SecurityWeek

Is Identity the New Perimeter? What Would Donald Trump Think?

I recently attended yet another security conference where a vendor triumphantly declared that “identity is the new perimeter”. As often as this statement has been made, it seems as though it is perceived to be some sort of generally accepted truth.

This conventional wisdom is founded on the idea that, with the rise of the four horsemen of IT – cloud, mobile, social, consumerization – the old perimeter, based on firewalls, is too porous to provide protection alone, requiring a fallback perimeter based on controlling the identities of those who can access information.

As an employee of an identity management vendor, I’m tempted to join this bandwagon. Yet, this approach perpetuates a flawed way of thinking that really isn’t any different than what it replaces. Identity isn’t the new perimeter because the idea of a perimeter at all is antiquated.

What would Donald Trump think?

In this season’s heated presidential political campaign, the national perimeter of the United States has been a leading topic, thanks to the magniloquence of Donald Trump. His simplistic prescription for blocking illegal immigration relies largely on building a better wall on the southern border of the United States.

It is not difficult to imagine all the ways to circumvent physical border walls – tunnels, boats, legitimate border crossings, airports – and that’s assuming that the wall itself is unbreachable. With each escalation of perimeter defense comes ever-more inventive means of circumvention. Just like in IT security.

Of course, once the perimeter is in place, the question of how to identify those in the country arises. There are laws to prevent those without proper visas from working, and yet official estimates put the number of illegal workers at over 11 million. If identity were to be the new perimeter of the United States, what sort of police state would that require? Apparently, Mr. Trump can solve this problem with a wave of his outstretched palms – security practitioners have no such luxury. 

Is identity a preventative or enabling technology?

Moving past outmoded ways of thinking of identity requires answering this question: is the purpose of identity to enable business users, or is it primarily a foundation for controlling access? 

To be fair, it’s both, but your perspective of which is primary indicates your way of thinking. Identity should not be considered the toll booth, but the road itself. It is the avenue to most efficiently connect users with the resources and information they need to conduct business. This change in mindset is a part of the broader repositioning of IT security as secure enablers rather than the “department of no”.

What about keeping attackers out?

Yes, the perimeter has a role in keeping out less-sophisticated attackers. But the idea that we can lock everything down has already proven impossible as breach after breach is reported. Keeping out determined attackers who are finding it ever easier to obtain insider credentials to take information undetected poses its own ongoing challenges to this identity-as-the-perimeter concept. 

The concept of securely enabling business users is different. It starts from the mindset of how to help those users get to the information and applications they need – whether in the cloud, on mobile devices, or connected to legacy systems. The security elements have to be as transparent as possible. If breaches are inevitable, then part of that transparency is monitoring identity behavior to establish a baseline of normalcy, so that abnormal behavior can be flagged when legitimate credentials are being abused. 

The true value of identity is not in creating more defense in depth, which means that identity is not the new perimeter. The immigration debate gets lost in enforcement rhetoric rather than focusing on a means of fairly matching willing providers of labor with those who want to purchase it. Let’s not make the same mistake in IT security, but focus instead on how to use identity to make our businesses more productive, and better at working with others.
