Protecting data and assets starts with the ability to identify, with an acceptable level of certainty, the people and devices requesting access to systems. Traditionally, identity has been established using a “secret handshake” (user ID and password) that gets the person or device through a gateway with access to permitted systems. Once the person or device is through, few safeguards are in place to further confirm identity.
Now, organizations are starting to take a wider, more complex view of identity when authenticating and authorizing people and devices, one that provides a much more reliable, context-based confirmation of identity than a user ID and password can. “We need to take identity from its current state of managing groups, resources and networks in a fairly static way, to a more real-time view of access control through intelligence and machine learning,” says Andre Durand, CEO of Ping Identity.
That approach requires a more comprehensive look at other factors that determine identity, specifically behavior and environmental attributes. Understand everything you can about the customers, employees, and devices connecting to your systems, and you can build a unique profile for each one that would be extremely difficult for a hacker to copy.
Changing the way enterprises use identity to authenticate and authorize is also driving structural changes within the organization. The people who are responsible for identity have typically not been associated with security. That’s changing as security focuses more on identity as a front-line defensive concept, and it’s having a profound effect on both groups.
“Security absorbed identity, but identity is eating security,” says Durand. As organizations build security strategies that start with strong authentication, identity becomes the new perimeter.