Is Identity the New Perimeter?

By BlackRidge

A recent Dark Reading article asked ‘Is Identity the New Perimeter?’ The team at BlackRidge agrees with the premise of the perimeter-less enterprise and with using strong identity to establish trust. To take the argument further, trust needs to be established end-to-end, starting with the device and including every underlying resource being accessed and used. Current Identity and Access Management (IAM) technologies are a good start, but they are not sufficient for establishing trust, because they do not cover the network layer.

To see this, let’s look at the bigger picture. The Internet can be viewed as having two layers: the application layer, which carries application-specific content, and the network layer, which is responsible for delivering that content. Identity is widely used at the application layer, with usernames and passwords, single sign-on, multifactor authentication and PKI certificates.

None of these Identity technologies are deployed at the network layer. Layer 2 technologies such as 802.1X and MACsec provide Identity within a LAN, but they cannot cross router boundaries and so cannot carry Identity end-to-end across the Internet. VPNs only provide a network link, and any Identity used within a VPN does not exist outside of the VPN tunnel. Add the rise of Software Defined Networking (SDN), with its virtual network overlays, and Identity within the network is non-existent.

This leaves a hole in the network that APTs (Advanced Persistent Threats) and cyber criminals can readily exploit to scan for targets and vulnerabilities and to spread malware laterally throughout organizations. Without Identity, clouds and networks must rely on implicit trust in what has become a zero-trust environment. Establishing trust is a fundamental problem of information and cyber security, and the lack of Identity within and across the network allows APTs to exploit networks and network resources without challenge.

Since Identity and explicit trust are not present in the network, most security effort has gone into adding explicit trust at the application layer. Strong Identity exists at the application layer, but the application layer relies on the network to establish sessions, and these are established without authentication or explicit trust. Add to this the ubiquitous access demands of mobile and cloud resources (access anytime, from anywhere, by any device) and you can see why most of the focus has been on strengthening application security, with relatively less attention paid to networks.

Strengthening application security and identity is essential, but it is not sufficient. The Identity technologies used at the application layer (Single Sign-On, PKI Certificates and Multifactor Authentication) are all good things, but all of them operate only after a network TCP session has been established. Even the SSL and TLS protocols require a TCP session to be established first. TCP sessions are established without authentication, because TCP has had no native, backwards-compatible authentication capability, until now.

BlackRidge provides explicit trust at the network layer with Transport Access Control (TAC):

  • TAC performs First Packet Authentication, providing strong authentication before a TCP session is established.
  • TAC uses existing identity credentials from PKI Certificates and SmartCards to provide Secure Identity Aware Networking.
  • TAC is compatible with existing network equipment and security devices and provides end-to-end identity across the Internet.
  • TAC is address independent and NAT tolerant, to provide strong identity from mobile devices without requiring administrators to know or manage addresses and network topologies.
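The two points above, that application-layer authentication (including TLS) only runs after the TCP session exists and that First Packet Authentication moves the decision in front of session establishment, can be made concrete with a small model. The following Python is an added illustration, not BlackRidge's code and not a description of how TAC itself encodes or checks identity: it assumes a hypothetical gateway that holds a per-identity key (standing in for a certificate or smart-card binding), reads a short HMAC-based tag and nonce from the first packet of a would-be session, and silently drops anything that does not verify, so an unauthenticated scanner never receives a SYN-ACK and never learns whether a port is open. The keys, identities, addresses and policy are constructed sample values.

```python
"""Simplified model of authenticating the first packet of a TCP session,
before any SYN-ACK is sent. Illustration only, not BlackRidge's TAC protocol."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

TOKEN_BYTES = 4        # short tag, sized so it could ride in a field of the first packet
WINDOW_SECONDS = 30    # coarse time slice bound into the tag to limit replay lifetime


@dataclass
class FirstPacket:
    """The first packet of a would-be TCP session as the gateway sees it."""
    src: str
    dst_port: int
    identity: Optional[str] = None   # None models an ordinary SYN carrying no identity
    window: int = 0
    nonce: bytes = b""
    token: bytes = b""


def window_for(now: float) -> int:
    return int(now // WINDOW_SECONDS)


def compute_token(key: bytes, identity: str, dst_port: int, window: int, nonce: bytes) -> bytes:
    """Truncated HMAC over everything the gateway re-derives or reads from the packet."""
    msg = f"{identity}|{dst_port}|{window}|".encode() + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:TOKEN_BYTES]


def make_first_packet(src: str, identity: str, key: bytes, dst_port: int,
                      now: Optional[float] = None, nonce: Optional[bytes] = None) -> FirstPacket:
    """Device side: bind identity, destination and time slice into the first packet."""
    now = time.time() if now is None else now
    nonce = os.urandom(8) if nonce is None else nonce
    w = window_for(now)
    return FirstPacket(src, dst_port, identity, w, nonce,
                       compute_token(key, identity, dst_port, w, nonce))


@dataclass
class Gateway:
    """Decides on the first packet. A dropped packet gets no reply of any kind,
    so an unauthenticated sender cannot distinguish an open port from a closed one."""
    keys: Dict[str, bytes]                 # identity -> key (hypothetical credential binding)
    policy: Dict[str, Set[int]]            # identity -> destination ports it may reach
    seen: Set[Tuple[str, int, bytes]] = field(default_factory=set)   # replay cache
    log: List[Tuple[str, str, str, int]] = field(default_factory=list)

    def _drop(self, pkt: FirstPacket, reason: str) -> str:
        self.log.append(("DROP", reason, pkt.src, pkt.dst_port))
        return "DROP"

    def evaluate(self, pkt: FirstPacket, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if pkt.identity is None:
            return self._drop(pkt, "no identity token")
        key = self.keys.get(pkt.identity)
        if key is None:
            return self._drop(pkt, "unknown identity")
        current = window_for(now)
        if pkt.window not in (current, current - 1):     # tolerate one slice of clock skew
            return self._drop(pkt, "stale window")
        expected = compute_token(key, pkt.identity, pkt.dst_port, pkt.window, pkt.nonce)
        if not hmac.compare_digest(pkt.token, expected):
            return self._drop(pkt, "bad token")
        if (pkt.identity, pkt.window, pkt.nonce) in self.seen:
            return self._drop(pkt, "replayed token")
        if pkt.dst_port not in self.policy.get(pkt.identity, set()):
            return self._drop(pkt, "identity not authorized for port")
        self.seen.add((pkt.identity, pkt.window, pkt.nonce))
        self.log.append(("ALLOW", pkt.identity, pkt.src, pkt.dst_port))
        return "ALLOW"


# Constructed sample deployment: two provisioned identities and one gateway policy.
DEMO_KEYS = {"laptop-42": b"constructed-key-for-laptop-42",
             "kiosk-7": b"constructed-key-for-kiosk-7"}
DEMO_POLICY = {"laptop-42": {22, 443}, "kiosk-7": {443}}
NOW = 1_700_000_000.0


def demo() -> List[str]:
    """Cases from the text: an unauthenticated SYN, a valid first packet, a replay of
    it, and a credentialed device reaching a port its identity is not authorized for.
    Returns the gateway's decisions in that order."""
    gw = Gateway(dict(DEMO_KEYS), DEMO_POLICY)
    plain_syn = FirstPacket(src="203.0.113.9", dst_port=22)          # no identity at all
    good = make_first_packet("198.51.100.5", "laptop-42", DEMO_KEYS["laptop-42"], 22, now=NOW)
    wrong_port = make_first_packet("198.51.100.6", "kiosk-7", DEMO_KEYS["kiosk-7"], 22, now=NOW)
    return [gw.evaluate(plain_syn, NOW), gw.evaluate(good, NOW),
            gw.evaluate(good, NOW), gw.evaluate(wrong_port, NOW)]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The design choice worth noting is the ordering of checks: the decision is made from the first packet alone, with no state allocated and no reply sent for anything that fails, which is what separates this from TLS client authentication, where the three-way handshake has already completed and the port has already been revealed before any credential is examined. The replay cache keyed on identity, time window and nonce is what keeps a captured first packet from being reused once the window closes or the nonce has been seen.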

IAM technologies along with BlackRidge enable Identity to be the new perimeter.