Identity is the new perimeter
The enterprise data center has become more of a virtual concept and is highly fragmented, quickly oozing around the comfortable security perimeter of firewalls and VPNs we so carefully constructed over the last decade. Protecting the cloud-based, mobile enterprise requires a new approach. While we cannot control the whole security stack for every SaaS application, we can leverage new identity standards to fill the gaps left by the disappearance of the traditional perimeter as we know it. Identity is the common denominator. Identity is the new security perimeter for the fragmented IT data center.
How we got here
It started with users outside the network. More employees are working remotely and new organizations are being added through mergers and acquisitions. In many organizations, partners and even customers must be connected to application platforms as well to accelerate business interactions. But the diversity of the user is not the only dynamic. The end-user footprint is rapidly expanding as well. According to Forrester Research, 52 percent of all information workers use three or more devices for work. Forrester also states that "in 2016, 350 million employees will use smartphones and 200 million of them will bring their own." The idea of controlling each device to create a network security perimeter is no longer a viable approach.
On the application side, cloud service models are fragmenting the data center. Many new applications are running on private clouds hosted externally or even on public cloud services such as Amazon EC2 or force.com. Of course, the cloud service model adopted most frequently is SaaS. IDC reports that "by 2015, about 24 percent of all new business software purchases will be of service-enabled software."
In fact, many of the SaaS purchases are undertaken by business owners, completely bypassing IT and security organizations and creating new instances of the enterprise IT environment. This is known as Shadow IT.
Previously, the Shadow IT movement was about a business owner buying a server, getting an IP address and installing a stealth application. But today's Shadow IT problem presents a far greater threat to the security of an organization through the "Shadow Identities" employees and cloud-based user accounts create. Every Shadow Identity creates a back door to the enterprise. In most cases, employees will use the same account name and password for cloud services or external applications as they do in the enterprise or their personal accounts. In that situation, if the SaaS provider credential database or any personal accounts are compromised, the attacker can come right through the enterprise front door and take whatever they want. You don't want to be pulled into that conversation with your CEO.
The bottom line is that as the data center fragments, IT will often not have control over the network security perimeter, the device or the application security stack. Instead, the role of the corporate security officer is evolving to be the connector of business services. The security challenge is more about connecting the right people to the right business service, which cannot be done if every business service manages its own authentication and identity management. Security professionals need a way to pull identity and access management out of each cloud or business service and keep it within their control. A centralized identity management and authentication service that controls access to every business service, regardless of location or end-user device, will provide the ability to secure every door into the fragmented IT environment. Confirming the identity of each user and securely transmitting that information to each app becomes the new perimeter control.
Making it work
In the past, creating this model has been challenging, given that each application required its own user list and credentials. However, recent advances and growing adoption around standards such as SAML, OpenID Connect and OAuth for authentication and SCIM for user administration are making it possible to centralize authentication and pass a token to each application.
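To make the "pass a token to each application" idea concrete, here is an added example (not code from the article or from CA Technologies) of the minimal contract between a central identity service and a relying application: the service authenticates the user once and mints a short-lived token bound to one application, and the application accepts that decision only after checking signature, audience and expiry. The token format, the application names and the shared HMAC key are assumptions for illustration; SAML assertions and OpenID Connect ID tokens carry the same claims but are signed with the identity provider's asymmetric key.

```python
"""Added example (not from the article): a minimal signed-token hand-off
between a central identity service and a relying application, in the spirit
of the SAML / OpenID Connect flow the text describes."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret between the identity service and its applications.
# Assumption for the demo only: real SAML/OIDC deployments sign with the
# identity provider's private key and applications verify with its public key.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, audience: str, auth_method: str,
                now: float, ttl: int = 300) -> str:
    """Identity service side: after authenticating the user, mint a signed,
    short-lived token bound to exactly one application (the audience)."""
    claims = {"sub": subject, "aud": audience, "amr": auth_method,
              "iat": int(now), "exp": int(now) + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, expected_audience: str, now: float) -> Optional[dict]:
    """Application side: the app keeps no password database of its own; it
    trusts the central service only if signature, audience and expiry all
    check out. Returns the claims on success, None otherwise."""
    try:
        body, sig_text = token.split(".")
        expected_sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, _unb64(sig_text)):
            return None  # tampered body or signed with a different key
        claims = json.loads(_unb64(body))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    if claims.get("aud") != expected_audience:
        return None  # minted for another application; must not be replayed here
    if now >= claims.get("exp", 0):
        return None  # expired; short lifetimes make central revocation bite quickly
    return claims


if __name__ == "__main__":
    now = time.time()
    token = issue_token("alice", "crm", "mfa", now)
    print("crm accepts:", verify_token(token, "crm", now) is not None)
    print("hr-portal accepts:", verify_token(token, "hr-portal", now) is not None)
```

The audience check is the detail practitioners most often drop: without it a token issued for one SaaS application can be replayed against another, which recreates exactly the shared-credential back door the article warns about.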
Given that the central identity service becomes the main access door for every application, initial authentication of the user is critical. Risk-based modeling that adjusts authentication modes based on context such as the device, time of day, location, recent history and/or transaction value is required. These technologies are evolving such that much of this activity can be done transparently, keeping customers happy and ensuring business users don't work around corporate controls.
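The following is an added example (not from the article or any vendor product) of the risk-based step-up logic described above: each contextual signal the text lists (device, location, time of day, recent history, transaction value) contributes to a score, and the score selects how much the user is asked to do. The signal weights, thresholds and mode names are constructed assumptions; a production policy would be tuned from the organization's own login data.

```python
"""Added example (not from the article): a small risk-based authentication
policy that picks an authentication mode from login context."""
from dataclasses import dataclass


@dataclass
class LoginContext:
    device_known: bool          # device previously registered to this user
    country: str                # where the request appears to come from
    usual_country: str          # where this user normally signs in from
    hour_local: int             # 0-23 in the user's local time
    recent_failures: int        # failed attempts in the last few minutes
    transaction_value: float    # 0 for a plain sign-in, else amount being approved


def risk_score(ctx: LoginContext) -> int:
    """Each contextual signal adds to the score; higher means less confidence.
    Weights are constructed for illustration."""
    score = 0
    if not ctx.device_known:
        score += 30
    if ctx.country != ctx.usual_country:
        score += 30
    if ctx.hour_local < 6 or ctx.hour_local >= 22:
        score += 10
    score += min(ctx.recent_failures, 5) * 10
    if ctx.transaction_value >= 10_000:
        score += 50
    elif ctx.transaction_value >= 1_000:
        score += 20
    return score


def choose_auth_mode(ctx: LoginContext) -> str:
    """Map the score to a mode: 'transparent' (nothing asked, session continues),
    'password', 'mfa' (step-up), or 'deny' when the signals are bad enough
    that no challenge should be offered at all."""
    score = risk_score(ctx)
    if score >= 100:
        return "deny"
    if score >= 50:
        return "mfa"
    if score >= 20:
        return "password"
    return "transparent"


if __name__ == "__main__":
    # Constructed contexts: a routine office sign-in and a risky one.
    routine = LoginContext(True, "US", "US", 10, 0, 0)
    risky = LoginContext(False, "BR", "US", 3, 4, 0)
    print("routine ->", choose_auth_mode(routine))
    print("risky   ->", choose_auth_mode(risky))
```

The "transparent" outcome is what keeps business users from working around the control: a known device from the usual place during working hours is let straight through, and the extra friction is spent only where the context earns it.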
The security team gains obvious benefits from this architecture. They now have a control point to initiate and remove access to any application across the fragmented data center. What is new here is that the business will be supportive as well. The business owners buying their own SaaS applications will gladly cooperate to get single sign-on provided by the identity service. The CIO will welcome the reduction in support costs related to accessing such distributed applications. And everyone involved in compliance will support the identity service to gain the simplicity in reporting provided by a single access point to all applications. IT can even gain some extra kudos from the business owners by leveraging centralized reporting to identify SaaS application licenses that are not being fully used.
For most enterprises, implementation of the new identity perimeter architecture should start with the SaaS applications. For IT, it's important to collaborate with the business owners to identify what new projects they are pursuing, as many are likely to be fulfilled by SaaS applications. Next, get ahead of the game by researching the SaaS providers in that application area. Find providers that focus on enterprise-grade security and that support (or are at least planning to support) standards like SAML and SCIM. Finally, publish a catalog of those SaaS applications so your business owners have several to choose from. Capturing these projects at the outset and directing them through the new identity service will make securing the fragmented IT data center much simpler.
Whether you decide to build the identity service on-premises or buy it from an IAM-as-a-Service provider, keep in mind that this discussion is about more than just architecture. The value now lies in securely connecting users to distributed business services, using Identity as the new perimeter. But it's about even more than that. It's also about how the role of enterprise security must evolve to that of a business enabler. Once seen in that light, the security function will move from the back office to the boardroom.
John Hawley is Senior Director of Security Strategy at CA Technologies.