August 27, 2019

Why You Need Identity-Defined Security Now

Mark Arnold

Trusted for decades, the beloved password has finally reached the end of the road. Increasingly stringent rules about complexity and length have failed to defeat brute-force password crackers, and lax security habits among employees have only made matters worse.

The inescapable truth is that passwords are no longer fit for purpose.

Businesses will need to find a workable alternative that better protects and controls access to information systems. As sanctions for GDPR breaches begin to bite, a replacement for (or enhancement of) passwords is becoming increasingly urgent.

One workable, and powerful, solution is Identity-Defined Security, abbreviated IDS in this article (not to be confused with an intrusion detection system, which shares the abbreviation).

What is Identity-Defined Security?

IDS is a multi-layer concept built for increasingly complex operating environments, so a full explanation takes some unpacking. The key points you need to be aware of are:

  • Access is denied by default. A user who has not been granted an explicit permission cannot reach any network resource. Permissions are granted explicitly, per system and per user (in practice through roles or groups so that they stay reviewable), which keeps stale or over-broad entitlements visible instead of leaving poorly managed accounts and permissions for attackers to exploit.
  • Security is tied to identity. A password is tied to a user account, but a password can be shared or stolen. With IDS, the access decision is tied to a verified identity: who the user is, established by stronger means than a single shared secret, rather than to whoever happens to hold the password.
  • Trusted device lists. In the same way that users are denied access to network resources by default, IDS applies the same restriction to devices. A device that is not on a pre-defined allow list is not permitted to reach core resources, so a stolen credential presented from an unknown machine is refused.
  • Coordinated across the entire data estate. IDS centralizes identity and access control across all systems and platforms so that the same policy is enforced consistently everywhere, rather than re-implemented, and drifting, in each application.
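As an added example (not code from the article or from the Identity Defined Security Alliance), here are the four points above combined into one access decision in Python. The user directory, resource policies, device list and names are constructed for illustration; grants are expressed as roles rather than per-user entries so they remain reviewable; and the second factor is a TOTP check implemented per RFC 6238, using the RFC's published test secret.

```python
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Optional

# Constructed identity directory for illustration; not a real deployment.
# Every entitlement is explicit. Anything not listed here is denied.
USERS = {
    "alice": {
        "roles": {"finance", "staff"},
        "totp_secret": b"12345678901234567890",   # RFC 6238 test-vector secret
        "trusted_devices": {"laptop-7f3a"},
    },
    "bob": {
        "roles": {"staff"},
        "totp_secret": b"12345678901234567890",
        "trusted_devices": {"laptop-c2e9"},
    },
}

# Resource policies: which role grants access and whether a second factor is required.
RESOURCES = {
    "ledger-db": {"role": "finance", "mfa": True},
    "wiki":      {"role": "staff",   "mfa": False},
}

TOTP_STEP = 30     # seconds per code (RFC 6238 default)
TOTP_DIGITS = 6
TOTP_DRIFT = 1     # accept one time step either side to tolerate clock skew


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // TOTP_STEP)


def totp_valid(secret: bytes, code: Optional[str], now: int) -> bool:
    """Compare the submitted code against the current step and its neighbours."""
    if code is None or len(code) != TOTP_DIGITS or not code.isdigit():
        return False
    counter = now // TOTP_STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + step), code)
        for step in range(-TOTP_DRIFT, TOTP_DRIFT + 1)
    )


@dataclass
class Decision:
    allowed: bool
    reason: str


def decide(user: str, device: str, resource: str, code: Optional[str], now: int) -> Decision:
    """Identity-defined access decision: deny by default, require an explicit
    role grant, a device on the user's trusted list, and a second factor where
    the resource policy demands one."""
    identity = USERS.get(user)
    if identity is None:
        return Decision(False, "unknown identity")
    policy = RESOURCES.get(resource)
    if policy is None:
        return Decision(False, "no policy for resource; denied by default")
    if device not in identity["trusted_devices"]:
        return Decision(False, "device not on trusted list")
    if policy["role"] not in identity["roles"]:
        return Decision(False, "no role grants this resource")
    if policy["mfa"] and not totp_valid(identity["totp_secret"], code, now):
        return Decision(False, "second factor missing or invalid")
    return Decision(True, "explicit grant, trusted device, identity verified")


if __name__ == "__main__":
    now = int(time.time())
    code = totp(USERS["alice"]["totp_secret"], now)
    print(decide("alice", "laptop-7f3a", "ledger-db", code, now))   # allowed
    print(decide("alice", "phone-9b11", "ledger-db", code, now))    # untrusted device
    print(decide("bob", "laptop-c2e9", "ledger-db", code, now))     # no grant
    print(decide("bob", "laptop-c2e9", "wiki", None, now))          # allowed, no MFA needed
```

The order of checks is deliberate: the cheapest, most decisive denials (unknown identity, no policy, unknown device) come first, and the second factor is only evaluated once the request has passed every other gate, so an attacker cannot use the MFA prompt as a probe for which resources exist.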

The Identity Defined Security Alliance (comprised of security vendors, solution providers and practitioners) has defined six key principles for applying IDS:

  1. All identities – IDS is designed to manage security access for employees, customers and partners.
  2. Federated architecture – You must assume that all resources exist outside network perimeter defenses and apply security safeguards accordingly.
  3. Built using standards – By selecting technologies based on industry standards, your business can deploy faster and rely on interoperability, so you can build best-of-breed solutions and avoid vendor lock-in.
  4. Support for web, mobile and APIs – Including measures that protect beyond the traditional network perimeter ensures that you are able to secure all resources present and future, including IoT devices.
  5. Internet scale – Security provisions need to be built with scalability at the core, using automation to support potentially millions of identities as your system and requirements grow.
  6. Flexible deployment options – Chosen security technologies need to include a high degree of flexibility so they can be deployed wherever necessary, including outside the traditional network perimeter and in the cloud.

To achieve these principles, IDS uses a multi-layer approach to identity security and systems access: no single system has final control over access, so there is no single point of failure. The accompanying diagram shows what a best-in-class multi-layer deployment looks like under IDSA principles.

Why does Identity-Defined Security matter?

As mentioned earlier, password-only authentication is no longer enough to ensure a sound security posture. Figures from the US, often a barometer for trends elsewhere, have previously suggested that although individuals are more concerned about security, they are not playing their part in raising standards.

For instance, 49% of people questioned by Pew Research believed that their personal information had become less secure over the preceding five years. But they don't help themselves:

  • 41% of adults have shared the password to one of their accounts with a friend.
  • 39% say that they use the same (or very similar) passwords for many of their accounts.
  • 25% admit that they often use passwords that are less secure than they’d like, because simpler passwords are easier to remember than more complex ones.

With passwords, the end user is the trusted guardian of the keys to your networked resources. Each user thus becomes a single point of failure, which runs directly against the multi-layer principles of IDS.

Bad habits and human frailty undermine passwords before technical threats even enter the picture: malware and advanced persistent threat (APT) campaigns exploit weak passwords and over-broad permissions to gain a foothold on a network, then escalate privileges until the attacker can exfiltrate data undetected.

Identity-Defined Security takes much of the responsibility for security out of the hands of the end user. An element of challenge-authentication will persist, but in a newer, multi-layer form.

What is the future of Identity Defined Security?

At the heart of any IDS deployment will be a Single Sign-On (SSO) system. Centralizing and rationalizing credentials seems counter-intuitive to the multi-layer demands of IDS, but it addresses one of the most serious weaknesses of current safeguards: password fatigue. With so many passwords to remember (at least 90 per person according to one estimate), it is little surprise that people reuse them, increasing the risk of compromise. The trade-off is that the identity provider behind SSO becomes the most valuable target in the estate, so it must be the best-protected component: a second factor on every login, and close monitoring of its administrative accounts.

But SSO is just one of the IDS layers. It is joined by multi-factor authentication, which stops a password from being the only key to network access. A username and password will still be required, but they are joined by a second factor: something the user is, such as a fingerprint or facial scan, or something the user has, such as an authenticator app or hardware token that produces a temporary code entered alongside the password. Not all second factors are equal: a one-time code sent by SMS is the weakest option, since it can be phished or intercepted, so app-based or hardware authenticators are preferred where the choice exists.

In the future, IDS deployments will mature further, better controlling activity inside the network too. Expect to see non-interactive safeguards like automated user behavior analysis grow in popularity for instance. These tools will use machine learning to analyze micro-actions to create a behavioral overview of authenticated users, even down to the rhythm of their typing, or the way in which they move their mouse.

Ongoing analysis establishes a behavioral baseline for each user; activity that deviates from that norm could indicate a compromised account, triggering an automatic response, typically a step-up authentication challenge or a lock-out, until a proper investigation can be started. The tuning matters: a baseline built from too few sessions, or a threshold that locks users out on every small deviation, replaces a security gap with a flood of false positives.
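To make the baseline-and-deviation idea concrete, here is an added example in Python (not code from the article or from any product it describes). The feature names, units, thresholds and the session telemetry are all constructed for illustration. It builds a per-user baseline from past sessions, scores a new session by its largest deviation in standard deviations, and refuses to judge at all until enough history exists.

```python
from statistics import mean, stdev
from typing import Dict, List, Optional, Tuple

# Behavioural features captured per authenticated session. Names, units and
# thresholds are assumptions for this example, not values from any product.
FEATURES = ("keystroke_gap_ms", "mouse_speed_px_s")

MIN_SAMPLES = 10     # sessions needed before a baseline is trusted
Z_THRESHOLD = 3.0    # standard deviations from baseline that trigger a response
STDEV_FLOOR = 0.02   # fraction of the mean; keeps a very flat baseline from flagging jitter

Session = Dict[str, float]
Baseline = Dict[str, Tuple[float, float]]


def build_baseline(history: List[Session]) -> Optional[Baseline]:
    """Per-user baseline: (mean, standard deviation) for each feature, or None
    when there is not yet enough history to trust it."""
    if len(history) < MIN_SAMPLES:
        return None
    baseline: Baseline = {}
    for feature in FEATURES:
        values = [s[feature] for s in history]
        mu = mean(values)
        sigma = max(stdev(values), STDEV_FLOOR * abs(mu))
        baseline[feature] = (mu, sigma)
    return baseline


def score_session(baseline: Baseline, session: Session) -> Tuple[str, float]:
    """Largest deviation across features, as (feature, z-score)."""
    worst_feature, worst_z = "", 0.0
    for feature, (mu, sigma) in baseline.items():
        z = abs(session[feature] - mu) / sigma
        if z > worst_z:
            worst_feature, worst_z = feature, z
    return worst_feature, worst_z


def evaluate(history: List[Session], session: Session) -> Tuple[str, Optional[str]]:
    """'observe' while the baseline is too thin, 'allow' when the session fits
    the baseline, 'step_up' (re-authenticate, then investigate) when it does not."""
    baseline = build_baseline(history)
    if baseline is None:
        return "observe", None
    feature, z = score_session(baseline, session)
    if z > Z_THRESHOLD:
        return "step_up", f"{feature} is {z:.1f} standard deviations from baseline"
    return "allow", None


# Constructed history for one user: ~180 ms between keystrokes, mouse ~420 px/s.
ALICE_HISTORY: List[Session] = [
    {"keystroke_gap_ms": g, "mouse_speed_px_s": m}
    for g, m in [(175, 410), (182, 430), (179, 415), (188, 440), (171, 405),
                 (184, 425), (177, 418), (190, 445), (173, 400), (181, 422),
                 (186, 435), (178, 412)]
]

if __name__ == "__main__":
    print(evaluate(ALICE_HISTORY, {"keystroke_gap_ms": 180, "mouse_speed_px_s": 420}))
    # A session with half the typing speed looks like a different person (or a script).
    print(evaluate(ALICE_HISTORY, {"keystroke_gap_ms": 420, "mouse_speed_px_s": 420}))
    print(evaluate(ALICE_HISTORY[:5], {"keystroke_gap_ms": 180, "mouse_speed_px_s": 420}))
```

Two design choices carry the security weight here. The "observe" verdict means a brand-new account is never scored against a baseline of two or three sessions, which would flag almost anything; and the response to a deviation is a step-up challenge rather than an outright lock-out, so a legitimate user on a bad day proves their identity and carries on, while an attacker holding only a stolen password is stopped.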

Ultimately, IDS will become smarter and faster as artificial intelligence is employed to deal with the rapidly changing security landscape. These capabilities will also help to manage the multiple levels of protection demanded by the IDS framework.

To learn more about IDS and how your business can improve its security provisions, please get in touch, visit our Security and Compliance page or call (888) 298-8222

About Mark Arnold

Mark (CISM, CISSP, GWAPT, GXPN, Ph.D.) brings 20+ years of security leadership experience to Navisite. Previously, Arnold served in various security roles at Optiv, PTC, Thermo-Fisher Scientific, Computershare, TJX, and boutique security firm @stake. Mark oversees managed security services, the security and compliance product roadmap, and security strategy development. Mark is also active in the security community. He currently serves on the advisory boards for the SOURCE Conference (as content and speaker management), OWASP Boston, and InfoSecWorld. Besides holding industry certifications, Mark has degrees from Stanford University (B.S.EE), Princeton Theological Seminary (MDiv), and Harvard University (Ph.D.).