Summary
Today’s IT environments have become seemingly perimeter-less. Traditional security tools, such as firewalls, weren’t built to tackle the new network perimeter. Instead, the focus should be on better orchestration for identity.
Once upon a time, when all enterprise computing happened on premises, the network perimeter was easy to define. Antivirus software and a firewall with detection and prevention were all that we needed to stay secure.
Today’s IT departments face a much more complex landscape. Users are dispersed globally, often use their own devices, and often are not employees—creating another layer of risk. IT assets are dispersed as well, spread across hybrid clouds, on-premises data centers, edge deployments, and IoT devices. Application development is spread out among multiple departments and LOBs all developing their own apps. In this way, even the perimeter between IT and operations is obscured.
Not a day goes by when zero trust isn’t praised as the silver bullet to all security worries. But CISOs, who are in the trenches, are skeptical.
“I tend not to focus on network controls as much as I used to,” said one CISO in the report, Perfecting Cyber Resilience: The CISO Blueprint for Success. “Zero trust is overplayed. It means a lot of different things to a lot of different folks.”
Why Identity Is Outrunning Zero Trust
Here’s a real-life example of the power of identity-based security. Recently, the security awareness company KnowBe4 hired a software developer via video conference. The company conducted a background check and the usual pre-hiring checks before offering the developer a job. But as soon as the new hire received their company computer, KnowBe4 detected a steady stream of malware downloads.
KnowBe4’s endpoint detection and response (EDR) software detected the malware. And once the company’s security partner examined user behavior such as the downloading of executable software, the security team shut down device access. The threat actor appeared to have stolen a real person’s identity. Since KnowBe4 restricts new employees’ access to live production environments, there was no loss of data or damage to company systems.
To repel unauthorized users like the KnowBe4 “employee,” security teams must nail down identities via unique identifiers in the form of digital certificates for every aspect: users, devices, servers, databases, containers, and all other digital assets. In this way, identity creates a new perimeter by forming a logical firewall, so that entities lacking correct digital certificates can be easily detected and denied.
Managing so many identities may seem like a burden compared to the zero-trust approach, which, simply put, means no one is trusted by default from inside or outside the network. Zero trust requires a fundamental shift in processes for managing trust, authentication, and authorization, and many companies will find it requires too great a sacrifice in user experience and productivity. For most organizations, zero trust should be considered more as a long-term objective than an immediate solution.
Another big question around security and identity is the continuing migration of on-premises applications to cloud-hosted software-as-a-service (SaaS) environments. The standard methods of securing user accounts often don’t work in a SaaS environment, making it challenging to keep track of people leaving the company or changing roles. In short, departing employees might still be able to access apps and data. In these cases, identity is likely a more effective security solution than zero trust.
It’s important to note that service accounts also represent a huge attack vector, because once they’re created, they’re never managed properly. Passwords never change, privileges never evolve, and the accounts are not deleted when they’re no longer needed.
Hackers Have a Fresh Appetite for Identity
Almost 50% of organizations experienced phishing or third-party attacks that resulted in compromised credentials in 2023, according to Scale Venture Partners. Looking at recent breaches, it’s clear that identity is what hackers are looking to exploit. Beyond employing traditional approaches where appropriate, CISOs and their teams should look at better orchestration for identity—not only to control access and understand what people are doing but also to repel intruders.
And it’s not just people that hackers are exploiting: It’s the “non-humans” whose identities can also be compromised. These are admin or service accounts for SaaS solutions that are turned on when the software is activated, then typically are never turned off and are essentially ignored, even after the human admins or purchasers leave the business. With no updates, patches, or oversight, the non-human identities become a prime target for hackers.
Because traditional security tools, such as firewalls, weren’t built to tackle the new network perimeter or identities (human and non-human), CISOs and their teams must seek out process-focused solutions like privileged access management. They also should add tools like multi-factor identification, so they don’t rely solely on trust or authentication.
In fact, combining identity with other security strategies may help shore up defenses. As Gartner reports, by 2027, 70% of organizations will combine data loss prevention and insider risk management disciplines with identity and access management to identify potentially malicious behavior.
The reality is that we must focus on identity as the perimeter. Users and their privileges should be defined and managed on a consistent basis to ensure the right levels of access in an environment.
Download “Perfecting Cyber Resilience: The CISO Blueprint for Success” to Learn More
To learn about this and other security trends on leading CISOs’ minds right now and what tools and technologies they need most to reinforce their organizations’ data, download the report and learn more about Pure Storage’s data protection solutions.