Identity as a New Security Perimeter

Author: Jon R.G. Shende MSc., FBCS CITP, CISM with Gagan Satyaketu
Date Published: 24 May 2023

In the last decade, we have seen rapid change in technology usage. Against the backdrop of a global shift toward digitalization, new technologies on the market have changed how we engage with and use technology. Digitalization aims to bring rapid and instant gratification to stakeholders, from corporate employers to consumers, and with this, identity has become a key and central player for the services on offer.

Services can be consumed on the go, in the moment and from anywhere, focused on a targeted demographic and utilizing increasingly connected devices and cloud-based applications. These, in turn, bring inherent risk to people, things and systems outside the traditional security perimeter of yesteryear.

History of Identity and Access Management

Identity and access management (IAM) goes back to the 1960s, when IBM developed the Resource Access Control Facility (RACF) for its mainframe systems.

The intent behind RACF was to provide a centralized authentication and access control mechanism for mainframe resources. RACF allowed administrators to manage user accounts and control access to different resources according to defined policies, and included features such as password management, user authentication and auditing.

As technology progressed, we saw the rise of distributed computing and networking in the 1980s. Distributed computing, in turn, created the need for IAM systems that could manage identities and access across multiple systems and platforms, leading to the development of the Lightweight Directory Access Protocol (LDAP) and other directory services.

The 1990s saw the advent of web-based applications and the internet going mainstream, which led to the development of identity federation standards such as Security Assertion Markup Language (SAML) and Open Authorization (OAuth). SAML and OAuth allow administrators to manage access across different domains and systems, and enable users to authenticate and authorize access to web applications.

Leading into the 2000s, we saw the emergence of cloud computing and more reliance on mobile devices, which presented IAM administrators with new challenges in managing access to non-local resources. This resulted in the introduction of cloud-based IAM solutions, which have developed even faster over the past few years as cloud computing and digital transformation became mainstream.

Identity as the New Security Perimeter

Organizations, as we know, are constantly developing and adopting new digital technologies to meet business objectives and customer satisfaction metrics. This, coupled with the rise in working remotely or in a hybrid model, is contributing to the traditional security perimeter as we know it becoming less effective.

Traditional perimeter-based security models, as we know, protect an organization's IT infrastructure by relying on physical and logical boundaries, with security tied to physical location and the network edge. These models served for many years as the foundation of enterprise security, until the emergence and adoption of cloud services, mobile devices and remote work, as we experienced in volumes over the pandemic.

Because this traditional model has become outdated in effectively protecting organizations against constantly evolving and dynamically changing security threats, identity will lead in crafting effective security strategies within modern organizations.

With constantly moving users, who may leverage multiple modes of connecting to the internet, a security model focused on user identity and access control will be a more flexible approach to protecting organizations from threats to users, things and systems, threats that will only grow. With this new identity as a security perimeter, identity is the common denominator across location-agnostic access points, devices, and networks, enabling organizations to holistically authenticate, authorize, and manage users, things, and systems.

Then, as we continue to mature this perimeter, identity-based security models with embedded machine learning and artificial intelligence can enhance insight into identity threats, leading to faster remediation. These identity threats to organizations are digital gold for any malicious actor.

Getting back to the concept of the word "perimeter" in this case, we are looking at a digital boundary and establishing an identity trust model bounded by a borderless digital and virtual environment. Such a model must treat user identity and behavior as indicators for creating the identity trust model, as seen in work done by the MyVayda identity risk and trust platform team.

Identity trust then takes into consideration factors such as:

  1. The rise of insider threats, be they malicious or accidental, as shown in a study by Ponemon Institute which found that insider threats increased 34% since 2020. Furthermore, the 2022 Ponemon Institute Cost of Insider Threat report stated:

     "The time to contain insider threat increased from 77 days to 85 days."
     "Incidents that took more than 90 days to contain cost organizations an average of $17.19 million."

  2. The rapid adoption of digitalization, cloud services and remote work, where identity management is critical to ensuring that only authorized users have access to specific systems and resources. This requires that, regardless of their location or the devices they use, privileges and entitlements are assigned per authorizations and policy, and are audited regularly.
  3. Regulatory compliance, e.g., SOX 404, GDPR, CCPA, etc., which is challenging in distributed environments where data is stored in multiple locations and jurisdictions.
  4. Applications, systems, and Internet of Things (IoT) complexity, requiring identity scalability.
  5. Reducing and consolidating fragmented identity data to reduce security gaps, costs and errors in the management of access controls.
  6. Striking the right balance between security and user experience, to reduce user friction that can affect productivity and user satisfaction.

Technologies and Strategies for Addressing Identity Management Challenges

To address challenges such as the complexity of managing and securing digital identities across multiple cloud services, devices, and networks, insider threats, and regulatory compliance requirements, incorporating the following will be vital to ensuring success.

In building identity as a new security perimeter, we must include single sign-on (SSO), multi-factor authentication (MFA), continuous monitoring and IAM platforms that provide a centralized solution for managing user identities, access controls and authentication policies. We must also have a robust policy and process for defining auditable, risk-based access controls.

A risk-based access control process can not only dynamically adjust the level of authentication and authorization an organization requires based on a user's behavior, device, location and other contextual factors; as a model, it will also enhance user satisfaction and operational experience as users work with applications, systems and Internet of Things (IoT) in their day-to-day functions.
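The following is an added illustration, not code from the article or from any product it mentions, of the risk-based access decision just described: contextual signals (device posture, location, time, recent failures, resource sensitivity) are scored and mapped to the authentication step a request must clear. The signal weights and thresholds are assumed values for illustration; a real deployment tunes them against its own audit data.

```python
from dataclasses import dataclass

# Constructed context for one access request (all fields are assumptions
# about which signals the organization's IAM platform can supply).
@dataclass
class AccessContext:
    user: str
    device_managed: bool          # device enrolled/known to the organization
    country: str                  # geolocated source country of the request
    home_country: str             # country the user normally works from
    hour_local: int               # local hour of day, 0-23
    failed_logins_last_hour: int  # recent failed attempts on this identity
    resource_sensitivity: str     # "low", "medium" or "high"
    last_seen_country: str = ""   # country of the previous session, if known

# Illustrative weights: more sensitive resources start from a higher baseline.
SENSITIVITY_WEIGHT = {"low": 0, "medium": 2, "high": 4}

def risk_score(ctx: AccessContext) -> int:
    """Additive score over contextual signals; higher means riskier."""
    score = SENSITIVITY_WEIGHT[ctx.resource_sensitivity]
    if not ctx.device_managed:
        score += 3                                # unknown device posture
    if ctx.country != ctx.home_country:
        score += 2                                # away from usual location
    if ctx.last_seen_country and ctx.country != ctx.last_seen_country:
        score += 2                                # location changed since last session
    if ctx.hour_local < 6 or ctx.hour_local > 22:
        score += 1                                # outside normal working hours
    if ctx.failed_logins_last_hour >= 3:
        score += 3                                # possible credential guessing
    return score

def required_assurance(ctx: AccessContext) -> str:
    """Map the score to the authentication step the request must satisfy."""
    s = risk_score(ctx)
    if s >= 9:
        return "deny"                    # too risky: block and alert
    if s >= 6:
        return "mfa_phishing_resistant"  # e.g. hardware-backed second factor
    if s >= 3:
        return "mfa"                     # any enrolled second factor
    return "password"                    # low risk: primary credential suffices

if __name__ == "__main__":
    req = AccessContext("alice", False, "DE", "US", 3, 0, "high", "US")
    print(req.user, risk_score(req), required_assurance(req))
```

Each decision carries its score and the signals that produced it, which is what makes the control auditable rather than a black box.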

Of course, new processes have to be measured and tested for improvements, maturity, and effectiveness. With this in mind, some of the things we need to measure and quantitatively evaluate to gauge the success of our new identity security perimeter are:

  1. How does identity as a security perimeter protect digital assets from unauthorized access and reduce the risk of data breaches?
  2. How are things like SSO and MFA improving user experience by simplifying application access?
  3. How does this new security perimeter enable organizations to scale their security measures more effectively, ensuring that employees can access the resources they need from any location, device or network?
  4. How are organizations leveraging IAM platforms to ensure an auditable and robust Identity Lifecycle Management from onboarding to offboarding, provisioning and de-provisioning access rights, updating user information and monitoring for suspicious activities?
  5. How do organizations integrate identity governance to provide a centralized view of all user identities and access rights within the organization, set policies, enforce compliance, and mitigate risk by identifying and addressing security threats?
  6. How are they using IAM platforms to manage user roles, groups, and permissions based on business requirements?
  7. Based on the organization’s approval workflows, how are user requests automatically routed to an appropriate approver?
  8. How are they automating password management and password synchronization across multiple systems?
  9. How are they leveraging privileged access management (PAM) within their organizations, and how are they using identity federation, which will simplify access management across multiple cloud services and applications?

As this new security perimeter continues to evolve, technologies such as AI and ML, blockchain, biometrics, passwordless authentication, and "Zero Trust" will significantly enhance identity security. Most of us know that the concepts, or building blocks, that make up the term "Zero Trust Architecture (ZTA)" have been around for some time.

Many of the core security principles and technologies that make up the ZTA model have developed over decades. The concept of zero trust can be traced back to the "need-to-know" principle, developed by the U.S. Department of Defense (DoD) in the 1960s as part of its security policy for classified information.

Others later adapted this, including the National Institute of Standards and Technology (NIST), which developed the concept of "least privilege" access control.

Navigating a Growing Security Perimeter

In today's interconnected world, the evolution of the security perimeter from traditional to identity-based is critical to protecting an organization's digital assets. As technology evolves and the cybersecurity landscape becomes more complex, the importance of identity as the new security perimeter will only continue to grow.

As a result, the traditional concept of a well-defined security perimeter, constrained by physical boundaries and incident response mechanisms, is no longer the ideal choice.

By adopting a defense-in-depth strategy built on identity, organizations can not only improve protection against external and internal threats, but also gain greater insight and integrated auditability through integrated IAM platforms. This will secure their data and systems and prepare them for a more complex and interconnected digital ecosystem in the future.

This, coupled with an understanding of identity risk and live identity movement across the organization's applications, systems and Internet of Things, as shown by the MyVayda team and others, will be critical to the success of identity as a new security perimeter.