The New Cybersecurity Perimeter: Part 2
In THE NEW CYBERSECURITY PERIMETER: PART 1 we discussed the history of the security perimeter and why the “castle and moat” model, based on firewalls and other defense-in-depth mechanisms, is not suited to modern architectures. With the rapid move to a workforce and extended supply chain that requires access from anywhere in the world to applications and resources – resources that are both “on prem” and in the cloud – traditional perimeter-based controls are simply not sufficient.
“Anywhere access to any resource” turns the traditional perimeter model on its head, effectively making identity the new security perimeter. Protection, detection and response capabilities from controls placed at and inside the network perimeter will endure, but they will undergo a metamorphosis: from on-prem technology to cloud-based infrastructure that effectively becomes part of the network fabric itself. Ingress and egress traffic will be routed through cloud-based control points.
But perhaps the most prominent change driven by “anywhere-to-anything” access will be to shift the primary control point all the way out to the endpoints. Individuals will be required to positively authenticate with new controls that also analyze the device being used to log in before access to apps or other network resources is granted.
We believe there are three key implications of this new identity-based perimeter:
- Passwords, and all the band-aids that accompany them, are not up to the task and will be replaced with much stronger authentication methods.
- Organizations will move to adaptive, risk-based authorization–controlling who gets access to what resources after scrutinizing additional risk factors.
- SOC and compliance teams will require the same level of visibility into the new identity-based perimeter that they had with the legacy network perimeter.
We discuss the first implication below; the other two are covered in Part 3 of this series.
Death to Passwords
Bill Gates and many others long ago predicted the death of passwords. Despite these prognostications, passwords remain the primary authentication method across the internet – as Mark Twain once famously said, “the reports of my death have been greatly exaggerated.”
Instead of eliminating passwords, a raft of band-aids arose to reduce the risk of passwords. From complex passwords that users hate to manage and often forget or simply reuse, to password managers, which are clunky at best and require yet another password, these workarounds have not solved the root problem. Passwords are a “shared secret”, known to both the user and the server. They can be stolen and used by attackers and fraudsters. By some accounts, there are over 15 Billion (yes, with a B) credentials for sale on the dark web.
Worse yet, particularly from a user convenience perspective, many organizations turned to legacy multi-factor authentication (MFA) methods such as one-time links or codes that users have to fish out of emails or texts, or authenticator apps that require users to grab a second device to log in. This can add another layer of security on top of the fundamentally insecure password. However, legacy MFA injects friction into the login process and relies on techniques with known security vulnerabilities.
The solution is not to try to fix passwords, but to eliminate them altogether and replace them with a fundamentally secure primary authentication mechanism. The most secure passwordless solutions eliminate shared secrets entirely and replace them with some form of asymmetric cryptography.
The FIDO standard, which leverages asymmetric crypto, has gained traction recently and promotes replacing passwords with a secure authentication method based on key pairs. The standard enables organizations to solve some authentication use cases – specifically authentication to browser-based apps – and is currently supported by many, but not all, browsers.
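To make the key-pair model concrete, here is an added example written for this article (it is not Beyond Identity's or FIDO's code; the origin string and user name are made up). The server stores only public keys, so a breach of its database yields nothing an attacker can log in with; each login uses a fresh single-use challenge, and the signature is bound to the site's origin so a signature collected by a lookalike site does not verify.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Server stores only public keys and one-time challenges: there is no shared secret to steal.
type Server struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
	origin     string // the site identity that every signature is bound to
}

func NewServer(origin string) *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}, origin: origin}
}

// Register keeps the user's public key; the private key never leaves the device.
func (s *Server) Register(user string, pk ed25519.PublicKey) { s.pubKeys[user] = pk }

// Challenge issues a fresh random nonce for one login attempt.
func (s *Server) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}

// Sign is the device side: it signs origin||challenge, so a signature produced for a
// lookalike origin fails verification at the real site.
func Sign(priv ed25519.PrivateKey, origin string, challenge []byte) []byte {
	return ed25519.Sign(priv, append([]byte(origin), challenge...))
}

// Verify consumes the outstanding challenge (single use, so a replayed signature fails)
// and checks the signature against the stored public key for the server's own origin.
func (s *Server) Verify(user string, sig []byte) error {
	c, ok := s.challenges[user]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(s.challenges, user)
	pk, ok := s.pubKeys[user]
	if !ok || !ed25519.Verify(pk, append([]byte(s.origin), c...), sig) {
		return errors.New("signature verification failed")
	}
	return nil
}
```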
Passwordless with Beyond Identity
Beyond Identity leverages asymmetric crypto, replacing passwords with secure and highly scalable X.509 certificates, the same technology used to secure trillions of dollars of financial transactions daily (via TLS, AKA the lock in the browser). We provide strong, secure, scalable authentication across a range of use cases – from browser-based access to support for native apps. Very importantly, especially to security veterans, Beyond Identity requires zero knowledge of, or management of, certificates. The Beyond Identity cloud-based platform takes care of 100% of certificate issuance and management, so you get all the benefits of the strongest authentication possible without any of the hassles of certificate management.
More Security with Less Friction
Securing the new perimeter should combine increased security with a reduction in user friction. The two goals go hand in hand: more friction from a more complex login process leads users to find simpler and less secure workarounds. If workarounds are not possible, the added friction also increases strain and costs for the help desk and IT department, who must assist users more frequently and manage a more complex tech stack. Passwordless authentication, with solutions that actually eliminate rather than work around passwords, fixes both of these issues in ways that legacy MFA solutions cannot.
While eliminating passwords has many risk reduction and user experience benefits, it is a starting point, not the destination, in building a modern identity-based perimeter security program. In Part 3 we will discuss the additional requirements.