Identity as the new perimeter: Why enterprises must act now
The world has changed profoundly over the last two years amidst the pandemic and an accelerated wave of digitalisation. While cybersecurity has always been a never-ending race, the newfound requirements to support remote work and operational pressures to embrace a plethora of new digital tools have greatly increased the attack surface that bad actors can exploit.
As organisations continue with their digital transformation initiatives by harnessing the cloud and a digital-first mindset, the cybersecurity investments of today – or lack of them – will have profound downstream implications in the future.
The new threat vector is identity
To get ahead of these threats, businesses must take the initiative and proactively address evolving IT environments. Take perimeter security as an example: Enterprises in the past would invest heavily to secure the network perimeter with defences such as firewalls and intrusion detection systems (IDS). They would also insist that non-local users use a VPN and install anti-malware software on all end-user devices.
Yet the changing face of work means that employees today are likely to shuttle between the home and office or may be full-time remote workers. As the number of employees who rarely step into the office grows, it is imperative that enterprises can readily verify the identities of their employees. In this way, the new perimeter is not bounded by the network, but by each employee in the organisation – wherever they might be.
It is no wonder that Gartner has observed that identity has become the de facto perimeter for organisations – and a gaping security vulnerability: Gartner estimates that 75% of all security failures result from a lack of identity management.
Elsewhere, rising cloud adoption is quickly relegating traditional cybersecurity architecture, centred on physical and perimeter access, to the status of legacy protection. While good physical security remains vital, the virtual boundaries of the cloud mean that adopting new cloud-relevant capabilities to guard against the risks associated with working from home and cloud transformation is critical.
With the long list of cyber breaches stemming from stolen credentials, compromised passwords, distracted users and other simple methods of attack continuing to make headlines, the responsibility is with businesses to move beyond a perimeter security mentality and to take steps to strengthen their cybersecurity posture through solutions that incorporate identity and access management (IAM) and governance control.
Defending the modern workplace
How can organisations defend the modern, identity-bounded workplace? Fortunately, solutions to strengthen identity management already exist. For a start, multi-factor authentication (MFA) is a mature technology that combines two or more credentials to ensure that an employee is who they say they are. With Verizon finding that passwords were one of the leading causes of all breaches every year for the last 15 years, leveraging additional authentication factors helps enterprises gain a layered defence to guard against unauthorised access and protect against the most frequent types of breaches.
One common misconception about MFA is that it is only required for high-value employees. However, the evidence from publicly disclosed intrusions reinforces the importance of leaving no exceptions when implementing MFA; bad actors have time and again demonstrated an uncanny ability to move laterally across the network or to exploit initial access from limited accounts to breach business-critical systems.
Another option is passwordless authentication, which does away with passwords or other knowledge-based secrets. The weaknesses inherent to passwords stem from either weak passphrases or employees who reuse their passwords. Moreover, passwords sit at the heart of phishing attempts, where users are tricked into entering their credentials at fake sites masquerading as the real ones. That same Verizon report found that 82% of breaches involved the human element, including phishing and the use of stolen credentials. On this front, solutions based on the FIDO open standard can help organisations remove passwords, go passwordless and offer a higher level of phishing protection.
Finally, identity management at the modern workplace must begin with an IAM solution designed for all users, whether they’re working on-premises or in the cloud. That platform should at a minimum incorporate support for MFA and passwordless. Ideally, that platform should be able to scale to meet businesses’ needs as their users expand and their strategies evolve.
A secure, flexible IAM for the future
Organisations looking to implement a secure cloud IAM can now turn to ID Plus, a complete and flexible IAM platform from RSA. ID Plus is the only true hybrid identity solution, allowing organisations the choice of supporting users in the cloud, on-premises, or across hybrid deployments. ID Plus also offers the most ways to authenticate, including support for software authenticators, hardware authenticators, and SMS, to meet every identity and access management requirement.
ID Plus is a no-compromise solution that helps enterprises avoid the cost and time of having to build and manage a robust IAM platform. Enterprises can rely on the deep expertise that RSA brings for day-to-day operational support and management, with cloud-based self-service features that make it possible to enrol users without the need to contact the helpdesk.
With native support for the RSA DS100 hardware authenticator, ID Plus allows enterprises to deploy passwordless MFA as part of a seamless solution for enhanced user experience and lower total cost of ownership. And as a hybrid IAM, enterprises can also leverage it to maintain key on-premises resources as they journey to the cloud.
Crucially, built-in on-premises failover protects against interruptions in the unlikely event of a cloud or Internet outage. An on-premises authentication component kicks in seamlessly should the ID Plus cloud become inaccessible, giving users continued access to their systems. Notably, the on-premises component is built on a proven RSA platform developed over the last four decades with robust authentication support.
To set up ID Plus as a Software-as-a-Service (SaaS) deployment, all that is required is a corporate email address to sign up with. Enterprises that want to do a hybrid deployment will need to perform the additional step of deploying an on-premises virtual machine.