Dark Reading is part of the Informa Tech Division of Informa PLC
Digital Identity Is the New Security Control Plane

Simplifying the management of security systems helps provide consistent protection for the new normal.

2020 saw a hugely accelerated evolution in the cybersecurity landscape. The pandemic pushed workforces remote and caused companies to move up plans for digital transformation, cloud services, and a plethora of remote access technologies. Meanwhile, the traditional operating models are not and will not be completely replaced in most organizations, and organizations have been left with a huge range of perimeters — from the endpoint to secure access service edge (SASE), from system-level role-based access control to virtual private networks, creating huge operational complexity. This is compounded by a technical staff that was probably already stretched, and a workforce that is operating under a new paradigm.

Related Content:

COVID-19's Acceleration of Cloud Migration & Identity-Centric Security

Special Report: Understanding Your Cyber Attackers

New From The Edge: Understanding TCP/IP Stack Vulnerabilities in the IoT

Despite this fragmentation of vendors, platforms, and security models, it remains vital that data and applications continue to be appropriately protected. Complexity is the enemy of security, so it's vital that we simplify the administration of these systems: complexity leads to misconfiguration, and misconfiguration leads to exposure. The controls must be as transparent as possible to the end user — security as an enabler of access, not a frustration to be avoided or circumvented.

We have a parallel for this challenge, at least. As networks grew, it became infeasible to manage routing on every single device via static routing — it was both overly complex and very inflexible. Users needed to be able to access resources easily and without interference; administrators needed to stop making constant manual updates. The RIPv1 routing protocol was standardized in 1988 and BGP in 1989, and these protocols allowed for consistent packet handling across multiple devices and vendors with less manual intervention. They provided a consistent control plane across all these disparate routing platforms.

Our security infrastructures now consist of disparate, possibly layered, controls. These controls come from multiple vendors, sit in multiple places, have multiple implementations, and apply different types of protection. It's vanishingly rare that a single pane of glass can manage even a subset of the controls needed to enforce the security policy. To simplify this, we need a consistent "control plane" equivalent for these controls, one that can be applied to as many as possible of the huge range of enforcement points.

Digital identity — in the form of trusted contextual data defining who is accessing a system and how — provides this control plane. Users are already providing identity (and likely at multiple points). Systems are already consuming it — in the case of software-as-a-service (SaaS) environments, it may be one of the few configurable security controls available — but the decoupling of security from location and IP address is present in many other solutions. It can be tailored to an organization's needs and be risk-sensitive, with different methods and phases required, depending on the resource accessed. Even better, it's a control plane that can and should be implemented in a phased approach and provides a path to a zero-trust network architecture.

The steps to building this are conceptually simple, and we can do extensive preparation. First, ensure even before you implement that the technologies you are investing in are identity-aware and able to make differentiated security decisions in the data plane based on that identity. This must extend to SaaS applications — one of the largest benefits of using identity as your control plane is the ability to bring these into the fold, as it were, and to match them to your security model. Second, consolidate identity to a single "source of trust" — that is, a single secure, consistent, and accurate repository for identity. Doing so means that your control plane is authoritative and reliable, while fragmented domains and sources add complexity and risk. The single source also can be integrated to business process (HR and customer/vendor management), further aligning security to address business risk.

Once the source is established and managed, it's a matter of integration work. In terms of driving toward zero-trust network access, tying in the remote access and SaaS applications that support your remote workers is an excellent starting place, as well as ensuring that all critical internal applications are part of the control plane. As with most of security — it'll be a journey, but in this case the result is a decrease in complexity that facilitates the new normal.
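The two preparation steps above (identity-aware enforcement points that make differentiated decisions, and a single authoritative source of identity) can be made concrete with a small policy decision point. This is an added example, not code from the article or from Presidio; the issuer URL, the group and sensitivity attributes, and the resource names are constructed assumptions. It shows how an enforcement point uses contextual identity data to reach a risk-sensitive decision (allow, require stronger authentication, or deny) that depends on the resource being accessed, and how it rejects assertions that do not come from the single source of trust.

```python
"""Minimal identity-aware policy decision point (added example, not the
article's or Presidio's code). All names and values below are assumptions
constructed for illustration."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # access only after stronger authentication
    DENY = "deny"


# The single "source of trust": assertions from any other issuer are refused.
# Hypothetical issuer name.
TRUSTED_ISSUER = "https://idp.example.internal"


@dataclass(frozen=True)
class Identity:
    """Contextual identity as presented to an enforcement point."""
    subject: str
    groups: frozenset          # entitlements asserted by the identity source
    issuer: str                # which identity source asserted this identity
    mfa: bool                  # whether a second factor was used in this session
    managed_device: bool       # context: device enrolled in endpoint management


@dataclass(frozen=True)
class Resource:
    """An application or data set behind an identity-aware enforcement point."""
    name: str
    sensitivity: int           # 0 = public, 1 = internal, 2 = confidential, 3 = restricted
    allowed_groups: frozenset  # groups entitled to the resource


def decide(identity: Identity, resource: Resource) -> Decision:
    """Return a risk-sensitive decision for one identity against one resource.

    Checks run from cheapest to most contextual: trust in the issuer first,
    then entitlement, then the contextual requirements that scale with the
    resource's sensitivity. A step-up is only requested when it could help,
    so an unmanaged device asking for a restricted resource is denied outright.
    """
    if identity.issuer != TRUSTED_ISSUER:
        return Decision.DENY                      # not from the source of trust
    if not identity.groups & resource.allowed_groups:
        return Decision.DENY                      # no entitlement at all
    if resource.sensitivity >= 3 and not identity.managed_device:
        return Decision.DENY                      # restricted: managed device required
    if resource.sensitivity >= 2 and not identity.mfa:
        return Decision.STEP_UP                   # confidential or above: MFA required
    return Decision.ALLOW


def audit_record(identity: Identity, resource: Resource) -> dict:
    """Build the record an enforcement point would emit for detection and
    response; the same decision logic feeds both enforcement and logging."""
    decision = decide(identity, resource)
    return {
        "subject": identity.subject,
        "issuer": identity.issuer,
        "resource": resource.name,
        "sensitivity": resource.sensitivity,
        "mfa": identity.mfa,
        "managed_device": identity.managed_device,
        "decision": decision.value,
    }


if __name__ == "__main__":
    # Constructed sample identities and resources.
    payroll = Resource("payroll", 3, frozenset({"finance"}))
    wiki = Resource("wiki", 1, frozenset({"finance", "engineering"}))
    alice = Identity("alice", frozenset({"finance"}), TRUSTED_ISSUER, True, True)
    bob = Identity("bob", frozenset({"finance"}), TRUSTED_ISSUER, False, True)
    mallory = Identity("mallory", frozenset({"finance"}), "https://other.example", True, True)
    for who in (alice, bob, mallory):
        for what in (payroll, wiki):
            print(audit_record(who, what))
```

The ordering of checks is the design point worth noting: issuer and entitlement are evaluated before any contextual signal, so a compromised or fragmented identity source cannot reach the step-up path, and a step-up is only requested when satisfying it would actually change the outcome.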

Charlie Winckless is the Senior Director of Cybersecurity Solutions for Presidio, setting strategic direction both internally to Presidio and helping clients build digital trust. He is a cybersecurity veteran with over 20 years' experience in the field and cut his IT teeth at ...

User Rank: Author
1/29/2021 | 6:15:22 PM
Nice article
Digital Identity has indeed become the core of security and an important control plane in a defense-in-depth strategy.