How Identity-First Security Tames Complexity

The days of establishing a security perimeter around an organization’s IT infrastructure are long gone. Clouds, SaaS, the Internet of Things (IoT), and the need to share data and connect applications with other organizations have completely reshaped enterprise security and perforated the traditional perimeter.

Most business leaders recognize this change. What is often overlooked, however, is that identity management is now what protects an organization as it adopts a more modern framework. Identity matters all the more for security because traditional network controls today have little or no value in the cloud and in SaaS environments.

It’s no wonder the industry now widely accepts that identity is the new perimeter.

Making Identity Matter

Evolving beyond a perimeter-centric focus involves a basic truth: It has become onerous, if not entirely impossible, to rely on perimeter protections to remain safe and secure. Even the most committed and adept organization cannot completely control and manage risks and vulnerabilities at the network level.

Instead of tossing endless time and resources at the task (and attempting to extend protections to every single device), an organization adopts a broader view of managing the relationship between a user, applications and data.

Identity-first revolves around five key areas, all of which start with the letter A (the five A’s):

• Authentication. This includes moving to passkeys and other forms of passwordless access along with multifactor authentication (MFA), where needed. These tools, particularly when combined with phone-based biometrics, can add essential protections while simplifying things for an organization and its users.

• Access management. Role-based access control is a cornerstone of identity management and security best practices. By giving groups and individuals the least permissions they need to do their jobs, it’s possible to enforce policies far more effectively, at a granular level that can help with compliance audits.

• Authorization. With robust access management in place, an enterprise can establish fine-grained authorizations, such as who can perform a specific function or task and under what conditions. It’s also possible to build a framework around continuous access evaluation for every request for every resource, and to protect against rogue users rapidly to reduce exposure.

• Administration. With the ability to manage things in a centralized way, the task of managing security policies can become much simpler, including controls for both east/west (across multiple clouds) and north/south (across the computing stack).

• Audit. An enterprise needs to routinely conduct audits, review user and administrator activity, and analyze the policies that grant access to apps and data. Such reviews can deliver deep insights into how user permissions compare with actual activity, and they are required to demonstrate compliance.
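
As an added illustration of the access management and audit points above (not part of the original article), the following sketch compares role-based grants with logged activity to surface unused permissions and out-of-policy requests. The role names, permission strings and log format are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample policy: role -> permissions, user -> roles (assumptions).
ROLE_PERMISSIONS = {
    "finance-analyst": {"ledger:read", "reports:read", "reports:export"},
    "finance-admin": {"ledger:read", "ledger:write", "reports:read", "users:manage"},
}
USER_ROLES = {"alice": ["finance-analyst"], "bob": ["finance-admin"],
              "carol": ["finance-analyst"]}

# Constructed audit log, one event per line: timestamp user permission decision
AUDIT_LOG = """\
2024-05-01T09:00:00Z alice ledger:read ALLOW
2024-05-01T09:05:00Z alice reports:read ALLOW
2024-05-02T11:30:00Z bob ledger:write ALLOW
2024-05-02T11:31:00Z bob ledger:read ALLOW
2024-05-03T14:00:00Z alice ledger:write DENY
2024-05-03T14:02:00Z dave ledger:read DENY
"""

def granted(user):
    """Effective permissions: union over every role assigned to the user."""
    perms = set()
    for role in USER_ROLES.get(user, []):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

def audit(log_text):
    """Return (unused grants per user, findings that need review)."""
    used, findings = defaultdict(set), []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        _ts, user, perm, decision = parts
        if user not in USER_ROLES:
            findings.append((user, perm, "unknown-identity"))
        elif perm not in granted(user):
            # Outside the user's roles: an ALLOW here means enforcement failed.
            kind = "policy-bypass" if decision == "ALLOW" else "denied-attempt"
            findings.append((user, perm, kind))
        elif decision == "ALLOW":
            used[user].add(perm)
    # Granted but never exercised: candidates for removal under least privilege.
    unused = {u: sorted(granted(u) - used[u]) for u in USER_ROLES}
    return unused, findings

if __name__ == "__main__":
    unused, findings = audit(AUDIT_LOG)
    for user, perms in unused.items():
        print(f"{user}: unused grants {perms}")
    for user, perm, kind in findings:
        print(f"finding: {kind} user={user} permission={perm}")
```

Unused grants are review candidates rather than automatic removals, since a short log window can miss infrequent but legitimate tasks.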

Getting To Identity-First

By focusing on identity rather than protecting every system, device and asset, it’s possible to rein in complexity and embrace a zero-trust security framework. An identity-first approach can protect users, apps and data in ways that far exceed today’s widely used network security tools.

Here are six critical factors required to adopt a best practice framework for identity-first security:

• Unify identity islands into a common identity fabric. Once an organization can see, manage and control identity from a single place (and orchestrate changes universally), identity management can become simpler and better. Gaps and vulnerabilities disappear, and a more modern and effective security framework can emerge.

• Inventory, survey and classify users, applications and data. It’s critical to assemble a complete picture and have a well-conceived implementation strategy before switching to an identity-first model. This process can reduce the risk of encountering problems. It can also illuminate critical factors such as what to modernize first, what protections must be in place for different users and data, and which identity provider (IDP) and authentication tools are best for the job.

• Modernize identity systems. With a sound classification process, answers about how to proceed can become much more manageable. For example, an enterprise might identify the need to replace a legacy IDP system and move apps to an identity management provider in the cloud.

• Augment security by adding passwordless, MFA and biometrics. Any identity management system is only as good as the authentication it uses. MFA has become critical, and passwordless is rapidly becoming a necessity. Combined with device-based biometric authentication, these measures make it possible to greatly reduce the risk of phishing and other attacks.

• Use standards-based approaches to avoid vendor lock-in (SAML, FIDO, IDQL, etc.). A key to gaining flexibility and scalability while avoiding vendor lock-in is using a standards-based approach. Over time, this approach can also save money and maximize the odds that technology will not lag or become obsolete.

• Map modernization and migration projects to the five A’s. Using these key factors as an underlying framework for an identity-first project can help an organization understand processes and workflows that will be impacted by an initiative. Not surprisingly, risk is reduced, and the odds of success greatly improve.

To be sure, identity-first represents a significant change in thinking about security frameworks beyond the traditional network perimeter. Organizations that adopt the concept are likely to witness changes that ultimately improve protection, simplify administration and cut costs. It’s a formula for success in an increasingly complex business environment.