Identity Is Still the Perimeter
Identity isn't the "new perimeter" anymore, but it is still the perimeter, for both organizations and individuals. Outdated thinking about identity will see you compromised faster than you can believe.

The phrase "identity is the new perimeter" came into the lexicon some time around 2018, give or take a year or two. It was both a revolutionary and an evolutionary statement: it heralded a paradigm shift in cybersecurity priorities, but one that was already years overdue. Dial-up remote access was all but forgotten, and IPsec-based VPNs were already becoming passé, edged out by cloud computing and browser-based access. Single Sign-On (SSO) and Zero Trust became the rallying cries of the security team, displacing network-based security technologies like firewalls and intrusion detection systems from the center of the program.
This was happening against the backdrop of truly high-speed cellular communications: 4G service could reach 100 Mb/sec and already had ten years of rollout behind it, and 5G was just starting to appear in major metro areas, putting 4G's speeds to shame. Rank-and-file workers were getting used to having laptops to do their work on, and executives were insisting on being able to work from their phones and tablets. Web apps were taking over as the interface of choice, even over some of the richly designed client applications that had driven the business world for decades. Think of Microsoft Outlook: do you still use it as an app, or do you use the browser-based version?
Then came the pandemic, and work-from-home became a near-universal experience for office workers. If your organization hadn't already recognized identity as the perimeter, it had to shift paradigms almost without a clutch; gears ground and the company lurched, but we emerged from the pandemic with a new, visceral understanding that identity was the perimeter.
I'm here to tell you that even with the paradigm shift to AI, and a myriad of companies insisting workers return to the office, identity is still the perimeter.
Services Over HTTPS Make Firewalls Less Useful
Over the past several years we've migrated to doing everything over the Internet, and to all of that Internet traffic running over HTTPS, both the port (443) and the protocol. This poses two significant difficulties for firewall-style security tools:
- Traffic can no longer be readily identified by the port it uses. Yes, some activities still happen over specific ports, but these days those are generally infrastructure activities, not user activities. Gone are the days when file transfers regularly occurred via FTP (port 21 and friends); now we generally do that over the same port we use for web browsing.
- Encrypted packets deny the ability to sniff the activity for signs of malicious behavior. End-to-end encryption between the client and the service means your firewall and IPS no longer have the view into traffic that they used to. Corporations can get around this with a complicated "man-in-the-middle" TLS interception scheme, but that requires installing a corporate CA on every endpoint, breaks applications that pin their certificates, and is a serious potential privacy issue on top of the effort to set up and maintain it: some traffic should never be intercepted by a corporation.
Don't get me wrong, firewalls are still important and valuable, but we've shattered the myth that a good firewall is the cornerstone of a good cybersecurity program. This was a painful lesson for many, but one that I think we've mostly learned. I don't see the balance swinging back in favor of the firewall any time soon.
Cloud Based Systems Negated the Value of Traditional VPNs
The moment we stopped hosting our own business applications on our own intranets, we made hub-and-spoke VPNs almost useless. In the "before times," only IT and some executives worked over VPN connections, and those were primarily for after-hours purposes. You connected into the corporate network, and then all of your traffic, even traffic destined for the Internet, went through the VPN concentrator on the corporate network. Soon we started allowing "split tunneling," where only traffic for company systems went through the VPN and Internet traffic went straight to the Internet. This was a security compromise (the corporate network no longer saw, filtered, or logged that Internet-bound traffic), but it was necessary from a bandwidth perspective: as more and more users were granted VPN access, and more and more traffic was Internet-focused rather than corporate-LAN-focused, the cost of bandwidth became too great to support full tunneling. Eventually many companies stopped hosting any systems "inside the network" at all, and the traditional VPN concept faded into the past, much as long-distance train travel has in this country: you can still find it, but most people and organizations prefer other solutions.
AI Powered Deepfakes Make Identity Even More Important
So that was the past, but the present has new dangers that make authentication even more important. We've all experienced, first- or second-hand, a scam impersonating our boss via text, email, etc., trying to convince us to hand over money or resources to scammers. I've even written about how my wife and I were almost taken by one of these scams. AI-powered deepfakes that can impersonate both the voice and the video of a person will make these scams even harder to detect going forward.
While I won't pretend I have a foolproof answer for this issue, I know that authentication will be a critical force for ensuring we don't hand over assets to scammers in these situations.
Identity Is Your Personal Perimeter Too
We talk mostly about how identity is the perimeter for companies and organizations, but it is true for individuals as well, if a bit differently. You must actively protect and defend your identity. That means things like not reusing passwords, closing accounts for services you no longer use, reporting doppelganger accounts on social media platforms, and securing your logins to everything. But that's only one side of the equation.
The other is who you allow yourself to interact with. A great many scams and frauds involve people pretending to be your trusted service providers, like your bank, utility provider, or the IRS (yes, I know, I'm using the word "trusted" to do a lot of work here), and convincing you to share sensitive data with them.
Identity Strategies That Work
Organizations should know most of this already, but let's recap quickly:
- Use MFA. Good MFA, none of that SMS crap: phishing-resistant methods like FIDO2 security keys or passkeys where you can get them, an authenticator app otherwise.
- Use Single Sign-On for as much as you can, fronted by a purpose-built identity provider with good MFA, not just the lowest-common-denominator SSO offering bundled with your email provider.
- Be especially focused on detecting Business Email Compromise (BEC) and other impersonation activity. Train your team on how to detect and report these events.
- Practice out-of-band verification of identities for questionable or important tasks.
- Have thorough identity logging enabled, retained, and monitored. (Just because we don't say "AAA" anymore doesn't mean authentication, authorization, and accounting aren't still important.)
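To make "monitored" concrete, here is an added example (mine, not from the original post) of two detections that belong on top of identity logs: a password spray (one source IP failing against many accounts in a short window) and MFA fatigue (a user denying several push prompts and then approving one). The log format is an assumption, one JSON object per line with ts, user, src_ip, event, and result; real identity providers use their own field names, so map yours onto these. The sample log lines are constructed for the example.

```python
"""Two identity-log detections over constructed sample data (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format): a spray from 198.51.100.7, an
# MFA-fatigue run against grace, and ordinary traffic that should not alert.
SAMPLE_LOG = """\
{"ts": "2024-05-01T08:00:01Z", "user": "alice", "src_ip": "203.0.113.10", "event": "password", "result": "success"}
{"ts": "2024-05-01T08:00:05Z", "user": "alice", "src_ip": "203.0.113.10", "event": "mfa_push", "result": "approved"}
{"ts": "2024-05-01T08:01:00Z", "user": "bob", "src_ip": "198.51.100.7", "event": "password", "result": "failure"}
{"ts": "2024-05-01T08:01:02Z", "user": "carol", "src_ip": "198.51.100.7", "event": "password", "result": "failure"}
{"ts": "2024-05-01T08:01:04Z", "user": "dave", "src_ip": "198.51.100.7", "event": "password", "result": "failure"}
{"ts": "2024-05-01T08:01:06Z", "user": "erin", "src_ip": "198.51.100.7", "event": "password", "result": "failure"}
{"ts": "2024-05-01T08:01:08Z", "user": "frank", "src_ip": "198.51.100.7", "event": "password", "result": "failure"}
{"ts": "2024-05-01T09:10:00Z", "user": "grace", "src_ip": "192.0.2.44", "event": "password", "result": "success"}
{"ts": "2024-05-01T09:10:05Z", "user": "grace", "src_ip": "192.0.2.44", "event": "mfa_push", "result": "denied"}
{"ts": "2024-05-01T09:10:40Z", "user": "grace", "src_ip": "192.0.2.44", "event": "mfa_push", "result": "denied"}
{"ts": "2024-05-01T09:11:15Z", "user": "grace", "src_ip": "192.0.2.44", "event": "mfa_push", "result": "denied"}
{"ts": "2024-05-01T09:11:50Z", "user": "grace", "src_ip": "192.0.2.44", "event": "mfa_push", "result": "approved"}
{"ts": "2024-05-01T10:00:00Z", "user": "bob", "src_ip": "192.0.2.9", "event": "password", "result": "failure"}
{"ts": "2024-05-01T10:00:20Z", "user": "bob", "src_ip": "192.0.2.9", "event": "password", "result": "success"}
"""


def parse_log(text):
    """Parse one JSON record per line, converting the timestamp to datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Alert when one source IP fails passwords against min_users distinct
    accounts inside a sliding time window. One alert per offending IP."""
    failures = defaultdict(list)  # src_ip -> [(ts, user), ...] in time order
    for e in events:
        if e["event"] == "password" and e["result"] == "failure":
            failures[e["src_ip"]].append((e["ts"], e["user"]))
    alerts = []
    for ip, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide window forward
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                alerts.append({"type": "password_spray", "src_ip": ip,
                               "users": sorted(users)})
                break
    return alerts


def detect_mfa_fatigue(events, window=timedelta(minutes=5), min_denied=3):
    """Alert when a user denies min_denied pushes within window and then
    approves one: the push-bombing pattern where the victim finally gives in."""
    pushes = defaultdict(list)  # user -> push events in time order
    for e in events:
        if e["event"] == "mfa_push":
            pushes[e["user"]].append(e)
    alerts = []
    for user, ps in pushes.items():
        for i, p in enumerate(ps):
            if p["result"] != "approved":
                continue
            denied = [q for q in ps[:i]
                      if q["result"] == "denied" and p["ts"] - q["ts"] <= window]
            if len(denied) >= min_denied:
                alerts.append({"type": "mfa_fatigue", "user": user,
                               "denied": len(denied), "src_ip": p["src_ip"]})
                break
    return alerts


def run_detections(text):
    """Run both detections over a log and return the combined alert list."""
    events = parse_log(text)
    return detect_password_spray(events) + detect_mfa_fatigue(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

Neither rule fires on the ordinary traffic: alice's single approved push has no denials before it, and bob's one failed password from his own address is not a spray. The thresholds (five accounts in ten minutes, three denials in five minutes) are starting points to tune against your own baseline, and both rules only work if the logs are actually retained long enough to look back across the window.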
With that out of the way, let's focus on how we as individuals can protect ourselves from identity related issues, online and otherwise.
Use Multi Factor Authentication
I've written on this before, but at the end of the day using more than one authentication factor greatly improves the strength of your authentication process. As individuals we need to change our attitude about MFA from "what a pain in the ass" to "I'm glad my provider is helping me protect my identity." And if a provider isn't offering MFA, push them on it: even my Mastodon provider (literally some CISO who decided to build his own instance) has deployed good MFA, so your bank, social media provider, utility, etc. can offer it to you as well.
Use a Password Manager to Generate Unique Passwords
This is another topic I've written about that bears repeating: you must use lengthy, unique passwords for everything. Every website, every app, every laptop, every tablet, and every phone. While some of us may be neurodivergent enough to do this without the aid of a tool, most of those people would probably tell you they'd rather have a tool for it, and the rest of us need one.
Use Out-of-Band Validation Practices
This is a lot simpler than it seems. When someone reaches out to you insisting that they are person X or company Y and asks you to provide sensitive information or money, or to do something that triggers your spidey-senses, end that initial communication and contact them through another channel to validate. Here are a few examples:
- If you get a phone call from your Internet provider telling you that you owe them back payments, ask for a reference number for the case and tell them you will contact them right back. End the call. Now you have a couple of options: find an old billing statement to get the customer service number, call them back at that number, and confirm the reference number they gave you. Or open your provider's app and check your balance. Or use a browser to go to their website, log in there, and validate the same information.
- If you get an email requiring you to click a link to pay a bill or verify some information, and you weren't explicitly expecting such an email, never click the link. Instead, use a search engine or type in the company's website address yourself if you want to follow up online, or else call them after finding a phone number the same way (don't trust the number that may be published in the email).
- If you get an email from a coworker that seems off, use the corporate directory or your contacts list to call them and validate. If they sent you a text message, use some means other than calling back the phone number the text came from. Email or a third-party messaging app would be good choices in that event.
While it isn't impossible for bad actors to have taken over every communication channel with the person or organization you're trying to reach, it is extremely unlikely that they have. Usually they'll have compromised one thing and will try to bluff you beyond that.
Don't Share Your Credentials
I've worked the helpdesk in the past. I've helped people over the phone, over web meetings, and over their shoulder as we troubleshot and solved computing issues. A security-conscious helpdesk worker will NEVER ask you to share your password. If they need you to authenticate into something, they will ask you to input your password yourself.
If you are contacted by your service provider (bank, investment house, etc.) they will as a rule NEVER ask you for your password or authentication code - you should only be asked to input those into systems yourself.
Being asked for your credentials by a person is a huge red flag. However, there is one situation where it may be unavoidable. Keep it in mind:
- You're dropping off a personal (not company) computing device (phone, tablet, computer, etc.) at a repair house. They may need your password/pin/etc. in order to log into the machine while they are repairing it.
- THAT IS IT. THERE ARE NO OTHER TIMES YOU SHOULD SHARE CREDENTIALS.
If you do have to provide a PIN or password so a technician can troubleshoot your device, change that credential immediately when you get the device back from the repair service.
The good news is that these services are less and less likely to need your password to perform their work, as many manufacturers now provide "technician login" accounts that let a technician confirm the hardware is working properly without giving them access to your data and applications. The other good news is that if you choose a reputable repair service, they're less likely to misuse your device.
Looking to the Future
Identity is still the perimeter, and that's unlikely to change any time soon. So much so that we need to be thinking about it not only at work, but in our personal lives as well. But we can all help ourselves manage our own identities, and be on the lookout for fraudulent identities all around us.