Dark Reading is part of the Informa Tech Division of Informa PLC

1/28/2021
10:00 AM

Digital Identity Is the New Security Control Plane

Simplifying the management of security systems helps provide consistent protection for the new normal.

2020 saw a hugely accelerated evolution in the cybersecurity landscape. The pandemic pushed workforces remote and caused companies to move up plans for digital transformation, cloud services, and a plethora of remote access technologies. Meanwhile, traditional operating models have not been, and will not be, completely replaced in most organizations, which have been left with a huge range of perimeters, from the endpoint to secure access service edge (SASE) and from system-level role-based access control to virtual private networks, creating enormous operational complexity. This is compounded by a technical staff that was probably already stretched, and a workforce that is operating under a new paradigm.

Despite this fragmentation of vendors, platforms, and security models, it remains vital that data and applications continue to be appropriately protected. Complexity is the enemy of security, so it's vital that we simplify the administration of systems so that complexity does not lead to misconfiguration and, in turn, to exposure. The controls must be as transparent as possible to the end user — security as an enabler of access, not a frustration to be avoided or circumvented.

We have a parallel for this challenge, at least. As networks grew, it became infeasible to manage routing on every single device via static routing — it was both overly complex and very inflexible. Users needed to be able to access resources easily and without interference; admins needed not to be making constant updates. The RIPv1 routing protocol was standardized in 1988 and BGP in 1989, and these protocols allowed for consistent packet handling across multiple devices and vendors with less manual intervention. They provided a consistent control plane across all these disparate routing platforms.

Our security infrastructures now consist of disparate, possibly layered, controls. These controls are from multiple vendors, in multiple places, with multiple implementations, and are applying different types of protection. It's vanishingly rare that a single pane of glass can manage even a subset of the controls that are needed to enforce the security policy. To simplify this, we need a consistent "control plane" equivalent for these controls, one that can be applied to as many as possible of the huge range of enforcement points.

Digital identity — in the form of trusted contextual data defining who is accessing a system and how — provides this control plane. Users are already providing identity (and likely at multiple points). Systems are already consuming it — in the case of software-as-a-service (SaaS) environments, it may be one of the few configurable security controls available — but the decoupling of security from location and IP address is present in many other solutions. It can be tailored to an organization's needs and be risk-sensitive, with different methods and phases required, depending on the resource accessed. Even better, it's a control plane that can and should be implemented in a phased approach and provides a path to a zero-trust network architecture.

The steps to building this are conceptually simple, and we can do extensive preparation. First, ensure even before you implement that the technologies you are investing in are identity-aware and able to make differentiated security decisions in the data plane based on that identity. This must extend to SaaS applications — one of the largest benefits of using identity as your control plane is the ability to bring these into the fold, as it were, and to match them to your security model. Second, consolidate identity to a single "source of trust" — that is, a single secure, consistent, and accurate repository for identity. Doing so means that your control plane is authoritative and reliable, while fragmented domains and sources add complexity and risk. The single source also can be integrated to business process (HR and customer/vendor management), further aligning security to address business risk.

Once the source is established and managed, it's a matter of integration work. In terms of driving toward zero-trust network access, tying in the remote access and SaaS applications that support your remote workers is an excellent starting place, as well as ensuring that all critical internal applications are part of the control plane. As with most of security — it'll be a journey, but in this case the result is a decrease in complexity that facilitates the new normal.
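The kind of identity-aware, risk-sensitive decision the article describes, as an added illustration rather than code from the article or from Presidio: a resource is assigned a sensitivity tier, only assertions from the consolidated identity source are trusted, and the policy returns allow, deny, or a step-up request depending on the tier and the identity context. The issuer URL, the assertion lifetime and the tier names are assumptions for the example.

```python
"""Identity-aware, risk-tiered access decision (added example, not from the article)."""
from dataclasses import dataclass, field

TRUSTED_ISSUER = "https://idp.example.internal"   # the single "source of trust" (assumed name)
MAX_ASSERTION_AGE_S = 3600                        # assumed: re-authenticate after an hour


@dataclass
class IdentityContext:
    subject: str
    issuer: str             # which identity provider issued this assertion
    groups: frozenset       # group memberships asserted by the identity source
    mfa: bool               # whether a strong second factor was used
    managed_device: bool    # device posture reported alongside the identity
    issued_at: int          # epoch seconds when the assertion was issued


@dataclass
class Resource:
    name: str
    tier: str               # "low", "medium", or "high" sensitivity
    allowed_groups: frozenset = field(default_factory=frozenset)


def decide(ctx: IdentityContext, res: Resource, now: int) -> str:
    """Return 'allow', 'deny', or 'step_up:<what>' for one access request."""
    # Only the consolidated identity source is authoritative; anything else is rejected.
    if ctx.issuer != TRUSTED_ISSUER:
        return "deny"
    # A stale assertion must be refreshed before any tier is evaluated.
    if now - ctx.issued_at > MAX_ASSERTION_AGE_S:
        return "step_up:reauthenticate"
    if res.tier == "low":
        return "allow"                          # any authenticated identity will do
    if res.tier == "medium":
        return "allow" if ctx.mfa else "step_up:mfa"
    if res.tier == "high":
        if res.allowed_groups and not (ctx.groups & res.allowed_groups):
            return "deny"                       # not entitled at all: don't even prompt for MFA
        if not ctx.managed_device:
            return "deny"                       # device posture cannot be fixed by a prompt
        return "allow" if ctx.mfa else "step_up:mfa"
    return "deny"                               # unknown tier: fail closed
```

The same evaluator can sit in front of a VPN, a SaaS application or an internal service, which is the point of treating identity as the shared control plane.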

Charlie Winckless is the Senior Director of Cybersecurity Solutions for Presidio, setting strategic direction both internally to Presidio and helping clients build digital trust. He is a cybersecurity veteran with over 20 years' experience in the field and cut his IT teeth at ...
Comments
yashprakash, User Rank: Author, 1/29/2021 | 6:15:22 PM
Nice article
Digital Identity has indeed become the core of security and an important control plane in a defense-in-depth strategy.