Why user identity is becoming the new security perimeter

(Image credit: Geralt / Pixabay)

Digitalisation has many advantages, from increasing productivity to improving accessibility. However, every technology has its downside, and with digitalisation this comes in the form of increased organisational risk. So while we all benefit from being able to access networks from any location via a greater range of endpoint devices, and from using collaboration software, implementing agile working etc., by doing so we potentially increase the number of data egress points from our organisation’s network. All of this results in a significantly increased attack surface which those with malicious intent can target, and it enables them to utilise a much higher range of threat vectors.

First and foremost this is a business risk, not simply an IT risk. Every organisation needs to understand its position on risk and define this in policy – which requires a full understanding of assets, threats and vulnerabilities. The organisation needs to invest in the right level of resistive strength to balance against the increasing threats and threat vectors, taking into account the cost to the business if a threat succeeds. This requires board level commitment and appropriate commercial cover.

Designing networks from the inside out

From an IT perspective, addressing the risks arising from digitalisation means taking a fresh look at network architecture. The perimeter security architecture of enterprise networks has traditionally been designed from the outside in, using a ‘castle and moat’ or ‘hub and spoke’ approach. This needs to be re-examined, along with the continued relevance of MPLS connectivity, firewalls and VPNs, because securing only the traffic emanating from data centres no longer delivers enough value.

Today’s networks should be designed from the inside out, based on a consideration of data flows and security stacks. And it is not just infrastructure that is important. Compliance frameworks and policies may no longer be relevant, or may inhibit agility, and so will have to be constantly reviewed and rewritten – particularly as we move to a world of software defined networks, where policy and compliance are the main considerations in access to resources.

In a digital world, security has to be built into infrastructure, business applications and solutions from the moment that they are conceived, not just considered post development. We then need to challenge existing trust levels and move towards a point of zero trust – a granular implementation of security boundaries, termed micro-segmentation, which restricts unrequired and unwanted lateral movement of traffic between systems and in user access.

Implementing zero trust – or restricted trust – begins with a full understanding of access management and the aligning of rights, privileges and behavioural patterns that are built into policies. It means implementing least privilege and default deny policies for each user and each system, with clear processes to elevate rights on approval. This should be accompanied by the ability to monitor and log both successful and failed access. We also need to incorporate data protection into system design. The mapping of personal data needs to be considered carefully, in the light of GDPR, and zero trust can be built into systems in such a way as to restrict or prevent any data loss.

Users are the new security perimeter

In a zero trust network, access management is aligned to user management, and for effective security organisations need to know who is accessing what data, when, where and why, so that they can wrap security around how their users actually work. For example, if someone is logging into the network at 10pm, is this normal behaviour? What applications and data are they accessing, and should this set alarm bells ringing?

In effect, users are becoming the new security edge, and identity management is becoming the new perimeter management.

To apply user management effectively, organisations first need to fully understand access behaviour across system users (the Who, What, When, Where and Why). There are many analysis tools available within existing applications. For example, Microsoft provides a number of analysis tools within the Office 365 suite, depending on which licenses an organisation has purchased, including advanced threat analytics and advanced threat protection. These systems analyse the environment and who is doing what, where and when. They are self-learning and progressively reach a point where they only alert you when they detect abnormalities in access and traffic flow. However, organisations still need the resources to map their environment and the behaviour of their users so that they can tune these tools to create a picture of normal working at the organisation.

User management should be accompanied by robust cyber security training and awareness and acceptable use policies linked to HR policies. There should be ongoing training to ensure that all new cyber threat vectors are understood by users and mitigated effectively.

Finally, it is vital to securely manage access to company resources from mobile and other devices, especially where staff are permitted to use personal devices (i.e. BYOD, BYOT and the IoT). Multi-factor authentication should be implemented, along with mobile device management (MDM), mobile application management (MAM) and mobile identity management (MIM) where data security is important.

Handling threats means logging everything

Logging user behaviour as outlined above will help organisations to understand what is ‘normal’ in their network and for their users. This information can also be used for compliance analytics, which involves gathering and storing relevant data and mining it for patterns, discrepancies, and behavioural abnormalities. Compliance analytics helps companies proactively identify issues and provide appropriate remediation actions.
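The baselining described above and in the 10pm login example, as an added illustration that is not part of the original article or any vendor product: a per-user picture of 'normal' (hours, resources, locations) is learned from constructed sample log lines, and later events are flagged when they fall outside it. The log format and all names are assumptions.

```python
from collections import defaultdict, namedtuple
from datetime import datetime
Event = namedtuple("Event", "time user resource location result")

# Constructed sample access log (not real data): timestamp,user,resource,location,result
BASELINE_LOGS = """\
2024-03-04T09:02:11,alice,finance-share,london,success
2024-03-04T16:40:05,alice,finance-share,london,success
2024-03-04T08:30:00,bob,eng-repo,manchester,success
2024-03-05T15:55:12,bob,build-server,manchester,success
""".splitlines()
NEW_LOGS = """\
2024-03-06T10:05:00,bob,eng-repo,manchester,success
2024-03-06T22:10:44,alice,hr-database,unknown,success
2024-03-06T22:12:01,carol,finance-share,london,failure
""".splitlines()

def parse(line):
    ts, user, resource, location, result = line.split(",")
    return Event(datetime.fromisoformat(ts), user, resource, location, result)

def build_baseline(lines):
    """Per user: hours, resources and locations seen in successful access (the Who/What/When/Where)."""
    baseline = {}
    for e in map(parse, lines):
        if e.result != "success":
            continue  # only successful access defines 'normal'
        b = baseline.setdefault(e.user, {"hours": set(), "resources": set(), "locations": set()})
        b["hours"].add(e.time.hour)
        b["resources"].add(e.resource)
        b["locations"].add(e.location)
    return baseline

def flag_anomalies(lines, baseline):
    """Return {user: [reasons]} for events outside that user's recorded 'normal'."""
    findings = defaultdict(list)
    for e in map(parse, lines):
        b = baseline.get(e.user)
        if b is None:
            findings[e.user].append("no baseline for user")
        else:
            lo, hi = min(b["hours"]), max(b["hours"])  # working-hour window
            if not lo <= e.time.hour <= hi:
                findings[e.user].append(f"access at {e.time:%H:%M} outside {lo:02d}:00-{hi:02d}:59")
            for field in ("resource", "location"):
                if getattr(e, field) not in b[field + "s"]:
                    findings[e.user].append(f"new {field} {getattr(e, field)}")
        if e.result != "success":
            findings[e.user].append("failed access")  # failures are logged and counted too
    return dict(findings)
```

With only a few baseline events the hour window is crude; in practice the baseline is built over weeks and reviewed by someone who knows the organisation, which is the tuning effort the article refers to.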

All of the above may sound like a huge amount of work. However, it is worth remembering that most security breaches come from failures in basic security defences and not from complex attacks. In order to minimise the risks, organisations should begin by implementing basic security correctly, and setting data access based on roles and attribute based policies, before moving on to more complex analytics.
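The role and attribute based, default deny access policy described here, together with the least privilege, approved elevation and MFA/MDM points made earlier, as an added example that is not the article's or any product's code: a small evaluator that allows a request only when a rule for one of the user's roles matches and every attribute that rule requires is present, and that records every decision for review. The policy table, attribute names and users are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Request:
    """One access request with the attributes the policy may test."""
    user: str
    roles: set
    action: str                       # "read" or "write"
    resource: str
    mfa: bool = False                 # multi-factor authentication completed
    managed_device: bool = False      # device enrolled in MDM/MAM
    approved_elevation: bool = False  # rights temporarily elevated on approval

# Hypothetical policy table (constructed for this example). Each rule grants one
# (role, action, resource) and may require further attributes to be true.
POLICY = [
    {"role": "finance", "action": "read", "resource": "finance-share", "require": ()},
    {"role": "finance", "action": "write", "resource": "finance-share", "require": ("mfa", "managed_device")},
    {"role": "hr", "action": "read", "resource": "hr-database", "require": ("mfa", "managed_device")},
    {"role": "admin", "action": "write", "resource": "hr-database",
     "require": ("mfa", "managed_device", "approved_elevation")},
]

AUDIT = []  # every decision, allowed or denied, is recorded for later review

def evaluate(req, policy=POLICY):
    """Default deny: allow only if some rule matches the request and all its attribute requirements hold."""
    reasons = []
    for rule in policy:
        if rule["role"] not in req.roles or rule["action"] != req.action or rule["resource"] != req.resource:
            continue
        missing = [attr for attr in rule["require"] if not getattr(req, attr)]
        if not missing:
            decision, reason = "allow", f"{rule['role']} may {rule['action']} {rule['resource']}"
            break
        reasons.append(f"{rule['role']} rule needs {', '.join(missing)}")
    else:  # no rule granted the request
        decision, reason = "deny", "; ".join(reasons) or "no matching rule (default deny)"
    AUDIT.append((req.user, req.action, req.resource, decision, reason))
    return decision, reason
```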

Neville Armstrong, Service Strategist, Fordway Solutions