When CIOs talk security they often use words like "firewall" and "antivirus." Here's why today's technology landscape needs a different vocabulary.
Modern businesses are more open than ever before, but that doesn't mean they are more secure. On the business side, companies are taking advantage of cloud computing by focusing on their core competencies and outsourcing what they can to third-party vendors. On the consumer side, employees armed with their own devices are increasingly demanding flexible, frictionless access to data from anywhere.
When a CIO thinks about security he or she likely thinks "firewall" and "antivirus." While these security technologies are still relevant, the shift to cloud and mobile requires today's CIOs to embrace a new set of security technologies. Security professionals will need to make sure that "identity" enters every CIO's vocabulary.
Here are five new truths every CISO should teach the CIO about identity:
Truth 1: Identity is the new perimeter
The traditional approach to enterprise security has focused on keeping users out by employing firewalls as security perimeters. Today, businesses inundated with mobile, cloud, and SaaS, along with access demands from partners and customers, can no longer survive on that approach. Businesses today must validate users based on identity along with specific attributes such as role, privileges, location, and device regardless of where the request originates and where the data resides. As a result, traditional security perimeters are giving way to a virtualised world where trusted and federated identities are shaping a new security perimeter.
Truth 2: Cloud makes identity management easier
CIOs can use modern identity tools to add the word "anywhere" to their authentication vocabulary. They can take users from any repository anywhere and attach them to any authentication/security infrastructure anywhere, then connect them to any application anywhere. Current internal identity management systems and end-user directories can be integrated with cloud-based IAM services, allowing enterprises to outsource IAM for non-critical user populations and applications, while managing critical identities and privileges internally. Features such as multi-factor authentication are now add-ons that sit in the cloud, making them convenient and inexpensive to add.
Truth 3: The identity experience needs to be consistent across all channels
Many businesses invest heavily in a security regime that works for web applications, but it doesn't necessarily extend to mobile apps. Newer identity standards, OpenID Connect and OAuth 2.0, give users a consistent authentication experience across web and mobile applications. The two are complementary: OAuth 2.0 handles delegated authorization, issuing access tokens that an application presents to APIs, while OpenID Connect adds an authentication layer on top of it, returning an ID token that tells the application who signed in. Because OpenID Connect always sends users to the same place to authenticate, you see what your users are doing under all circumstances, and you can apply the full force of your security tools at that one point. Users get a consistent experience everywhere. In addition, the same standards secure identity-based API access: the API verifies the token it receives (signature, issuer, audience, expiry, scope) before serving the request.
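The checks an API should perform before trusting an OAuth 2.0 access token or OpenID Connect ID token, as an added example that is not from the article or from Ping Identity's products. It assumes an HS256 (HMAC) shared secret so that it runs offline; production identity providers normally sign with RS256 and publish their public keys via a JWKS endpoint, but the validation rules are the same. The issuer URL, audience name, scopes and subject are constructed values for the demo.

```python
"""Validate a JWT-format OAuth 2.0 / OpenID Connect token at an API.

Added example. Assumptions (not from the article): HS256 with a shared
secret, a hypothetical issuer and audience, and constructed claims.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret-do-not-use"  # constructed, demo only
ISSUER = "https://idp.example.com"              # hypothetical identity provider
AUDIENCE = "orders-api"                          # hypothetical API identifier
CLOCK_SKEW = 60                                  # seconds of tolerated clock drift


class TokenError(Exception):
    """Raised for any reason a token must be rejected."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SECRET, alg: str = "HS256") -> str:
    """Build a compact JWT as an identity provider would.

    `alg` is a parameter only so the tests can produce a forged alg=none
    token; a real issuer would never emit one.
    """
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    if alg == "none":
        return signing_input + "."  # unsigned token, must be rejected downstream
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token: str, *, secret: bytes = SECRET, issuer: str = ISSUER,
                   audience: str = AUDIENCE, now: float = None) -> dict:
    """Return the verified claims or raise TokenError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # 1. Pin the algorithm. Trusting the header lets an attacker pick
    #    alg=none or confuse RS256/HS256 key handling.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    # 2. Verify the signature over header.payload in constant time.
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    # 3. The token must be from our IdP and minted for this API, not just
    #    any valid token the IdP ever issued.
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    # 4. Lifetime checks with a small skew allowance.
    if "exp" not in claims or now > claims["exp"] + CLOCK_SKEW:
        raise TokenError("expired")
    if now + CLOCK_SKEW < claims.get("nbf", 0):
        raise TokenError("not yet valid")
    return claims


def authorize_request(token: str, required_scope: str, now: float = None) -> tuple:
    """Gate an API call: (True, subject) on success, (False, reason) otherwise."""
    try:
        claims = validate_token(token, now=now)
    except TokenError as err:
        return False, str(err)
    if required_scope not in claims.get("scope", "").split():
        return False, "insufficient scope"
    return True, claims["sub"]


if __name__ == "__main__":
    now = time.time()
    good = mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice",
                       "scope": "orders:read", "exp": now + 300})
    print(authorize_request(good, "orders:read"))
    print(authorize_request(mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice",
                                        "scope": "orders:read", "exp": now + 300},
                                       alg="none"), "orders:read"))
```

The order of checks matters: the algorithm is pinned and the signature verified before any claim is read, so issuer, audience and scope decisions are only ever made on data the identity provider actually signed.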
Truth 4: Deep subject matter experience is no longer a requirement
It used to be that if you wanted Internet single sign-on (SSO), you had to understand the Security Assertion Markup Language (SAML), or hire somebody who did. These days, wizard-based options let anyone on staff set up an industry-best-practice connection in a very short period of time.
Truth 5: Compliance and usability go hand-in-hand
When you use Internet-grade security to connect your user community to their apps, your compliance story becomes much easier to tell. Your employees are less likely to put your corporation at risk by reusing their corporate credentials in the cloud. And because the corporation, rather than the individual employee, approves every cloud application connection, control and visibility become much stronger. Meanwhile, your users spend less time remembering and resetting passwords, and their application access "just works."
These days, identity and access management is a moving target shaped by the forces of cloud and mobile. By understanding these new realities, your IT execs will be positioned to make decisions that will benefit your organisations now and in the future.
Patrick Harding is responsible for the Ping Identity product and technology strategy. He brings more than 20 years of software development, networking infrastructure, and information security to the role, which includes oversight of the Office of the CTO and Ping Labs.