Many organizations still rely on an aging perimeter security model to safeguard digital assets. In this model there is a neat demarcation between an untrusted external zone and a trusted internal zone, protected by a security perimeter, replete with firewalls, intrusion detection systems, anti-virus software, etc. The working assumptions are that:
- Within the security perimeter, all actors and assets are safe with no threats to corporate security. Those outside the perimeter are unsafe and potential security threats.
- The perimeter is effective at preventing hostile, outside parties from penetrating the perimeter and attacking corporate IT assets.
Given the continued onslaught of data breaches that handily bypass our perimeter security, it’s a safe bet that these assumptions are no longer true.
Disruptors Change Everything
The key trends largely responsible for the dissolution of the perimeter are the advent of cloud computing, the explosion of mobile devices and the greatly expanded access to IT resources by non-employee actors, such as vendors, partners, service providers and even customers. Together, these developments allow just about anyone, anytime, anywhere, using uncontrolled mobile platforms, unfettered access to applications, many of which exist outside the traditional security perimeter. What could go wrong?
The Perimeter Isn’t Dead, It’s Just Not Enough
While this new and nebulous corporate computing model is upsetting the security apple cart, IT still needs to care for the traditional computing platforms, applications and data that sit quietly behind the security perimeter but are in even greater need of an updated security model. Remember that a large number of breaches over the past five years have used targeted IT systems, such as AD servers, as a core component of the attack. These systems were safely ensconced inside the security perimeter. Despite this, cyber crooks were able to penetrate the network, and to steal and create admin credentials for systems such as AD servers.
The reality is that being “inside the perimeter” or “outside the perimeter” is no longer inclusive enough to be useful to security practitioners. “Identities” can no longer be defined based on a location in the topology. Authenticating and granting access to IT assets needs to be based on an expanded definition of “identity” and become the central point of control, the “new perimeter” for the distributed IT environment.
Barriers to Strong Authentication
There are many authentication technologies coming to market that could potentially take the wind out of the data breach juggernaut. However, with all good news comes a cautionary note. To be effective, security solutions must be easy to deploy, administer and use.
Unfortunately, many identity and authentication solutions are expensive, complex to use and require long deployment times, often involving application code changes. Furthermore, many authentication solutions only provide partial coverage, offering a limited set of authenticators and leaving many systems and applications unprotected. More than ever, the market needs solutions that provide full coverage and are easy to deploy and use.
To learn more about the new trends in strong authentication, read Crossmatch’s article featured in the current issue of BankNews Magazine.
Chris Trytten has over two decades of technical and managerial experience in systems and security at leading companies in Silicon Valley, including positions with Crossmatch, DigitalPersona, Interlink Networks, Apple, Siemens and Amdahl. In his current position as Market Solutions Manager at Crossmatch, he is using his experience serving the Financial and Retail markets by guiding the product and market teams to address the security needs of these industries. Chris is the author of multiple security white papers and articles.