Identity: Yes, that's your security perimeter being reinvented
The evolution of enterprise security architecture will require a layer of identity and access control that extends beyond the current firewall boundary and is integrated across distributed infrastructures, platforms, applications and devices, according to industry observers.
In the process, current enterprise security perimeters will be shattered and redefined as part of a global network that will demand to know who, what, when, where and why.
"A revolution needs to happen," says Mark Diodati a research vice president at Gartner who focuses on identity infrastructure. "Boundaries we saw between on-premises and cloud and boundaries between user constituencies are breaking down."
The transformation is under way with current identity systems being adapted, new technologies and standards being added and corporate directories taking on redefined roles.
In this changing world, clouds, mobile devices and distributed applications mean IT no longer can count on identity staples like user authentication, authorization and provisioning always happening under their control. And end-users are just as apt to be partners or contractors as internal employees.
Outside becomes the new inside and distributed networking flips on its head everything that has been labeled identity and access management.
Authentication is fairly well adjusted, but controls like fine-grained authorization, standardized user provisioning, trust frameworks, integrated audit controls, compliance, account management and standardized protocols remain works in progress.
As the annual RSA Conference opens Tuesday every hardware and software security vendor will be talking about how its products, strategy, and R&D is bending to capitalize on networking's evolution.
For identity, the focus is on building a distributed, loosely coupled foundational anchor that determines who trusts who, who has access to what, when and from where.
"You don't have employees anymore," says Diodati. "We were focused on employees using Active Directory joined workstations. Now enterprises don't care. They can't depend on the typical tricks of the ID trade. If you want access to stuff it will require high identity assurance."
Curves are being thrown by users who show up with an identity in tow, acquired from a social network or ID hub, or bring their own device that IT does not control.
Core concepts of identity aren't changing, but they are no longer perceived as standalone disciplines. "They are being absorbed into platforms like cloud and mobile device management (MDM)," Diodati says.
While technologies evolve, some say there is one concept that needs to die.
"We have to get rid of passwords," says Sally Hudson, a research director in IDC's security products and services group. "That is nothing new, but that is what needs to be solved." She says emerging standards such as OpenID Connect and OAuth for user, device and application programming interface (API) authentication are shaping up as potential solutions along with multi-factor options tethered to mobile devices.
"Identity is part of the infrastructure, it is middleware," says Hudson. "People will build on top of the infrastructure and that is what will be talked about not [the technology] underneath."
For example, users won't care that OAuth 2.0, which is nearing completion as an Internet Engineering Task Force standard, was used to authenticate access to an API; the focus will be on the data culled from a third-party application.
In this model, identity and access will be an expectation.
"The way you should access control your apps should be the same regardless if the user is the guy in the next cube or someone from outside," says Eve Maler, a principal analyst with Forrester Research. "It is a data centric, resource centric kind of view, putting a tiny crunchy shell around each kind of app access as opposed to it being in a big mass of chewy-center protected by one thin firewall."
Maler refers to something Forrester calls zero-trust identity.
"You start from a position of zero trust," she says. "The same as you should for preparing for deliberately punching through enterprise [security] perimeters."
Maler says companies need to think about how they address identity and access management as an extended enterprise, one that has resources that don't live on networks they own and are accessed by people who are not employees.
"You have to pretend it is all open and prepare for it being all open." She says identity federation is part of the answer along with identity as a service, although both disciplines are still on evolutionary tracks.
"We need to have access control and authorization dial tone so developers can tap into it more easily," says Jim Reavis, executive director of the Computer Security Alliance, an industry group that develops best practices for cloud security.
"Identity has to extend beyond users to devices, applications and data stores, we have to have this holistic view."
CSA this year plans to extend its identity working group beyond just best practice development and get involved in pilot programs with corporate members, governments and universities.
"In the big picture, I think that identity and better ways to establish identity is actually the most critical part of how we move from traditional IT to a world of highly virtualized IT."
See also: