The perimeter around our critical data and infrastructure was lost years ago when applications began moving to the cloud and remote work became prominent. With the perimeter collapse came an unexpected rise in the importance of identity security, and enterprises have been slow to react.
The consequences of this rapid shift away from a perimeter-focused world have had a devastating impact: 74% of breaches target humans as the attack vector, according to the 2023 Verizon Data Breach Investigations Report. Security professionals must begin to pivot their organizations towards this new reality by taking a blended approach that focuses on identity first and the principles of Secure by Design/Secure by Default.
The phrase “identity is the new perimeter” often gets overused, but that doesn’t mean it’s inaccurate. Identity has always played a critical role in security. Still, over the past five years, its importance has increased exponentially with the cloud's shared responsibility model and the explosion of applications both on-premises and in the cloud. In this context, the "Secure by Design/Secure by Default" (SBD2) directive by the Cybersecurity and Infrastructure Security Agency (CISA) isn't just timely, it's vital.
However, there are massive barriers to the SBD2 goal and identity as the perimeter, despite the best efforts of the industry’s Cybersecurity Awareness Month celebration. One such barrier that affects every business is nonstandard applications. Applications that fall into this category do not support common identity and security standards such as APIs and SAML. While Shadow IT usually refers to SaaS used without IT and security approval, nonstandard applications, including on-premises, OT, legacy, and cloud, fall across the IT infrastructure and systems spectrum. How big is this problem? Research from Okta and Netskope highlights that a staggering 97% of an enterprise's apps fall outside the typical identity perimeter. The Ponemon Institute took this one step further and found that 52% of organizations have experienced cybersecurity incidents caused by nonstandard applications.
Moving to an identity-first world requires us to bring nonstandard applications under the control of an organization's identity provider, such as Okta, Azure AD (Entra ID), and SailPoint. However, this isn’t possible without a solution that creates a fully connected identity mesh between your identity provider and nonstandard applications. In the past, organizations attempted to band-aid this problem with enterprise password managers, but this no longer works because of their lack of automation and integration with identity providers.
Navigating the cybersecurity landscape requires an intricate dance with SBD2 principles, nonstandard applications, and the concept that identity forms the new perimeter. The trinity of these elements creates a critical framework for modern digital defense.
SBD2 inherently encourages a posture of prevention, integrating security protocols seamlessly from inception to deployment, which offers a solid foundation to counteract threats. Yet the prevalence of nonstandard applications presents a challenge: because they lack support for standards, they inherently resist streamlined integration with identity providers. The strategy then pivots to establishing identity as the forefront of our digital interactions, fortifying security where traditional perimeters have dissipated, particularly amid the unwieldy scope of nonstandard applications. A harmonized approach, which weaves together the intrinsic security of SBD2 and a fully connected identity mesh, with identity providers like Okta, Azure AD, and SailPoint at the center, emerges as the best path forward.
Reflecting on the 20th year of Cybersecurity Awareness Month and identity's emergence as the new perimeter leads to three areas security professionals need to focus on:
- Process over products: While crucial, tools such as multi-factor authentication (MFA), strong passwords, and password managers aren't silver bullets. They're part of the short-term solution as we move towards a fully connected identity mesh and standards like FIDO2.
- Control the unmanageable: The risk of nonstandard applications has become pressing and warrants immediate and collective attention. This problem affects every business; the problem space is growing, not shrinking.
- Automate what’s tedious but critical: Our focus must shift towards a future emphasizing automation and in-built security: SBD2.
We face a complicated threat landscape, and our conversations should not just focus on strong passwords and MFA. The industry must address the entire Identity and Access Management (IAM) lifecycle – especially nonstandard applications. My years in the field have shown one consistent truth: users often find themselves in murky waters when navigating tasks like enabling MFA or optimizing their account security. The software industry must ensure users aren’t overwhelmed with these essential yet complex tasks, move towards SBD2, and apply automation wherever security isn’t yet built in.
The end game? A digital world where individuals can navigate confidently without being security experts. Here’s to paving the way for a safer digital landscape in the next two decades of Cybersecurity Awareness Month and beyond.
Matthew Chiodi, chief trust officer, Cerby