"Identity Is The New Perimeter": What's new, and what was the old one?

Greg Soltis

Another round of de-mystifying security jargon: “Identity is the new Perimeter”. Depending on your age, this one can either seem like a major change or seem super obvious.

The Perimeter being referenced is the security perimeter that you are responsible for. If you’re stage security at a concert, it might be the stage and backstage doors. If you work security at a museum, it might be the velvet ropes in front of exhibits. So, what’s the perimeter for InfoSec? And if Identity is the new Perimeter, what does that mean, and what was the old one?

In previous eras, you might’ve had a setup where you would sit down at your computer in your office and authenticate to a local domain controller to log on. By the time you were typing your password, you were already inside the network perimeter: the authentication request and response were sent over a local network. Securing the authentication flow from outsiders was a nice bonus benefit of securing the network perimeter from outsiders. Some resources might even have been secured only by network access (think public pages on the internal corporate wiki).

Fast forward a bit, and it is no longer sufficient to only allow authentication while sitting at your desk in your office. Before ubiquitous smartphones and lightweight laptops, remote access to internal resources was treated as a special request rather than the default. Mobile computing has reversed that paradigm completely. Resources that should not be accessible remotely are now treated as the special request.

To make this all work, the earlier paradigm of securing the network to secure authentication had to be flipped. Authentication requests are now sent from all over the internet: your phone is on some cell carrier network, your laptop is on coffee shop wifi. Rather than your IP address, your identity, post-authentication, is now what authorizes your access to internal resources. Thus, the new perimeter to secure is the identity of your employees. If someone can impersonate one of your employees, they now have inside-the-perimeter access.

Approaches to securing this new perimeter are many, and they keep improving as the industry learns more about both the threats and the user experience. Multi-factor authentication is an improvement here, as are services that apply more context to authentication attempts (think: Starbucks wifi might be OK, but not if the same user authenticated from another Starbucks 1000 miles away one hour ago). At Gold Fig, basic identity protection steps are always one of the first things we check.
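A minimal version of the "another Starbucks 1000 miles away one hour ago" check, as an added example and not Gold Fig's own code: it runs an impossible-travel rule over constructed sign-in events that have already been geolocated to latitude/longitude, and flags consecutive sign-ins by the same user that would require faster-than-airline travel. The 600 mph speed threshold and the 50-mile floor (to ignore geolocation jitter within one metro area) are assumptions.

```python
from math import radians, sin, cos, asin, sqrt

# Constructed sample sign-in events: (user, unix_timestamp, lat, lon).
# The coordinates stand in for what an IP geolocation lookup would return.
SAMPLE_EVENTS = [
    ("alice", 1700000000, 47.61, -122.33),   # Seattle
    ("alice", 1700001800, 47.62, -122.20),   # Bellevue, 30 min later (plausible)
    ("alice", 1700005400, 34.05, -118.24),   # Los Angeles, 1 h later (impossible)
    ("bob",   1700000000, 40.71, -74.01),    # New York
    ("bob",   1700086400, 41.88, -87.63),    # Chicago, 24 h later (plausible)
]

EARTH_RADIUS_MILES = 3958.8


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two lat/lon points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = (sin(dlat / 2) ** 2
         + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(a))


def find_impossible_travel(events, max_mph=600.0, min_miles=50.0):
    """Return (user, earlier_ts, later_ts, miles, hours) for each pair of
    consecutive sign-ins by one user whose implied speed exceeds max_mph.
    max_mph and min_miles are assumed thresholds, not industry constants."""
    findings = []
    last_seen = {}  # user -> (ts, lat, lon) of that user's previous sign-in
    for user, ts, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        prev = last_seen.get(user)
        if prev is not None:
            pts, plat, plon = prev
            miles = haversine_miles(plat, plon, lat, lon)
            hours = (ts - pts) / 3600.0
            # Two sign-ins in the same second give hours == 0; any real
            # distance covered in zero time is impossible by definition.
            if miles > min_miles and (hours <= 0 or miles / hours > max_mph):
                findings.append((user, pts, ts, round(miles), round(hours, 2)))
        last_seen[user] = (ts, lat, lon)
    return findings


if __name__ == "__main__":
    for finding in find_impossible_travel(SAMPLE_EVENTS):
        print("impossible travel:", finding)
```

A production version would feed the same rule with the identity provider's sign-in log and treat a hit as a signal to step up authentication or revoke the session, not as proof of compromise on its own.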