Is Identity the New Perimeter? What Would Donald Trump Think?

I recently attended yet another security conference where a vendor triumphantly declared that “identity is the new perimeter”. As often as this statement has been made, it seems as though it is perceived to be some sort of generally accepted truth.

This conventional wisdom is founded on the idea that, with the rise of the four horsemen of IT – cloud, mobile, social, consumerization – the old perimeter, based on firewalls, is too porous to provide protection alone, requiring a fallback perimeter based on controlling the identities of those who can access information.

As an employee of an identity management vendor, I’m tempted to join this bandwagon. Yet, this approach perpetuates a flawed way of thinking that really isn’t any different than what it replaces. Identity isn’t the new perimeter because the idea of a perimeter at all is antiquated.

What would Donald Trump think?

In this season’s heated presidential political campaign, the national perimeter of the United States has been a leading topic, thanks to the magniloquence of Donald Trump. His simplistic prescription for blocking illegal immigration relies largely on building a better wall on the southern border of the United States.

It is not difficult to imagine all the ways to circumvent physical border walls – tunnels, boats, legitimate border crossings, airports – and that’s assuming that the wall itself is unbreachable. With each escalation of perimeter defense comes ever-more inventive means of circumvention. Just like in IT security.

Of course, once the perimeter is in place, the question of how to identify those in the country arises. There are laws to prevent those without proper visas from working, and yet official estimates put the number of illegal workers at over 11 million. If identity were to be the new perimeter of the United States, what sort of police state would that require? Apparently, Mr. Trump can solve this problem with a wave of his outstretched palms – security practitioners have no such luxury. 

Is identity a preventative or enabling technology?

Moving past outmoded ways of thinking of identity requires answering this question: is the purpose of identity to enable business users, or is it primarily a foundation for controlling access? 

To be fair, it’s both, but your perspective of which is primary indicates your way of thinking. Identity should not be considered the toll booth, but the road itself. It is the avenue to most efficiently connect users with the resources and information they need to conduct business. This change in mindset is a part of the broader repositioning of IT security as secure enablers rather than the “department of no”.

What about keeping attackers out?

Yes, the perimeter has a role in keeping out less-sophisticated attackers. But the idea that we can lock everything down has already proven impossible as breach after breach is reported. Determined attackers are finding it ever easier to obtain insider credentials and take information undetected, and keeping them out poses its own ongoing challenges to this identity-as-the-perimeter concept.

The concept of securely enabling business users is different. It starts from the mindset of how to help those users get to the information and applications they need – whether in the cloud, on mobile devices, or connected to legacy systems. The security elements have to be as transparent as possible. If breaches are inevitable, then part of that transparency is monitoring identity behavior to establish a baseline of normalcy, so that abnormal behavior can be flagged when legitimate credentials are being abused. 

The true value of identity is not in creating more defense in depth, which means that identity is not the new perimeter. The immigration debate gets lost in enforcement rhetoric rather than focusing on a means of fairly matching willing providers of labor with those who want to purchase it. Let’s not make the same mistake in IT security, but focus instead on how to use identity to make our businesses more productive, and better at working with others.
