Traditional security perimeters that once protected corporate networks have blurred to the extent that they are no longer effective when it comes to securing today’s enterprises.
During the global COVID-19 pandemic, entire workforces began working from home overnight, and in the aftermath, remote, or at least hybrid, working is here to stay. Employees need to access networks and apps from anywhere, via practically any number of connected devices, meaning the attack surface has grown exponentially wider.
Again, this breadth of access, and range of devices and applications, has broken down the security walls that businesses used to rely on to protect their environments and has forced technology leaders to look for a new security model that is able to manage this anywhere, any-device reality.
This has seen a shift towards the idea of identity as the new perimeter. When identity is used to access company resources, only a specific user or device can gain access to any given resource. However, in the hands of a bad actor, those same credentials grant the same access.
Over and over again, in breach after breach, and incident after incident, attacks start with compromised identity. Threat actors make every effort to gain access to an identity and then abuse that identity to move laterally within the network and search for other credentials and identities that will help them achieve their goals.
Time and again, in breach after breach, the modern attack cycle, particularly in the cloud, starts with identity. Attackers seek to get access to an identity, then pivot between resources, discovering credentials and other identities that get them more and more access to get what they want.
The bottom line? Identity alone in a cloud-first world is no longer effective. Today, APIs are the sentinels at the gates of access, meaning that simple identity is no longer meaningful in a perimeter that extends way beyond the network. Where once security leaders used to worry about which systems cybercriminals could control, and where the chinks in the network’s armour might lie, today they need to think about identities in terms of what they can be used to access and control.
However, securing identities is not an easy feat. Even with identity and access management (IAM) tools that can look for anomalous behaviours, or behaviour analytics solutions that pinpoint any potential misuse of identities, a company isn’t safe.
This is why most forward-thinking companies are looking at the Zero Trust Network Access (ZTNA) model, which, instead of authenticating identity and granting access once, does this for every interaction. It’s important to note that zero trust is not a product, but rather a security framework that forces all users, irrespective of whether they are inside or outside the company’s network, to be authenticated, authorised, and continuously validated for both security configuration and posture before being allowed access, and to maintain that access.
In this way, at every stage of a client or host connection, zero trust has a security perimeter that ensures that the request is both valid and authorised. Instead of depending on implicit trust once the correct login credentials, biometric, or access token has been entered, everything is assumed to be untrusted and needs to be authenticated again, and again, and again.
By enforcing what can be thought of as a least privilege model on steroids, where access is only granted for what is absolutely needed, and combining this with strict segmentation, the attack surface can be shrunk to the bare minimum.
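As an added illustration, not part of the original article: a minimal policy decision function in Python that re-evaluates token validity, device posture and least-privilege grants on every request, so the same valid credential is refused from an unknown device or once posture degrades. The user, resource names, posture signals and policy values are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# All names, policy values and sample requests are constructed for illustration.
GRANTS = {"alice": {("payroll-api", "read")}}  # least privilege: explicit grants only

@dataclass
class Request:
    user: str
    token_expiry: float    # epoch seconds, taken from an already verified access token
    device_managed: bool   # device is enrolled and known to the company
    device_patched: bool   # posture signal reported at request time
    resource: str
    action: str

def decide(req: Request, now: float) -> tuple[bool, str]:
    """Evaluate one request; nothing is remembered from earlier requests."""
    if now >= req.token_expiry:
        return False, "token expired"
    if not req.device_managed:
        return False, "unmanaged device"
    if not req.device_patched:
        return False, "device posture failed"
    if (req.resource, req.action) not in GRANTS.get(req.user, set()):
        return False, "not granted"
    return True, "allow"

def run_session(requests, now):
    """Re-evaluate every request in a session and return the decisions."""
    return [decide(r, now) for r in requests]

NOW = 1_000.0
SESSION = [
    Request("alice", 1_600.0, True, True, "payroll-api", "read"),    # normal use
    Request("alice", 1_600.0, True, True, "payroll-api", "write"),   # beyond the grant
    Request("alice", 1_600.0, False, True, "payroll-api", "read"),   # valid token, unknown device
    Request("alice", 1_600.0, True, False, "payroll-api", "read"),   # posture degraded mid-session
    Request("alice", 900.0, True, True, "payroll-api", "read"),      # expired token
]

if __name__ == "__main__":
    for req, (ok, reason) in zip(SESSION, run_session(SESSION, NOW)):
        print(f"{req.resource}:{req.action:<5} -> {'ALLOW' if ok else 'DENY '} ({reason})")
```

Only the first request is allowed; the third shows a credential that is still valid being refused because the device context does not check out.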
With a zero trust model, the danger of a breach in which user credentials are stolen and exploited is eliminated, because identity is no longer trusted by default. Through ongoing verification, organisations can ensure that their identities can only be used by the right people, at the right time, and for the right purposes.
Identity has become the new perimeter in today’s cloud-based, highly connected world, and any company that ignores this, and trusts identity without ongoing validation, does so at its extreme peril.