simplify this, we need a consistent "control plane" equivalent for these controls, and one that can be applied to as many as possible of the huge range of enforcement points
Digital identity — in the form of trusted contextual data defining who is accessing a system and how — provides this control plane. Users are already providing identity (and likely at multiple points). Systems are already consuming it — in the case of software-as-a-service (SaaS) environments, it may be one of the few configurable security controls available — but the decoupling of security from location and IP address is present in many other solutions. It can be tailored to an organization's needs and be risk-sensitive, with different methods and phases required, depending on the resource accessed. Even better, it's a control plane that can and should be implemented in a phased approach and provides a path to a zero-trust network architecture.
The steps to building this are conceptually simple, and we can do extensive preparation. First, ensure even before you implement that the technologies you are investing in are identity-aware and able to make differentiated security decisions in the data plane based on that identity. This must extend to SaaS applications — one of the largest benefits of using identity as your control plane is the ability to bring these into the fold, as it were, and to match them to your security model. Second, consolidate identity to a single "source of trust" — that is, a single secure, consistent, and accurate repository for identity. Doing so means that your control plane is authoritative and reliable, while fragmented domains and sources add complexity and risk. The single source also can be integrated to business process (HR and customer/vendor management), further aligning security to address business risk.
Once the source is established and managed, it's a matter of integration work. In terms of driving toward zero-trust network access, tying in the remote access and SaaS applications that support your remote workers is an excellent starting place, as well as ensuring that all critical internal applications are part of the control plane. As with most of security — it'll be a journey, but in this case the result is a decrease in complexity that facilitates the new normal.