Not long ago, enterprise security architecture was modeled like a castle, complete with walls and a moat. Enterprises hosted their corporate applications in the data center, and users accessed them from “inside” the corporate network with company-managed devices, within the physical confines of the corporate campus. Identity and access were managed at the network level, using network constructs and network access control within the organization. Life was simple and good.
However, the industry changed, and that fairy tale architecture vanished.
The advent of digital transformation, driven by trends such as mobile, social, cloud, and IoT, has created unprecedented opportunities for enterprises, but also significant challenges with regard to managing identity and access. On one hand, enterprises are stuck with islands of identity, as security teams adopt numerous IAM policy management tools to cope with heterogeneous environments. On the other, traditional ways of managing policy through VLANs, ACLs, firewalls, VRFs, VPNs, and more, no longer provide the level of security that they once did — leaving enterprises vulnerable to attack.
The problem is that the traditional way of managing access relies on excessive trust — placing users within the castle walls. This leaves enterprises continually at risk for unwanted intrusion and lateral movement within their networks. Indeed, with this excessive trust, it is easy to spread malicious activity from a single compromised system to an entire network, thereby compromising an organization’s confidential or regulated data.
Today, enterprises need a new security model — one where the perimeter isn’t defined by physical location. They need robust security, where every access request is rigorously authenticated and authorized with sound policy and inspected for anomalies before access is granted. They need a model that adapts to the complexities of the modern environment, such as cloud and mobility, and protects people, devices, applications, and data wherever they are located. They need identity-based access management.
Enterprises need to shift from traditional, IP address-based access to user identity-based authentication and authorization. Here, identity refers to any asset that can connect to the enterprise: users, devices, applications, and data. Crucially, such a model must always include strong authentication and authorization mechanisms to ensure that any identity is compliant with access policy, before access is granted. This is a “never trust, always verify” approach to security.
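The contrast between location-based trust and per-request, identity-based authorization, as an added example that is not part of the original post; the address range, resources, roles and policy rules are constructed for illustration:

```python
# Added example, not from the original post: a castle-and-moat check beside a
# "never trust, always verify" policy check. All names and ranges are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Traditional model: any source inside the campus range is trusted for everything.
CORPORATE_NET = ip_network("10.0.0.0/8")   # constructed range

def perimeter_allows(src_ip: str, resource: str) -> bool:
    """Location is the only credential; the resource being asked for is ignored."""
    return ip_address(src_ip) in CORPORATE_NET


@dataclass
class AccessRequest:
    user: Optional[str]                 # None = not authenticated
    roles: set = field(default_factory=set)
    device_compliant: bool = False      # managed, patched, encrypted, etc.
    mfa_verified: bool = False
    resource: str = ""
    src_ip: str = "0.0.0.0"             # recorded for logging, never used for trust

# Identity model: a per-resource policy that is evaluated on every request.
POLICY = {
    "payroll-db": {"roles": {"finance"}, "mfa": True, "compliant_device": True},
    "wiki": {"roles": {"staff", "finance"}, "mfa": False, "compliant_device": False},
}

def zero_trust_allows(req: AccessRequest) -> tuple:
    """Authenticate the identity, check device posture and policy; default deny."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "unknown resource: default deny"
    if req.user is None:
        return False, "unauthenticated"
    if not (req.roles & rule["roles"]):
        return False, "role not permitted for resource"
    if rule["mfa"] and not req.mfa_verified:
        return False, "mfa required"
    if rule["compliant_device"] and not req.device_compliant:
        return False, "device not compliant"
    return True, "allowed"

if __name__ == "__main__":
    # A compromised host inside the campus range: the perimeter lets it reach
    # the payroll database, the identity model does not.
    inside = AccessRequest(user="intern", roles={"staff"}, resource="payroll-db",
                           src_ip="10.20.30.40")
    print(perimeter_allows(inside.src_ip, inside.resource), zero_trust_allows(inside))
```

With all edits applied, the same check runs for a finance user on a compliant, MFA-verified device connecting from a coffee shop, and that request is allowed even though the source address lies outside the campus range.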
We can elaborate on the definition of asset further:
To secure the enterprise perimeter in a hyper-connected world, organizations need next-generation solutions that provide a number of key capabilities:
The traditional castle-walls-and-moat architecture worked well in another era — but it no longer provides the level of security that enterprises need. To thrive in a world transformed by cloud, mobility, and connected devices, enterprises need to embrace the next generation of security solutions and make identity the new perimeter.