Identity: Yes, that's your security perimeter being reinvented

Summary: Clouds, mobile devices and distributed applications are smashing traditional enterprise security boundaries and identity is poised to help redefine a new security perimeter.

The evolution of enterprise security architecture will require a layer of identity and access control that extends beyond the current firewall boundary and is integrated across distributed infrastructures, platforms, applications and devices, according to industry observers.

In the process, current enterprise security perimeters will be shattered and redefined as part of a global network that will demand to know who, what, when, where and why.

"A revolution needs to happen," says Mark Diodati, a research vice president at Gartner who focuses on identity infrastructure. "Boundaries we saw between on-premises and cloud and boundaries between user constituencies are breaking down."

The transformation is under way with current identity systems being adapted, new technologies and standards being added and corporate directories taking on redefined roles.

In this changing world, clouds, mobile devices and distributed applications mean IT no longer can count on identity staples like user authentication, authorization and provisioning always happening under their control. And end-users are just as apt to be partners or contractors as internal employees.

Outside becomes the new inside and distributed networking flips on its head everything that has been labeled identity and access management.

Authentication is fairly well adjusted, but controls like fine-grained authorization, standardized user provisioning, trust frameworks, integrated audit controls, compliance, account management and standardized protocols remain works in progress.

As the annual RSA Conference opens Tuesday, every hardware and software security vendor will be talking about how its products, strategy and R&D are bending to capitalize on networking's evolution.

For identity, the focus is on building a distributed, loosely coupled foundational anchor that determines who trusts who, who has access to what, when and from where.

"You don't have employees anymore," says Diodati. "We were focused on employees using Active Directory-joined workstations. Now enterprises don't care. They can't depend on the typical tricks of the ID trade. If you want access to stuff it will require high identity assurance."

Curves are being thrown by users who show up with an identity in tow, acquired from a social network or ID hub, or bring their own device that IT does not control.

Core concepts of identity aren't changing, but they are no longer perceived as standalone disciplines. "They are being absorbed into platforms like cloud and mobile device management (MDM)," Diodati says.

While technologies evolve, some say there is one concept that needs to die.

"We have to get rid of passwords," says Sally Hudson, a research director in IDC's security products and services group. "That is nothing new, but that is what needs to be solved." She says emerging standards such as OpenID Connect and OAuth for user, device and application programming interface (API) authentication are shaping up as potential solutions along with multi-factor options tethered to mobile devices.

"Identity is part of the infrastructure, it is middleware," says Hudson. "People will build on top of the infrastructure and that is what will be talked about not [the technology] underneath."

For example, users won't care that OAuth 2.0, which is nearing completion as an Internet Engineering Task Force standard, was used to authenticate access to an API; the focus will be on the data culled from a third-party application.

In this model, identity and access will be an expectation.

"The way you should access control your apps should be the same regardless if the user is the guy in the next cube or someone from outside," says Eve Maler, a principal analyst with Forrester Research. "It is a data centric, resource centric kind of view, putting a tiny crunchy shell around each kind of app access as opposed to it being in a big mass of chewy-center protected by one thin firewall."

Maler refers to something Forrester calls zero-trust identity.

"You start from a position of zero trust," she says. "The same as you should for preparing for deliberately punching through enterprise [security] perimeters."

Maler says companies need to think about how they address identity and access management as an extended enterprise, one that has resources that don't live on networks they own and are accessed by people who are not employees.

"You have to pretend it is all open and prepare for it being all open." She says identity federation is part of the answer along with identity as a service, although both disciplines are still on evolutionary tracks.

"We need to have access control and authorization dial tone so developers can tap into it more easily," says Jim Reavis, executive director of the Cloud Security Alliance (CSA), an industry group that develops best practices for cloud security.

"Identity has to extend beyond users to devices, applications and data stores; we have to have this holistic view."

CSA this year plans to extend its identity working group beyond just best practice development and get involved in pilot programs with corporate members, governments and universities.

"In the big picture, I think that identity and better ways to establish identity is actually the most critical part of how we move from traditional IT to a world of highly virtualized IT."

About

John Fontana is a journalist focusing on identity, privacy and security issues. Currently, he is the Identity Evangelist for cloud identity security vendor Ping Identity, where he blogs about relevant issues related to digital identity.

Talkback

7 comments
  • useless

    It is amazing how one can write a whole technical article without telling anything of any value.
    ForeverSPb
    • Ditto that

      I wasn't sure what the point to this pablum was, either.
      ScorpioBlack
  • the point...

    The point is between the lines... there is going to have to be some centralized "authority" that verifies users then allows them their (naturally limited) access. Any guess who'll want that power?

    And corporations will be thrilled to death to offload the liability for positively ID-ing not only the user, but their location, blood pressure, recent purchases and their entire personal lives while we're at it.

    This will enable what I wrote in a sci-fi short I wrote in the 90's, wherein people can be entirely shut out of all commerce and contact based on whether the "authority" is pleased with them or not. The Brave New World.
    pgit
    • Power corrupts

      and absolute power corrupts absolutely.... We have all heard it, and that is the best reason for having common law rather than a dictator, whether "benevolent" or not. So, yes, we have the need, but, in a nutshell, we are not willing to cede authority to anyone who might be able to help.
      Willnott
  • Imaginary Math???

    C'mon now, "security perimeter" on the Internet???? Doesn't exist except in minds of dreamers and wannabes who just can't seem to recognize it is a public forum, with all the security that goes along with any public forum. Anonymity does nothing more than detract from credibility and heighten suspicions by authorities. Please get real and help the "denialians" understand the plight they are really in!
    Willnott
  • I have the answer!

    Reject BYOD and cloud services. Whew, that was tough!
    lippidp
  • the cloud

    Do not believe what these companies say. The cloud is deadly and it will always be so. Do not use the cloud, and ask your internet company if they use the cloud; if so, sue them, and any company that is using the cloud and has your info, sue them.
    ttx19