Identity is the New Security Perimeter

Two questions were asked at the K(NO)W Identity Conference this week that highlight some of the complexities and abstractions associated with online identity: Where is identity security going? Why is it important?
Identity is the new security perimeter.
Industry now recognizes that identity is the new security perimeter: perimeter-based defense models have proven to be necessary, but insufficient. Simple, static credentials such as a username and password alone can no longer be relied on for online risk mitigation. It takes only one malicious internal or external actor stealing a credential to put an entire organization at risk. Once inside, the intruder typically forges or reuses credentials and escalates privileges to reach sensitive network services and data. Theft of user PII continues to have global repercussions as attackers pose as valid users for nefarious purposes.
Publicized breaches involving identity theft have rapidly driven corporate and regulatory bodies to revisit the key policy tradeoffs: security, privacy, liability, cost and user experience. As brand reputation and stock prices for compromised enterprises have suffered, negligence lawsuits and the resulting penalties have become important drivers of enterprise behavior and policy. The Internet has evolved into a web services platform upon which corporations and governments depend, and threats and transaction risks have become more sophisticated. In response, online identity security models are evolving from reliance on static credentials and data toward dynamic information that can more reliably and accurately provide evidence of identity.
Organizations must move towards a multi-step model to address the first layer of security vulnerabilities: control over the identities that access networks, applications and data. A three-tier identity security model has proven effective in protecting the enterprise identity perimeter. Let’s briefly explore these three steps – Verify, Trust and Access:
Verifying users who are trying to access your online services is the first step to mitigating the risks surrounding user access. Knowing who a user is lets you sleep well at night, confident that your organization is protected. The type and number of attributes checked varies with the level of security required: you wouldn’t want to let someone transfer $1 million without knowing who they were, right? Verifying these users through a more intensive backend process helps mitigate the risk of security breaches, and of the drop in stock price, layoffs and loss of brand value that follow them.

For users, having their identity verified makes access to the online services they want easier. The login experience becomes more fluid once the user’s identity is tied to a credential: no longer does the individual need to remember 100 insecure username/password combinations, which are particularly weak without multi-factor authentication.
Once verified, an identity can be linked to a credential to support the level of trust required by security policy. This linkage of credentials, identity attributes and contextual attributes (e.g., device ID) is typically customized to support the level of trust needed for each service.
Access across one or more services is easily and securely enabled using a trusted credential with Adaptive Authentication, where real-time checks on attributes are applied as required by the security policy associated with each online service. For insiders, the organization can be sure that employees reach only the areas of the network, applications and data they have been granted permission to access. As a user, you can be sure you are easily given access to what you are approved to work with.
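To make the Verify, Trust and Access steps concrete, here is an added example (not code from the original article or from any product it describes) of an adaptive access decision. It models each step as data: the assurance level established at verification, the factors and enrolled devices bound to the credential, and the contextual attributes observed at access time (device ID, as the article mentions, plus an assumed IP country). Each service carries its own policy, and a request can be allowed, denied, or sent for step-up authentication when the identity is sound but the current factor or device falls short. The service names, policy fields, assurance scale and sample users are all constructed for illustration.

```python
"""Adaptive access decision across Verify -> Trust -> Access.

Added example for illustration; policy fields, assurance levels,
service names and sample identities are constructed, not taken from
the original article or any real product.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # identity is sound, but a stronger factor or device check is needed now
    DENY = "deny"


@dataclass(frozen=True)
class Identity:
    """Output of the Verify step: who the user is and how strongly that was established."""
    user_id: str
    assurance_level: int  # constructed scale: 1 self-asserted, 2 document-checked, 3 in-person
    entitlements: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Credential:
    """Output of the Trust step: a credential bound to a verified identity."""
    identity: Identity
    factors: FrozenSet[str]             # e.g. {"password", "totp"}
    registered_devices: FrozenSet[str]  # device IDs enrolled when the credential was bound


@dataclass(frozen=True)
class Context:
    """Contextual attributes observed at access time."""
    device_id: str
    ip_country: str


@dataclass(frozen=True)
class ServicePolicy:
    """Per-service policy: each service demands its own mix of attributes."""
    name: str
    min_assurance: int
    required_factors: FrozenSet[str]
    require_known_device: bool
    allowed_countries: FrozenSet[str]          # empty set means no restriction
    required_entitlement: Optional[str] = None


def evaluate(cred: Credential, ctx: Context, policy: ServicePolicy) -> Decision:
    """Apply one service's policy to a request; checks run in order of severity."""
    ident = cred.identity
    # Verify: the identity must have been established strongly enough for this service.
    if ident.assurance_level < policy.min_assurance:
        return Decision.DENY
    # Access: the user must actually be entitled to this service.
    if policy.required_entitlement and policy.required_entitlement not in ident.entitlements:
        return Decision.DENY
    # Context that no extra factor can repair (e.g. disallowed geography) is a hard deny.
    if policy.allowed_countries and ctx.ip_country not in policy.allowed_countries:
        return Decision.DENY
    # Trust: a missing factor or an unenrolled device calls for step-up, not a refusal.
    if policy.required_factors - cred.factors:
        return Decision.STEP_UP
    if policy.require_known_device and ctx.device_id not in cred.registered_devices:
        return Decision.STEP_UP
    return Decision.ALLOW


# Constructed sample policies: a high-value service and a low-value one.
PAYROLL = ServicePolicy("payroll", min_assurance=2, required_factors=frozenset({"password", "totp"}),
                        require_known_device=True, allowed_countries=frozenset({"US"}),
                        required_entitlement="payroll:read")
INTRANET = ServicePolicy("intranet", min_assurance=1, required_factors=frozenset({"password"}),
                         require_known_device=False, allowed_countries=frozenset())

# Constructed sample users.
ALICE = Credential(Identity("alice", 2, frozenset({"payroll:read"})),
                   factors=frozenset({"password", "totp"}), registered_devices=frozenset({"laptop-01"}))
BOB = Credential(Identity("bob", 1), factors=frozenset({"password"}), registered_devices=frozenset())


def demo() -> dict:
    """Run a few representative requests and return the decisions keyed by scenario."""
    return {
        "alice_payroll_known_device": evaluate(ALICE, Context("laptop-01", "US"), PAYROLL),
        "alice_payroll_new_device": evaluate(ALICE, Context("phone-99", "US"), PAYROLL),
        "alice_payroll_abroad": evaluate(ALICE, Context("laptop-01", "FR"), PAYROLL),
        "bob_payroll_low_assurance": evaluate(BOB, Context("desk-07", "US"), PAYROLL),
        "bob_intranet": evaluate(BOB, Context("desk-07", "US"), INTRANET),
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario}: {decision.value}")
```

The ordering of checks is the design point: failures of verification or entitlement are denied outright because no additional factor can fix them, while a missing factor or an unfamiliar device triggers step-up, which keeps the login fluid for legitimate users while still honoring the stricter policy of the high-value service.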
As the new security defense perimeter, identity is complex because each online service can require a different combination of attributes and credentials. In addition, enterprise identity security models are dynamically evolving to address the growing diversity and frequency of cyber threats. Organizations need a comprehensive solution to verify identities on an ongoing basis, to continuously establish trust, and to manage user access while retaining the flexibility to change policy in response to external and internal drivers.