During the Cloud Identity Summit 2017 keynote, there was a predictable discussion about the state of our deteriorating security perimeter. Given that this is the year's premier identity event, and that the speaker was Ping Identity's CEO, you might expect to hear the now ubiquitous meme: "Identity is the new perimeter." That is not what we heard, though. I want to quote exactly what he said and spend some time breaking it down. His quote is:
“Our perimeter isn’t disappearing – it’s shrinking…and if you thought security was hard before, try doing it at the level of a single piece of data.”
Andre Durand, CEO, Ping Identity
There is a lot to unpack here. I'll start by saying I could not agree more. It is popular to bash firewalls and to say that network security means nothing in a world of cloud, mobile, IoT and other emerging trends. That is simply false. A presenter from last week showed us how his large manufacturing organization would be moving quickly to a zero trust, always-on-internet model for all back office and knowledge worker systems. Those systems are largely mobile and cloud-based already, so the move simply makes sense, and there identity will be the perimeter. The same organization will also run plants that, while not using VPNs to connect across locations, will still operate LANs with more traditional perimeters. The takeaway is that things that look like today's security perimeter models will be with us for a very long time to come.
What happens to the data that lives outside these perimeters, though? What protection does it get? That protection is the shrinking security perimeter Andre Durand spoke about. Identity is part of it because the question of "who" is central to access today. There is also a question of enforcement, though. Something has to ask that question and then decide on an action given the answer (in policy terms, a decision point and an enforcement point). For your data, that something is going to be the systems that house the data, and maybe even the data itself. Most of those systems are designed as if they still lived in a safe inner ring of network-level protection. As that ring goes away, they must step up their ability to work with the new security models: evaluate the identity context of each request and decide per piece of data, not per network.
Data protection is a security problem with an identity answer. The ability to see how well the access that exists on your data today aligns with the identities, the people, you actually want to have access is a critical capability as you transition into the next generation of technology. Even organizations that have invested in Data Access Governance often approach it from a compliance mindset. We need to shift our view and treat Data Access Governance as a critical function for aligning the future of our security, which is largely about contextualized identity, with protections all the way down at the level of the data itself. That requires two things: knowing what is in the data, so that we can make informed decisions about who should have it, and knowing what access exists today, so that we can see where the two diverge. Only with that perspective in hand will we have the tools to enter this world of open but zero trust networks, with controls enforced by these shrinking perimeters.
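To make the two halves of that concrete, here is a small worked example added to this post; it is not code from the keynote, from Ping Identity, or from any Data Access Governance product. It models a data inventory in which each item carries a classification label (the "what's in the data" half) and its current ACL (the "what access exists today" half), an identity directory with group membership and clearance, a policy decision function, a reconciliation pass that lists every grant the current ACLs give that the policy would deny, and a data-layer read that enforces the policy decision instead of trusting the ACL alone. The users, groups, paths, labels and the "Everyone" principal are constructed for illustration.

```python
"""Data Access Governance reconciliation and data-layer enforcement.

Added example. All identities, groups, paths and labels below are constructed
for illustration and do not come from any real directory or file share.
"""
from dataclasses import dataclass

# Classification levels, lowest to highest (constructed label set).
LEVELS = {"public": 0, "internal": 1, "restricted": 2}
# Permission ranking so "write" is recognised as stronger than "read".
RANK = {"read": 1, "write": 2}
EVERYONE = "Everyone"  # assumed catch-all principal, as many ACL systems have


@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset
    clearance: str      # highest classification this person may read


@dataclass
class DataItem:
    path: str
    classification: str  # label from content scanning: what is in the data
    owner_group: str     # the group that should be able to modify it
    acl: dict            # principal -> "read"/"write": the access that exists today


def decide(identity, item, action):
    """Policy decision for one identity, one piece of data, one action.

    Reading requires clearance at or above the item's classification;
    writing additionally requires membership of the owning group.
    """
    if action not in RANK:
        return False
    if LEVELS[identity.clearance] < LEVELS[item.classification]:
        return False
    if action == "write" and item.owner_group not in identity.groups:
        return False
    return True


def granted(identity, item):
    """Highest permission the current ACL gives this identity, or None.

    Resolves user entries, group entries and the catch-all principal.
    """
    best = None
    for principal, perm in item.acl.items():
        if principal in (identity.user, EVERYONE) or principal in identity.groups:
            if best is None or RANK[perm] > RANK[best]:
                best = perm
    return best


def misalignments(directory, items):
    """Every (user, path, permission) the ACL grants but policy would deny."""
    findings = []
    for identity in directory:
        for item in items:
            perm = granted(identity, item)
            if perm is not None and not decide(identity, item, perm):
                findings.append((identity.user, item.path, perm))
    return findings


def read_data(identity, item, store):
    """Enforcement at the data layer: the stored ACL alone is not trusted.

    Access needs both an existing grant and a policy decision in favour,
    so a stale grant on restricted data is refused rather than honoured.
    """
    if granted(identity, item) is None or not decide(identity, item, "read"):
        raise PermissionError(f"{identity.user} may not read {item.path}")
    return store[item.path]


# Constructed identity directory and data inventory.
DIRECTORY = [
    Identity("alice", frozenset({"finance"}), "restricted"),
    Identity("bob", frozenset({"marketing"}), "internal"),
    Identity("carol", frozenset({"contractors"}), "public"),
]
ITEMS = [
    # A stale contractor grant left on restricted payroll data.
    DataItem("/finance/payroll.xlsx", "restricted", "finance",
             {"finance": "write", "contractors": "read"}),
    DataItem("/marketing/plan.docx", "internal", "marketing",
             {"marketing": "write", "bob": "write", "carol": "read"}),
    DataItem("/public/brochure.pdf", "public", "marketing",
             {EVERYONE: "read"}),
]
STORE = {item.path: f"<contents of {item.path}>" for item in ITEMS}


if __name__ == "__main__":
    for user, path, perm in misalignments(DIRECTORY, ITEMS):
        print(f"over-exposed: {user} has {perm} on {path}")
```

Run stand-alone, the reconciliation pass reports the two grants to carol that the classification does not justify, and `read_data` refuses her the payroll file even though the ACL still lists her group. In a real estate the inventory would come from a content-scanning tool and the ACLs from the file servers or SaaS APIs; the shape of the check is the same.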