Hybrid work is driving a shift to identity-centric security

Access & Identity Management Handbook 2022 Access Control & Identity Management, IT infrastructure

The Covid-19 pandemic has been one of the most disruptive workforce events of the century. The disruption began when organisations were forced to deal with a remote workforce, finding it was not only possible – it could be productive.

Lori MacVittie.

The past 18 months have significantly shifted organisations’ attitudes toward remote work, but not so much as to fully embrace such a model moving forward. Yes, there are organisations who are and plan to continue, operating in a fully remote mode. But a more likely model is a hybrid one in which some employees work from home, others from the office and still others in combination of the two.

Debates rage about who should decide where employees work on any given day, as well as how many days they should be in the office, but in general the notion of a fully hybrid workforce has been accepted across those industries that can support it.

I personally watch these discussions with detached interest because, well, I was never in the office and trust me, I’m not going to be. It’s a really long drive.

To be honest, the implementation details of a hybrid work model aren’t as important as the result: there will be employees working from home and from the office every day of the week. Hybrid work is the new default.

This will have a profound impact on the future of access strategies.

IP-based access

You see, traditional IP-based technologies rely largely on a fixed set of network ranges and addresses. Policies deny or allow access to network and application resources based on IP. That’s the point of a VPN; to effectively assign you a ‘local’ IP address that is part of the range of IP addresses allowed to fritter freely around the corporate network.

We could keep doing that, but we won’t – at least not for most of the workforce. There will always be operators and engineers that need the kind of network access provided by a VPN, but let’s be honest; I don’t need a VPN to browse Confluence or SharePoint or bug the architects on Slack. If my productivity and communication needs are fully served by applications, then I really don’t need access to the network.

And let’s be frank, restricting access to the network is probably the best shift in security strategy we could make right now given the increasing incidents of malware, ransomware and other nastyware. The fewer resources these destructive constructs can access, the better.

This is a real threat because the reality is that a hybrid – largely transitory – workforce is likely to pick up some nastyware and one day log into the VPN: and then you’re in trouble. That’s part of the reason a good VPN solution includes scans and health checks before anything else. But not all VPN solutions are good solutions and some organisations don’t require scans even if the VPN solution can provide it.

This doesn’t mean sunshine and unicorns for application access solutions either. Because many of them are based on IP and in an enterprise, there are a lot of IP addresses to manage.

The number of network devices a single NetOps must manage is alone significant – more than half are managing between 251 and 5000 devices. (NetDevOps Annual Survey: www.securitysa.com/*F5-1).

Add to that my personal, private, home IP address and the personal, private, home IP addresses of everyone else who might be working from home today. Oh and let’s not forget the increasing number of machine-to-machine communications that need to be secured. Cisco’s Annual Internet Report (www.securitysa.com/*cisco2) predicts that “by 2023, there will be more than three times more networked devices on Earth than humans. About half of the global connections will be machine-to-machine connections.”

The result is an untenable model that overwhelms operators, security teams and ultimately the services and systems that must enforce the policies.

Identity is the way

The security challenges associated with hybrid work are accretive to those arising from the rapid pace of digitalisation. Together, these challenges will drive security models toward an identity-centric approach. This approach considers not just human users, but machine users in the form of workloads, devices and scripts. After all, workloads are increasingly as transitory as people. And ultimately, workload A is still workload A, no matter what IP it might be using. Just as I am still me, whether I’m in my home office or in the airport at Minneapolis, or at the office in Seattle.

While certainly IP may be a part of an identity-centric security policy, it is not the primary or determining factor for allowing access to a resource. Rather it becomes an attribute that helps determine what level of identity verification should be required.

If I’m on the VPN/corporate network, perhaps my credentials are enough. But if I’m not, then perhaps my credentials and a second factor should be required. And if I’m attempting access from a previously unseen IP address, perhaps there’s a third factor.

Regardless of how an IP address is used, it should no longer be used alone. Not even for workloads. After all, nastyware may be on the corporate network, but it should never be allowed access to applications and resources. Furthermore, we need to expand our understanding of identity beyond people to the workloads, applications and devices we increasingly rely on.

I’m sure I don’t have to mention the debacle of SolarWinds. But are you aware of threats like Siloscape, described as “malware [that] pries open known vulnerabilities in web servers and databases so as to compromise Kubernetes nodes and to backdoor clusters” and the threat of misconfigured management consoles? Many management consoles are secured primarily by IP-based controls that end up disabled because they interfere with remote access – a must with today’s hybrid work model.

A more robust, identity-based set of access controls would provide protection against hijacking and unauthorised use, no matter the originating location. Additionally, robust identity-centric security would provide protection from compromised systems that attempt to infect, hijack, or otherwise exploit other resources from the safety of the corporate network.

We have been slowly moving toward identity-based security for a long time. But the explosive growth of automation and digitalisation, along with a trend toward hybrid work models, will accelerate that movement until we finally ditch IP addresses as a primary method of access control.

Identity-centric security is the way.

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

SAN market set for growth
Technews Publishing News IT infrastructure
Storage-area network (SAN) market to hit US$ 26,86 billion in revenue by the end of 2029 due to factors like widespread adoption of Hybrid SAN-NAS solutions.

Advanced server performance and energy efficient design
Editor's Choice IT infrastructure Products
Dell PowerEdge server portfolio expansion offers more performance, including up to 2.9x greater AI inferencing while Dell Smart Flow design and Dell Power Manager software advancements deliver greater energy efficiency.

Gallagher to showcase new Controller 7000 single door
Technews Publishing Access Control & Identity Management Products
Gallagher will be showcasing its latest access control innovation, the Controller 7000 Single Door on its stand at Intersec Dubai from 17-19 January 2023.

Fast, reliable and secure cloud services
Technews Publishing Editor's Choice Cyber Security IT infrastructure
Security and speed are critical components of today’s cloud-based services infrastructure. Cloudflare offers a range of services supporting these goals beyond what most people think it does.

Smart parking management platform
Access Control & Identity Management Asset Management, EAS, RFID
Parket builds a seamless bridge between supply and the ever-increasing, but fluid – and often temporary – demand for parking bays.

Visible-light facial recognition terminal
ZKTeco Access Control & Identity Management Products
The SpeedFace-V5L [P] is a visible-light facial recognition terminal using intelligently engineered facial recognition algorithms and the latest computer vision technology.

Facial and palm verification
ZKTeco Access Control & Identity Management Products
The ProFace X [P] supports both facial and palm verification, with a large capacity and rapid recognition.

Glide Master High Security 90° Sliding Gate
BoomGate Systems Access Control & Identity Management Products
Boomgate Systems was asked to make a sliding gate that can turn 90 degrees. The gate had to offer high security and be vandal-proof.

Informing, entertaining and communicating across your landscape
Evolving Management Solutions Access Control & Identity Management
For the first time, the attraction of large shopping malls with many stores, entertainment and food courts no longer offers enough appeal to attract customers.

Suprema’s new BioStation 3
Suprema Access Control & Identity Management Products
The brand new BioStation 3 is not only Suprema’s smallest face recognition device to date, but it also comes packed with the largest variety of features.