Identity is the new perimeter
John Hawley makes the case for why recent technology advances and adoption mean a central identity service will soon be the main access door for every application
By John Hawley
September 17, 2012 — CSO
Cloud adoption, mobility and the consumerization of IT present the opportunity to transform the way enterprise employees, partners and customers do business. But as we move to leverage these new capabilities, we realize that the IT environment is quickly becoming more distributed.
The enterprise data center has become more of a virtual concept and is highly fragmented, quickly oozing around the comfortable security perimeter of firewalls and VPNs we so carefully constructed over the last decade. Protecting the cloud-based, mobile enterprise requires a new approach. While we cannot control the whole security stack for every SaaS application, we can leverage new identity standards to fill the gaps left by the disappearance of the traditional perimeter as we know it. Identity is the common denominator. Identity is the new security perimeter for the fragmented IT data center.
How We Got Here
It started with users outside the network. More employees are working remotely, and new organizations are being added through mergers and acquisitions. In many organizations, partners and even customers must be connected to application platforms as well to accelerate business interactions. But user diversity is not the only dynamic; the end-user device footprint is rapidly expanding too. According to Forrester Research, 52 percent of all information workers use three or more devices for work. Forrester also states that "in 2016, 350 million employees will use smartphones and 200 million of them will bring their own." The idea of controlling each device to create a network security perimeter is no longer a viable approach.
On the application side, cloud service models are fragmenting the data center. Many new applications are running on private clouds hosted externally or even on public cloud services such as Amazon EC2 or force.com. Of course, the cloud service model adopted most frequently is SaaS. IDC reports that "by 2015, about 24 percent of all new business software purchases will be of service-enabled software."
In fact, many of the SaaS purchases are undertaken by business owners, completely bypassing IT and security organizations and creating new instances of the enterprise IT environment. This is known as Shadow IT.
Previously, the Shadow IT movement was about a business owner buying a server, getting an IP address and installing a stealth application. But today's Shadow IT problem presents a far greater threat to the security of an organization through the "Shadow Identities" that employees create with cloud-based user accounts. Every Shadow Identity creates a back door to the enterprise. In most cases, employees will use the same account name and password for cloud services or external applications as they do in the enterprise or for their personal accounts. In that situation, if the SaaS provider's credential database or any of those personal accounts is compromised, the attacker can come right through the enterprise front door and take whatever they want. You don't want to be pulled into that conversation with your CEO.