Your Fortress is Obsolete: Why CISOs Need a Zero-Trust Identity Revolution
- By Winston Thomas
- March 05, 2024
Synthetic identities, advanced attack vectors, and increasingly distributed networks are forcing a shift in the identity and security space.
CISOs, long accustomed to the mentality of a walled fortress, find themselves struggling to keep up. However, some pioneering tech companies offer a path to securing the modern enterprise. Johan Fantenberg, principal solutions architect at Ping Identity, sits at the vanguard of that movement.
The rise of a new identity perimeter
Fantenberg sees that the old perimeter-based security model is fundamentally flawed in today's environment. It made sense in a world of clear boundaries, but those lines are gone.
"Identity is the new perimeter," Fantenberg argues. The idea that you can authenticate once and then be free to operate is no longer tenable. Modern architectures demand continuous verification with each and every transaction.
So what's stopping CISOs? One major inhibitor is legacy technology, which bottlenecks operations as systems strain to keep up.
CISOs looking to make this shift must consider the technological implications and look past adding more layers of security or bolting new tech onto aging infrastructure.
"There's only so much lipstick you can put on an existing platform," Fantenberg observes. In some cases, wholesale updates to the core IAM solution may be necessary.
AI/ML: Security's double-edged sword
Applying AI and machine learning in the security space presents challenges and solutions.
On the one hand, these technologies can enhance detection and user behavior analytics and ultimately make the environment safer. On the other, legacy solutions may not be ready to leverage these capabilities.
Companies that want to adopt cutting-edge AI solutions for fraud detection might need to fundamentally change their identity platforms.
Fantenberg highlights the cost-benefit analysis, especially for those with large enterprise transformations.
"We can let the machines do more of the analytical work we maybe are using manpower for today," he says, suggesting that AI could help companies focus their most valuable talent on innovative work.
The use of AI and ML also raises concerns around data privacy, especially as CISOs may need to collaborate with external providers. Fantenberg champions several techniques that can help address this:
- Trust and partnership: Vendors must treat data responsibly, which includes obtaining relevant certifications.
- Data minimization: Limiting PII exposure should be a fundamental design goal for identity solutions.
- Tokenization: Where PII cannot be avoided, tokenization helps to anonymize data.
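Data minimization and tokenization together, as an added illustration (not code from Ping Identity or the article): events bound for an external fraud-detection provider are cut down to the fields the model needs, and the remaining PII is swapped for random tokens held in an in-memory vault that stays inside the enterprise. The field names, vault design and sample events are all assumptions constructed for this example.

```python
import secrets

PII_FIELDS = {"ssn", "email", "full_name", "address"}  # treated as PII
VENDOR_FIELDS = ("event_id", "channel", "ssn", "email", "amount")  # all the model gets


class TokenVault:
    """In-memory stand-in for a vault that never leaves the enterprise.
    Tokens are random, so a token reveals nothing about the PII; the same
    (field, value) always yields the same token so events stay correlatable."""
    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, field, value):
        key = (field, value)
        if key not in self._value_to_token:
            token = f"tok_{field}_{secrets.token_hex(8)}"
            self._value_to_token[key] = token
            self._token_to_value[token] = value
        return self._value_to_token[key]

    def detokenize(self, token):
        """Reverse mapping; only the vault owner can do this."""
        return self._token_to_value[token]


def minimize_and_tokenize(event, vault):
    """Keep only VENDOR_FIELDS (minimization), then tokenize the PII among them."""
    out = {}
    for field in VENDOR_FIELDS:
        if field in event:
            value = event[field]
            out[field] = vault.tokenize(field, value) if field in PII_FIELDS else value
    return out


def ssn_tokens_with_multiple_emails(payloads):
    """A check the vendor can run on tokens alone: one SSN token paired with
    several distinct email tokens, a typical synthetic-identity signal."""
    seen = {}
    for p in payloads:
        seen.setdefault(p["ssn"], set()).add(p["email"])
    return {ssn for ssn, emails in seen.items() if len(emails) > 1}


# Constructed sample events: two applications reusing one made-up SSN.
SAMPLE_EVENTS = [
    {"event_id": "e1", "channel": "web", "ssn": "123-45-6789", "amount": 250.0,
     "email": "alice@example.com", "full_name": "Alice Example", "address": "1 Main St"},
    {"event_id": "e2", "channel": "mobile", "ssn": "123-45-6789", "amount": 999.0,
     "email": "bob@example.com", "full_name": "Bob Other", "address": "2 Side St"},
]
```

The vendor receives no raw SSN, name or address, yet can still flag the reused SSN token; a real deployment would back the vault with an encrypted store rather than a dictionary.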
The struggle for the security of the future
Among the most pressing concerns, Fantenberg highlights synthetic identities—identities that are not entirely fabricated but built upon at least one piece of legitimate information like your social security number. This makes them incredibly difficult to detect, as they often pass initial verification checks.
"The principle of minimizing what we ask for is a core building block of reducing the attack surface in a way for synthetic identities," says Fantenberg. "It's easy to ask for more than you actually need. But it's really hard to just ask for what you really need."
He emphasizes using strong identity verification techniques such as liveness detection to fight synthetic identities—not just at account opening but also during transactions like account recovery.
Looking further into the future, verifiable credentials offer significant promise: Rather than constantly submitting and storing sensitive data, individuals could use verifiable credentials to prove specific aspects of their identity when needed.
Fantenberg sees this as an urgent concern, not just for traditional fraud, but in an age where deepfakes and credential stuffing attacks are becoming increasingly sophisticated. "I think the bad actors will, for sufficient reward, invest more in a lot of surveillance techniques," he cautions. He adds that it also does not help that we leave a lot of our digital footprint on the internet.
This is where companies like Ping Identity are forging an alternative path.
Fantenberg emphasizes Ping Identity's unified platform as its key value proposition. More importantly, this consolidated approach covers customer and workforce identities, AI and ML-powered fraud detection, and even internal identity governance. This eliminates the integration challenges often associated with more disparate product ecosystems.
The company also works with regulators and industries to stay ahead of the curve. This helps customers prepare for regulatory shifts like those seen in open banking and provides guidance for sectors such as retail, which might not face the same level of scrutiny as financial institutions yet.
The new CISO imperative
The world of identity and data protection is in the midst of a major transformation.
The move to a zero-trust, identity-centric model is no longer a matter of 'if' but 'when.' It's a shift that requires CISOs to be bold—questioning deeply ingrained assumptions, pushing for change, and embracing cutting-edge solutions.
CISOs must also collaborate more closely with CIOs and DevOps teams to ensure security is built in, not bolted on at the end.
Lastly, they also need to re-evaluate whether their technology stack is truly fit for purpose, as the move to zero-trust and risk-based authentication may call for difficult decisions and significant upgrades.
The alternative is not just being outpaced but being left dangerously vulnerable in a world where your identity is your most valuable asset.
Winston Thomas
Winston Thomas is the editor-in-chief of CDOTrends. He likes to piece together the weird and wonderful tech puzzle for readers and identify groundbreaking business models led by tech while waiting for the singularity.