In the last decade, we have seen rapid change in technology usage. New technologies brought to the market shifted how we engage with and use technologies amid a global shift toward digitalization. Digitalization aims to bring rapid and instant gratification to stakeholders, from corporate employers to consumers, and with this, identity has become a key and central player for proffered services.
Services can be consumed on the go, in the moment and from anywhere focused on a targeted demographic, utilizing increasingly connected devices and cloud-based applications. These, in turn, bring inherent risk to people, things and systems outside that traditional security perimeter of yesteryear.
History of Identity and Access Management
Identity and access management (IAM) goes back to the 1960s when IBM developed the Resource Access Control Facility (RACF) for their mainframe systems.
The intent behind RACF was to provide a centralized authentication and access control mechanism for mainframe resources. RACF would allow administrators to manage user accounts and control access to different resources based on defined policies and included features such as password management, user authentication and auditing.
As technology progressed, we saw the rise of distributed computing and networking in the 1980s. Distributed computing, in turn, led to a need for IAM systems that could manage identities and access across multiple systems and platforms, resulting in the development of Lightweight Directory Access Protocol (LDAP) and other directory services.
The 1990s saw the advent of web-based applications and the internet going mainstream, which led to the development of identity federation standards such as Security Assertion Markup Language (SAML) and Open Authorization (OAuth). SAML and OAuth allow administrators to manage access across different domains and systems, and enable users to authenticate and authorize access to web applications.
Leading into the 2000s, we saw the emergence of cloud computing and more reliance on mobile devices, which created new challenges for IAM administrators concerning access management for resources not on-premise. This resulted in the introduction of cloud-based IAM solutions, which has grown further over the last several years as cloud computing and digital transformation became mainstream.
Identity as the New Security Perimeter
Organizations, as we know, are continually developing and adopting new digital technologies to meet business objectives and customer satisfaction metrics. This, coupled with the rise in working remotely or in a hybrid model, is contributing to the traditional security perimeter as we know it becoming less effective.
Traditional perimeter-based security models, as we know, are the physical and logical boundaries that protect an organization’s IT infrastructure and rely on security within physical locations and network boundaries. These models served as a foundation for enterprise security for many years until the advent and adoption of cloud services, mobile devices and remote work, as we experienced in volumes over the pandemic.
As this traditional model falls obsolete in effectively protecting organizations against ever-evolving and dynamically shifting security threats, identity will lead in crafting effective security strategies within modern organizations.
With constantly moving users, who may leverage multiple modes of connecting to the internet, a security model focused on user identity and access control will be a more agile method to secure organizations from threats against users, things and systems that will only grow. With this new identity as a security perimeter, identity is the common denominator across location-agnostic access points, devices, and networks, enabling organizations to holistically authenticate, authorize, and manage users, things, and systems.
Then, as we continue to mature this perimeter, identity-based security models with embedded machine learning and AI can enhance insights on identity threats for faster remediation. These identity threats to organization are digital gold for any malicious actor.
Getting back to the concept of the word “perimeter” in this case, we are looking at a digital perimeter and establishing an identity trust model that is bounded by borderless digital and virtual environments. Such a model has to look at user identity and behavior as metrics to create an identity trust model, as seen in work done by the MyVayda identity risk and trust platform team.
Identity trust then takes into consideration factors such as:
- The rise of insider threats, be they malicious or accidental, as shown in a study by Ponemon Institute which found that insider threats increased 34% since 2020. Furthermore the 2022 Ponemon Institute Cost of Insider Threat stated:
“The time to contain insider threat increased from 77 days to 85 days.”
“Incidents that took more than 90 days to contain cost organizations an average of $17.19 million.”
- The rapid adoption of digitalization, cloud services and remote work, where identity management is critical, to ensure that only authorized users have access to specific systems and resources. This requires that, regardless of their location or the devices they use, privileges and entitlements are assigned per authorizations, and policy and are audited regularly.
- Regulatory compliance, e.g., SOX 404, GDPR, CCPA, etc., can be challenging in a distributed environment where data is stored across multiple locations and jurisdictions.
- Applications, systems, and Internet of Things (IoT) complexity, requiring identity scalability.
- Reducing and consolidating fragmented identity data to reduce security gaps, costs and errors with the management of access controls.
- Striking the right balance between security and user experience to reduce friction for users that could impact productivity and user satisfaction.
Technologies and Strategies for Addressing Identity Management Challenges
To address challenges such as complexity in managing and securing digital identities across multiple cloud services, devices, and networks, insider threats, and regulatory compliance requirements, incorporating the following will be vital to ensuring success.
In building an identity as a new security perimeter, we must include single sign-on (SSO), multi-factor authentication (MFA), continuous monitoring and an IAM platform that provides a centralized solution to manage user identities, access controls and authentication policies. It is imperative that we also have a robust policy and process that defines auditable risk-based access control.
Not only will a risk-based access control process dynamically adjust the level of authentication and authorization required by an organization mapped to a user’s behavior, device, location and other contextual factors, but as a model, it will enhance user satisfaction and operations experiences as they work with applications, systems and Internet of Things (IoT) in their day-to-day functions.
Of course, new processes have to be measured and tested for improvements, maturity, and effectiveness. With this in mind, some of the things we will need to measure and quantitively assess as a measure of the success of our new identity security perimeter are:
- How is identity as a security perimeter protecting digital assets from unauthorized access and reducing the risk of data breaches?
- How are things like SSO and MFA improving user experience by simplifying application access?
- How is this new security perimeter enabling organizations to scale their security measures more effectively, ensuring that employees can access the resources they need from any location, device or network?
- How are organizations leveraging IAM platforms to ensure an auditable and robust Identity Lifecycle Management from onboarding to offboarding, provisioning and de-provisioning access rights, updating user information and monitoring for suspicious activities?
- How are organizations integrating identity governance to provide a centralized view of all user identities and access rights across the organization, set policies, enforce compliance, and mitigate risk by identifying and addressing security threats?
- How are they using IAM platforms to manage user roles, groups, and permissions based on business requirements?
- Based on the organization’s approval workflows, how are user requests automatically routed to an appropriate approver?
- How are they automating password management and password synchronization across multiple systems?
- How are they leveraging privileged access management (PAM) within their organizations, and how are they using identity federation, which will simplify access management across multiple cloud services and applications?
As this new security perimeter continues to evolve, technologies such as AI and ML, blockchain, biometrics, passwordless authentication, and "Zero Trust" will significantly enhance identity security. Most of us know the concepts or building blocks comprising the term "zero trust architecture (ZTA)" have been around for a while.
Many core security principles and technologies comprising the ZTA model have been evolving for decades.The concept of zero trust can be traced back to the "need-to-know" principle, developed in the 1960s by the US Department of Defense (DoD) as part of its security policies for classified information.
Others later adapted this, including the National Institute of Standards and Technology (NIST), which developed the concept of "least privilege" access control.
Navigating a Growing Security Perimeter
The evolution of the security perimeter from traditional to identity-based is critical to protecting organizations’ digital assets in today’s interconnected world. As technology evolves and the cybersecurity landscape becomes more complex, the importance of identity as the new security perimeter will only continue to grow.
As a result, this traditional concept of a well-defined security perimeter bound by physical borders and incident response mechanisms is no longer the ideal option.
By adopting a defense-in-depth strategy built on identity, organizations can not only improve protection against external and internal threats but also gain increased insight and integrated auditability with integrated IAM platforms. These will ensure the security of their data and systems in preparation for tomorrow’s more complex and interconnected digital ecosystem.
This, coupled with an understanding of identity risk and living identity movements throughout organizations’ applications, systems and Internet of Things as shown by the MyVayda team and others, will be critical to the success of identity as a new security perimeter.