From perimeter-centric security to Zero Trust



The migration to the cloud has consigned the term perimeter-centric security to the dustbin of history alongside typewriters, floppy disks and dial-up internet access. In response, enterprises have adopted a Zero Trust approach to address the fluidity of today’s security landscape. By doing so, organisations are enabling secure access for a variety of users, from employees and partners to contractors, regardless of location, device or network, whilst maintaining a positively panoptic view of identity as the foundation of a dynamic Zero Trust platform.

Workforce identity

Starting with your workforce, identity used to be part of the software suites you purchased. Today we have identity on its own platform. This is the foundation upon which we enable hybrid IT and unified access controls, from local legacy applications to modern cloud services.

• Yesterday: identity was part of a stack
• Today: identity as an independent and neutral platform
• Tomorrow: unifying your identity platform

Customer identity

When it comes to customer identity, the past practice was to build identity and access directly into the app, which meant that each website had its own user database. Today, customers are increasingly demanding a multi-channel approach to identity and access verification as a unified experience becomes the natural preference. This shift has led IAM practitioners to regard identity as a microservice, which enables developers to prioritise adding value to your customers.

• Yesterday: build it yourself
• Today: identity as a microservice
• Tomorrow: in-house IAM as your preferred platform

Security

The network was once regarded as the ultimate perimeter: everything inside was trusted, whereas everything outside was not. The shifting technology landscape means this is no longer the case. Because apps and resources now exist both within and outside the network, people have become the perimeter. In the future, people will be the only perimeter as reliance on authentication and authorisation to enable access control decisions grows. It is at this point that we reach Zero Trust.

• Yesterday: network is the perimeter
• Today: people become the perimeter
• Tomorrow: people are the only perimeter

Defining Zero Trust

The concept of Zero Trust grew in prominence because the classical approach to network security failed to keep pace with the shifting enterprise landscape in which people, processes, assets and technology exist. Zero Trust provides an extended ecosystem in which people can use devices over networks and access data in a fluid fashion. Whilst it may still be regarded as a buzzword by many, as Zero Trust matures and acts as a catalyst for a change in security thinking, every decision will be made with the full context of the request rather than an assumption that trust is built into the network.

• Perimeter-less design
• Context-awareness
• Dynamic access control
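
To make the contrast concrete, here is an added example (not from the original article or the conference) that evaluates the same requests under the "network is the perimeter" rule and under a context-aware decision. The field names, the "low"/"high" sensitivity labels, the policy rules and the sample requests are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str
    on_corporate_network: bool  # the only signal the perimeter model uses
    authenticated: bool         # identity verified by the identity platform
    entitled: bool              # authorisation: the user may use this resource
    mfa_passed: bool
    device_managed: bool        # device posture
    sensitivity: str            # "low" or "high" (hypothetical labels)

def perimeter_decision(req: Request) -> str:
    """Network as the perimeter: inside is trusted, outside is not."""
    return "allow" if req.on_corporate_network else "deny"

def zero_trust_decision(req: Request) -> str:
    """Decide from the full request context; location grants no trust."""
    if not (req.authenticated and req.entitled):
        return "deny"
    if req.sensitivity == "high":
        if not req.device_managed:
            return "deny"
        if not req.mfa_passed:
            return "step_up"  # dynamic control: ask for stronger proof
    return "allow"

# Constructed sample requests, not taken from any real system.
SAMPLES = [
    Request("unverified-session", True, False, False, False, False, "high"),
    Request("remote-contractor", False, True, True, True, True, "high"),
    Request("office-employee-byod", True, True, True, True, False, "high"),
    Request("remote-employee-no-mfa", False, True, True, False, True, "high"),
    Request("remote-employee-wiki", False, True, True, False, False, "low"),
]

def compare(samples=SAMPLES):
    """Return (user, perimeter verdict, zero-trust verdict) per request."""
    return [(r.user, perimeter_decision(r), zero_trust_decision(r)) for r in samples]

if __name__ == "__main__":
    for user, old, new in compare():
        print(f"{user:24} perimeter={old:6} zero_trust={new}")
```

The first and third rows are the ones to watch: both sit inside the network, so the perimeter rule allows them, while the context-aware rule denies an unverified session and an unmanaged device reaching a high-sensitivity resource.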

These are my reflections on our recently completed 7th Identity Access Management Europe conference, which was held in Utrecht for the first time. One consistent theme throughout the day was the growing prominence and shift towards enterprise adoption of Zero Trust as a foundational security platform.

Written by Michael Hughes