Demystifying Digital Identity in the Age of Cloud Authentication.
Now more than ever we are defined by our digital identity, due to the pervasiveness of social media and our multiple digital profiles. More and more, our actions online are used to categorise us and to determine the offers, services and opportunities presented to us.
With the arrival of regulations like GDPR organisations are being forced to recognise that Personally Identifiable Information (PII) is a valuable commodity. It not only needs to be protected, but individuals now also have clearly defined rights associated with their digital identity.
With the explosion of cloud services and flexible working locations we find ourselves in a position whereby our identity is portable and its borders are flexible.
The king of the castle
Before the arrival of the cloud, end users primarily worked in an office location using heavily supervised or controlled devices. All of the key infrastructure and data was stored within that central environment. To use an analogy, we presumed that as the castle contained all of the crown jewels, all we had to do was build a high wall and inspect people on the way in and out to remain secure. Perimeter security was standard policy, and it was valid for as long as that model of data access and storage held true.
Now data is often stored remotely in the cloud and access to it can be from personally owned devices in a variety of locations. In this environment we must define a new perimeter for security and the only constant is our identity.
Identity is the new perimeter
With scattered data and variable device controls we must address the constant we have - our identity - along with these variables to ascertain the appropriate controls to apply to access and usage.
To some extent we already do this, utilising usernames and passwords to ascertain the level and reach of access, but how many of us tie this access to both the device and location from which we attempt access? How many of us utilise identity as the defining parameter for access on our firewalls rather than IP addresses?
The ambiguity of the cloud
While methodologies exist to tie these elements together, such as Network Access Control, the cloud poses new challenges: the data may remain within our control, but visibility into who accesses it, and from where, becomes limited.
For example, with a relatively inexpensive subscription to Office365 all users are able to log in and download applications and data on five different devices. Do you own or control all five of those devices?
Cloud applications often place user convenience above security, with some specifying that firewalls should not be placed "in the way". This means that we need to change our approach so that we are working with, and not against, cloud applications. By utilising their tools or their APIs we can maintain effective control of our data, who accesses it and what they do with it.
Should Big Brother be watching?
When perimeter security was considered sufficient we could easily monitor our firewall and VPN logs for suspicious behaviour and act accordingly. Now that we have defined individuals as the perimeter a new approach is required.
Firstly, we must continue to educate users as to their responsibilities relating to data security. This must be a continual process, but we need to be careful not to overload the user.
Next we must enable their devices to act as perimeters with endpoint management, firewalling, anti-virus and advanced threat protection. Just as we provide these tools and capabilities at our network perimeter now we must deploy them at the new perimeter. This immediately sounds like a large overhead of control and management, but there are tools which provide large scale deployment and reporting. Consider also feeding logs from such systems into a SIEM for further analysis.
Finally we have to do something uncomfortable.
Going back to our castle analogy we presumed that if you had made it past the drawbridge you could be trusted and could have access to almost all of the interior. Today we still find the majority of internal networks are flat and ubiquitous.
If the perimeter has moved, we must recognise that a user may be compromised. One of the most important steps is to stop lateral movement of an attack, and as such we should treat each user as a border and adopt least-privilege access.
Ultimately, users should only be able to access data that they need in order to perform their role, and we have to assume that at some point they will be compromised. Detecting this can be difficult, hence the rise of behaviour analytics. Instead of looking for incontrovertible proof of a breach, we try to define what is typical. If we can baseline user behaviour and determine what is normal then we can be alerted when something abnormal occurs.
Note that this last technique also requires a change in response. Whereas before we responded to known, proven events, now we must investigate possible issues, and the tools you deploy should aid you with this.
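As an added illustration of the baselining approach described above (example code, not part of the original post), the following builds a per-user profile from constructed sign-in events covering the device, location and time of day, then reports how a new sign-in deviates from that baseline. The log format, field names and the two-hour tolerance are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample sign-in history (not from the original post): one event
# per line with fields user, device id, country, local hour of day.
HISTORY = """\
alice,laptop-01,GB,09
alice,laptop-01,GB,10
alice,laptop-01,GB,14
alice,phone-07,GB,08
bob,desktop-03,GB,09
bob,desktop-03,GB,17
"""

def parse_events(text):
    """Parse the CSV-like log into (user, device, country, hour) tuples."""
    events = []
    for line in text.strip().splitlines():
        user, device, country, hour = line.split(",")
        events.append((user, device, country, int(hour)))
    return events

def build_baseline(events):
    """Per-user record of the devices, countries and sign-in hours seen so far."""
    baseline = defaultdict(lambda: {"devices": set(), "countries": set(), "hours": set()})
    for user, device, country, hour in events:
        baseline[user]["devices"].add(device)
        baseline[user]["countries"].add(country)
        baseline[user]["hours"].add(hour)
    return baseline

def score_event(baseline, event):
    """Return the list of deviations from the user's baseline (empty means normal)."""
    user, device, country, hour = event
    profile = baseline.get(user)
    if profile is None:
        return ["unknown-user"]  # no history at all: everything about it is new
    reasons = []
    if device not in profile["devices"]:
        reasons.append("new-device")
    if country not in profile["countries"]:
        reasons.append("new-country")
    # An hour counts as typical if it is within two hours of any prior sign-in.
    if all(abs(hour - h) > 2 for h in profile["hours"]):
        reasons.append("unusual-hour")
    return reasons

def triage(history_text, new_events):
    """Map each new event to its deviation reasons; non-empty ones need investigation."""
    baseline = build_baseline(parse_events(history_text))
    return {event: score_event(baseline, event) for event in new_events}
```

The output is a set of reasons to investigate rather than a verdict, which is the change in response the text describes: an analyst still has to confirm whether a new device in a new country is a travelling user or a compromised account.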
Ultimately our digital identity has come to define us in both our personal and professional lives; we must now adapt our security postures to surround, protect and contain users rather than just assets.
Identity management should enable your business—not hold it back
We invite you to start your identity management transformation journey with us. Together, we can help transform your security program into a cost-effective, innovative, and user-friendly experience.