The traditional approach to IT security used by many organisations can be likened to building a castle surrounded by a moat. Core resources are housed in an on-premises datacentre and protected from outside threats by firewalls and other security tools.
Now, in 2021, this approach is rapidly changing. Rather than relying on building and maintaining a secure perimeter around resources, increasing numbers of organisations are embracing a strategy based on identity.
Often dubbed a ‘zero trust’ approach, the strategy follows the logic that people, devices, and applications have to prove their identity before being allowed to access resources. It’s only once this identity has been confirmed that they are granted the access they desire.
The concept of secure identity is gaining traction in other areas as well. From online shopping and interacting with governments to secure digital health records, identity is quickly becoming a key component.
Identity-based security is particularly important in the post-COVID world. With large numbers of staff expected to work from home for an extended period, if not permanently, the concept of having a secure perimeter simply no longer makes sense.
The growing number of connected devices in use is also driving demand for an identity-based approach to security. With everything from IP-enabled cameras and sensors to connected machinery and cars needing access to centralised systems, being able to accurately identify them and grant access is critical.
For these reasons, organisations are shifting their security spending towards identity-based and zero trust solutions. They understand it is the only effective way to maintain the security of core corporate digital assets while also making them available to those who need them.
Attention is also focusing on how identities will be managed. Organisations need to decide whether they will provide digital identity credentials to all authorised users or rely on credentials provided by a trusted third party. Such third parties could be anything from a bank to a government department or a telecoms company where a customer has already proven their identity.
Organisations also need to have in place the ability to identify the devices through which users are asking for access. This might be easy to achieve if it is a company-issued PC or smartphone, but it becomes more challenging if it is a home-based computer.
The third element that needs to be in place is the ability to manage the access rights of each identity. Just because someone has confirmed their identity, it doesn’t mean they should be granted access to all applications and databases. Mechanisms are needed that ensure they are only able to reach resources that they specifically need to complete their work tasks.
Here, it must be remembered that there is a clear difference between authentication and authorisation. Identity is part of the puzzle, but it is tightly linked to how the authority to access resources is managed.
AI and automation
When building a robust and effective identity-based security infrastructure, there is also a role for AI and automation tools. Put to work across the organisation, these tools can monitor user behaviour and flag anything that looks suspicious.
Odd events might be a user accessing a database they have never used before, or sending large volumes of data to an external party. In this way, the tools can put an additional layer of protection in place that augments the steps taken by the identity management components.
It’s clear that the old perimeter-based approach to IT security is over. New approaches based on identity are quickly filling the gap and will soon become the standard for most organisations. The result will be better flexibility, access, and security for all.
Mark Lukie is the APAC sales engineer manager at Barracuda.