The language of all things technical – science, medicine, technology – can be confusing. To make matters worse, in the technical world and more specifically cybersecurity we are famous for evolving or conflating terms that can often create confusion with our customers and the broader industry. The latest example is the evolution (and perhaps confusion) of Identity and Access Management to Identity Security and the term that is important to us, Identity Defined Security. In addition, variations of these terms seem to pop up everywhere – identity-centric security and identity-focused security, for example. The goal of this blog is not to examine how we got here, but more importantly make sense of where we are and provide some clarity around the terminology that is being used to describe how we address the security of digital identities and the resources they are accessing.
“Identity” denotes the person or entity taking part in a digital transaction, while “Security” is the general term for establishing and confirming trust in those transactions. Both terms have become central to what we now call cybersecurity. What also matters, however, is how the two terms are combined to imply a specific set of characteristics and principles of cybersecurity. The meaning of identity and of security when used by themselves is clear, but it becomes blurry when the words are used together.
There is a general realization in the industry that two distinct, but related disciplines are at play in the world of identity. The first is the lifecycle, definition and protection of an identity itself that we will refer to as Identity Security. The second is use of identity in a contextual manner when enforcing security across various components of the stack that carry out an action or transaction which we will refer to as Identity Defined Security. Let us explore these terms in more detail.
Identity Security
The term “identity security” is not new, but the concept of managing an identity and its related attributes throughout the identity lifecycle, also known as the “joiner, mover, and leaver” cycle, has become a widely adopted discipline. The types of identities have evolved to include humans with elevated privileges, as well as non-human (or machine) identities that encompass physical devices, applications, and processes, to name just a few.
Identity Security ensures that identities are properly set up and protected. An identity, be it human or non-human, is typically associated with one or more identifiers and a set of attributes, and Identity Security means making sure the identity being referenced is not compromised. An identity can be compromised when it falls into the wrong hands, or when it is misused in the “right” hands. Preventing identity compromise therefore means preventing gratuitous disclosure of personal information and making sure the identity cannot be used to impersonate a general or privileged user.
A system that claims to offer identity security ensures that the correct user is connecting to it (authentication), and that confidential information about the user, including credentials, is not stolen or compromised. Authorization is then expressed by granting entitlements to the identity through accounts, privileges, roles and groups; these assignments in turn associate users with policies that determine the level of authorization for the identity. At a high level, Identity Security also encompasses what is commonly known as identity administration and identity governance, which can be further broken down into lifecycle management, identity verification and proofing, access provisioning, and so on. These components are critical to identity security, and they must be validated to be operating effectively in order to achieve compliance.
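The joiner, mover and leaver cycle and the entitlement model described above, as an added example that is not part of the original post. It models a tiny directory in which entitlements are derived from (nested) group membership, walks one identity through the three lifecycle events, and then reconciles what target systems actually grant against what the directory says should be held, flagging the two failures governance reviews exist to catch: stale entitlements left behind by a mover, and orphaned accounts belonging to a leaver or to nobody. The group catalogue, identities and observed accounts are constructed sample data; `GROUP_ENTITLEMENTS` and `GROUP_PARENTS` are hypothetical names, not any product's schema.

```python
"""Added example (not from the original post): joiner/mover/leaver lifecycle
with group-derived entitlements and a reconciliation check. All data below is
constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Identity:
    uid: str
    status: str = "active"            # "active" or "disabled"
    groups: set = field(default_factory=set)


# Hypothetical entitlement catalogue: group -> entitlements on target systems.
GROUP_ENTITLEMENTS = {
    "employees": {"mail:mailbox", "wiki:read"},
    "finance": {"erp:post-journal", "wiki:read"},
    "finance-admins": {"erp:approve-payment"},
    "engineering": {"git:push", "ci:trigger"},
}
# Nested groups: membership of the key implies membership of each value.
GROUP_PARENTS = {
    "finance-admins": {"finance"},
    "finance": {"employees"},
    "engineering": {"employees"},
}


def expand_groups(groups):
    """Resolve nested group membership transitively (cycle-safe)."""
    result, todo = set(), list(groups)
    while todo:
        g = todo.pop()
        if g not in result:
            result.add(g)
            todo.extend(GROUP_PARENTS.get(g, ()))
    return result


def effective_entitlements(identity):
    """Entitlements the identity should hold now; a disabled identity holds none."""
    if identity.status != "active":
        return set()
    ents = set()
    for g in expand_groups(identity.groups):
        ents |= GROUP_ENTITLEMENTS.get(g, set())
    return ents


def joiner(directory, uid, groups):
    """Joiner: create the identity with its initial memberships."""
    directory[uid] = Identity(uid=uid, groups=set(groups))
    return effective_entitlements(directory[uid])


def mover(directory, uid, remove=(), add=()):
    """Mover: swap memberships; entitlements tied to removed groups fall away."""
    ident = directory[uid]
    ident.groups -= set(remove)
    ident.groups |= set(add)
    return effective_entitlements(ident)


def leaver(directory, uid):
    """Leaver: disable rather than delete so audit history keeps the identity."""
    directory[uid].status = "disabled"
    return effective_entitlements(directory[uid])


def reconcile(directory, observed):
    """Compare target-system reality with directory intent.

    observed: {uid: entitlements actually present in target systems}.
    Returns (excess, orphaned): excess maps active uids to entitlements they
    hold but should not; orphaned lists uids with live access but no active
    owning identity (leavers, or accounts nobody owns)."""
    excess, orphaned = {}, []
    for uid, held in observed.items():
        ident = directory.get(uid)
        if ident is None or ident.status != "active":
            if held:
                orphaned.append(uid)
            continue
        extra = held - effective_entitlements(ident)
        if extra:
            excess[uid] = extra
    return excess, sorted(orphaned)


if __name__ == "__main__":
    d = {}
    joiner(d, "alice", ["finance"])
    mover(d, "alice", remove=["finance"], add=["engineering"])
    joiner(d, "bob", ["finance-admins"])
    leaver(d, "bob")
    # Constructed snapshot of what the ERP/wiki/git systems still grant.
    seen = {"alice": {"mail:mailbox", "wiki:read", "git:push", "ci:trigger", "erp:post-journal"},
            "bob": {"erp:approve-payment"},
            "svc-legacy": {"erp:post-journal"}}
    print(reconcile(d, seen))
```

The reconciliation step is the part worth keeping: provisioning code that only ever adds access will pass every functional test and still leave a mover with their old finance entitlement and a leaver with a live approval right, which is exactly the "validated to be operating effectively" requirement the paragraph ends on.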
Identity Defined Security
The term “identity defined security” was introduced in 2015. It relies on a trusted identity, and the context around it, being propagated downstream to the various enforcement points in order to protect and secure other assets. These assets can be confidential data, guarded resources, or applications, each protected by a set of access policies. The policies dictate which identities or groups have access to the resource, for how long that access should be granted, and any special factors that can limit it. These factors can be adjusted dynamically, but the adjustment is always a function of the identity making the request. For example, some users may have access round the clock, while others may only have access to the resource during business hours. This concept of trusted identities assumes that the identity of the requester (whether human or machine) is known and cannot be maliciously impersonated; identity security is therefore a prerequisite of identity defined security. Furthermore, unlike identity security, which deals only with the establishment and protection of the identity itself, identity defined security (or identity centric security) applies to everything that validates the trust placed in an identity. It can also serve as a necessary component, even a prerequisite, for frameworks such as Zero Trust.
We recognize that given the complexity and evolution of identity security, existing definitions may vary and, in some viewpoints, there may be an overlap between the two terms. However, in an effort to create a crisp understanding, we would suggest these two definitions:
- Identity Security: Protect and properly manage an identity and its related credentials.
- Identity Defined Security: Use a trusted identity to protect other resources in the system.
Why it Matters?
If you are reading this blog, you are most likely faced with the daily challenges of securing an organization in our constantly evolving, and dynamic digital environment. In the last 10 years the challenges have shifted from protecting the perimeter to protecting identities and the resources they access. The expanded attack surfaces created by more devices, more applications and a dissolving perimeter are being exploited and have resulted in 79% of organizations reporting a breach in the last 2 years due to a compromised identity.
As we examine these breaches, we find that more often than not the attacker gets in with the legitimate credentials of a real identity. Identity Security can protect an identity through mechanisms such as multi-factor authentication or identity proofing and so reduce the risk of impersonation, but bad actors are working to stay one step ahead of these controls, and in some cases they are trusted insiders.
Through Identity Defined Security, however, additional controls can be applied at the resource being accessed, so that protection remains even if a bad actor manages to impersonate a legitimate user. Examples include allowing access to cloud data based on the identity of the entity making the request, or analyzing user behavior against a baseline before granting access to an application. Identity Defined Security is therefore an important foundation for Zero Trust, which requires that identity be verified as close to the resource as possible and as frequently as security policy deems necessary.
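An enforcement point that makes its decision from the propagated identity context, as an added example that is not part of the original post. It covers both the policy factors described in the Identity Defined Security section (allowed groups, business-hours restriction, MFA and managed-device requirements, session length) and the behavioral baseline check mentioned just above: a request whose country or hour deviates from the subject's observed baseline is allowed only with a shortened session when strong authentication is present, and otherwise gets a step-up response rather than a plain allow. The `IdentityContext` and `Policy` shapes, the `BASELINE` table and all sample requests are constructed for illustration and stand in for the claims a real identity provider would put in a signed token.

```python
"""Added example (not from the original post): policy evaluation at an
enforcement point driven by trusted identity context. Data structures and
sample values are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class IdentityContext:
    """Claims propagated from the identity provider. The enforcement point can
    trust them only because identity security upstream established them."""
    subject: str
    groups: frozenset
    mfa: bool
    device_managed: bool
    country: str


@dataclass(frozen=True)
class Policy:
    resource: str
    allowed_groups: frozenset
    business_hours_only: bool = False    # Mon-Fri 09:00-18:00 UTC
    require_mfa: bool = False
    require_managed_device: bool = False
    max_session_minutes: int = 60


# Constructed behavioral baseline per subject: countries and hours seen before.
BASELINE = {
    "alice": {"countries": {"US"}, "hours": range(8, 19)},
}


def in_business_hours(now):
    """Mon-Fri, 09:00 <= UTC hour < 18."""
    return now.weekday() < 5 and 9 <= now.hour < 18


def deviates_from_baseline(ctx, now):
    """Return the list of ways this request departs from the subject's baseline."""
    base = BASELINE.get(ctx.subject)
    if base is None:
        return ["no baseline for subject"]
    reasons = []
    if ctx.country not in base["countries"]:
        reasons.append(f"new country {ctx.country}")
    if now.hour not in base["hours"]:
        reasons.append(f"unusual hour {now.hour:02d}:00")
    return reasons


def evaluate(policy, ctx, now):
    """Decide access to policy.resource for ctx at time `now`.

    Returns (decision, session_minutes, reasons) where decision is
    "allow", "deny" or "step-up" (re-authenticate before retrying)."""
    if not (ctx.groups & policy.allowed_groups):
        return ("deny", 0, ["subject not in an allowed group"])
    if policy.business_hours_only and not in_business_hours(now):
        return ("deny", 0, ["outside business hours"])
    if policy.require_mfa and not ctx.mfa:
        return ("deny", 0, ["MFA required"])
    if policy.require_managed_device and not ctx.device_managed:
        return ("deny", 0, ["managed device required"])

    anomalies = deviates_from_baseline(ctx, now)
    if anomalies:
        if ctx.mfa:
            # Strong authentication present: allow, but keep the session short
            # so the identity is re-verified soon, close to the resource.
            return ("allow", min(policy.max_session_minutes, 15),
                    anomalies + ["session shortened"])
        return ("step-up", 0, anomalies)
    return ("allow", policy.max_session_minutes, [])


if __name__ == "__main__":
    reports = Policy("s3://finance-reports", frozenset({"finance"}),
                     business_hours_only=True, require_mfa=True)
    alice = IdentityContext("alice", frozenset({"employees", "finance"}),
                            mfa=True, device_managed=True, country="US")
    tuesday_10 = datetime(2024, 3, 12, 10, 0, tzinfo=timezone.utc)
    print(evaluate(reports, alice, tuesday_10))
```

Note that every decision depends on who is asking and the context that travels with them, not on the network the request came from; the same resource yields different outcomes for the same subject at 10:00 from a known country and at 22:00 from a new one, which is the property the paragraph above attributes to Identity Defined Security.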
While it is human nature to evolve terminology, and (in theory) to do so in an attempt to create clarity, we sometimes create confusion instead. We felt that defining these terms and explaining the roles of Identity Security and Identity Defined Security in protecting our organizations was an important topic. One relies on the other, but they are not interchangeable, and implemented together they make a powerful strategy.
About the Author: Asad Ali, IDSA Technical Working Group chair, is a technologist at Thales with 25 years of experience and a track record of technical innovation, research, development, team management and product delivery in the digital security space. He currently serves in the CTO office of the Thales cyber-security business unit, and has been an evangelist for company-wide adoption of user-centered design and a usable security framework. He has also represented Thales in technology standards bodies (W3C, OpenID Foundation), industry technology alliances (CSA, IDSA), and academia outreach programs. He holds 10 patents and has over 40 publications in peer-reviewed technical journals and international conferences. Asad received a Master’s degree in Engineering from MIT.