We're all familiar with the notion that perimeter is disappearing from IT systems – but it's not a new phenomenon. In fact, the perimeter has been dissolving for years, says NetIQ's Ian Yip.
“There is no perimeter, and there hasn't been for years,” he told the company's CSO Agile Security breakfast in Sydney. Even the popular emerging theme that “identity is the new perimeter” is counter-productive, he said, because it allows CIOs to hold onto a long out-dated model.
“If you hold onto that out-dated concept, it will be very difficult to move on from what we do now,” he said.
As discussed in the article, Yip is a strong believer in the development of identity standards that would allow better use of ID in managing access to systems.
However, that creates a different and difficult problem: perfect identity creates the perfect way to steal identity. CSO asked Yip about the best way to manage this issue – which seems to shift the risk from the enterprise to the individual.
Behavioural analysis is important, he said: “if you can identify what's normal for an individual from a behavioural standpoint, and if you have a good baseline to start with, you can spot anomalies”. That data, he said, is what indicates when an attempt has been made to steal an identity.
This is, he added, probably simpler to achieve in the enterprise, where both the identity and the behaviours will live in a more constrained environment. However, he agreed with CSO that the BYOD world undermines the clear division between someone's “public” identity and their “enterprise” identity.
“That's what puts a premium on understanding the context,” Yip said. “The identity you have on a mobile device has a social identifier that's useful for low-risk transactions. If someone is attempting a more serious transaction, then you need to step up to a stronger identity.”
In relation to the BYOD environment, Yip said, that understanding of identity becomes the foundation for managing BYOD security. Enterprises, having decided what their staff need to access, what they have the right to access, and what amount of access they can be allowed from their mobiles, have a much better chance of properly securing the environment – whereas mobile device management solutions, focusing as they do on the device rather than the user, are nothing more than a tactical solution.