Skip to main content

Forget Firewalls, Identity Is The Perimeter

"It is pointless having a bullet proof double-locked front door, if you have no glass in your windows".  I'm not sure who actually said that (if anyone..), but the analogy is pretty accurate.  Many organisations have relied heavily in the past, on perimeter based security.  That could be the network perimeter or the individual PC or server perimeter.  As long as the private network was segregated from the public via a firewall, the information security manager's job was done.  Roll on 15 years and things are somewhat more complex.

"Identity as the perimeter" has been discussed a few times over the last year or so and I'm not claiming it as a strap line - albeit it is a good one at that.  But why is it suddenly becoming more important?



The Extended Enterprise - Mobile, BYOD, Consumer

Organizations of all sizes are no longer central places of work, with siloed business units, headed up by managers in glass-walled offices.  Remote working is no longer limited to cool startups or the creative industries.  Desktop PC's are now in decline, with tablets and smartphones able to do the majority of work related use cases.  Many organisations now have complex supply chains, leveraging partners, sub-partners, clients and consumers.  Outsourced services and applications now make up a large percentage of an organization's delivery management process, with these services often allowing authentication and user management controls outside of the standard corporate LDAP.

The increased use of BYOD, mobile workforces and increased outsourced and consumer lead service interaction, requires a much more integrated and agile view of an identity, but also requires CISO's, to view data protection and segregation in a much more user centric approach.

There Is No Network Separation - Everything is Connected

Everything is connected.  You can receive corporate email on your smartphone over a network carrier paid for privately.  Remote backup and file sync solutions allow sensitive files to be stored off site without the knowledge of a DLP solution.  There is no longer a 'corporate' network with strong demarcation lines.  Whilst this has obvious user benefits and efficiency gains, it has opened up new areas for security management.  The one thing which is staying relatively static is the that of the identity driving this change.  I don't mean the role and concept of identity is static.  Quite the opposite, but identities are still the driving force between application interactions, network traffic analysis, DLP techniques, firewall management and so on.  Each transaction should be linked in some way to an identity.  This identity could be well masked through alias upon alias, but there are fewer and fewer chances for a truly anonymous computer interaction.

Extend the Enterprise or the Stretch The Cloud?

These identities are developing in multiple directions.  The traditional corporate view of an identity originating from an authoritative source such as HR and flowing via provisioning systems to a target directory or database is still present.  Complex workflows and RBAC projects will keep many a consultant in work for years to come.  But with the onset of the extended enterprise, the increased use of social and cloud based identity brokers and platforms (Google, Facebook et al), there is a need for fusion.  The ability for organisations to extend to the 'cloud' and the for the internet based services and brokers to able to reach out to traditionally standalone organizations with their new apps and services securely, whilst still making the user experience convenient.  But where to start?  Traditional enterprise identity and access management solutions are often too static and unable to scale to internet style proportions.  Internet focused identity has been about single sign on, federation and authentication via social platforms. Organizations need to be able to manage interactions with 3rd party service providers from a centralised, potentially policy driven, authentication and authorization perspective.  It's pointless disabling a contractor's internal LDAP account if they still have an active Saleforce or Dropbox account when they've left.

Compliance doesn't just fade away in cloud and internet based scenarios.  There are still stringent controls that need to be adhered to, in order for an organization's identity management platform to be both convenient and effective.

By Simon Moffatt

Popular posts from this blog

Customer Data: Convenience versus Security

Organisations in both the public and private sector are initiating programmes of work to convert previously physical or offline services, into more digital, on line and automated offerings.  This could include things like automated car tax purchase, through to insurance policy management and electricity meter reading submission and reporting.

Digitization versus Security

This move towards a more on line user experience, brings together several differing forces.  Firstly the driver for end user convenience and service improvement, against the requirements of data security and privacy.  Which should win?  There clearly needs to be a balance of security against service improvement.  Excessive and prohibitive security controls would result in a complex and often poor user experience, ultimately resulting in fewer users.  On the other hand, poorly defined security architectures, lead to data loss, with the impact for personal exposure and brand damage.

Top 5 Security Predictions for 2016

It's that time of year again, when the retrospective and predictive blogs come out of the closet, just before the Christmas festivities begin.  This time last year, the 2015 predictions were an interesting selection of both consumer and enterprise challenges, with a focus on:


Customer Identity ManagementThe start of IoT security awarenessReduced Passwords on MobileConsumer PrivacyCloud Single Sign On
In retrospect, a pretty accurate and ongoing list.  Consumer related identity (cIAM) is hot on most organisation's lips, and whilst the password hasn't died (and probably never will) there are more people using things like swipe login and finger print authentication than ever before.

But what will 2016 bring?


Mobile Payments to be Default for Consumers

2015 has seen the rise in things like Apple Pay and Samsung Pay hitting the consumer high street with venom.  Many retail outlets now provide the ability to "tap and pay" using a mobile device, with many banks also offer…

The Role of Identity Management in the GDPR

Unless you have been living in a darkened room for a long time, you will know the countdown for the EU's General Data Protection Regulation is dramatically coming to a head.  May 2018 is when the regulation really takes hold, and organisations are fast in the act on putting plans, processes and personnel in place, in order to comply.

Whilst many organisations are looking at employing a Data Privacy Officer (DPO), reading through all the legalese and developing data analytics and tagging processes, many need to embrace and understand the requirements with how their consumer identity and access management platform can and should be used in this new regulatory setting.

My intention in this blog, isn't to list every single article and what they mean - there are plenty of other sites that can help with that.  I want to really highlight, some of the more identity related components of the GDPR and what needs to be done.

Personal Data On the the personal data front, more and more org…