Digital identity is the new security control plane
2020 saw a hugely accelerated evolution in the cybersecurity landscape. The pandemic pushed workforces remote and caused companies to move up plans for digital transformation, cloud services, and a plethora of remote access technologies. Meanwhile, the traditional operating models are not, and will not be, completely replaced in most organizations. Organizations have been left with a huge range of perimeters, from the endpoint to secure access service edge (SASE), from system-level role-based access control to virtual private networks, and with the operational complexity that comes with them. This is compounded by a technical staff that was probably already stretched and a workforce that is operating under a new paradigm.
Despite this fragmentation of vendors, platforms, and security models, it remains vital that data and applications continue to be appropriately protected. Complexity is the enemy of security, so it is vital that we simplify the administration of systems before complexity leads to misconfiguration and misconfiguration leads to exposure. The controls must be as transparent as possible to the end user: security as an enabler of access, not a frustration to be avoided or circumvented.
We have a parallel for this challenge, at least. As networks grew, it became infeasible to manage routing on every single device via static routes; it was both overly complex and very inflexible. Users needed to be able to access resources easily and without interference, and admins needed not to be making constant updates. The RIPv1 routing protocol was standardized in 1988 and BGP in 1989, and these protocols allowed for consistent packet handling across multiple devices and vendors with less manual intervention. They provided a consistent control plane across all of these disparate routing platforms.
Our security infrastructures now consist of disparate, possibly layered, controls. These controls come from multiple vendors, sit in multiple places, have multiple implementations, and apply different types of protection. It is vanishingly rare that a single pane of glass can manage even a subset of the controls needed to enforce the security policy. To simplify this, we need a consistent "control plane" equivalent for these controls, one that can be applied to as many as possible of the huge range of enforcement points.
Digital identity, in the form of trusted contextual data defining who is accessing a system and how, provides this control plane. Users already present their identity, and likely at multiple points along the path. The same property that makes identity a useful control plane also makes it the highest-value target: the identity provider and the keys that sign its assertions must themselves be protected, because a compromise there is inherited by every enforcement point that trusts them.
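The following is an added example, not code from the original article, of what "identity as a control plane" looks like in practice: an identity provider issues a signed context assertion (who the subject is, their groups, whether MFA was used, whether the device is managed, which network they are on), and every enforcement point, whether a VPN gateway, a SaaS application or a host-level RBAC check, verifies that assertion and then asks one shared policy function for a decision. The resource names, policy rules, HMAC key and the `sign_context`/`verify_context`/`decide` functions are all hypothetical; a real deployment would use an OIDC or SAML token signed asymmetrically by the IdP rather than a shared HMAC key.

```python
"""Added example: one identity-driven policy shared by several enforcement points.

Hypothetical design, not code from the original article. Assumes:
- an identity provider issues a signed "context assertion" (here an HMAC-signed
  JSON blob standing in for an OIDC/SAML token);
- every enforcement point (VPN, SaaS app, host RBAC) calls the same decide().
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed shared secret for the demo only. A real IdP would sign
# assertions with an asymmetric key, never a secret shared with every relying party.
IDP_KEY = b"demo-idp-key-not-for-production"


@dataclass(frozen=True)
class IdentityContext:
    subject: str
    groups: frozenset
    mfa: bool
    device_managed: bool
    network: str  # "corp", "vpn" or "internet"


def sign_context(ctx: dict, key: bytes = IDP_KEY) -> str:
    """IdP side: serialize the context deterministically and append an HMAC tag."""
    body = json.dumps(ctx, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + tag


def verify_context(token: str, key: bytes = IDP_KEY) -> IdentityContext:
    """Enforcement-point side: reject any assertion whose tag does not verify."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("identity context failed integrity check")
    d = json.loads(body)
    return IdentityContext(d["subject"], frozenset(d["groups"]),
                           d["mfa"], d["device_managed"], d["network"])


# One policy table consumed by every enforcement point (hypothetical resources).
# A request is allowed only if every requirement listed for the resource is met.
POLICY = {
    "vpn-gateway":   {"groups": {"staff"}, "mfa": True, "managed": False},
    "hr-saas":       {"groups": {"hr"},    "mfa": True, "managed": True},
    "prod-db-admin": {"groups": {"dba"},   "mfa": True, "managed": True,
                      "network": {"corp", "vpn"}},
}


def decide(resource: str, ctx: IdentityContext) -> tuple:
    """Shared policy: the same decision logic regardless of which control asks."""
    rule = POLICY.get(resource)
    if rule is None:
        return False, "unknown resource: default deny"
    if not ctx.groups & rule["groups"]:
        return False, "subject not in required group"
    if rule["mfa"] and not ctx.mfa:
        return False, "MFA required"
    if rule["managed"] and not ctx.device_managed:
        return False, "managed device required"
    if "network" in rule and ctx.network not in rule["network"]:
        return False, "network not permitted for this resource"
    return True, "allow"


def enforcement_point(name: str, token: str) -> tuple:
    """Any enforcement point: verify the assertion first, then ask the shared policy."""
    try:
        ctx = verify_context(token)
    except ValueError as e:
        return False, str(e)
    return decide(name, ctx)


if __name__ == "__main__":
    # Constructed sample subject.
    alice = sign_context({"subject": "alice", "groups": ["staff", "dba"], "mfa": True,
                          "device_managed": True, "network": "vpn"})
    for ep in POLICY:
        print(ep, enforcement_point(ep, alice))
    # Tampering with the context (claiming MFA was not used) breaks the tag.
    print("tampered", enforcement_point("vpn-gateway", alice.replace('"mfa":true', '"mfa":false')))
```

The point of the structure is that the VPN gateway, the SaaS application and the host RBAC layer differ only in the `name` they pass to `enforcement_point`; the identity context and the policy are the same everywhere, which is what makes identity function as a control plane. The integrity check comes before the policy check so that a forged or modified context is never evaluated, and unknown resources fall to default deny.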
To read the complete article, visit Dark Reading.