Joe Onisick:
Polarizing technologist, leader, marketeer, channel whisperer and Continuum Principal.
Information security (InfoSec) was born in the ’70s with two research projects, Creeper and Reaper — the world’s first computer worm and antivirus software. From there, it grew and matured with technology itself in an evolutionary fashion. As the threats advanced, security evolved to match them. Now entering its early ’50s, InfoSec is experiencing an identity crisis.
This isn’t the type of existential crisis requiring a motorcycle and a new all-in hobby. This crisis is far more literal. To properly enforce security policy, we need to know who or what is attempting access. We need to know the identity. The identity tools and processes in place today are heavily fragmented and fraught with major gaps. We have an identity crisis.
The existing fragmentation and gaps are not new. They’ve grown (often exponentially) over time. Identity is stored in multiple locations, and servers and systems rely on one source while the network relies on another. As we moved to the cloud, this fragmentation rapidly expanded, adding new identity stores within cloud platforms or whole new silos with cloud single sign-on (SSO) systems. Where identity gaps exist, we simply bandage them with default trust — for example, trusting anything on a network segment to be secure.
Identity fragmentation and default trust can be major contributors to massive data breaches. Each plays a unique role. The lack of correlation of identity between fragmented silos prevents a global picture of the users, things and services (actors) acting on our systems. For example, a user’s actions through a cloud SSO are not correlated with on-premises identity and directory services. The same actor has separate identities in separate systems. Meanwhile, default trust leads to the massive scope of breaches we so often see. A device on a trusted network or system is compromised and able to propagate freely.
The industry constantly evolves enforcement systems like firewalls while chasing new security methodologies like zero trust without solving this underlying identity problem. Advancements do occur, but they are limited in scope. SSO consolidates some (but not all) identity, and multifactor authentication (MFA) strengthens identity verification but adds user friction and leaves gaps for the devices and services coming online with the Internet of Things (IoT). It’s akin to bailing water without a plan to fix the hole in the hull.
To achieve the goals of zero trust, the industry must start with an ability to correlate identity globally for each user, device or thing accessing a system. There are many ways to solve this, from new identity systems to platforms for correlating identities stored in existing silos. In any implementation, the goal must be a globally correlated identity that provides a view of everything an actor accesses or attempts to access.
This global identity becomes the platform from which to build robust security policy and enforcement. By creating a universally available source of identity, default trust zones can be removed. This moves the needle closer to zero trust, where every action can be assessed and authorized based on the specific actor involved. For security teams, this means an end to attacks propagating freely within default trust zones. For operations and compliance teams, this means a global view of who is accessing what and the auditability that comes with it. This type of visibility is critical. Two examples illustrate this further — the ability to ensure a new hire has access to all required systems, and the ability to ensure an exiting employee is removed from all available systems. As we are in the midst of one of the greatest IT staff migratory phases the industry has seen, the power of this global visibility is instantly apparent.
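The correlation step the last three paragraphs describe, as an added illustration that is not from the article or any product: three constructed silo exports (on-premises directory, cloud SSO, network access control) are folded into one global actor record keyed on a shared email, and the two audit checks named above, the new-hire and exiting-employee checks, are run against that record. Silo names, field names and sample users are assumptions.

```python
from collections import defaultdict

# Constructed sample exports (not real data), one record list per identity silo;
# every record carries the shared correlation key, here the corporate email.
DIRECTORY = [  # on-premises directory, treated as the authoritative source
    {"email": "ana@example.com", "account": "ana.r", "status": "active"},
    {"email": "ben@example.com", "account": "ben.k", "status": "disabled"},
    {"email": "dev@example.com", "account": "dev.m", "status": "active"},
]
CLOUD_SSO = [  # cloud single sign-on tenant (note the differently cased email)
    {"email": "Ana@example.com", "account": "ana.r", "apps": ["crm", "wiki"]},
    {"email": "ben@example.com", "account": "ben.k", "apps": ["crm"]},
]
NETWORK = [  # network access control, keyed to a device owner
    {"email": "ana@example.com", "device": "lt-0142"},
    {"email": "cara@example.com", "device": "lt-0199"},
]
SILOS = {"directory": DIRECTORY, "cloud_sso": CLOUD_SSO, "network": NETWORK}

def correlate(silos):
    """Fold per-silo records into one global actor record keyed on the email."""
    actors = defaultdict(dict)
    for silo_name, records in silos.items():
        for rec in records:
            actors[rec["email"].lower()][silo_name] = rec
    return dict(actors)

def leaver_gaps(actors, authoritative="directory"):
    """Exiting-employee check: actors disabled in, or absent from, the
    authoritative silo that still hold an account somewhere else."""
    gaps = {}
    for email, presence in actors.items():
        auth = presence.get(authoritative)
        if auth is not None and auth["status"] == "active":
            continue
        lingering = sorted(s for s in presence if s != authoritative)
        if lingering:
            gaps[email] = lingering
    return gaps

def joiner_gaps(actors, required, authoritative="directory"):
    """New-hire check: active actors missing from a silo they must be in."""
    gaps = {}
    for email, presence in actors.items():
        auth = presence.get(authoritative)
        if auth is None or auth["status"] != "active":
            continue
        missing = sorted(set(required) - set(presence))
        if missing:
            gaps[email] = missing
    return gaps
```

On the sample data, `leaver_gaps` flags ben (disabled but still in the SSO tenant) and cara (known only to the network), while `joiner_gaps` flags dev, who exists in the directory but nowhere else.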
Solving this identity crisis should be top of mind for CISOs and their teams. The groundwork for this is looking at the current identity fragmentation within an environment and working to reduce it without adding to it. As identity projects are taken on, they should be assessed to ensure they won’t further fragment identity sources. As new identity and access tools are deployed, they should be required to fit a paradigm where global identity is the basis of security policy.