The Internet of Identities (IoI) – CSO Online

Jon Oltsik is a principal analyst at Enterprise Strategy Group (ESG) and has been quoted in the Wall Street Journal, Business Week, and the New York Times.

Everyone is talking about IoT these days, and for good reason: there are already billions of devices connected to the global internet, and some researchers are predicting 50 billion by 2020. This alone will make the CISO's job more difficult, but security executives face many other associated challenges as well:

As they say down south, "That dog don't hunt." In other words, traditional security processes, controls and technologies can't scale to meet the security challenges of an IoT mobile world.

This is exactly where identity (i.e. device identity, user identity, asset identity, etc.) comes into play. Connecting sources and destinations must move beyond Layer 2/3 protocols and user names and passwords. Moving forward, everything on the internet must have a trustworthy identity. These trustworthy identities can then be used to guide and monitor secure connections.

My colleague Mark Bowker has dubbed this trend the "Internet of Identities" (IoI), and it fits with many security trends we are tracking. For example, trustworthy identities are at the center of networking trends such as micro-segmentation and software-defined perimeters (SDPs). Once I know the identity of a device or person and the identity of the application or service they want to connect to, I can authenticate each entity, check a policy engine to ensure that this is an authorized connection, segment and encrypt the traffic between source and destination, and maintain an audit log of connections and even all packets exchanged between the two nodes.

In essence, the big global internet gets carved up into billions of fixed-function and personal virtual network segments, all driven by identities at either end of the pipe.
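The connection flow described above (authenticate both ends, consult a policy engine, record the decision), as an added Python example that is not code from the article. The entity names, enrolled keys and policy table are constructed, the HMAC challenge-response is an assumed stand-in for whatever credential a deployment uses (for example X.509 certificates), and segmenting and encrypting the traffic itself is outside what it shows.

```python
import hashlib
import hmac
import json

# Constructed demo data: enrolled per-entity keys and an allow-list policy.
ENROLLED_KEYS = {
    "sensor-17": b"demo-key-sensor-17",
    "telemetry-api": b"demo-key-telemetry-api",
    "hr-db": b"demo-key-hr-db",
}
POLICY = {("sensor-17", "telemetry-api")}  # allowed (source, destination) pairs
AUDIT_LOG = []  # one JSON record per connection decision


def prove_identity(entity_id, key, nonce):
    """Entity side: HMAC over the broker's nonce, bound to the entity's own id."""
    return hmac.new(key, nonce + entity_id.encode(), hashlib.sha256).hexdigest()


def authenticate(entity_id, nonce, proof):
    """Broker side: recompute the proof with the enrolled key; unknown ids fail."""
    key = ENROLLED_KEYS.get(entity_id)
    if key is None:
        return False
    return hmac.compare_digest(prove_identity(entity_id, key, nonce), proof)


def broker_connection(src, src_proof, dst, dst_proof, nonce):
    """Authenticate both ends, apply default-deny policy, audit the decision."""
    if not (authenticate(src, nonce, src_proof) and authenticate(dst, nonce, dst_proof)):
        decision, reason = "deny", "authentication failed"
    elif (src, dst) not in POLICY:
        decision, reason = "deny", "no policy allows this pair"
    else:
        decision, reason = "allow", "policy match"
    AUDIT_LOG.append(json.dumps(
        {"src": src, "dst": dst, "decision": decision, "reason": reason}))
    return decision == "allow"


if __name__ == "__main__":
    nonce = b"constructed-nonce"  # a real broker would issue a fresh random nonce
    proofs = {e: prove_identity(e, k, nonce) for e, k in ENROLLED_KEYS.items()}
    print(broker_connection("sensor-17", proofs["sensor-17"],
                            "telemetry-api", proofs["telemetry-api"], nonce))
    print(broker_connection("sensor-17", proofs["sensor-17"],
                            "hr-db", proofs["hr-db"], nonce))
    print("\n".join(AUDIT_LOG))
```

An authenticated device is still denied when no policy entry names its destination, and every decision, allowed or not, lands in the audit log.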

In my humble opinion, Mark's theory is spot on because we need to use identity, software-defined networking technologies, and big data analytics to decrease the network attack surface and monitor what's going on across billions of nodes. On the business side, IoI will also help organizations provide high-performance services to critical network traffic and high-value customers.

While IoI seems logical, its success over the next few years depends on many factors, including:

1. Strong authentication of IoT devices. Every IoT device must have a strong and unique identity based upon biometric technologies, fingerprinting techniques or tried-and-true X.509 digital certificates.

2. Broad use of standards and baked-in technologies. I'm thinking of some type of rationalization around standards like FIDO, OAuth, OpenID, SAML, etc., while increasing the use of common biometrics like fingerprint readers on phones.

3. Cloud oversight of identities. Facebook, Google and Microsoft have identity scale in the cloud and are already fighting for identity control, but IoI must evolve into a cooperative ecosystem. Industry bigwigs have to work together and agree on an identity ecosystem similar to the model provided by the Trusted Identity Group and NSTIC from the National Institute of Standards and Technology (NIST).

4. Greater use of software-defined networking technologies. As I mentioned above, I'm thinking about greater use of micro-segmentation and a migration from VPN technology to software-defined perimeters that provide any-to-any network access based upon user, identity, location, risk and strict business-driven policies.

5. Mature User and Entity Behavior Analysis (UEBA) tools. There will be far too much happening for security analysts to keep track of connections or spot anomalous behavior. Mature behavior-based security analytics tools based upon machine learning and artificial intelligence (AI) must continue to evolve to bridge this gap.

Large organizations must plan for IoI in several ways:
