Posted: March 26, 2021
Category: IAM

A few years ago, we were all bombarded by marketing campaigns from identity management (IDM) software vendors stating that “Identity is the new Perimeter.” While that sounds good and sells well to CISOs and CIOs, it is a little simplistic and misleading. I believe that identity is just a small part of what can be considered the “new security perimeter.”

We know that the weakest link in the cybersecurity chain for any company is its users. Attackers know that they can socially engineer users and get them to divulge credentials or download malware from compromised websites. IT security teams continue to deploy protection software to prevent users and systems from being harmed by mistakes made by users. For many organizations, a significant percentage of the IT security budget is dedicated simply to trying to protect the company from human error.

The reality is that the “new perimeter” is a holistic view that combines identity, system or device, network, applications, and data. If you focus on just one—or even a few—of these pillars, it can provide a false sense of security. You may successfully monitor and protect the pillar or pillars you’re paying attention to and still end up compromised. If any aspect of this holistic “perimeter” is exploited, the attacker has a fairly easy path to a full-blown breach in which all aspects are compromised.

Too many CISOs define their cybersecurity strategy by checking boxes for the regulatory requirements of the different agencies that audit their environment. While compliance with regulatory frameworks like Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI-DSS), and other mandates is required and can be expensive if not adhered to, the simple fact is that compliance is not security. Chasing regulatory checklists is not a strategy, but a recipe for disaster leading to a breach.

Holistic or aggregate security considers a broader view of the environment when defining the cybersecurity strategy and selecting tools and processes. Aggregate security focuses on making sure that the protections for each object (identity, system, data, application, etc.) are integrated with the others. For example, when strange or malicious behavior is detected on the network, that is a red flag that should change the security posture of the affected system, identity, data, and application as well.
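To make the difference between a siloed and an aggregate response concrete, here is an added illustration (not code from the original post or from any product) in which one high-severity network alert either changes only the network pillar's posture or, when the pillars are integrated, tightens the linked identity, device, application and data controls too. The alert record, the pillar names and the posture states are constructed for this example.

```python
from dataclasses import dataclass, asdict

# Constructed sample alert from the network pillar (not from any real tool).
# The user, device and app fields are the links an integrated platform needs.
NETWORK_ALERT = {
    "pillar": "network",
    "signal": "beaconing_to_known_c2",
    "severity": "high",
    "user": "alice",
    "device": "lap-042",
    "app": "payroll",
}

@dataclass
class Posture:
    """Controls currently applied to the objects tied to one alert, per pillar."""
    identity: str = "normal"
    device: str = "normal"
    network: str = "normal"
    application: str = "normal"
    data: str = "normal"

def siloed_response(alert: dict) -> Posture:
    """Point solution: only the pillar that raised the alert reacts."""
    posture = Posture()
    if alert["severity"] == "high":
        setattr(posture, alert["pillar"], "blocked")
    return posture

def aggregate_response(alert: dict) -> Posture:
    """Aggregate security: the same red flag tightens every linked pillar."""
    posture = siloed_response(alert)
    if alert["severity"] != "high":
        return posture
    if alert.get("user"):          # identity pillar: force re-authentication
        posture.identity = "step_up_auth"
    if alert.get("device"):        # device pillar: isolate the suspect endpoint
        posture.device = "quarantined"
    if alert.get("app"):           # application pillar: drop the live session
        posture.application = "session_revoked"
        posture.data = "export_denied"   # data pillar: close exfiltration paths
    return posture

def changed_pillars(posture: Posture) -> set[str]:
    """Which pillars moved off their default state."""
    return {k for k, v in asdict(posture).items() if v != "normal"}

if __name__ == "__main__":
    print("siloed   :", changed_pillars(siloed_response(NETWORK_ALERT)))
    print("aggregate:", changed_pillars(aggregate_response(NETWORK_ALERT)))
```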

The push for a holistic approach is also evident in merger and acquisition activity in the security industry. There has been a movement in recent years to try to integrate different layers of security. We have seen vendors buy up smaller point-solution vendors and roll everything together so they can say they have a “holistic” security solution. The challenge, however, is in successfully and seamlessly integrating the different solutions. Do they really share information across each layer or application to provide a robust security platform? Successes in this area are few and far between.

The latest trend in security frameworks is secure access service edge (SASE) and zero trust architecture (ZTA). I am a huge advocate of both these movements and see great promise in these innovations. But neither will solve the siloed-solution problem that I am seeing if security teams are not able to integrate their solutions to take advantage of shared information across all the pillars. Having an aggregate security mindset is critical to delivering a full-scoped solution.

Identity is not the new perimeter. It is one facet of a comprehensive security posture. The new perimeter is not a perimeter at all but a mindset that views aggregate security across all pillars of the environment.
This blog was written by Morgan Reece, System Director of Security Architecture at Baylor Scott & White Health.