Add to that my personal, private, home IP address and the personal, private, home IP addresses of everyone else who might be working from home today. Oh, and let's not forget the increasing number of machine-to-machine communications that need to be secured. Cisco's Annual Internet Report predicts that 'by 2023, there will be more than three times more networked devices on Earth than humans. About half of the global connections will be machine-to-machine connections.'

The result is an untenable model that overwhelms operators, security teams, and ultimately the services and systems that must enforce the policies.

The security challenges associated with hybrid work are accretive to those arising from the rapid pace of digitization. Together, these challenges will drive security models toward an identity-centric approach. This approach considers not just human users, but machine users in the form of workloads, devices, and scripts. After all, workloads are increasingly as transitory as people. And ultimately, workload A is still workload A, no matter what IP it might be using. Just as I am still me, whether I'm in my home office or in the airport at Minneapolis, or at the office in Seattle.

While certainly IP may be a part of an identity-centric security policy, it is not the primary or determining factor for allowing access to a resource. Rather it becomes an attribute that helps determine what level of identity verification should be required.

If I'm on the VPN/corporate network, perhaps my credentials are enough. But if I'm not, then perhaps my credentials and a second factor should be required. And if I'm attempting access from a previously unseen IP address, perhaps there's a third factor.

Regardless of how an IP address is used, it should no longer be used alone. Not even for workloads. After all, nastyware may be 'on' the corporate network but should never be allowed access to applications and resources.
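The step-up policy described above, written out as an added example (not code from F5 or the original article): network location only selects how much identity verification is required, and no location grants access by itself. The network range, principal names, factor names, and address history are constructed assumptions, and treating an on-network address as the lowest tier is one reading of the paragraph.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values for illustration only.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SEEN_IPS = {"alice": {"203.0.113.10"}, "build-agent-7": {"10.20.0.5"}}
# For a workload, "credential" could be a client certificate or signed token.
FACTOR_ORDER = ["credential", "second_factor", "third_factor"]


@dataclass(frozen=True)
class AccessRequest:
    principal: str               # human or machine identity making the request
    source_ip: str
    verified_factors: frozenset  # factors this principal has already proven


def required_factor_count(principal: str, source_ip: str) -> int:
    """Map network location to how much identity proof is required."""
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return len(FACTOR_ORDER)      # unparseable address: demand everything
    if any(ip in net for net in CORPORATE_NETS):
        return 1                      # on VPN/corporate network
    if str(ip) in SEEN_IPS.get(principal, set()):
        return 2                      # off-network, address seen before
    return 3                          # previously unseen address


def decide(req: AccessRequest):
    """Return ("allow", []) or ("step_up", [missing factors])."""
    needed = FACTOR_ORDER[:required_factor_count(req.principal, req.source_ip)]
    missing = [f for f in needed if f not in req.verified_factors]
    return ("allow", []) if not missing else ("step_up", missing)


if __name__ == "__main__":
    for r in [
        AccessRequest("alice", "10.1.2.3", frozenset({"credential"})),
        AccessRequest("alice", "198.51.100.77", frozenset({"credential"})),
        AccessRequest("unknown", "10.9.9.9", frozenset()),  # on-network, no identity
    ]:
        print(r.principal, r.source_ip, decide(r))
```

The last sample request is the case the article warns about: a process that is on the corporate network but has proven no identity is still asked for a credential rather than allowed.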

Furthermore, we need to expand our understanding of identity beyond people to the workloads, applications, and devices we increasingly rely on.

I'm sure I don't have to mention the debacle of SolarWinds. But were you aware of threats like Siloscape, described as 'malware [that] pries open known vulnerabilities in web servers and databases so as to compromise Kubernetes nodes and to backdoor clusters', and the threat of misconfigured management consoles? Many management consoles are secured primarily by IP-based controls that end up disabled because they interfere with remote access, a must in today's hybrid work model. A more robust, identity-based set of access controls would provide protection against hijacking and unauthorized use, no matter the originating location. Additionally, robust identity-centric security would provide protection from compromised systems that attempt to infect, hijack, or otherwise exploit other resources from the safety of 'the corporate network.'

We have been slowly moving toward identity-based security for a long time. But the explosive growth of automation and digitization, along with a trend toward hybrid work models, will accelerate that movement until we finally ditch IP addresses as a primary method of access control.

Identity-centric security is the way.

Disclaimer

F5 Networks Inc. published this content on 16 August 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 16 August 2021 14:32:15 UTC.