Securing Enterprise Identities For Dummies, Part 1

We have written extensively this past year (here, here and here) about how traditional approaches to creating a secure network perimeter are no longer sufficient to protect your organization in an increasingly mobile and cloud world.

“Securing this traditional ‘network perimeter’ included layers of firewalls, intrusion detection systems, and other network security devices and systems intended to keep data safe against attack. Attackers know that with the right credentials, they no longer have to fight through the old ‘perimeter’ defenses. They now use stolen credentials to gain access to your critical data, just like an employee.”

(from “Securing Enterprise Identities For Dummies, Centrify Special Edition”, by David Seidl, John Wiley & Sons, Inc.)

The days of drawing a simple “circle of trust” to keep the bad guys out and the good guys in are over. Passwords alone are effectively dead as a means of securing access to a network. Combine this with the fact that increasing amounts of your data are stored in the cloud, on mobile devices or in partners’ networks, and a circle-of-trust approach to security simply creates a false sense of security.

[Figure: Circle of trust]

So what can be done to secure your enterprise identities?

Centrify has teamed with Wiley & Sons to develop a no-nonsense guide for anyone who is.

Consider the following steps:

Step #1: Take stock of your existing enterprise

Your traditional datacenter has racks of servers in a secure location holding your apps and data. But today’s enterprise has apps and data everywhere. When considering how to secure access to them, you must account for every location where they reside: on-premises, in the cloud, in big data platforms and in mobile apps.

And a special mention should be made about VPNs and identity. Offsite access is a serious security challenge for two reasons: it is hard to prove that the user who logged in is who they claim to be, and VPN access often grants wide and deep access to your systems and resources once that user is on the network.

When taking stock, it is important to consider not only all of your systems, apps and data but also your users. Classifying each of your user communities ensures that you don’t close the front door only to leave a side door open. Consider every user community: system and application administrators and power users, privileged accounts, employees, contractors and outsourced IT, third-party vendors, partners and customers.

Step #2: Consider the role of identity in cybersecurity

Once you have taken stock of the breadth of your users and resources, it is important to understand the role identity plays in current cybersecurity challenges: breaches, hackers and attackers, and advanced persistent threats. Many of these incidents start with compromised credentials and poor security around how user accounts and rights are created, monitored and maintained.

Special attention must be paid to identity and secure access for external and mobile users (and systems!), such as those on hosted or cloud infrastructure, on mobile devices and working remotely.

All of this shows how new workflows and requirements have dissolved traditional network boundaries into what is effectively a single, flat network spanning all users and resources. Each of these groups needs access in a secure way, and identity can provide a consistent and effective layer of security where traditional firewalls and other security infrastructure cannot.

[Figure: Identity circle of trust]

Step #3: Architect security using identity

So how do you begin to architect security using identity? A modern security perimeter has to combine traditional perimeter defenses with additional layers that can handle hybrid infrastructure, new styles of work, and new ways of connecting. At the same time, both the traditional defenses and the new layers need to be designed to handle current threats like targeted phishing attacks, insider threats, and of course, advanced persistent threats.

A complete security plan will partner the traditional security layers like firewalls, IDS and IPS systems, and antivirus software with an identity platform that can provide user‐ and privileged account‐level security, as well as audit and control over user access and administration of accounts.

Step #4: Deploy an identity platform for security

Yes, there are lots of point products from various vendors that can help you begin the journey: single sign-on (SSO) and Identity as a Service (IDaaS) to protect access, enterprise mobility management (EMM) to protect your mobile devices, multi-factor authentication (MFA) to defend against compromised credentials, provisioning and deprovisioning to ensure correct access, secure remote access to reduce the exposure from a VPN, and privileged identity management (PIM), privileged account management (PAM) and privileged session monitoring (PSM).

BUT an identity platform can provide a unified and integrated set of tools, auditing, reporting and control across all of your user communities and resources. A platform-based approach lets you achieve the security you are looking for with a consistent set of tools and features, and without the hassle of dealing with so many vendors.

In part two I will dive deeper into the top things to look for in an identity platform.

If you would like to learn more about securing enterprise identities right now, download the free guide.