Dark Reading is part of the Informa Tech Division of Informa PLC


Is Identity The New Perimeter?

Network controls can't scale with cloud and mobile, so CISOs are using IAM as the new lever for security control around corporate access

As the collective strain of BYOD and ad-hoc, cloud-delivered IT dissolves the last vestiges of the network-based zone-defense mentality in infosec, CIOs and CISOs are still on the hunt for a new security lever. The network tools they once counted on for perimeter defense are not enough to control users. Once users step outside the bounds of those perimeters to use the countless SaaS tools that make up what many call the enterprise's "shadow IT," the firewall holds no water. And so security leaders are turning to identity and access management (IAM) to define a new perimeter around corporate access.

"The whole notion of identity as a new perimeter stems out of the fact that CIOs and CISOs were kind of blindsided by the way their networks have expanded," says John Hawley, senior director of business strategy for security at CA Technologies. "It used to be that because everything was behind the firewall, they could architect IAM with LDAP authentication and NTLM. But now they've got the business line going out and driving so much via SaaS."

For example, Hawley relates the story of one CISO at a pharmaceutical company his firm engaged with who found that in various corners of the organization, line-of-business managers were tapping into 61 different SaaS applications.

"And you know what? Not one of those business line managers who used those came to the security team or the enterprise architects and said, 'Hey, we're thinking about doing this,'" he says. "It was always, 'This is done, can we get SSO?' or, 'We're having a problem here.'"

The idea of identity taking over where firewalls left off isn't necessarily a new one, says Nishant Kashik, chief architect of Identropy.

"Identity is not the new perimeter anymore. Identity is the perimeter, plain and simple," Kashik says, pointing to the Jericho Forum's 2007 "deperimeterization of the enterprise" declaration as a crystallization of discussion that happened years ago. "Since then, the explosion of cloud computing, SaaS, and mobile computing has completely destroyed the old, fortress-style model of security that was based on network security, firewalls, and VPNs. Users are accessing their applications from anywhere, at any time, with a myriad of devices."

Regardless of who calls first dibs on the idea of IAM as the perimeter, the fundamental principle still stands. IT leaders want easier ways to make sure former employees and unauthorized users can't access corporate data on SaaS services after they leave the organization. And they are seeking ways to redesign IAM architectures so that they can support the business in fluidly making and breaking relationships with SaaS providers, and in allowing access from any device, while maintaining access control through some form of centralized identity service, Hawley says.

"So even if they have 60 SaaS applications sitting out there, nobody can go to those applications directly," he says. "That way, we know who's going there, we can do multifactor authentication if that's what we think is appropriate for that app, and when they leave the organization, we can know for sure that they can't get into any of those SaaS applications that lead outside of our traditional boundaries."


A recent survey of security leaders in the CISO Executive Network showed that IAM stands as one of the highest priorities on CISOs' minds today, second only to BYOD security. A huge component of the IAM focus revolves around this idea of identity as perimeter, says Bill Sieglein, founder of the CISO Executive Network.

"We are in what I call the next generation of identity and access management," he says.

This is hardly any enterprise CISO's first rodeo when it comes to wide-scale identity initiatives. Many within the industry have put a lot of effort over the past five to 10 years into getting their arms around federation and single sign-on deployments for internal network systems. Even enterprises that did bring those projects to successful fruition are now finding, though, that the cloud and mobile wildcards require going back to the drawing board. Sieglein relates a thought one of his CISO members shared with him.

"In the old days in the closed network, when you had people coming to the office, in effect, one-factor authentication was almost two-factor because you were sitting at a terminal that was a known entity," he says. "That's completely gone. Users are logging in from every conceivable location. There are so many factors and contextual things we have to consider when we authenticate a user."

The difficulty is helping management understand the factors of the new risks to convince them to fund a new round of IAM retrofits, he says. That's not the only sale CISOs need to make, either.

"There are all those users who go outside the system to get services for shadow IT. CISOs haven't figured out a way to convince users to come back into the fold," Sieglein says.

The ultimate goal for CIOs and CISOs is to offer technologies that make it easier on the end user, essentially luring them with the ability to still log into SaaS -- to still use multiple devices while simplifying the log-in process. Rather than memorizing a whole bunch of account information, single sign-on gives them less to worry about. Same thing with password synchronization and automated password resets.

"So there's a lure on that hook to get them to come through you," he says. "And, of course, our ulterior motive is better control. We have no control when they're outside that fold."

Of course, there are many slips twixt the cup and the lip, and no more so than in the field of IAM -- an IT niche haunted by enough ghosts of failed deployments past to scare people away from federation or SSO. The trick is to learn from those ghosts -- namely, that it will take a phased strategy to bring every identity aspect into the fold.

"They can't do it all at once, and I think that's one part of the process that everybody has learned over the past seven to 10 years of trying to do this," Hawley says. "They have to start small. What they're trying to do is just get that infrastructure in place -- and then try to get ahead of it, so as new [services or devices] come in, they're able to drop it in going forward."

Standards like SAML and OAuth should play a big part in gradually building the infrastructure out. As enterprises seek to scale up SSO and federation across cloud infrastructure, they're leaning on SaaS providers to get with the standards program to support their identity efforts. He says the only way these enterprises can scale with a fragmented data center is to push those standards.

"A lot of the more mature organizations that I work with, they're able to go to the SaaS vendors the business says are important to them and say, 'We're going to do federated authentication. Either you leverage those standards, or we're not doing business together,'" Hawley says.

Also tightly woven into IAM success is how the organization deals with data governance, Sieglein says.

"These companies are going to have to figure out where their sensitive data is. So identify your critical data, find out who the owners are, and then start working out roles -- who can access what," he says. "It becomes an opportunity for a clean slate to build data governance and better roles management. But that can be a lengthy process."
