When it comes to protecting your network, identity is the new perimeter

With the boom in cloud computing, DevOps, IoT, and employees accessing systems from all over the world on a variety of devices, the "perimeter" of a network has become difficult to define. In response, companies are shifting their attention to authentication, moving away from traditional perimeter security methods in favour of a solid technology focused on identity, such as public key infrastructure (PKI), increasingly in the form of digital certificates.

IT has changed dramatically

To understand how monumental the change to digital identity has been, consider how IT departments used to be. As little as 10 years ago, IT departments were much more in control of all access levels. Companies owned their own operating centres, IT hardware and the client machines used by employees, many of which didn't even leave the building. There were no BYOD mobile devices, and people who were not employees, such as contractors and customers, rarely accessed a company's networks. Everything involving IT was controlled by a single department that ultimately reported to the CIO.

Things are considerably different today, given how the digital transformation has permeated every aspect of business. Almost all departments and LOB are developing applications for their own commercial operations, which means that there are development groups throughout the company. These developers are not even necessarily employees; they can be paid consultants or vendors that are completely outside the traditional IT budget.

Developers are creating apps that interact with systems they don't own or whose physical location may be entirely unknown to them. Employees often use personal devices, such as mobiles and computers, and the company has little control over their security. With such a decentralised ecosystem, how can a limit be placed on a network? How do you ensure that these applications and work devices create a safe barrier against external attacks? If no measures are taken, the possibilities of breaches, data theft and business interruptions are alarmingly high.

Identity is the future

In the current business environment, identity is the new security perimeter. If each device, user, server, process and IoT has a unique identity, these identities become the new "perimeter" to avoid unauthorised access to data and systems. By denying access to any device or process that does not have the proper permissions, unauthorised actors are kept away and commercial processes are allowed to continue.

And passwords are not good enough. Many passwords can be guessed and there are methods for stealing passwords; during a breach, credentials are among the first things an intruder will look for. While companies can implement methods such as multifactor authentication (MFA), which do help somewhat, nobody wants to be denied access to all their accounts just because they left their phone at a bar. 

In today's world, the edge of the network is in every discrete logical element. Every digital "entity" that is connected to the network needs its own identity. Each mobile device, each DevOps container and each IoT device needs a unique digital certificate. Every user needs solid credentials that are controlled by and linked to accesses and permissions that are customised to each user's role in the company or ecosystem.

The number of entities requiring certificates increases exponentially in modern computer architectures. For example, DevOps environments need a unique certificate for each container created in the cloud; otherwise, a false container may be injected into the environment, resulting in stolen data, unauthorised access, interrupted processes or other negative outcomes. Since a container may only last a few minutes or seconds before it does its job and is deleted, the total volume of certificates will be much greater than in a traditional computer architecture.

Similarly, if intruders can break into an IoT environment and access the network's communications by pretending to be a valid device, they can also steal information and interrupt operations. These are the types of weaknesses that attackers are looking for. 

The new perimeter of PKI

A modern PKI platform can assign, track and manage the life cycles of certificates for each device. The value of this functionality has been obvious to high-risk industries, such as finance, but as procurement technology has evolved and weak authentication methods put networks in danger, PKI has provided a reliable and secure solution to every industry. PKI is more widespread than you might think, and it has been adapted to conform to the modern company. Previous iterations of PKI technology sufficed in a single technology stack, like Windows, but now they must be integrated with the cloud and mobile devices, and with all their associated platforms and operating systems.

To implement PKI efficiently and comprehensively as the new perimeter, companies must have a certificate management platform that can accommodate the full range of business use cases. The visibility of all types and uses of certificates, both public and private, is essential. Equally important is the support technology that provides for automatic implementation, monitoring and renewal. 

As teams seek to protect their networks now and in the future, digital identity will increasingly become the new business perimeter.