Dark Reading

1/28/2021 10:00 AM

Digital Identity Is the New Security Control Plane

Simplifying the management of security systems helps provide consistent protection for the new normal.

2020 saw a hugely accelerated evolution in the cybersecurity landscape. The pandemic pushed workforces remote and caused companies to move up plans for digital transformation, cloud services, and a plethora of remote access technologies. Meanwhile, traditional operating models are not going to be completely replaced in most organizations, so organizations have been left with a huge range of perimeters to enforce: from the endpoint to secure access service edge (SASE), from system-level role-based access control to virtual private networks. The result is huge operational complexity, compounded by a technical staff that was probably already stretched and a workforce that is operating under a new paradigm.


Despite this fragmentation of vendors, platforms, and security models, it remains vital that data and applications continue to be appropriately protected. Complexity is the enemy of security, so it's vital that we simplify the administration of these systems: complexity leads to misconfiguration, and misconfiguration leads to exposure. The controls must be as transparent as possible to the end user, with security acting as an enabler of access rather than a frustration to be avoided or circumvented.

We have a parallel for this challenge, at least. As networks grew, it became infeasible to manage routing on every single device via static routes; that approach was both overly complex and very inflexible. Users needed to be able to access resources easily and without interference; admins needed to stop making constant manual updates. The RIPv1 routing protocol was standardized in 1988 (RFC 1058) and BGP in 1989 (RFC 1105), and these protocols allowed for consistent packet handling across multiple devices and vendors with far less manual intervention. They provided a consistent control plane across all these disparate routing platforms.

Our security infrastructures now consist of disparate, possibly layered, controls. These controls come from multiple vendors, sit in multiple places, have multiple implementations, and apply different types of protection. It's vanishingly rare that a single pane of glass can manage even a subset of the controls that are needed to enforce the security policy. To simplify this, we need a consistent "control plane" equivalent for these controls, one that can be applied to as many as possible of the huge range of enforcement points.

Digital identity — in the form of trusted contextual data defining who is accessing a system and how — provides this control plane. Users are already providing identity (and likely at multiple points). Systems are already consuming it — in the case of software-as-a-service (SaaS) environments, it may be one of the few configurable security controls available — but the decoupling of security from location and IP address is present in many other solutions. It can be tailored to an organization's needs and be risk-sensitive, with different methods and phases required, depending on the resource accessed. Even better, it's a control plane that can and should be implemented in a phased approach and provides a path to a zero-trust network architecture.

The steps to building this are conceptually simple, and we can do extensive preparation. First, even before you implement, ensure that the technologies you are investing in are identity-aware and able to make differentiated security decisions in the data plane based on that identity. This must extend to SaaS applications: one of the largest benefits of using identity as your control plane is the ability to bring these into the fold, as it were, and to match them to your security model. Second, consolidate identity to a single "source of trust", that is, a single secure, consistent, and accurate repository for identity. Doing so means that your control plane is authoritative and reliable, whereas fragmented domains and sources add complexity and risk. The single source can also be integrated with business processes (HR and customer/vendor management), further aligning security to address business risk.

Once the source is established and managed, it's a matter of integration work. In terms of driving toward zero-trust network access, tying in the remote access and SaaS applications that support your remote workers is an excellent starting place, as well as ensuring that all critical internal applications are part of the control plane. As with most of security — it'll be a journey, but in this case the result is a decrease in complexity that facilitates the new normal.
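To make the two preparation steps and the integration work concrete, here is an added example of what an "identity-aware" enforcement point looks like once it consumes assertions from a single source of trust. This is illustration code written for this article, not Presidio's or any vendor's product. The claim names (iss, sub, groups, amr, exp) follow common OIDC token conventions, but the issuer URL, the resource tiers, the group names, and the policy values are assumptions chosen for the example. The same decision function could sit in front of a SaaS app, a VPN gateway, or an internal web application, which is the point of a shared control plane.

```python
"""Added illustration of an identity-aware enforcement point.

Example code written for this article (not Presidio's or any vendor's).
Claim names follow OIDC conventions; issuer, groups, resources and policy
values are assumptions for the example.
"""
from dataclasses import dataclass, replace
from enum import Enum
import time

# The single authoritative identity source ("source of trust"). Every
# enforcement point trusts assertions only from this issuer. Hypothetical URL.
TRUSTED_ISSUER = "https://idp.example.com"

# Authentication-method references counted as a second factor (assumed set).
MFA_METHODS = frozenset({"otp", "hwk", "fido", "sms"})


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP = "step_up"   # identity is valid but the resource needs a stronger factor


@dataclass(frozen=True)
class Assertion:
    """Contextual identity data as an enforcement point receives it,
    e.g. decoded claims from a token already signed by the trusted issuer."""
    iss: str
    sub: str
    groups: frozenset
    amr: frozenset        # authentication methods used, e.g. {"pwd", "otp"}
    device_managed: bool
    exp: float            # expiry, epoch seconds


@dataclass(frozen=True)
class ResourcePolicy:
    """Per-resource requirements. The same shape can back a SaaS app,
    a VPN gateway, or an internal web app."""
    allowed_groups: frozenset
    require_mfa: bool = False
    require_managed_device: bool = False


def evaluate(assertion, policy, now=None):
    """Return (Decision, reason) for one access request."""
    now = time.time() if now is None else now
    # 1. Authoritative source: assertions from any other issuer are untrusted,
    #    regardless of what they claim.
    if assertion.iss != TRUSTED_ISSUER:
        return Decision.DENY, "untrusted issuer"
    if assertion.exp <= now:
        return Decision.DENY, "assertion expired"
    # 2. Authorization is derived from identity, not from network location.
    if not (assertion.groups & policy.allowed_groups):
        return Decision.DENY, "subject not in an allowed group"
    # 3. Risk-sensitive requirements: ask for a stronger factor rather than
    #    denying outright when the identity is good but the context is weak.
    if policy.require_mfa and not (assertion.amr & MFA_METHODS):
        return Decision.STEP_UP, "resource requires a second factor"
    if policy.require_managed_device and not assertion.device_managed:
        return Decision.DENY, "resource requires a managed device"
    return Decision.ALLOW, "policy satisfied"


# Constructed sample policies: a low-sensitivity wiki and a high-sensitivity
# payroll system with stricter requirements.
POLICIES = {
    "wiki": ResourcePolicy(allowed_groups=frozenset({"staff"})),
    "payroll": ResourcePolicy(allowed_groups=frozenset({"finance"}),
                              require_mfa=True, require_managed_device=True),
}


def demo(now=1_700_000_000):
    """Run constructed assertions through the policies; returns a dict of results."""
    alice = Assertion(iss=TRUSTED_ISSUER, sub="alice",
                      groups=frozenset({"staff", "finance"}),
                      amr=frozenset({"pwd"}), device_managed=True, exp=now + 600)
    alice_mfa = replace(alice, amr=frozenset({"pwd", "otp"}))
    # Same claims, but issued by a source the control plane does not trust.
    rogue = replace(alice, iss="https://other-idp.example.net")
    return {
        "alice-wiki": evaluate(alice, POLICIES["wiki"], now),
        "alice-payroll": evaluate(alice, POLICIES["payroll"], now),
        "alice-payroll-mfa": evaluate(alice_mfa, POLICIES["payroll"], now),
        "rogue-wiki": evaluate(rogue, POLICIES["wiki"], now),
    }


if __name__ == "__main__":
    for name, (decision, why) in demo().items():
        print(f"{name}: {decision.value} ({why})")
```

The STEP_UP outcome is the part worth copying: a password-only session is enough for the wiki, but the payroll tier returns a request for a second factor instead of a flat denial, which is how "different methods and phases depending on the resource" shows up in practice without the user seeing a separate security model per application.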

Charlie Winckless is the Senior Director of Cybersecurity Solutions for Presidio, setting strategic direction both internally to Presidio and helping clients build digital trust. He is a cybersecurity veteran with over 20 years' experience in the field and cut his IT teeth at ...
Comments
yashprakash, User Rank: Author, 1/29/2021 | 6:15:22 PM
Nice article
Digital Identity has indeed become the core of security and an important control plane in a defense-in-depth strategy.