How application security reinforces an identity-as-a-perimeter approach
'Identity as a perimeter' is a concept in cybersecurity that represents a shift in the traditional approach to network and application security. It acknowledges the limitations of perimeter-based security models, such as relying solely on VPNs, firewalls and network boundaries to protect an organisation's assets. Instead, it places the emphasis on securing access to resources based on the identity of the user or entity trying to access them.
This identity-as-a-perimeter approach recognises that in today's digital landscape, the network perimeter has become porous and less defined due to factors like cloud computing, mobile devices, remote work, and third-party integrations.
In an identity-centric approach, the primary focus is on verifying and managing the identities of users, devices, applications and services. This involves using strong authentication methods, identity and access management (IAM) solutions, and role-based access control (RBAC) to ensure that only authorised entities can access specific applications and network resources.
The identity-as-a-perimeter approach also aligns well with the zero-trust architecture (ZTA), which assumes that trust should not be automatically granted based on a user's location within the network. Instead, trust is verified continuously based on identity, device health and context, regardless of where the user or device is located.
As organisations increasingly adopt cloud services and support remote work on various devices, identity as a perimeter adapts to secure access from anywhere.
So how are applications secured? This requires several components, including:
- Disaster recovery: Creating a plan for disaster recovery that ensures minimal downtime and data loss in the event of a disaster, such as a cyberattack or a natural disaster.
- Infrastructure security: Protecting cloud infrastructure from security threats by implementing security controls and following security best practices, such as regular vulnerability assessments, patch management, and configuration management.
- Application security development guidelines and best practices: Ensuring that applications are designed and developed securely, following security best practices such as using encryption, validating input, and implementing secure authentication and authorisation mechanisms.
- Network security: Protecting data in transit with network security measures such as firewalls, TLS encryption, network segmentation, and intrusion detection and prevention systems, complemented by encryption of data at rest so that a compromised network path or storage volume does not expose the data itself.
- Identity and Access Management (IAM): Leveraging a robust IAM system that controls user access to resources and ensures that only authorised individuals can access data and applications.
By integrating these building blocks into an application security strategy, organisations can ensure that their cloud and on-premise environments are secure, resilient, and able to recover quickly from any disaster.
Application security plays a crucial role in the broader concept of 'identity as a perimeter.' Here's how it does this:
- Authentication and authorisation: Application security starts with verifying the identity of users and ensuring they have the appropriate permissions to access specific applications or resources. Identity and access management (IAM) solutions are used to authenticate users and control their access based on roles and permissions. This ensures that only authorised individuals can access sensitive applications and data.
- Role-based access control (RBAC): RBAC is an important component of identity and access management. It ensures users are granted access only to applications and resources relevant to their job roles. This minimises the attack surface and limits the potential damage if an identity is compromised.
- Identity-based threat detection: Modern security solutions such as privileged access management (PAM), identity security posture management, and entitlement management solutions often incorporate identity-based threat detection and monitoring. This involves analysing user behaviour and access patterns to detect unusual or potentially malicious activities. For example, if an identity suddenly accesses sensitive data that it has never accessed before, this could be a sign that the identity has been compromised; an identity with no access history at all touching sensitive data deserves the same scrutiny.
- Single sign-on (SSO): SSO solutions are a key component of identity as a perimeter. They allow users to log in once and gain access to multiple applications without the need to enter credentials repeatedly. SSO enhances security by centralising identity management and reducing the risk of weak or reused passwords. The trade-off is that the identity provider account becomes a single high-value target, so it must itself be protected with strong authentication, session controls and monitoring.
- Secure coding practices: Secure coding practices are essential for building and maintaining secure applications. Developers need to implement security measures within the application code to protect against common vulnerabilities, such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). These vulnerabilities can be exploited to compromise user identities and gain unauthorised access.
- Multi-factor authentication (MFA): MFA adds an extra layer of security by requiring users to provide multiple forms of authentication, such as a password and a one-time code generated by an authenticator app or sent to their mobile device. This significantly reduces the risk of unauthorised access, even if an attacker obtains a user's password. Codes delivered by SMS or entered into a web form can still be phished or relayed in real time, so phishing-resistant methods such as FIDO2/WebAuthn security keys or platform authenticators are preferred for high-value identities.
- Web application and API protection (WAAP): Web application firewalls (WAFs) are security solutions that protect web applications from various attacks, including OWASP Top Ten threats. WAAP adds to the WAF capabilities by securing APIs. WAAP and WAFs help secure applications by filtering malicious traffic and requests, which could be used to steal user credentials or exploit application vulnerabilities.
In summary, application security is an integral part of an identity-as-a-perimeter approach. It focuses on securing the applications and resources that users access by implementing robust authentication, authorisation, and security measures within the applications themselves.
By combining application security with identity and access management solutions, organisations can create a strong defence against modern cyber threats and protect their sensitive data effectively.