Hybrid work is driving a shift to identity-centric security

Access & Identity Management Handbook 2022 Access Control & Identity Management, Infrastructure

The Covid-19 pandemic has been one of the most disruptive workforce events of the century. The disruption began when organisations were forced to deal with a remote workforce, finding it was not only possible – it could be productive.


Lori MacVittie.

The past 18 months have significantly shifted organisations’ attitudes toward remote work, but not so much as to fully embrace such a model moving forward. Yes, there are organisations who are and plan to continue, operating in a fully remote mode. But a more likely model is a hybrid one in which some employees work from home, others from the office and still others in combination of the two.

Debates rage about who should decide where employees work on any given day, as well as how many days they should be in the office, but in general the notion of a fully hybrid workforce has been accepted across those industries that can support it.

I personally watch these discussions with detached interest because, well, I was never in the office and trust me, I’m not going to be. It’s a really long drive.

To be honest, the implementation details of a hybrid work model aren’t as important as the result: there will be employees working from home and from the office every day of the week. Hybrid work is the new default.

This will have a profound impact on the future of access strategies.

IP-based access

You see, traditional IP-based technologies rely largely on a fixed set of network ranges and addresses. Policies deny or allow access to network and application resources based on IP. That’s the point of a VPN; to effectively assign you a ‘local’ IP address that is part of the range of IP addresses allowed to fritter freely around the corporate network.

We could keep doing that, but we won’t – at least not for most of the workforce. There will always be operators and engineers that need the kind of network access provided by a VPN, but let’s be honest; I don’t need a VPN to browse Confluence or SharePoint or bug the architects on Slack. If my productivity and communication needs are fully served by applications, then I really don’t need access to the network.

And let’s be frank, restricting access to the network is probably the best shift in security strategy we could make right now given the increasing incidents of malware, ransomware and other nastyware. The fewer resources these destructive constructs can access, the better.

This is a real threat because the reality is that a hybrid – largely transitory – workforce is likely to pick up some nastyware and one day log into the VPN: and then you’re in trouble. That’s part of the reason a good VPN solution includes scans and health checks before anything else. But not all VPN solutions are good solutions and some organisations don’t require scans even if the VPN solution can provide it.

This doesn’t mean sunshine and unicorns for application access solutions either. Because many of them are based on IP and in an enterprise, there are a lot of IP addresses to manage.

The number of network devices a single NetOps must manage is alone significant – more than half are managing between 251 and 5000 devices. (NetDevOps Annual Survey: www.securitysa.com/*F5-1).

Add to that my personal, private, home IP address and the personal, private, home IP addresses of everyone else who might be working from home today. Oh and let’s not forget the increasing number of machine-to-machine communications that need to be secured. Cisco’s Annual Internet Report (www.securitysa.com/*cisco2) predicts that “by 2023, there will be more than three times more networked devices on Earth than humans. About half of the global connections will be machine-to-machine connections.”

The result is an untenable model that overwhelms operators, security teams and ultimately the services and systems that must enforce the policies.

Identity is the way

The security challenges associated with hybrid work are accretive to those arising from the rapid pace of digitalisation. Together, these challenges will drive security models toward an identity-centric approach. This approach considers not just human users, but machine users in the form of workloads, devices and scripts. After all, workloads are increasingly as transitory as people. And ultimately, workload A is still workload A, no matter what IP it might be using. Just as I am still me, whether I’m in my home office or in the airport at Minneapolis, or at the office in Seattle.

While certainly IP may be a part of an identity-centric security policy, it is not the primary or determining factor for allowing access to a resource. Rather it becomes an attribute that helps determine what level of identity verification should be required.

If I’m on the VPN/corporate network, perhaps my credentials are enough. But if I’m not, then perhaps my credentials and a second factor should be required. And if I’m attempting access from a previously unseen IP address, perhaps there’s a third factor.

Regardless of how an IP address is used, it should no longer be used alone. Not even for workloads. After all, nastyware may be on the corporate network, but it should never be allowed access to applications and resources. Furthermore, we need to expand our understanding of identity beyond people to the workloads, applications and devices we increasingly rely on.

I’m sure I don’t have to mention the debacle of SolarWinds. But are you aware of threats like Siloscape, described as “malware [that] pries open known vulnerabilities in web servers and databases so as to compromise Kubernetes nodes and to backdoor clusters” and the threat of misconfigured management consoles? Many management consoles are secured primarily by IP-based controls that end up disabled because they interfere with remote access – a must with today’s hybrid work model.

A more robust, identity-based set of access controls would provide protection against hijacking and unauthorised use, no matter the originating location. Additionally, robust identity-centric security would provide protection from compromised systems that attempt to infect, hijack, or otherwise exploit other resources from the safety of the corporate network.

We have been slowly moving toward identity-based security for a long time. But the explosive growth of automation and digitalisation, along with a trend toward hybrid work models, will accelerate that movement until we finally ditch IP addresses as a primary method of access control.

Identity-centric security is the way.




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Upgrade your PCs to improve security
Information Security Infrastructure
Truly secure technology today must be designed to detect and address unusual activity as it happens, wherever it happens, right down to the BIOS and silicon levels.

Read more...
The power of PKI and private sector innovation
Access Control & Identity Management News & Events Government and Parastatal (Industry)
At the recent ID4Africa 2025 Summit in Addis Ababa, the spotlight was firmly on building secure, inclusive, and scalable digital identity ecosystems for the African continent.

Read more...
Open source code can also be open risk
Information Security Infrastructure
Software development has changed significantly over the years, and today, open-source code increasingly forms the foundation of modern applications, with surveys indicating that 60 – 90% of the average application's code base consists of open-source components.

Read more...
Biometric security key for phishing-resistant MFA
Products & Solutions Access Control & Identity Management
New FIDO-compliant USB, Bluetooth, and NFC BioKeys with biometric login and centralised management for phishing-resistant, passwordless multifactor authentication (MFA) for enterprise users.

Read more...
Fastest PCIe Gen 5.0 NVMe SSD
Products & Solutions Infrastructure
Sandisk has unveiled the WD_BLACK SN8100 NVMe SSD with PCIe Gen 5.0 technology, an internal SSD delivering speeds up to 14 900 MB/s and capacities up to 4 TB, with 8 TB solutions available soon.

Read more...
Unified storage solution
Products & Solutions Infrastructure
CASA Software has announced the local availability of Nexsan’s upgraded unified storage solution, Unity NV4000, which is ideal for mixed workloads, from virtualisation and video surveillance to secure backup and recovery.

Read more...
Gallagher Security releases OneLink
Gallagher Animal Management Products & Solutions Access Control & Identity Management
Gallagher Security has announced OneLink, a cloud-based solution that makes it faster, easier and more cost-effective to deploy security anywhere in the world, transforming how security can be delivered to remote sites and distributed infrastructure.

Read more...
Suprema unveils BioStar Air
Suprema neaMetrics News & Events Access Control & Identity Management Infrastructure
Suprema launches BioStar Air, the first cloud-based access control platform designed to natively support biometric authentication and feature true zero-on-premise architecture. BioStar Air simplifies deployment and scales effortlessly to secure SMBs, multi-branch companies, and mixed-use buildings.

Read more...
Continuous AML risk monitoring
Access Control & Identity Management Security Services & Risk Management Financial (Industry)
AU10TIX, launched continuous risk monitoring as part of its advanced anti-money laundering (AML) solution, empowering businesses to detect behavioural anomalies and emerging threats as they arise.

Read more...
Back-up securely and restore in seconds
Betatrac Telematic Solutions Editor's Choice Information Security Infrastructure
Betatrac has a solution that enables companies to back-up up to 8 TB of data onto a device and restore it in 30 seconds in an emergency, called Rapid Access Data Recovery (RADR).

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.