I recently attended yet another security conference where a vendor triumphantly declared that “identity is the new perimeter”. The statement has been repeated so often that it now seems to be accepted as a general truth.
This conventional wisdom rests on the idea that, with the rise of the four horsemen of IT – cloud, mobile, social, consumerization – the old perimeter, based on firewalls, is too porous to provide protection on its own, so a fallback perimeter is needed, one based on controlling the identities of those who can access information.
As an employee of an identity management vendor, I’m tempted to join this bandwagon. Yet this approach perpetuates a flawed way of thinking that really isn’t any different from what it replaces. Identity isn’t the new perimeter, because the idea of a perimeter at all is antiquated.
What would Donald Trump think?
In this season’s heated presidential political campaign, the national perimeter of the United States has been a leading topic, thanks to the magniloquence of Donald Trump. His simplistic prescription for blocking illegal immigration relies largely on building a better wall on the southern border of the United States.
It is not difficult to imagine all the ways to circumvent physical border walls – tunnels, boats, legitimate border crossings, airports – and that’s assuming that the wall itself is unbreachable. With each escalation of perimeter defense comes ever-more inventive means of circumvention. Just like in IT security.
Of course, once the perimeter is in place, the question of how to identify those in the country arises. There are laws to prevent those without proper visas from working, and yet official estimates put the number of illegal workers at over 11 million. If identity were to be the new perimeter of the United States, what sort of police state would that require? Apparently, Mr. Trump can solve this problem with a wave of his outstretched palms; security practitioners have no such luxury.
Is identity a preventative or enabling technology?
Moving past outmoded ways of thinking of identity requires answering this question: is the purpose of identity to enable business users, or is it primarily a foundation for controlling access?
To be fair, it’s both, but which one you treat as primary reveals your way of thinking. Identity should not be considered the toll booth, but the road itself. It is the avenue that most efficiently connects users with the resources and information they need to conduct business. This change in mindset is part of the broader repositioning of IT security as a secure enabler rather than the “department of no”.
What about keeping attackers out?
Yes, the perimeter has a role in keeping out less-sophisticated attackers. But the idea that we can lock everything down has already proven impossible, as breach after breach is reported. Determined attackers find it ever easier to obtain legitimate insider credentials and take information undetected, and that is the ongoing problem for the identity-as-the-perimeter concept: a perimeter built on identity offers no protection against someone who walks through it with a valid credential.
The concept of securely enabling business users is different. It starts from the mindset of how to help those users get to the information and applications they need – whether in the cloud, on mobile devices, or connected to legacy systems. The security elements have to be as transparent as possible. If breaches are inevitable, then part of that transparency is monitoring identity behavior to establish a baseline of what is normal for each identity (from where, at what times, on which devices, to which applications), so that deviations from that baseline can be flagged when legitimate credentials are being abused.
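The baseline-and-deviation monitoring described above, as an added example that is not part of the original post or any vendor product. It assumes a simple event layout (user, UTC timestamp, country, device, application) and uses constructed sample events; the thresholds (MIN_EVENTS, HOUR_SLACK, RAPID_MOVE) and the names of the deviation reasons are assumptions for illustration.

```python
"""Baseline-and-deviation detection over identity events (added example).

All events below are constructed for illustration. The field layout
(user, UTC timestamp, country, device, app) and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MIN_EVENTS = 5                    # assumption: history needed before a user is scored
HOUR_SLACK = 1                    # assumption: hours next to seen hours still count as usual
RAPID_MOVE = timedelta(hours=2)   # assumption: country change faster than this is suspect

# Constructed historical events: alice has a steady US, office-hours pattern;
# bob has too little history to judge.
BASELINE_EVENTS = [
    ("alice", "2016-03-01T09:05:00Z", "US", "laptop-a1", "crm"),
    ("alice", "2016-03-01T13:40:00Z", "US", "laptop-a1", "mail"),
    ("alice", "2016-03-02T08:55:00Z", "US", "laptop-a1", "crm"),
    ("alice", "2016-03-03T17:20:00Z", "US", "phone-a2", "mail"),
    ("alice", "2016-03-04T12:10:00Z", "US", "laptop-a1", "crm"),
    ("alice", "2016-03-04T16:45:00Z", "US", "phone-a2", "mail"),
    ("bob", "2016-03-02T10:00:00Z", "US", "laptop-b1", "crm"),
    ("bob", "2016-03-03T10:30:00Z", "US", "laptop-b1", "crm"),
]

# Constructed new events: one normal login, one from a new country 90 minutes
# after a US login, one 3 a.m. use of an unknown device against a new app.
NEW_EVENTS = [
    ("alice", "2016-03-08T10:00:00Z", "US", "laptop-a1", "crm"),
    ("alice", "2016-03-08T11:30:00Z", "RO", "laptop-a1", "crm"),
    ("alice", "2016-03-09T03:15:00Z", "US", "unknown-7f", "hr-export"),
    ("bob", "2016-03-08T09:00:00Z", "US", "laptop-b1", "crm"),
]


def parse(ts):
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' UTC timestamp."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def hour_dist(a, b):
    """Distance between two hours of day, wrapping at midnight."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def build_baseline(events):
    """Summarize what is normal per user from historical events.

    Returns {user: {"n", "countries", "devices", "apps", "hours", "last"}},
    where "last" is the (time, country) of the most recent event seen.
    """
    base = defaultdict(lambda: {"n": 0, "countries": set(), "devices": set(),
                                "apps": set(), "hours": set(), "last": None})
    for user, ts, country, device, app in sorted(events, key=lambda e: e[1]):
        b = base[user]
        when = parse(ts)
        b["n"] += 1
        b["countries"].add(country)
        b["devices"].add(device)
        b["apps"].add(app)
        b["hours"].add(when.hour)
        b["last"] = (when, country)
    return dict(base)


def score_event(baseline, event):
    """Return the list of deviations for one event (empty list means normal).

    A user with too little history is reported as 'insufficient_baseline'
    rather than scored, so new accounts do not flood the alert queue with
    deviations from a baseline that does not exist yet.
    """
    user, ts, country, device, app = event
    b = baseline.get(user)
    if b is None or b["n"] < MIN_EVENTS:
        return ["insufficient_baseline"]
    when = parse(ts)
    reasons = []
    if country not in b["countries"]:
        reasons.append("new_country")
    if device not in b["devices"]:
        reasons.append("new_device")
    if app not in b["apps"]:
        reasons.append("new_app")
    if all(hour_dist(when.hour, h) > HOUR_SLACK for h in b["hours"]):
        reasons.append("unusual_hour")
    last_when, last_country = b["last"]
    if country != last_country and abs(when - last_when) < RAPID_MOVE:
        reasons.append("rapid_location_change")
    return reasons


def detect(baseline, new_events):
    """Score new events in time order; returns [(event, reasons)] for flagged ones.

    Each scored event also advances the user's last-seen (time, country), so
    rapid_location_change is judged against the immediately preceding login.
    """
    flagged = []
    for event in sorted(new_events, key=lambda e: e[1]):
        reasons = score_event(baseline, event)
        if reasons:
            flagged.append((event, reasons))
        b = baseline.get(event[0])
        if b is not None:
            b["last"] = (parse(event[1]), event[2])
    return flagged


def run_demo():
    """Build the baseline from the constructed history and score the new events."""
    return detect(build_baseline(BASELINE_EVENTS), NEW_EVENTS)


if __name__ == "__main__":
    for event, reasons in run_demo():
        print(event[0], event[1], ", ".join(reasons))
```

The point of the example is the shape of the approach rather than the thresholds: the normal login produces no alert and the user never notices the control, while the same valid credential used from a second country within two hours, or at 3 a.m. from an unknown device against an application that user never touches, produces a specific, explainable reason. In a real deployment the signals would be weighted rather than simply listed, location would be judged by ASN and geographic distance rather than country, and thresholds would be tuned per role; a user with no history is reported separately so that onboarding does not look like an attack.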
The true value of identity is not in creating more defense in depth, which means that identity is not the new perimeter. The immigration debate gets lost in enforcement rhetoric rather than focusing on a means of fairly matching willing providers of labor with those who want to purchase it. Let’s not make the same mistake in IT security, but focus instead on how to use identity to make our businesses more productive, and better at working with others.