Will an “identity-based perimeter” provide a better security posture?
All of us have recently heard about many data breaches and other major cybersecurity incidents, and sometimes we ask ourselves how they happened.
A few years ago, employees accessed most IT assets from 9 AM to 5 PM, and access was done from a controlled location (i.e. ID access cards, security guards, etc.). So, in the past, traditional network security perimeters protected organizations efficiently against most threats.
Now, the highest level of UX (User Experience) is expected by everyone, and there are requirements to allow access “anytime” from anywhere (i.e. home, office, Starbucks, etc.) using any device (i.e. laptop, tablet, smart phone, etc.). Also, with hybrid and multi-cloud environments, and an increasing number of people working from home, organizations are facing new challenges that require innovative, cost-effective ways to minimize residual risks.
Let’s consider a simple scenario: we have a fictitious organization ABC (around 5000 staff, multiple partners, and many service providers) that has offices across the country.
Ten years ago, all ABC employees accessed mission-critical systems while physically in buildings that belonged to the organization; they used organization-owned devices, and all workloads ran on-premises in data centers controlled by the organization.
Initially, the organization's network design included 3 zones (i.e. Internet, DMZ, and internal network), and resources behind the firewall were trusted.
Now, 80% of ABC employees are working from home, BYOD (Bring Your Own Device) is allowed, mobile devices are being used by employees, there is a cloud-first policy, IoT devices are being used for mission-critical operations, over 50% of ABC partners are using its API, and migration to the cloud is completed for 60% of its applications (Note: let’s assume that different service models have been used: IaaS, PaaS, SaaS).
That new “normal” increases the attack surface and reduces the efficiency of practices focusing exclusively on network perimeter security.
Next steps?
So, what would be a solution that mitigates most of the risks, protects IT assets against most attack vectors, and addresses many new vulnerabilities that didn’t exist 10 years ago? The answer could be the “identity-based perimeter” and the Software Defined Perimeter (SDP).
First of all, the use of “Zero Trust” frameworks, which treat requests from inside and outside the organization equally, may be a great starting point to get the ball rolling with an identity-based perimeter strategy.
Secondly, assuming that the organization plans to move the majority of its workload to the public cloud, major CSPs (such as Amazon Web Services, Microsoft Azure, or Google Cloud Platform) offer IAM (Identity & Access Management) and PIM (Privileged Identity Management) solutions that can be deployed quickly; these can be a foundational building block for identity-centric security.
Also, for large organizations with extensive in-house application development, using exclusively secure APIs and adopting DevSecOps approaches will be another building block.
Finally, we can say that following all security best practices (i.e. least privilege, defence in depth, separation of concerns, MFA, etc.) will still apply; but in the post-COVID-19 era, when many employees may telework by default, a mindset shift to an identity-centric model may be required to ensure that all critical security controls needed to meet business needs are implemented.
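As an added illustration (not code from the original post), here is the contrast between ABC's original “trusted behind the firewall” rule and an identity-based decision that ignores network location and requires a verified identity, MFA, a managed device and an explicit least-privilege grant. The internal address range, user names, resource names and permission table are constructed for the example:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example data: ABC's legacy "internal network" zone.
INTERNAL_NET = ip_network("10.0.0.0/8")

@dataclass
class Request:
    user: str             # authenticated identity (empty string = anonymous)
    source_ip: str
    mfa: bool             # a strong second factor was presented
    device_managed: bool  # device is enrolled and compliant
    resource: str
    action: str

# Constructed least-privilege table: only explicit grants are allowed.
PERMISSIONS = {
    "alice": {("payroll-db", "read")},
    "bob":   {("payroll-db", "read"), ("payroll-db", "write")},
}

def legacy_network_perimeter(req: Request) -> bool:
    """Old model: anything behind the firewall is trusted, whoever sent it."""
    return ip_address(req.source_ip) in INTERNAL_NET

def identity_based_perimeter(req: Request) -> bool:
    """Identity-centric model: location is irrelevant; every request must
    carry a verified identity, MFA, a compliant device, and a matching
    grant for exactly this resource and action."""
    if not req.user or not req.mfa or not req.device_managed:
        return False
    return (req.resource, req.action) in PERMISSIONS.get(req.user, set())

# Two constructed requests: an office workstation with no identity or MFA,
# and a teleworker on a managed laptop who completed MFA.
office_no_mfa = Request("", "10.1.2.3", False, False, "payroll-db", "write")
home_with_mfa = Request("alice", "203.0.113.7", True, True, "payroll-db", "read")

if __name__ == "__main__":
    for r in (office_no_mfa, home_with_mfa):
        print(r.source_ip, "legacy:", legacy_network_perimeter(r),
              "identity:", identity_based_perimeter(r))
```

The legacy rule lets the anonymous office request through and blocks the authenticated teleworker; the identity-based rule does the reverse, and still refuses alice a write she was never granted even from inside the building.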