10/1/2014
11:00 AM
Patrick Harding
Commentary

5 New Truths To Teach Your CIO About Identity

When CIOs talk security they often use words like "firewall" and "antivirus." Here's why today's technology landscape needs a different vocabulary.

Modern businesses are more open than ever before, but that doesn’t mean they are more secure. On the business side, companies are taking advantage of cloud computing by focusing on their internal competencies and outsourcing what they can to third-party vendors. On the consumer side, employees armed with devices are increasingly demanding flexible and frictionless access to data from anywhere.

When a CIO thinks about security, he or she likely thinks "firewall" and "antivirus." While these security technologies are still relevant, the shift of the technology landscape to cloud and mobile requires today's CIOs to embrace a new set of security technologies. Security professionals will need to make sure that "identity" enters every CIO's vocabulary.

Here are five new truths every CISO should teach the CIO about identity:

Truth 1: Identity is the new perimeter
The traditional approach to enterprise security has focused on keeping users out by employing firewalls as security perimeters. Today, businesses inundated with mobile, cloud, and SaaS, along with access demands from partners and customers, can no longer survive on that approach. Businesses today must validate users based on identity along with specific attributes such as role, privileges, location, and device regardless of where the request originates and where the data resides. As a result, traditional security perimeters are giving way to a virtualized world where trusted and federated identities are shaping a new security perimeter.

Truth 2: Cloud makes identity management easier
CIOs can use modern identity tools to add the word “anywhere” to their authentication vocabulary. They can take users from any repository anywhere and attach them to any authentication/security infrastructure anywhere, then connect them to any application anywhere. Current internal identity management systems and end-user directories can be integrated with cloud-based IAM services, allowing enterprises to outsource IAM for non-critical user populations and applications, while managing critical identities and privileges internally. Features such as multi-factor authentication are now add-ons that sit in the cloud, making them convenient and inexpensive to add.

Truth 3: The identity experience needs to be consistent across all channels
Many businesses invest heavily in a security regime that works for web applications, but it doesn’t necessarily extend to mobile apps. New identity standards such as OpenID Connect and OAuth 2.0 offer a consistent experience for user authentication across web and mobile applications. OpenID Connect allows you to always send your users to the same place to authenticate, so that you see what your users are doing under all circumstances, and you can apply the full force of your security tools. Users get a consistent experience everywhere. In addition, the same standards can be used to secure identity-based API access to applications.

Truth 4: Deep subject matter experience is no longer a requirement
It used to be that if you wanted Internet Single Sign-On (SSO), you had to understand the Security Assertion Markup Language (SAML) or hire somebody who did. These days, wizard-based options let anyone on staff set up an industry best-practice connection in a very short period of time.

Truth 5: Compliance and usability go hand-in-hand
When you use Internet-grade security to connect your user community to their apps, your compliance story becomes very easy to tell. Your employees are less likely to put your corporation at risk by reusing their corporate credentials in the cloud. And because the corporation agrees to every cloud application access on behalf of the employee, control and visibility become much stronger. Meanwhile, your users spend less time remembering and resetting passwords, and their application access “just works.”

These days, identity and access management is a moving target shaped by the forces of cloud and mobile. By understanding these new realities, your IT execs will be positioned to make decisions that will benefit your organization now and in the future.

Patrick Harding is responsible for the Ping Identity product and technology strategy. He brings more than 20 years of software development, networking infrastructure, and information security to the role, which includes oversight of the Office of the CTO and Ping Labs.