In Part 1 and Part 2 of this blog series we discussed the migration to a new identity-based cybersecurity perimeter and explored why existing authentication methods, based on the fundamentally insecure password, are not sufficient. And while eliminating passwords altogether and replacing them with a strong authentication method is a great start, adequately securing this modern perimeter will require other capabilities.
We believe there are three key implications of this new identity-based perimeter:
- Passwords, and all the band-aids that accompany them, are not up to the task and will be replaced with much stronger authentication methods.
- Organizations will move to adaptive, risk-based authorization: controlling who gets access to what resources after scrutinizing additional risk factors.
- SOC and compliance teams will require the same level of visibility for the new identity-based perimeter that they had with the legacy network perimeter.
We covered the first item in Part 2 and will discuss the remaining items below.
Adaptive Risk-Based Authorization
Positive identification based on strong, passwordless authentication is just the first step. Given the criticality of the new perimeter and zero-trust requirements, it is critical to ensure that authorization to use a given application or resource is a policy-based decision. At a minimum, authorization decisions should factor in who the user is, the security posture of the device they are using to access the resource and the criticality of the resource being accessed. It can also include additional endpoint “telemetry” data such as the location of the person logging in. It is very important that the decision is made at the time of login and leverages posture and telemetry data that is current at the time of the transaction, rather than pulled from a database with old data.
To date, organizations have taken steps to understand the risk that a given device may introduce to the organization, for example by implementing MDM and EDR solutions. But coverage across all the devices being used to access corporate resources, including BYOD devices, is often spotty across the various platforms. Further, the device security information is spread across disparate systems and is not integrated into the login transaction, enabling risky devices to slip through the cracks.
Beyond Identity collects endpoint security posture and other telemetry data, signs an envelope containing the data so that it is tamper-proof, and sends the package over an encrypted TLS 1.3 channel. The Beyond Identity policy engine can make adaptive, policy-based authorization decisions or pass the encrypted and signed data through to the customer’s existing identity provider (e.g., SSO) to adjudicate authorization decisions. This enables organizations to be more permissive in the devices they can support (e.g., BYOD) while ensuring that only devices that meet the risk requirements of a given application or resource are actually granted access. Sending the data in a machine-verifiable (tamper-proof) way strengthens the authorization decision immeasurably. It also creates a very complete, single-source record, reducing the time and effort SOC teams would otherwise have to expend and eliminating the integration code that is required to build out a complete audit record.
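To make the two preceding paragraphs concrete, here is an added illustration (not Beyond Identity's code) of a login-time policy decision over a signed posture envelope: the device signs its posture, the policy engine rejects the envelope if the tag does not verify or the telemetry is older than the login transaction allows, and only then applies per-resource requirements. The HMAC key, the `REQUIREMENTS` table and the posture field names are all constructed for the example; a real deployment would use a per-device asymmetric key rather than a shared secret.

```python
import hmac
import hashlib
import json
import time
from typing import Optional, Tuple

DEVICE_KEY = b"constructed-demo-key"   # constructed; stands in for a device-bound key
MAX_AGE_SECONDS = 60                   # telemetry older than this is not "current at login"

# Constructed policy: resource criticality -> posture checks that must all hold
REQUIREMENTS = {
    "low": [],
    "medium": ["disk_encrypted"],
    "high": ["disk_encrypted", "edr_running", "os_patched"],
}

def sign_envelope(posture: dict, key: bytes = DEVICE_KEY) -> dict:
    """Device side: canonicalise the posture JSON and attach an HMAC-SHA256 tag."""
    body = json.dumps(posture, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def verify_envelope(envelope: dict, key: bytes = DEVICE_KEY,
                    now: Optional[float] = None) -> Optional[dict]:
    """Policy-engine side: return the posture only if untampered and fresh."""
    body = envelope["body"]
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        return None                                  # tampered or wrong device
    posture = json.loads(body)
    now = time.time() if now is None else now
    if now - posture.get("collected_at", 0) > MAX_AGE_SECONDS:
        return None                                  # stale data must not drive the decision
    return posture

def authorize(envelope: dict, resource_criticality: str,
              allowed_countries=("US",), key: bytes = DEVICE_KEY,
              now: Optional[float] = None) -> Tuple[str, str]:
    """Adaptive decision: who (envelope signer), device posture, location, resource."""
    posture = verify_envelope(envelope, key, now)
    if posture is None:
        return ("deny", "envelope invalid or stale")
    if posture.get("country") not in allowed_countries:
        return ("deny", "location not permitted")
    for check in REQUIREMENTS[resource_criticality]:
        if not posture.get(check, False):
            return ("deny", f"device fails {check}")
    return ("allow", "policy satisfied")
```

The same verified envelope doubles as the single-source audit record the text describes, since every field the decision used is inside the signed body.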
Visibility at the New Perimeter
Understanding who is entering the new perimeter will be as important as it was (and still is) to track network traffic entering and leaving the old perimeter. Visibility into data crossing the old perimeter is critical in helping detect, investigate and respond to incidents. Data about the individuals and device posture crossing the new identity-based perimeter will be similarly instrumental to security operations center teams looking to improve detection and response capabilities. This new data will be used to respond to threats and investigate breaches more quickly.
Further, this login transaction data will remain important for compliance teams that need a full accounting of who is accessing what resources. Beyond Identity’s solution provides a complete and immutable record that includes the strongly validated identity of the user, which device they are using, and the device’s security posture at the time of login. Instead of collecting and rationalizing data from multiple different data sets (MDM, EDR, SSOs, etc.), the Beyond Identity solution provides a complete record for each login transaction. This complete audit record will save teams significant time and effort in compliance reporting and auditing.
More than just Authentication
Visibility, context, and control are vital to ensure a secure perimeter, and this is no different when identity is the new perimeter. Ensuring that those who access resources are who they say they are is the foundation, but it needs to be built upon with granular policies that take into account as much data as possible to control what they will be accessing.
For more information on adaptive risk-based authorization read our blog on the topic: What is Risk-Based Authentication?